
WO2017038351A1 - In-vehicle network device - Google Patents

In-vehicle network device

Publication number
WO2017038351A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
vehicle
state
monitoring
communication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2016/072719
Other languages
English (en)
Japanese (ja)
Inventor
松本 典剛
本多 豊太
中西 一弘
敏史 大塚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hitachi Astemo Ltd
Original Assignee
Hitachi Automotive Systems Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hitachi Automotive Systems Ltd

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B60: VEHICLES IN GENERAL
    • B60R: VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • B60R16/023: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for transmission of signals between vehicle parts or subsystems
    • B60W: CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00: Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02: Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/04: Monitoring the functioning of the control system
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]

Definitions

  • The present invention relates to an in-vehicle control device and a network device mounted on an automobile or the like.
  • JP 2013-131907 A (Patent Document 1) is an example of this technical field.
  • It describes that the vehicle network 6 is provided with a monitoring in-vehicle control device that detects illegal data by monitoring the data communication format defined for operating the communication protocol, and that, when illegal data differing from the specified communication format is detected, the monitoring in-vehicle control device performs processing for sending warning information to each in-vehicle control device and processing for prohibiting the gateway from routing the illegal data.
  • Intrusion of illegal data is detected when more error frames than a set number are transmitted. It is monitored whether or not the number of transmitted error frames exceeds the abnormality count (for example, 150 times) that is the criterion for the occurrence of an abnormality.
  • Because the threshold value for determination is fixed at a specific value, it cannot be guaranteed that the set value is always optimal when complex control is performed according to the situation, such as in automatic driving.
  • The present invention has been made in view of such a situation, and provides a means for detecting illegal data without increasing the data processing load in the in-vehicle device, even when complex control is performed as in automatic driving.
  • An in-vehicle network device that performs data communication between a plurality of in-vehicle devices includes a state acquisition unit that acquires a state of the host vehicle and a communication monitoring unit that monitors the data, and the data monitoring method is changed based on the state of the host vehicle.
  • According to the present invention, it is possible to reduce the processing load for detecting unauthorized data on the in-vehicle network.
  • Security measures corresponding to complicated vehicle control and diversified in-vehicle networks are possible with a simple configuration, without requiring dedicated hardware.
  • Embodiments for carrying out the present invention (hereinafter referred to as “embodiments”) will be described in detail with reference to the drawings as appropriate.
  • Although the present embodiment mainly describes a control device and a network device in an in-vehicle system of an automobile, application to systems other than in-vehicle systems is not precluded.
  • The in-vehicle network device 1 includes a communication monitoring unit 2, a state acquisition unit 3, and a determination method setting unit 4.
  • The in-vehicle network device 1 has, like the other ECUs 5, an arithmetic device such as a CPU (central processing unit), a storage device such as nonvolatile memory and volatile memory, and a communication interface for connecting to the network 6, and has a function of communicating with the other ECUs 5 via the network 6.
  • The three ECUs 5 are connected to each other via the two networks 6, but the types and number of the networks 6 and ECUs 5 to be connected are not particularly limited.
  • Types of the network 6 include, for example, wired networks such as CAN, Ethernet (registered trademark), FLEXRAY (registered trademark), LIN (Local Interconnect Network), and MOST (registered trademark), and wireless networks such as wireless LAN, Bluetooth (registered trademark), and mobile phone networks.
  • The communication monitoring unit 2 has a function of monitoring data passing through the network 6 and changing the communication monitoring method according to the vehicle state acquired by the state acquisition unit 3 described later. Details of the communication monitoring method will be described later. Further, the communication monitoring unit 2 includes a communication determination unit 7 and has a function of determining whether or not there is an abnormality in data passing through the in-vehicle network device 1 via the network 6, according to the determination method set in the determination method setting unit 4. In addition, when an abnormality is detected in the data, it may have a function of preventing the data from passing through.
  • The state acquisition unit 3 has a function of acquiring one of the control state of the own vehicle, the automatic driving state, the driver's state, the surrounding environmental state, and the communication state with the outside of the vehicle as the own vehicle state.
  • The control state is information indicating what kind of control is being performed by the in-vehicle devices of the own vehicle. It may be information regarding the traveling state of the vehicle, such as traveling or stopped, or information indicating what control processing the in-vehicle devices are performing. For example, it may indicate at which of the ASIL levels (A to D), an index of functional safety, control processing is being executed.
  • Information related to internal processing of the in-vehicle device, such as whether or not the program of the ECU is being rewritten by OTA (Over The Air) or the like, may also be used.
  • The automatic driving state indicates whether the vehicle is currently in manual driving or automatic driving and, in the case of automatic driving, the driving mode.
  • Driving modes include ACC (Adaptive Cruise Control), lane change, leading vehicle tracking, lane maintenance support, automatic parking, and the like.
  • The driver's state includes the driver's personal identification information, arousal state, health state, driver's operation state, and the like.
  • The operation state is, for example, whether or not the driver has a hand on the steering wheel, where the driver's line of sight is pointing, and the like.
  • The surrounding environmental state is, for example, information on the temperature and humidity inside and outside the vehicle, the amount of rainfall, and the like.
  • The state of communication with the outside of the vehicle is information indicating whether or not communication between vehicles or communication with an external communication infrastructure is performed by C2X (Car-to-X) communication or the like.
  • The state acquisition unit 3 may acquire the various states described above from, for example, an external ECU 5 via the network 6 described above; via a maintenance connector such as OBD (On-Board Diagnosis) or a local communication interface such as serial communication; or from various operation switches installed at the driver's seat or various sensors installed in the vehicle.
  • The determination method setting unit 4 has a function of setting the communication monitoring method executed by the communication monitoring unit 2 or the processing method of the communication determination unit 7 according to the state acquired by the state acquisition unit 3 described above.
  • The communication determination unit 7 has a function of determining whether or not the data monitored by the communication monitoring unit 2 is abnormal, in accordance with the data determination method set by the determination method setting unit 4 described above.
  • The communication monitoring unit 2 of the in-vehicle network device 1 determines whether data is received from the network 6 (processing S201).
  • The vehicle state is acquired by the state acquisition unit 3, and it is determined whether or not there is a change since the previous acquisition (processing S202).
  • A monitoring method corresponding to the changed vehicle state is newly set (processing S203).
  • The state acquisition (processing S202) and the monitoring method setting (processing S203) need not be executed every time data is received as shown in FIG. 2; they may be executed each time a predetermined number of data receptions have occurred, or at a fixed period regardless of whether or not data is received.
  • The communication monitoring unit 2 monitors the received data by the data monitoring method set in the process S203, and determines whether or not the received data is abnormal (process S204). If it is determined that there is an abnormality in the received data, error processing is executed (processing S205).
  • The error process is an abnormality countermeasure process such as notifying a higher-level system. Details of the countermeasure against abnormality will be described later. If communication monitoring determines that there is no abnormality, it is determined whether or not the received data needs to be transferred to another network 6 (process S206). If data transfer is necessary, the data is transferred via the predetermined network 6 with reference to, for example, address information set in the received data (process S207). If data transfer is unnecessary, the process is terminated.
  • The communication monitoring unit 2 determines whether or not the received data monitoring method needs to be changed (processing S301). For example, when there is a change in the vehicle state in the above-described process S202, it is determined that the monitoring method needs to be changed. If it is necessary to change the monitoring method, a monitoring method corresponding to the vehicle state is set (processing S302). For example, a priority corresponding to the vehicle state is set for the monitoring target data, and a monitoring method corresponding to the priority is set. The communication monitoring unit 2 determines the priority of the received data from the vehicle state (processing S303), and executes a data monitoring method according to the priority (processing S304 to processing S306).
  • FIG. 4 shows an example in which a priority and a monitoring method corresponding to the control state 404 of the own vehicle are set for each data type 401.
  • Examples of the control state 404 of the host vehicle include a traveling state 405, a stopped state 406, and a repro state 407.
  • The traveling state 405 may be further divided according to speed, such as high speed and low speed.
  • The stopped state 406 may also be divided into states such as engine stop, idling, and accessory power ON.
  • The repro state 407 is a state in which reprogramming, such as of the firmware of the ECU, is being executed. Depending on the progress of reprogramming, it may be further divided into finer states, such as the update software being downloaded, the software being rewritten, and the software being reactivated.
  • The data type 401 is an index for identifying data having a specific common item.
  • The type is defined for each set of data using the same network area 402 and each set of data using the same network type 403.
  • The types, numbers, and formats of the data types 401 shown in FIG. 4 are examples, and are not limited to this example.
  • A monitoring priority is set for each data type 401 to be monitored.
  • The data types 401 of body control information, infotainment, and C2X communication are set to priority 1.
  • A priority of 3 is set for chassis control information, powertrain control information, functional safety information, automatic driving information, and external world recognition information.
  • Priority levels 0 to 3 are set for each vehicle state and data type 401.
  • The communication monitoring unit 2 sets a data monitoring method for each data type according to the set priority. For example, when the vehicle state is the high-speed traveling state 405, the network area 402 to which a data type 401 having a high priority belongs is preferentially monitored.
  • The network area 402 is, for example, a communication path, data bus, channel, or network interface over which each data type 401 mainly transmits and receives data.
  • Since the network area 402B is allocated to chassis control information, the monitoring frequency of the network area 402B is set high.
  • The priority 3 network areas 402B, C, D, and F are preferentially monitored.
  • The monitoring priority for the network areas 402A, E, and G with priority 1 is set low.
  • The priority of the monitoring target may be set based not only on the network area 402 but also on the network type used by each data type 401.
  • The network types with high priority are CAN, Ethernet (registered trademark), and LVDS, and these are monitored.
  • The monitoring priority is lowered.
  • As a data monitoring method for high priority (for example, priority 3), the monitoring frequency is set high (monitoring every time data reception occurs), and all of the data header, payload, and footer are monitored (processing S304). For example, it is monitored whether the values of the header, payload, and footer are the specified values.
  • As a data monitoring method for medium priority, the monitoring frequency is set to medium (once every several receptions, at fixed intervals, etc.), and only the data header and footer are monitored (processing S305).
  • As a data monitoring method for low priority (for example, priority 1), the monitoring frequency is set lower than for medium priority and only a part of the data header (for example, the ID) is monitored (processing S306).
  • the lowest priority (for example, priority 0)
  • The network areas 402B, C, D, E, and F related to chassis control information, powertrain control information, functional safety information, automatic driving information, infotainment, and external world recognition information, and the network 6 whose network type is Ethernet (registered trademark), are excluded from data monitoring.
  • The monitoring frequency is lowered and only the data ID is monitored.
  • The header, payload, and footer of the received data are monitored every time for high-priority data using the network area 402G or the wireless LAN related to C2X communication.
  • Data whose data type 401 is infotainment is monitored with medium priority, body control information is monitored with low priority, and the other data types 401 are excluded from monitoring.
  • The control state 404, the data type 401, the priority setting value, and the like are not limited to the example shown in FIG. That is, even if the data type 401, the network area 402, the network 6 type, the type and number of control states 404, the priority value setting, and the like are different from those in FIG.
  • FIG. 5 shows an example in which the priority and the monitoring method according to the automatic driving state of the vehicle are set for each individual data.
  • Manual driving 508, ACC 509, leading vehicle tracking 510, and automatic parking 511 are defined as the automatic driving state 507.
  • Data to be monitored includes data ID 501, data name 502, data transmission source 503, transmission destination 504, transmission method 505, and communication method 506.
  • The data ID 501 and the data name 502 are information indicating the type of data and may be in any format as long as the data can be distinguished from other data.
  • The data transmission source 503 and the transmission destination 504 are, for example, address information indicating the data transmission source ECU and the transmission destination ECU.
  • The transmission method 505 is the type of physical network carrying the data, such as Ethernet (registered trademark) or CAN.
  • The communication method 506 is the type of network protocol, for example, in the case of Ethernet (registered trademark), TCP, UDP, IP, or Ethernet (registered trademark) AVB (Audio/Video Bridging, hereinafter abbreviated as AVB).
  • The transmission source 503 is ECU_A, the transmission destination 504 is ECU_B, the transmission method 505 is Ethernet (registered trademark), and the communication method 506 in use is TCP/IP.
  • the priority is 0; in the case of ACC 509, priority 3 is set; in the case of leading vehicle tracking 510, priority 3 is set; and in the case of automatic parking 511, priority 1 is set.
  • Priorities are set for each automatic driving state 507 for each piece of data, such as landmark recognition information and steering camera (stereo camera) recognition information.
  • The communication monitoring unit 2 sets the priority according to the automatic driving state 507 and, when data is received, executes data monitoring by the monitoring method corresponding to the set priority.
  • Monitoring of the landmark recognition information is set to high priority (priority 3), monitoring of the data of the lane change enable/disable flag, the ACC enable/disable flag, and the leading vehicle follow-up enable/disable flag is set to medium priority (priority 2), and other data is excluded from monitoring.
  • When the automatic driving state 507 is ACC 509, monitoring of the data of the lane recognition information, the forward object information, and the vehicle speed setting information is set to high priority (priority 3); monitoring of the data of the ACC availability flag and the automatic driving interruption flag is set to medium priority (priority 2); monitoring of the landmark recognition information, the steering wheel sign recognition information, and the preceding vehicle information is set to low priority (priority 1); and other data is not monitored.
  • As a high-priority data monitoring method, the monitoring frequency is set high (such as monitoring every time), and all of the data ID 501, transmission source 503, transmission destination 504, transmission method 505, and communication method 506 information is monitored (processing S304). For example, it is monitored whether or not the data ID 501, the transmission source 503, the transmission destination 504, the transmission method 505, and the communication method 506 are the specified values.
  • As a medium-priority data monitoring method, the monitoring frequency is set to medium (once every several receptions, at fixed intervals, etc.), and any one of the data ID 501, the transmission source 503, the transmission destination 504, the transmission method 505, and the communication method 506 of the target data is monitored (processing S305).
  • As a low-priority data monitoring method, the monitoring frequency is set lower than for medium priority, and only one of the data ID 501, the transmission source 503, the transmission destination 504, the transmission method 505, and the communication method 506 of the target data is monitored (processing S306).
  • The lowest priority (for example, priority 0) may be set to be excluded from the monitoring target.
  • The definition related to the type of data, the definition of the automatic driving state 507, and the setting value of the priority are not limited to the example shown in FIG. That is, the data ID 501, the data name 502, the transmission source 503, the transmission destination 504, the transmission method 505, the definition relating to the type and number of the communication method 506, the definition relating to the type and number of the automatic driving state 507, and the monitoring priority in each automatic driving state 507 Even if the setting value of the degree is different from that in FIG.
  • According to the present embodiment, by setting the priority of data to be monitored on the in-vehicle network according to the own vehicle state, only important data can be selected and monitored, without monitoring all data. Therefore, it is possible to reduce the processing load for detecting data abnormality in the in-vehicle network.
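
The priority scheme of this embodiment (processing S303 to S306) can be sketched in C as follows. This is an added example, not code from the patent: the frame layout, the "specified values", the sampling intervals 2 and 4, and the assignment of the two non-traveling priority rows to the stopped and repro states are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Control states 405 to 407 and a subset of the data types 401. */
enum state { TRAVELING, STOPPED, REPRO, N_STATES };
enum dtype { BODY, CHASSIS, INFOTAINMENT, C2X, N_TYPES };

/* Monitoring priority per state and data type. The TRAVELING row follows the
 * description; which row belongs to STOPPED and which to REPRO is an assumption. */
static const uint8_t PRIO[N_STATES][N_TYPES] = {
    /*              BODY CHASSIS INFOTAINMENT C2X */
    [TRAVELING] = { 1,   3,      1,           1 },
    [STOPPED]   = { 1,   0,      2,           0 },
    [REPRO]     = { 1,   0,      0,           3 },
};

/* Inspect every Nth reception for priority 1..3 (2 and 4 are constructed values). */
static const uint32_t INTERVAL[4] = { 0, 4, 2, 1 };

/* Constructed frame: the header is just an ID, the footer an 8-bit payload sum. */
struct frame { enum dtype type; uint8_t id; uint8_t payload[4]; uint8_t footer; };
struct spec  { uint8_t id; uint8_t max_byte0; };
static const struct spec SPEC[N_TYPES] = {
    [BODY] = { 0x10, 1 },          [CHASSIS] = { 0x20, 100 },
    [INFOTAINMENT] = { 0x30, 50 }, [C2X] = { 0x40, 9 },
};

struct monitor { enum state st; uint32_t rx[N_TYPES]; };

uint8_t footer_of(const uint8_t *p) {
    return (uint8_t)(p[0] + p[1] + p[2] + p[3]);
}

/* S202/S203: on a state change, switch the priority row and restart sampling. */
void set_state(struct monitor *m, enum state st) {
    if (m->st != st) { m->st = st; memset(m->rx, 0, sizeof m->rx); }
}

/* S303 to S306. Returns -1 = not inspected, 0 = normal, 1 = abnormal. */
int monitor_frame(struct monitor *m, const struct frame *f) {
    uint8_t prio = PRIO[m->st][f->type];
    if (prio == 0) return -1;                               /* excluded */
    if (m->rx[f->type]++ % INTERVAL[prio] != 0) return -1;  /* skipped by frequency */

    if (f->id != SPEC[f->type].id) return 1;                /* ID: priority 1 to 3 */
    if (prio >= 2 && f->footer != footer_of(f->payload)) return 1;      /* footer */
    if (prio == 3 && f->payload[0] > SPEC[f->type].max_byte0) return 1; /* payload */
    return 0;
}

int main(void) {
    struct monitor m = { TRAVELING, {0} };
    struct frame f = { CHASSIS, 0x20, { 200, 0, 0, 0 }, 0 };
    f.footer = footer_of(f.payload);   /* footer consistent, payload out of range */
    printf("traveling/chassis: %d\n", monitor_frame(&m, &f));

    f.type = INFOTAINMENT; f.id = 0x30;
    set_state(&m, STOPPED);
    printf("stopped/infotainment: %d\n", monitor_frame(&m, &f));
    return 0;
}
```

The infotainment frame in `main` carries an out-of-range payload with a consistent footer, so it passes at priority 2 and would only be flagged at priority 3; that is the coverage given up in exchange for the lower processing load.
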
  • The in-vehicle network device 21 in the second embodiment includes a communication monitoring unit 22, a state acquisition unit 23, and a determination method setting unit 24, and has the same functions as the in-vehicle network device 1 in the first embodiment.
  • The communication monitoring unit 22 and the state acquisition unit 23 have the same functions as in the first embodiment.
  • The determination method setting unit 24 has the same function as the determination method setting unit 4 in the first embodiment.
  • The determination method setting unit 24 further includes a filter selection unit 25, a filter list 26, a filter stage number setting unit 28, and a filter update unit 29, and sets, according to the own vehicle state acquired by the state acquisition unit 23, the communication monitoring method executed by the communication monitoring unit 22 and the communication determination method in the communication determination unit 27.
  • The filter selection unit 25 has a function of selecting a filter to be used for communication determination from the filter list 26 according to the own vehicle state acquired by the state acquisition unit 23.
  • The filter stage number setting unit 28 has a function of setting the number of filter stages to be used according to the vehicle state acquired by the state acquisition unit 23.
  • The filter update unit 29 has a function of updating the filter list 26. Details of the filter list 26 will be described later.
  • The filter list 26 and the filter update unit 29 may be outside the in-vehicle network device 21, and when no change of the filter list 26 is necessary, the filter update unit 29 may be omitted.
  • The determination method setting unit 24 acquires the vehicle state by the state acquisition unit 23, and determines whether or not there has been a change since the previous acquisition (processing S701). When there is a change in the vehicle state, it is determined whether or not the corresponding filter has been registered in the filter setting information 800 (processing S702). Details of the filter setting information 800 will be described later.
  • The filter setting is changed to the registered filter setting (step S703).
  • If the filter setting is not set, it is determined whether or not there is a filter corresponding to the changed vehicle state in the filter list 26 (processing S704). If there is a filter corresponding to the changed vehicle state in the filter list 26, the filter stage number setting unit 28 sets the number of filter stages (step S705).
  • The filter selection unit 25 selects the type of filter to be used (processing S706). If a plurality of stages are set in step S705, filters corresponding to the number of stages are selected. If there is no corresponding filter in the process S704, it is determined whether or not the filter list 26 can be updated (process S707). If the filter list 26 can be updated, the filter update unit 29 adds a new filter or changes an existing filter (processing S708).
  • Step S705 and Step S206 are executed using the added or changed filter. If the filter cannot be updated, error processing is executed (processing S209).
  • As error processing, there is an abnormality countermeasure such as notification to a higher-level system. Details of the countermeasure against abnormality will be described later.
  • An example of the filter setting information 800 is shown in FIG. 8, and an example of the filter list 26 is shown in FIG.
  • A filter 802 corresponding to the vehicle state 801 is set.
  • A filter target data list 803 (hereinafter referred to as a target data list 803) and a filter type 804 are set.
  • In the target data list 803, information for identifying data to be filtered, for example, a data ID, is set.
  • The number of filters 802 is not limited to three as shown in FIG. 8, and the number set according to the vehicle state 801 may be changed.
  • The first filter 802 performs communication determination related to the network type for data with data IDs of 0x01 and 0x02.
  • The second filter 802 performs communication determination regarding the transmission source/destination for data with data IDs of 0x01 and 0x02.
  • The third filter 802 performs communication determination regarding the data size for data with data IDs of 0x01 and 0x02.
  • The first filter 802 performs communication determination regarding the data ID for 0x01 data.
  • The second filter 802 performs communication determination regarding the data transmission cycle for 0x02 data.
  • The combination of the target data list 803 and the filter type 804 is selected from the filter list 26 shown in FIG.
  • When the filter 802 related to the period 902 is used, the data is determined to be normal if the period is within an error of ±5% of the specified period of 10 ms.
  • When the filter 802 related to the data size 903 is used, the data is determined to be normal if the size is within an error of ±1 byte of the specified 4 bytes.
  • When the filter 802 relating to the transmission source 503 and the transmission destination 504 is used, the data is determined to be normal if the transmission source 503 is an address indicating ECU_A and the transmission destination 504 is an address indicating ECU_B or ECU_C.
  • The filter type and the determination threshold are set for each target data to be determined by each filter 802.
  • The target data list 803 in FIG. 8, the target data ID 901 in FIG. 9, and the monitoring target data 1001 in FIG. 10 all use data IDs.
  • The target data list 803 may be identification information indicating that the data passes through a specific communication path, bus, or channel.
  • The filter setting information 800 in FIG. 8 and the filter list 26 in FIG. 9 are examples, and setting methods other than those shown in this example may be used. Therefore, the filter setting information 800 may be in any format as long as the number, type, and combination method of the filters 802 can be set for each vehicle state 801. Similarly, the filter list 26 may have any format as long as the filtering method and threshold information for determination can be set for each monitoring target data 1001.
  • The method for determining normality or abnormality of data monitored on the in-vehicle network can be changed according to the state of the vehicle. Accordingly, the processing speed, processing load, determination accuracy, etc. can be adjusted flexibly.
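
The staged filters of FIG. 8 and the thresholds quoted above (10 ms ±5%, 4 bytes ±1 byte, ECU_A to ECU_B or ECU_C) can be combined as in the following C sketch, which is an added example and not the patent's implementation. The state names, the ECU address values, the per-state stage lists, and the use of the same thresholds for data IDs 0x01 and 0x02 are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical state names and ECU addresses (not taken from the patent). */
enum vehicle_state { ST_TRAVELING, ST_STOPPED, ST_COUNT };
enum { ECU_A = 0x0A, ECU_B = 0x0B, ECU_C = 0x0C, ECU_X = 0x7F };
enum filter_type { F_PERIOD, F_SIZE, F_SRC_DST };

/* Constructed frame metadata as seen by the communication determination unit. */
struct frame { uint8_t id, src, dst, size; uint32_t period_us; };

/* Filter list entry (cf. FIG. 9): determination thresholds per data ID. */
struct filter_entry {
    uint8_t  id;
    uint32_t period_us;   /* specified period */
    uint32_t period_pct;  /* allowed error in percent */
    uint8_t  size;        /* specified size in bytes */
    uint8_t  size_tol;    /* allowed error in bytes */
    uint8_t  src;         /* allowed transmission source */
    uint8_t  dst[2];      /* allowed transmission destinations */
};

static const struct filter_entry FILTER_LIST[] = {
    { 0x01, 10000, 5, 4, 1, ECU_A, { ECU_B, ECU_C } },
    { 0x02, 10000, 5, 4, 1, ECU_A, { ECU_B, ECU_C } },
};

/* Filter setting information (cf. FIG. 8): filter stages per vehicle state. */
#define MAX_STAGES 3
struct stage { enum filter_type type; uint8_t n_targets; uint8_t targets[2]; };
struct filter_setting { uint8_t n_stages; struct stage stages[MAX_STAGES]; };

static const struct filter_setting SETTINGS[ST_COUNT] = {
    [ST_TRAVELING] = { 3, { { F_SRC_DST, 2, { 0x01, 0x02 } },
                            { F_SIZE,    2, { 0x01, 0x02 } },
                            { F_PERIOD,  1, { 0x02 } } } },
    [ST_STOPPED]   = { 1, { { F_SRC_DST, 2, { 0x01, 0x02 } } } },
};

static const struct filter_entry *lookup(uint8_t id) {
    for (size_t i = 0; i < sizeof FILTER_LIST / sizeof FILTER_LIST[0]; i++)
        if (FILTER_LIST[i].id == id) return &FILTER_LIST[i];
    return NULL;
}

/* Returns 1 if the frame is within the thresholds of one filter, else 0. */
static int passes(enum filter_type t, const struct filter_entry *e,
                  const struct frame *f) {
    switch (t) {
    case F_PERIOD: {
        uint32_t tol = e->period_us * e->period_pct / 100;
        return f->period_us >= e->period_us - tol &&
               f->period_us <= e->period_us + tol;
    }
    case F_SIZE:
        return f->size + e->size_tol >= e->size &&
               f->size <= e->size + e->size_tol;
    case F_SRC_DST:
        return f->src == e->src &&
               (f->dst == e->dst[0] || f->dst == e->dst[1]);
    }
    return 0; /* unknown filter type: fail closed */
}

/* Runs the stages configured for the state. Returns 0 if normal, otherwise the
 * 1-based number of the first stage that judged the frame abnormal. */
int check_frame(enum vehicle_state st, const struct frame *f) {
    const struct filter_setting *s = &SETTINGS[st];
    for (int i = 0; i < s->n_stages; i++) {
        const struct stage *sg = &s->stages[i];
        int targeted = 0;
        for (int k = 0; k < sg->n_targets; k++)
            if (sg->targets[k] == f->id) targeted = 1;
        if (!targeted) continue;          /* stage does not apply to this ID */
        const struct filter_entry *e = lookup(f->id);
        if (e == NULL || !passes(sg->type, e, f)) return i + 1;
    }
    return 0;
}

int main(void) {
    struct frame late = { 0x02, ECU_A, ECU_B, 4, 10600 }; /* constructed: 6% slow */
    printf("traveling: %d, stopped: %d\n",
           check_frame(ST_TRAVELING, &late), check_frame(ST_STOPPED, &late));
    return 0;
}
```
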
  • The in-vehicle network device 31 in the third embodiment includes a communication monitoring unit 32, a state acquisition unit 33, and a determination method setting unit 34, and has the same functions as the in-vehicle network device 1 in the first embodiment.
  • The communication monitoring unit 32 and the state acquisition unit 33 have the same functions as in the first embodiment.
  • The determination method setting unit 34 has the same function as the determination method setting unit 4 in the first embodiment or the determination method setting unit 24 in the second embodiment. Further, the determination method setting unit 34 includes a monitoring group list 35, a group determination method setting unit 36, a monitoring group setting unit 38, and a monitoring data list 39, and has a function of grouping monitoring data according to the own vehicle state acquired by the state acquisition unit 33 and setting a method for determining communication data for each group.
  • The monitoring data list 39 is a list of data monitored by the communication monitoring unit 32, and includes any of: data identification information, address information related to the data transmission source / destination, information related to the data transmission method and communication method, information related to the data size, and information related to the data transmission cycle.
  • The monitoring data list 39 may be stored outside the determination method setting unit 34.
  • The monitoring group setting unit 38 has a function of grouping the data registered in the monitoring data list 39 based on the own vehicle state acquired by the state acquisition unit 33 and registering the groups in the monitoring group list 35.
  • The monitoring group list 35 is a list that defines groups of data to be monitored for each vehicle state, and includes a determination method for each group, group identification information, information for associating groups with individual data, unique information for determination, threshold information for determination, and monitoring priority information.
  • The monitoring group list 35 may be stored outside the determination method setting unit 34.
  • The group determination method setting unit 34 has a function of selecting a group of monitoring data registered in the monitoring group list 35 based on the own vehicle state acquired by the state acquisition unit 33 and setting a data determination method for each group.
  • The state acquisition unit 33 acquires the own vehicle state and determines whether it has changed since the previous acquisition (processing S1201). When the vehicle state has changed, it is checked whether a monitoring group list 35 corresponding to the vehicle state exists, and it is determined whether a monitoring group list 35 needs to be newly created or updated (processing S1202).
  • When the monitoring group list 35 needs to be created or updated, it is created or updated (processing S1203). An example of the monitoring group list 35 and an example of a list creation method will be described later. Next, a group determination method to be used for the communication determination described later is selected from the monitoring group list 35 and set for each vehicle state (processing S1204).
  • The communication monitoring unit 32 monitors data reception (process S1205).
  • The communication data is monitored for each specific group according to the monitoring group list 35, and whether the communication data in the group is abnormal is determined according to the group determination method set in step S1204 (step S1206).
  • A detailed example of the communication data determination method will be described later.
  • If the data is determined to be abnormal, error processing is executed (step S1207).
  • The error process is an abnormality countermeasure process such as notifying a higher system. Details of the countermeasure against abnormality will be described later.
  • The monitoring group list 35 is created based on the monitoring data list 39 shown in FIG.
  • The monitoring data list 39 is information relating to data to be monitored by the communication monitoring unit 32. It includes a data ID 1301 as data identification information, a transmission source 503 and a transmission destination 504 as address information indicating the sender and receiver of the data, a data transmission method 505, a data size 1302, a data transmission period 1303, and the like.
  • For data with a data ID 1301 of “100”, “ECU_A” is set as the address information of the transmission source 503, “ECU_B” as the address information of the transmission destination 504, “Ethernet (registered trademark)” as the transmission method 505, “100 bytes” as the data size 1302, and “1000 ms” as the data transmission cycle 1303.
  • The monitoring group setting unit 38 selects specific sets of data from the monitoring data list 39 and groups them for each vehicle state.
  • Grouping methods include collecting data having the same data ID 1301, data having the same transmission source 503 or transmission destination 504, data having the same transmission method 505, or data whose data size 1302 and transmission period 1303 are the same or similar.
  • A method may also be used in which an importance is set in advance for each data item and the data is grouped according to importance.
  • The rules for collecting data are not particularly limited.
  • FIG. 13 shows an example in which data having the same transmission source 503 and transmission destination 504 are placed in the same group, but the present embodiment can be realized even if the data is grouped by other methods.
  • Group identification information is set in the monitoring group list 35. For example, the group consisting of the data with data ID 1301 “101” and “102” is assigned the group ID 1304 “B”. A group may contain only one data item; for example, the data with the data ID 1301 of “100” may form a single-item group with the group ID 1304 “A”.
  • Unique information for the communication data determination described later (abbreviated as determination specific information) may be set using the registration information of the monitoring data list 39 as a key.
  • Determination specific information is generated using the transmission source 503, the transmission destination 504, and the transmission method 505 as keys.
  • The determination specific information I 1305 is generated by the following equation.
  • Determination specific information I = (transmission source << 8) + (transmission destination << 4) + transmission method
  • Here, (transmission source << 8) shifts the bit information indicating the transmission source 503 upward by 8 bits.
  • The determination specific information I 1305 is “0xBAC”.
  • The determination specific information II 1306 is generated by the following equation.
  • Determination specific information II = Data ID + Data size + Transmission cycle ⁇ 100
  • A plurality of determination specific information II 1306 values, each calculated individually for one data item, may be assigned to one group.
  • The determination specific information may also be generated with a hash function or the like, using specific information in the monitoring data list 39 as a key. That is, the present embodiment can be realized by any method as long as information unique to the determination can be generated using some information included in the data in the group as a key.
  • The communication monitoring unit 32 calculates the determination specific information for received data and searches the monitoring group list 35 for the calculated value. If the value is not registered, the data is determined to be abnormal. Because the determination specific information may coincide with a registered value even when the data is abnormal, a plurality of types of determination specific information may be used in combination. For example, the determination specific information I 1305 is searched first, and if the values match, the determination specific information II 1306 is searched next; the data is determined to be normal only when both values match.
  • The monitoring group list 35 may include information on the priority 1308 and the determination method 1309 in addition to the determination specific information.
  • A monitoring priority 1308 is set for each group ID 1304.
  • The method shown in the first embodiment is used. For example, there is a method in which data of a group with a high priority 1308 is individually monitored, and data of a group with a low priority 1308 is excluded from monitoring.
  • As the determination method 1309, there is a method in which an upper limit size and a lower limit size of data are set for each group, and data whose data size 1302 does not fall within the predetermined thresholds is determined to be abnormal data. Further, an average data transfer amount for the data in the group may be set, and data may be determined to be abnormal if the amount does not fall within a predetermined threshold.
  • The monitoring group list 35 is not limited to the example shown in FIG. 13; it is sufficient if it includes any of a determination method for each group, group identification information, information for associating groups with individual data, unique information for determination, threshold information for determination, and priority information for determination.
  • A plurality of monitoring data is grouped according to a specific rule and monitored for each group, so the data can be monitored with a lower processing load than when each data item is monitored individually.
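The group-based check of the third embodiment, as an added example that is not code from the patent: it selects a monitoring group list by vehicle state, looks up determination specific information I, then applies the per-group size thresholds. The 4-bit ECU and method codes, the two vehicle states, the list contents and all function names are assumptions; the range check on the 4-bit fields is an addition showing how an oversized code would otherwise alias a registered key.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 4-bit codes for illustration; the page does not give the real encoding. */
enum { ECU_A = 0xB, ECU_B = 0xA, ECU_C = 0x3, METHOD_ETHERNET = 0xC, METHOD_CAN = 0x1 };
typedef enum { STATE_PARKED, STATE_DRIVING } vehicle_state_t;   /* hypothetical states */
typedef enum { VERDICT_NORMAL, VERDICT_UNKNOWN_KEY, VERDICT_BAD_SIZE, VERDICT_BAD_FIELD } verdict_t;

typedef struct { uint8_t src, dst, method; uint16_t size; } frame_meta_t;

typedef struct {
    char     group_id;   /* group ID 1304 */
    uint16_t info1;      /* determination specific information I */
    uint16_t min_size;   /* per-group size thresholds (determination method 1309) */
    uint16_t max_size;
} group_entry_t;

/* One monitoring group list per vehicle state (constructed sample data). */
static const group_entry_t list_parked[]  = { { 'A', 0xBAC, 64, 128 } };
static const group_entry_t list_driving[] = { { 'A', 0xBAC, 64, 128 }, { 'B', 0x3B1, 1, 8 } };

/* I = (source << 8) + (destination << 4) + method.
 * Destination and method each occupy a 4-bit field, so larger codes are rejected:
 * otherwise they carry into the neighbouring field and alias another key. */
static bool compute_info1(const frame_meta_t *f, uint16_t *out)
{
    if (f->dst > 0xF || f->method > 0xF)
        return false;
    *out = (uint16_t)(((unsigned)f->src << 8) + ((unsigned)f->dst << 4) + f->method);
    return true;
}

/* Same formula without the range check, kept only to show the aliasing. */
static uint16_t info1_unchecked(const frame_meta_t *f)
{
    return (uint16_t)(((unsigned)f->src << 8) + ((unsigned)f->dst << 4) + f->method);
}

static verdict_t classify(vehicle_state_t state, const frame_meta_t *f)
{
    const group_entry_t *list = (state == STATE_DRIVING) ? list_driving : list_parked;
    size_t n = (state == STATE_DRIVING) ? sizeof list_driving / sizeof list_driving[0]
                                        : sizeof list_parked / sizeof list_parked[0];
    uint16_t key;

    if (!compute_info1(f, &key))
        return VERDICT_BAD_FIELD;
    for (size_t i = 0; i < n; i++) {
        if (list[i].info1 != key)
            continue;                        /* stage 1: is the key registered? */
        if (f->size < list[i].min_size || f->size > list[i].max_size)
            return VERDICT_BAD_SIZE;         /* stage 2: group threshold check */
        return VERDICT_NORMAL;
    }
    return VERDICT_UNKNOWN_KEY;              /* unregistered key is treated as abnormal */
}

int main(void)
{
    frame_meta_t ok    = { ECU_A, ECU_B, METHOD_ETHERNET, 100 };
    frame_meta_t alias = { 0xA, 0x1A, METHOD_ETHERNET, 100 };   /* constructed */
    printf("ok=%d alias_key=0x%X alias=%d\n", classify(STATE_DRIVING, &ok),
           (unsigned)info1_unchecked(&alias), classify(STATE_DRIVING, &alias));
    return 0;
}
```

The constructed `alias` frame yields the registered key 0xBAC under the unchecked formula, which is the coincidence the description warns about and the reason a second check is combined with the first.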
  • The in-vehicle network device 41 includes a communication monitoring unit 42, a state acquisition unit 43, and a determination method setting unit 44, and has the same function as the in-vehicle network device 1/21/31 in the first embodiment, second embodiment, or third embodiment.
  • The in-vehicle network device 41 also has an abnormality countermeasure list 45 and a countermeasure execution unit 46, and has a function of selecting a countermeasure method from the abnormality countermeasure list 45 and executing it when the communication determination unit 47 of the communication monitoring unit 42 detects an abnormality in communication data.
  • The communication monitoring unit 42, the state acquisition unit 43, and the determination method setting unit 44 have the same functions as those in the first embodiment, the second embodiment, or the third embodiment.
  • The abnormality countermeasure list 45 includes a list of countermeasure methods corresponding to the state of the vehicle acquired by the state acquisition unit 43 or to the content of the communication data in which an abnormality is detected by the communication determination unit 47.
  • The countermeasure execution unit 46 has a function of selecting, from the abnormality countermeasure methods registered in the abnormality countermeasure list 45, the countermeasure method corresponding to the vehicle state or to the content of the communication data in which the communication determination unit 47 detected the abnormality, and executing it.
  • The communication monitoring unit 42 determines whether there is an abnormality in the communication data according to the processing flow of any one of the first embodiment, the second embodiment, and the third embodiment (processing S1501). If an abnormality is detected in the communication data, it is determined whether a countermeasure method corresponding to the state of the vehicle at the time of abnormality detection and the content of the communication data in which the abnormality is detected is in the abnormality countermeasure list 45 (processing S1502). If there is a countermeasure method in the abnormality countermeasure list 45, the countermeasure method is selected and executed (step S1503).
  • Otherwise, an error process is executed (process S1504).
  • Error processing includes, for example, notifying the host system of the abnormality and registering a new countermeasure method in the abnormality countermeasure list 45. Further, a countermeasure method for the case where no condition applies may be registered in the abnormality countermeasure list 45 in advance and executed as the error processing.
  • FIG. 16A is an example of the abnormality countermeasure list 45 related to the first embodiment.
  • A countermeasure method is registered corresponding to the vehicle state and to the network type 403, the transmission source 503, and the transmission destination 504 of the data in which the abnormality was detected.
  • Examples of the countermeasure method 1602 include notification of abnormality, deceleration, stop, automatic operation cancellation, network disconnection, log storage, and the like, but countermeasures other than those described in this example may be newly registered.
  • A countermeasure ID 1603 may be assigned to the countermeasure method 1602 as identification information, and a countermeasure method 1602 in which a plurality of countermeasure methods 1602 are combined may be registered.
  • FIG. 16B is an example of the abnormality countermeasure list 45 related to the second embodiment.
  • A countermeasure method 1602 is registered corresponding to the own vehicle state 1601 and the filter type 1605 that detected the abnormality.
  • FIG. 16C is an example of the abnormality countermeasure list 45 related to the third embodiment.
  • A countermeasure method 1602 is registered corresponding to the own vehicle state 1601 and to the group ID 1304, the data ID 1301, or the determination specific information 1607 of the data in which the abnormality was detected.
  • The items and format of the abnormality countermeasure list 45 shown in FIG. 16 are not limited to this example.
  • A plurality of abnormality countermeasure lists 45 may be used simultaneously or by switching between them.

Landscapes

  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Mechanical Engineering (AREA)
  • Human Computer Interaction (AREA)
  • Transportation (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Control Of Driving Devices And Active Controlling Of Vehicle (AREA)

Abstract

The invention enables unauthorized data transferred over an in-vehicle network to be detected with a simple configuration, without increasing the data processing load in an in-vehicle device, even during complicated control such as automatic driving. An in-vehicle network device 1 comprises a communication monitoring unit 2, a state acquisition unit 3, and a determination method setting unit 4. The communication monitoring unit 2 monitors data passing through a network 6, and changes the communication monitoring method according to the state of the vehicle acquired by the state acquisition unit. The communication monitoring unit 2 has a communication determination unit 7 and determines, according to the determination method set in the determination method setting unit 4, whether or not there is any abnormality in the data passing through the in-vehicle network device 1 via the network 6.
PCT/JP2016/072719 2015-09-04 2016-08-03 In-vehicle network device Ceased WO2017038351A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2015-174303 2015-09-04
JP2015174303A JP6531011B2 (ja) 2015-09-04 2015-09-04 In-vehicle network device

Publications (1)

Publication Number Publication Date
WO2017038351A1 true WO2017038351A1 (fr) 2017-03-09

Family

ID=58187146

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2016/072719 Ceased WO2017038351A1 (fr) 2015-09-04 2016-08-03 In-vehicle network device

Country Status (2)

Country Link
JP (1) JP6531011B2 (fr)
WO (1) WO2017038351A1 (fr)

Also Published As

Publication number Publication date
JP2017047835A (ja) 2017-03-09
JP6531011B2 (ja) 2019-06-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16841383

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16841383

Country of ref document: EP

Kind code of ref document: A1