[go: up one dir, main page]

WO2018211790A1 - Ecu - Google Patents

Ecu Download PDF

Info

Publication number
WO2018211790A1
WO2018211790A1 PCT/JP2018/008882 JP2018008882W WO2018211790A1 WO 2018211790 A1 WO2018211790 A1 WO 2018211790A1 JP 2018008882 W JP2018008882 W JP 2018008882W WO 2018211790 A1 WO2018211790 A1 WO 2018211790A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
ecu
received
cpu
time
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2018/008882
Other languages
French (fr)
Japanese (ja)
Inventor
浩介 中園
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bosch Corp
Original Assignee
Bosch Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bosch Corp filed Critical Bosch Corp
Priority to DE112018002549.7T priority Critical patent/DE112018002549T5/en
Priority to JP2019519078A priority patent/JP6838147B2/en
Priority to CN201880047811.3A priority patent/CN110915170B/en
Publication of WO2018211790A1 publication Critical patent/WO2018211790A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30Services specially adapted for particular environments, situations or purposes
    • H04W4/40Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W4/48Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for in-vehicle communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40208Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215Controller Area Network CAN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40267Bus for use in transportation systems
    • H04L2012/40273Bus for use in transportation systems the transportation system being a vehicle

Definitions

  • the present invention relates to an ECU, and is particularly suitable for application to an ECU disposed on an in-vehicle network.
  • CAN network In recent years, an in-vehicle network (CAN network) using a communication standard called CAN (Controller Area Network) has become widespread.
  • This CAN network is configured by connecting a plurality of electronic control units (ECUs) installed in a vehicle and a communication bus (CAN bus) using CAN.
  • the ECU can communicate (CAN communication) with other ECUs via the CAN bus.
  • the CAN bus is provided with a data link connector (DLC) while connecting the ECUs so that they can communicate with each other.
  • DLC data link connector
  • OBD On Board Diagnostics
  • Incorrect data is transmitted from a device connected to the DLC by wire to the CAN bus, or when a device capable of wireless communication is connected to the DLC and transmitted wirelessly to the CAN bus via this device. You could think so.
  • Patent Document 1 the difference between the previous transmission timing and the current transmission timing is calculated as the transmission cycle for the data transmitted to the CAN bus, and this transmission cycle is stored in advance as an invalid data determination.
  • a technique for determining the currently transmitted data as illegal data is disclosed.
  • one ECU can monitor the CAN bus, and can detect and invalidate this before another ECU completes reception of illegal data.
  • unauthorized data with the same ID and different ID as the legitimate data enters the CAN bus, and all the ECUs connected to the in-vehicle network are prevented from impersonation attacks that cause malfunction of the ECUs connected to the CAN bus. It can be defended.
  • Patent Document 1 requires an additional device for constantly monitoring data transmitted to the CAN bus. Specifically, in addition to a normal communication line that connects the ECU and the CAN bus, an additional communication line that connects the ECU and the CAN bus in parallel with this is further required. Further, additional processing such as processing for constantly monitoring data on the CAN bus, processing for determining whether or not the data is illegal, and invalidation processing when the data is illegal is required.
  • the present invention has been made in consideration of the above points, and proposes an ECU that can realize security protection while avoiding the complexity and cost increase of an in-vehicle network.
  • the CPU (100) of the ECU (10) is properly connected via the communication bus (20).
  • the data (D1) After receiving the data (D1), the data (D2 to D8) having the same ID as the regular data (D1) is received, and the number of times the data (D2 to D8) having the same ID is received within a certain period is determined in advance. If it is equal to or greater than the specified number of times (DC), it is determined that the state is abnormal, and a transition is made to a safe control state.
  • DC specified number of times
  • FIG. 1 is an overall configuration diagram of an in-vehicle network. It is an internal block diagram of ECU. It is a flowchart of a reception process. It is a conceptual diagram of a reception process.
  • FIG. 1 shows the overall configuration of the in-vehicle network N1 in the vehicle 1.
  • the in-vehicle network N1 is a network using a communication standard called CAN (Controller Area Network), and includes an electronic control unit (ECU) 10 and a CAN bus 20.
  • ECU electronice control unit
  • the ECU 10 is a control device that controls various operations of the vehicle 1.
  • the ECU 10 includes a CPU (Central Processing Unit), a RAM (Random Access Memory), a ROM (Read Only Memory), an input / output interface, and the like.
  • Each ECU 10 is connected to a CAN bus 20.
  • the ECUs 10 are connected to each other via the CAN bus 20 so as to communicate with each other.
  • the ECU 10 As the ECUs 10 connected to the CAN bus 20, the ECU 10 called an engine ECU comprehensively controls the operation of the vehicle 1. Therefore, in the present embodiment, by applying the present invention to this engine ECU, it is intended to realize security protection especially for control related to traveling.
  • the CAN bus 20 is a communication bus using CAN, and connects the ECUs 10 so that they can communicate with each other.
  • the CAN bus 20 includes a data link connector (DLC) 30.
  • the DLC 30 is a connection connector for connecting the scan tool 40 to the CAN bus 20 by wire or wireless.
  • a fault code generated by a self-diagnosis function (OBD: On Board Diagnostics) provided in the ECU 10 can be read.
  • OBD On Board Diagnostics
  • the service engineer can specify the failure location of the vehicle 1 with reference to the failure code displayed on the display screen of the scan tool 40.
  • illegal data is transmitted to the CAN bus 20 from the outside of the vehicle 1 via the DLC 30.
  • the illegal data here refers to data that is at least transmitted to the CAN bus 20 at a different timing from the regular data.
  • the ID of one regular data is “1” and is transmitted to the CAN bus 20 every “100 ms”
  • the data transmitted to the CAN bus 20 every “120 ms” is “1”.
  • it is handled as invalid data.
  • data with different IDs, or data with different contents even if the IDs are the same are naturally invalid data.
  • the ECU 10 connected to the CAN bus 20 receives this and performs arithmetic processing.
  • the engine ECU receives illegal data and performs arithmetic processing, there is a possibility that control relating to traveling may become impossible.
  • the ECU 10 even if unauthorized data is transmitted to the CAN bus 20, the ECU 10 excludes the unauthorized data from the target of the arithmetic processing, and only the regular data is the target of the arithmetic processing. Like to do. If the number of times that the ECU 10 receives illegal data via the CAN bus 20 increases, it is determined that this is an abnormal state and a safe control state is entered.
  • the safe control state includes a state where the engine is stopped (a state where the engine is stopped), a state where reception of data from the CAN bus 20 is refused, a state where the vehicle shifts to a limp home mode which maintains traveling with the minimum gear stage, etc. There is.
  • FIG. 2 shows the internal configuration of the ECU 10.
  • the ECU 10 includes a memory such as a RAM and a ROM (not shown), an input / output interface, and a CPU 100.
  • the CPU 100 includes programs or memories such as a data transmission / reception unit 101, a reception data monitoring unit 102, a CAN buffer 103, a control determination unit 104, and a calculation unit 105.
  • the data transmitting / receiving unit 101 receives normal or illegal data D0 to D8 from the CAN bus 20 and outputs them to the received data monitoring unit 102. Further, the data transmitting / receiving unit 101 transmits operation results D21 and D22 for the regular data among these data D0 to D8 or fail-safe data D23 for shifting to a safe control state to the CAN bus 20.
  • the calculation results D21 and D22 and fail-safe data D23 are then used for operations of other ECUs 10 and other devices.
  • the other ECU 10 or another device receives the fail safe data D23, safe control is executed regardless of the operation of the driver.
  • the received data monitoring unit 102 When the received data monitoring unit 102 receives regular or illegal data D0 to D8 from the data transmitting / receiving unit 101, the received data monitoring unit 102 outputs these data to the CAN buffer 103 and counts the number of times these data D0 to D8 are received. It is determined whether or not the state is abnormal.
  • the received data monitoring unit 102 when the received data monitoring unit 102 receives one regular data D0 as a reference, it outputs this to the CAN buffer 103 and starts a timer T held in the CPU 100 to count the time. Start.
  • the received data monitoring unit 102 refers to the specified time DT associated in advance for each ID, and outputs the received data D0 to D8 to the CAN buffer 103 until the specified time DT elapses.
  • the counter C counts the number of times these data D0 to D8 are received. That is, the reception data monitoring unit 102 counts the number of data receptions per unit time.
  • the reception data monitoring unit 102 refers to a predetermined number of times DC, and determines whether or not the number of receptions counted by the counter C is equal to or greater than the number of times DC. When the number of receptions exceeds the specified number of times DC, the reception data monitoring unit 102 determines that the state is abnormal. The reception data monitoring unit 102 outputs a monitoring result indicating an abnormal state to the control determination unit 104.
  • the CAN buffer 103 is a memory for storing data waiting for arithmetic processing. Based on the monitoring result from the received data monitoring unit 102, the control determination unit 104 determines whether the data stored in the CAN buffer 103 is to be calculated or excluded from the calculation target. Then, the control determination unit 104 outputs the determination result to the calculation unit 105.
  • the calculation unit 105 Based on the determination result from the control determination unit 104, the calculation unit 105 receives the data received within a predetermined time (within the window) after the lapse of the specified time DT among the data D0 to D8 stored in the CAN buffer 103. Calculation processing is performed to generate calculation results D21 and D22. Alternatively, the fail-safe data D23 is generated by excluding the calculation target.
  • the arithmetic unit 105 receives the data D0 for the data with the ID “1”. Thereafter, the data received in the window of 100 ms to 110 ms or 95 ms to 105 ms is arithmetically processed to generate arithmetic results D21 and D22.
  • the operation unit 105 excludes the data D0 to D8 stored in the CAN buffer 103 from the operation target, and generates fail-safe data D23 for shifting to a safe control state.
  • the calculation unit 105 outputs the generated calculation results D21 and D22 or fail-safe data D23 to the data transmission / reception unit 101.
  • FIG. 3 shows a flowchart of reception processing in the present embodiment.
  • the reception process is started from the time when the counter C is activated by the CPU 100 of the ECU 10, and is continuously executed thereafter.
  • the start timing of the counter C is assumed to be when the ECU 10 is powered on, but is not necessarily limited thereto.
  • the CPU 100 starts the counter C and starts counting the number of receptions (S1). Thereafter, when the CPU 100 receives one regular data from the CAN bus 20 (S2), it starts the timer T and starts counting time (S3).
  • the CPU 100 Since the CPU 100 has started the timer T and has received regular data in step S2, the CPU 100 counts up the number of receptions i by +1 (S4). Then, the CPU 100 determines whether or not the number of receptions i is i ⁇ the specified number of times DC (S5).
  • step S5 when it is determined that the specified number of times DC is “6”, the number of receptions i is “1” at the time when one regular data is received, so that the number of receptions i ⁇ the specified number of times DC, In step S5, a negative result is obtained.
  • the CPU 100 When the CPU 100 obtains a negative result in the determination at step S5 (S5: N), it outputs the received regular data to the CAN buffer 103 (S6). Then, the CPU 100 determines whether there is other received data after starting the timer T (S7). When the CPU 100 obtains a positive result in the determination at step S7 (S7: Y), the CPU 100 proceeds to step S4 and repeats the above processing.
  • step S7 the CPU 100 starts counting at the specified time DT associated with the ID of the regular data received at step S2, and at step S3. Referring to the count time, it is determined whether or not the count time has passed the specified time DT (S8).
  • step S8 When the CPU 100 obtains a negative result in the determination at step S8 (S8: N), the CPU 100 proceeds to step S4 until the count time passes the specified time DT, and repeats the above processing.
  • the CPU 100 obtains a positive result in the determination at step S5 (S5: Y), it determines that the state is abnormal (S9). And CPU100 transfers to a safe control state (S10), and complete
  • the CPU 100 obtains a positive result in the determination at step S8 (S8: Y), it stops and restarts the counter C, thereby resetting the number of counts and restarting counting the number of receptions (S12). ).
  • the CPU 100 determines whether data stored in the CAN buffer 103 is received within a predetermined time (in the window) after the lapse of the specified time DT (S13).
  • FIG. 4 shows a conceptual diagram of the reception process described in FIG. Hereinafter, the processing of the data D0 to D8 will be described along the time series.
  • the received data monitoring unit 102 starts the timer T and refers to the specified time DT. Further, the number of receptions of the counter C is incremented by +1.
  • the data D0 is output to the CAN buffer 103.
  • the data D0 stored in the CAN buffer 103 is calculated by the control determination unit 104 and then processed by the calculation unit 105. As a result, a calculation result D21 is generated.
  • the received data monitoring unit 102 monitors the received data. Specifically, time is counted by the timer T, and the number of receptions is counted by the counter C. Here, since only the data D0 is received, the number of receptions is one.
  • the data D1 is then output to the CAN buffer 103, and after being determined as a calculation target by the control determination unit 104, is calculated by the calculation unit 105. As a result, a calculation result D22 is generated.
  • the received data is monitored again.
  • a plurality of illegal data D2 to D7 are received during this period.
  • the monitoring result from the received data monitoring unit 102 is output to the control determining unit 104, and the data received thereafter by the control determining unit 104 is excluded from the calculation processing target.
  • the second window W is set here. As described above, the window W is periodically provided every time the specified time DT elapses.
  • the number of receptions of data having the same ID as data D0 among the data received thereafter is counted and within a certain period. If the number of receptions does not reach the specified number of times DC, the data D1 received thereafter is processed, and if the number of receptions exceeds the specified number of times DC, it is determined that the state is abnormal, and a safe control state is entered. I tried to do it.
  • the timer T is started when the regular data D0 is received, the number of times of reception of the data received until the count time exceeds the specified time DT, and the number of received times is the specified number of times DC. If the number of receptions reaches the specified number of times DC, the regular data D8 is excluded from the computation processing target. Instead, fail-safe data D23 is generated, and based on this, a safe control state is entered.
  • the ID and the specified time DT are associated with each other in advance, but in addition to this, the specified time DT and the window width (the time between time t1 and t3 in FIG. 4) are It is good also as matched.
  • the specified time DT is “99 ms” and the window width is “10 ms”
  • the specified time DT is “50 ms” and the window width is “5 ms” may be associated in advance. That is, the window width may be variable according to the number of receptions per unit time.
  • the data having a large number of receptions per unit time can be made shorter by making the window width short so that illegal data can be easily excluded from the processing target. Therefore, security protection can be realized more reliably.
  • the number of receptions is once reset when the count time exceeds the specified time DT.
  • the present invention is not limited to this, and may not be reset until the total number of receptions reaches the specified number of times DC. Good. That is, after the counter C starts counting the number of times of reception, the number of times of reception may be reset when the total number of times of reception of data received outside the window W provided periodically reaches the specified number of times DC. .
  • the processing can be simplified. Further, even if the illegal data is not received to the extent that it is determined to be abnormal, it can be determined that it is abnormal if it is regularly received.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Small-Scale Networks (AREA)

Abstract

Proposed is an ECU that can realize security protection while avoiding an increase in the complexity and cost of an in-vehicle network. An ECU (10) connected to a CAN bus (20) is characterized in that a CPU (100) of the ECU (10) receives normal data (D1) via the communication bus (20), thereafter receives data (D2-D8) for which the ID is identical to the normal data (D1), and if the number of times data (D2-D8) with the identical ID is received within a certain period is greater than a predetermined prescribed number of times (DC), determines the state to be abnormal and transitions to a safe control state.

Description

ECUECU

 本発明は、ECUに関し、特に車載ネットワーク上に配置されるECUに適用して好適なものである。 The present invention relates to an ECU, and is particularly suitable for application to an ECU disposed on an in-vehicle network.

 近年、CAN(Controller Area Network)と呼ばれる通信規格を利用した車載ネットワーク(CANネットワーク)が普及している。このCANネットワークは、車両に設置された複数の電子制御装置(ECU:Electronic Control Unit)と、CANを利用した通信バス(CANバス)とが接続されて構成される。ECUは、このCANバスを介して、他のECUと互いに通信(CAN通信)することができる。 In recent years, an in-vehicle network (CAN network) using a communication standard called CAN (Controller Area Network) has become widespread. This CAN network is configured by connecting a plurality of electronic control units (ECUs) installed in a vehicle and a communication bus (CAN bus) using CAN. The ECU can communicate (CAN communication) with other ECUs via the CAN bus.

 CANバスは、ECU同士を互いに通信可能に接続する一方で、データリンクコネクタ(DLC:Data Link Connector)を備える。このデータリンクコネクタに専用の機器を接続することで、ECUが備える自己診断機能(OBD:On Board Diagnostics)により生成される故障コードを読み取ることができる。故障コードを参照することで、例えばサービスエンジニアは故障箇所を容易に特定することができる。 The CAN bus is provided with a data link connector (DLC) while connecting the ECUs so that they can communicate with each other. By connecting a dedicated device to this data link connector, it is possible to read a fault code generated by a self-diagnosis function (OBD: On Board Diagnostics) provided in the ECU. By referring to the failure code, for example, a service engineer can easily identify the failure location.

 ところで、このDLCが不正に利用された場合、具体的にはDLCを介して、正規のデータとIDが同一で中身が異なる不正なデータが外部からCANバスに送信された場合、CANバスに接続されているECUがこの不正なデータを受信して誤動作するおそれがある。よってセキュリティ保護の観点から、このような不正なデータを防御する技術が必要となる。 By the way, when this DLC is used illegally, specifically, when illegal data having the same ID and the same ID as the regular data is transmitted from the outside to the CAN bus via the DLC, it is connected to the CAN bus. There is a possibility that the ECU that has been received receives this illegal data and malfunctions. Therefore, from the viewpoint of security protection, a technique for protecting such illegal data is required.

 なお不正なデータは、DLCに有線で接続された機器からCANバスに送信される場合と、DLCに無線通信可能な機器が接続されて、この機器を介して無線でCANバスに送信される場合とが考えられる。 Incorrect data is transmitted from a device connected to the DLC by wire to the CAN bus, or when a device capable of wireless communication is connected to the DLC and transmitted wirelessly to the CAN bus via this device. You could think so.

 特許文献1には、CANバスに対して送信されたデータについて、前回の送信タイミングと、今回の送信タイミングとの間の差分を送信周期として算出し、この送信周期と、予め記憶する不正データ判定用の送信周期とを比較し、比較した結果、算出した送信周期が不正データ判定用の送信周期よりも短い場合、今回送信されたデータを不正データとして判定する技術が開示されている。 In Patent Document 1, the difference between the previous transmission timing and the current transmission timing is calculated as the transmission cycle for the data transmitted to the CAN bus, and this transmission cycle is stored in advance as an invalid data determination. As a result of comparison with a transmission cycle for use and a comparison result, when the calculated transmission cycle is shorter than the transmission cycle for determining illegal data, a technique for determining the currently transmitted data as illegal data is disclosed.

 この特許文献1に記載の技術によれば、一のECUがCANバスを監視し、他のECUが不正データの受信を完了する前にこれを検出して無効化することができる。これにより正規なデータとIDが同一で中身が異なる不正なデータがCANバスに侵入し、CANバスに接続されているECUの誤動作を引き起こすなりすまし攻撃から、車載ネットワークに接続している全てのECUを防御することができるとしている。 According to the technique described in Patent Document 1, one ECU can monitor the CAN bus, and can detect and invalidate this before another ECU completes reception of illegal data. As a result, unauthorized data with the same ID and different ID as the legitimate data enters the CAN bus, and all the ECUs connected to the in-vehicle network are prevented from impersonation attacks that cause malfunction of the ECUs connected to the CAN bus. It can be defended.

特開2014-236248号公報JP 2014-236248 A

 しかしこの特許文献1に記載の技術では、CANバスに対して送信されたデータを常時監視するための追加の機器が必要になる。具体的には、ECUとCANバスとを接続する通常の通信線に加えて、これと並列にこのECUとCANバスとを接続する追加の通信線が更に必要となる。またCANバス上のデータを常時監視する処理、不正データか否かを判定する処理及び不正データである場合の無効化処理等の追加の処理が必要になる。 However, the technique described in Patent Document 1 requires an additional device for constantly monitoring data transmitted to the CAN bus. Specifically, in addition to a normal communication line that connects the ECU and the CAN bus, an additional communication line that connects the ECU and the CAN bus in parallel with this is further required. Further, additional processing such as processing for constantly monitoring data on the CAN bus, processing for determining whether or not the data is illegal, and invalidation processing when the data is illegal is required.

 よって車載ネットワークのハードウェア構成及びソフトウェア構成が複雑化し、これに伴い、車載ネットワークを実現するための全体のコストが増加するという課題が生じる。 Therefore, the hardware configuration and software configuration of the in-vehicle network become complicated, and this causes a problem that the overall cost for realizing the in-vehicle network increases.

 本発明は以上の点を考慮してなされたものであり、車載ネットワークの複雑化及びコストの増加を回避しつつ、セキュリティの保護を実現し得るECUを提案する。 The present invention has been made in consideration of the above points, and proposes an ECU that can realize security protection while avoiding the complexity and cost increase of an in-vehicle network.

 かかる課題を解決するために、本発明においては、CANバス(20)に接続されているECU(10)において、ECU(10)のCPU(100)は、通信バス(20)を介して正規のデータ(D1)を受信した後、正規のデータ(D1)とIDが同一のデータ(D2~D8)を受信し、IDが同一のデータ(D2~D8)の一定期間内における受信回数が予め定められた規定回数(DC)以上である場合、異常な状態であると判断して、安全な制御状態に移行することを特徴とする。 In order to solve such a problem, in the present invention, in the ECU (10) connected to the CAN bus (20), the CPU (100) of the ECU (10) is properly connected via the communication bus (20). After receiving the data (D1), the data (D2 to D8) having the same ID as the regular data (D1) is received, and the number of times the data (D2 to D8) having the same ID is received within a certain period is determined in advance. If it is equal to or greater than the specified number of times (DC), it is determined that the state is abnormal, and a transition is made to a safe control state.

 本発明によれば、車載ネットワークの複雑化及びコストの増加を回避しつつ、セキュリティの保護を実現することができる。 According to the present invention, it is possible to realize security protection while avoiding the complexity and cost increase of the in-vehicle network.

車載ネットワークの全体構成図である。1 is an overall configuration diagram of an in-vehicle network. ECUの内部構成図である。It is an internal block diagram of ECU. 受信処理のフローチャートである。It is a flowchart of a reception process. 受信処理の概念図である。It is a conceptual diagram of a reception process.

 以下本発明について、図面を参照しながら本発明の一実施の形態を詳述する。なお以下の説明はあくまで本発明の一実施の形態にすぎず、本発明の技術的範囲がこれに限定されるものではない。 Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. The following description is merely an embodiment of the present invention, and the technical scope of the present invention is not limited to this.

 図1は、車両1における車載ネットワークN1の全体構成を示す。車載ネットワークN1は、CAN(Controller Area Network)と呼ばれる通信規格を利用したネットワークであり、電子制御装置(ECU:Electronic Control Unit)10及びCANバス20を備えて構成される。 FIG. 1 shows the overall configuration of the in-vehicle network N1 in the vehicle 1. The in-vehicle network N1 is a network using a communication standard called CAN (Controller Area Network), and includes an electronic control unit (ECU) 10 and a CAN bus 20.

 ECU10は、車両1の各種動作を制御する制御装置である。ECU10は、CPU(Central Processing Unit)、RAM(Random Access Memory)、ROM(Read Only Memory)及び入出力インタフェース等を備えて構成される。各ECU10は、それぞれCANバス20に接続される。これにより各ECU10は、CANバス20を介して互いに通信可能に接続される。 The ECU 10 is a control device that controls various operations of the vehicle 1. The ECU 10 includes a CPU (Central Processing Unit), a RAM (Random Access Memory), a ROM (Read Only Memory), an input / output interface, and the like. Each ECU 10 is connected to a CAN bus 20. Thus, the ECUs 10 are connected to each other via the CAN bus 20 so as to communicate with each other.

 なおCANバス20に接続されるECU10のうち、エンジンECUと呼ばれるECU10は、車両1の動作を統括的に制御する。そのため本実施の形態においては、このエンジンECUに本発明を適用することで、特に走行に関する制御についてセキュリティの保護を実現しようとするものである。 Of the ECUs 10 connected to the CAN bus 20, the ECU 10 called an engine ECU comprehensively controls the operation of the vehicle 1. Therefore, in the present embodiment, by applying the present invention to this engine ECU, it is intended to realize security protection especially for control related to traveling.

 CANバス20は、CANを利用した通信バスであり、各ECU10を互いに通信可能に接続する。またCANバス20は、データリンクコネクタ(DLC:Data Link Connector)30を備える。DLC30は、スキャンツール40を有線又は無線によりCANバス20に接続するための接続コネクタである。 The CAN bus 20 is a communication bus using CAN, and connects the ECUs 10 so that they can communicate with each other. The CAN bus 20 includes a data link connector (DLC) 30. The DLC 30 is a connection connector for connecting the scan tool 40 to the CAN bus 20 by wire or wireless.

 DLC30にスキャンツール40を接続し、スキャンツール40上で特定の操作を行うと、ECU10が備える自己診断機能(OBD:On Board Diagnostics)により生成される故障コードを読み取ることができる。例えばサービスエンジニアは、スキャンツール40の表示画面上に表示される故障コードを参照して、車両1の故障箇所を特定することができる。 When the scan tool 40 is connected to the DLC 30 and a specific operation is performed on the scan tool 40, a fault code generated by a self-diagnosis function (OBD: On Board Diagnostics) provided in the ECU 10 can be read. For example, the service engineer can specify the failure location of the vehicle 1 with reference to the failure code displayed on the display screen of the scan tool 40.

 ここで、DLC30を介して車両1の外部から不正なデータがCANバス20に送信される場合が考えられる。ここでいう不正なデータとは、少なくともCANバス20に送信されるタイミングが正規のデータとは異なるデータをいう。 Here, there may be a case where illegal data is transmitted to the CAN bus 20 from the outside of the vehicle 1 via the DLC 30. The illegal data here refers to data that is at least transmitted to the CAN bus 20 at a different timing from the regular data.

 例えば一の正規のデータのIDが「1」で、「100ms」ごとにCANバス20に送信される場合、IDが「1」で、「120ms」ごとにCANバス20に送信されるデータは本実施の形態においては不正なデータとして取り扱われる。またこのIDが「1」のデータとの関係において、IDが異なるデータ、或いは、IDが同一であっても内容が異なるデータも当然に不正なデータとなる。 For example, when the ID of one regular data is “1” and is transmitted to the CAN bus 20 every “100 ms”, the data transmitted to the CAN bus 20 every “120 ms” is “1”. In the embodiment, it is handled as invalid data. In addition, in relation to the data with the ID “1”, data with different IDs, or data with different contents even if the IDs are the same are naturally invalid data.

 このような不正なデータがDLC30を介してCANバス20に送信された場合であって何らの防御手段もない場合、CANバス20に接続されているECU10がこれを受信して演算処理してしまう。特にエンジンECUが不正なデータを受信して演算処理すると、走行に関する制御が不能になるおそれがある。 When such illegal data is transmitted to the CAN bus 20 via the DLC 30 and there is no protection means, the ECU 10 connected to the CAN bus 20 receives this and performs arithmetic processing. . In particular, when the engine ECU receives illegal data and performs arithmetic processing, there is a possibility that control relating to traveling may become impossible.

 本実施の形態においては、たとえ不正なデータがCANバス20に送信された場合であっても、ECU10においてこの不正なデータは演算処理の対象から除外し、正規のデータだけを演算処理の対象とするようにしている。またECU10がCANバス20を介して、不正なデータを受信する受信回数が増加した場合、これを異常な状態と判断し、安全な制御状態に移行するようにしている。 In the present embodiment, even if unauthorized data is transmitted to the CAN bus 20, the ECU 10 excludes the unauthorized data from the target of the arithmetic processing, and only the regular data is the target of the arithmetic processing. Like to do. If the number of times that the ECU 10 receives illegal data via the CAN bus 20 increases, it is determined that this is an abnormal state and a safe control state is entered.

 安全な制御状態には、エンジンを停止させた状態(エンストさせた状態)、CANバス20からのデータの受信を拒否した状態、最小のギア段による走行を維持するリンプホームモードに移行した状態などがある。 The safe control state includes a state where the engine is stopped (a state where the engine is stopped), a state where reception of data from the CAN bus 20 is refused, a state where the vehicle shifts to a limp home mode which maintains traveling with the minimum gear stage, etc. There is.

 図2は、ECU10の内部構成を示す。ECU10は、ここでは図示しないRAM及びROM等のメモリや入出力インタフェースを備えるとともに、CPU100を備える。CPU100は、データ送受信部101、受信データ監視部102、CANバッファ103及び制御判断部104及び演算部105等のプログラム又はメモリを備える。 FIG. 2 shows the internal configuration of the ECU 10. The ECU 10 includes a memory such as a RAM and a ROM (not shown), an input / output interface, and a CPU 100. The CPU 100 includes programs or memories such as a data transmission / reception unit 101, a reception data monitoring unit 102, a CAN buffer 103, a control determination unit 104, and a calculation unit 105.

 データ送受信部101は、CANバス20からの正規又は不正なデータD0~D8を受信して、受信データ監視部102に出力する。またデータ送受信部101は、これらのデータD0~D8のうちの正規のデータに対する演算結果D21、D22又は安全な制御状態に移行するためのフェールセーフデータD23をCANバス20に送信する。 The data transmitting / receiving unit 101 receives normal or illegal data D0 to D8 from the CAN bus 20 and outputs them to the received data monitoring unit 102. Further, the data transmitting / receiving unit 101 transmits operation results D21 and D22 for the regular data among these data D0 to D8 or fail-safe data D23 for shifting to a safe control state to the CAN bus 20.

 演算結果D21、D22、フェールセーフデータD23は、その後他のECU10や他の機器の動作に用いられる。他のECU10や他の機器がフェールセーフデータD23を受信した場合、安全な制御がドライバの操作によらずに実行されることになる。 The calculation results D21 and D22 and fail-safe data D23 are then used for operations of other ECUs 10 and other devices. When the other ECU 10 or another device receives the fail safe data D23, safe control is executed regardless of the operation of the driver.

 受信データ監視部102は、データ送受信部101からの正規又は不正なデータD0~D8を入力すると、これらのデータをCANバッファ103に出力するとともに、これらのデータD0~D8の受信回数をカウントして異常な状態であるか否かを判断する。 When the received data monitoring unit 102 receives regular or illegal data D0 to D8 from the data transmitting / receiving unit 101, the received data monitoring unit 102 outputs these data to the CAN buffer 103 and counts the number of times these data D0 to D8 are received. It is determined whether or not the state is abnormal.

 具体的に、受信データ監視部102は、基準となる一の正規のデータD0を受信すると、これをCANバッファ103に出力するとともに、CPU100の内部に保持するタイマTを起動して時間のカウントを開始する。 Specifically, when the received data monitoring unit 102 receives one regular data D0 as a reference, it outputs this to the CAN buffer 103 and starts a timer T held in the CPU 100 to count the time. Start.

 受信データ監視部102は、IDごとに予め対応付けられた規定時間DTを参照して、この規定時間DTが経過するまでの間に受信したデータD0~D8をCANバッファ103に出力する。またこれらのデータD0~D8の受信回数をカウンタCによりカウントする。すなわち受信データ監視部102は、単位時間当たりのデータの受信回数をカウントする。 The received data monitoring unit 102 refers to the specified time DT associated in advance for each ID, and outputs the received data D0 to D8 to the CAN buffer 103 until the specified time DT elapses. The counter C counts the number of times these data D0 to D8 are received. That is, the reception data monitoring unit 102 counts the number of data receptions per unit time.

 そして受信データ監視部102は、予め定められた規定回数DCを参照して、カウンタCによりカウントされた受信回数が規定回数DC以上であるか否かを判断する。受信回数が規定回数DC以上になった場合、受信データ監視部102は異常な状態であるものと判断する。そして受信データ監視部102は、異常な状態であることを示す監視結果を制御判断部104に出力する。 Then, the reception data monitoring unit 102 refers to a predetermined number of times DC, and determines whether or not the number of receptions counted by the counter C is equal to or greater than the number of times DC. When the number of receptions exceeds the specified number of times DC, the reception data monitoring unit 102 determines that the state is abnormal. The reception data monitoring unit 102 outputs a monitoring result indicating an abnormal state to the control determination unit 104.

 CANバッファ103は、演算処理待ちのデータを格納するメモリである。
 制御判断部104は、受信データ監視部102からの監視結果に基づいて、CANバッファ103に格納されているデータを演算対象とするか、或いは、演算対象から除外するかを判断する。そして制御判断部104は、判断結果を演算部105に出力する。 The CAN buffer 103 is a memory for storing data waiting for arithmetic processing.
Based on the monitoring result from the received data monitoring unit 102, the control determination unit 104 determines whether the data stored in the CAN buffer 103 is to be calculated or excluded from the calculation target. Then, the control determination unit 104 outputs the determination result to the calculation unit 105.

 演算部105は、制御判断部104からの判断結果に基づいて、CANバッファ103に格納されたデータD0~D8のうちの規定時間DTの経過後で所定時間内(ウインドウ内)に受信したデータを演算処理して、演算結果D21、D22を生成する。或いは、演算処理の対象から除外してフェールセーフデータD23を生成する。 Based on the determination result from the control determination unit 104, the calculation unit 105 receives the data received within a predetermined time (within the window) after the lapse of the specified time DT among the data D0 to D8 stored in the CAN buffer 103. Calculation processing is performed to generate calculation results D21 and D22. Alternatively, the fail-safe data D23 is generated by excluding the calculation target.

 例えば演算部105は、データD0のIDが「1」であり、このIDに予め対応付けられている規定時間DTが「100ms」である場合、IDが「1」のデータについてはデータD0を受信してから100ms~110ms、或いは、95ms~105msの間のウインドウ内に受信したデータを演算処理して、演算結果D21、D22を生成する。 For example, when the ID of the data D0 is “1” and the specified time DT previously associated with this ID is “100 ms”, the arithmetic unit 105 receives the data D0 for the data with the ID “1”. Thereafter, the data received in the window of 100 ms to 110 ms or 95 ms to 105 ms is arithmetically processed to generate arithmetic results D21 and D22.

 一方で演算部105は、異常な状態である場合、CANバッファ103に格納されたデータD0~D8を演算対象から除外し、安全な制御状態に移行するためのフェールセーフデータD23を生成する。演算部105は、生成した演算結果D21、D22又はフェールセーフデータD23をデータ送受信部101に出力する。 On the other hand, if the operation unit 105 is in an abnormal state, the operation unit 105 excludes the data D0 to D8 stored in the CAN buffer 103 from the operation target, and generates fail-safe data D23 for shifting to a safe control state. The calculation unit 105 outputs the generated calculation results D21 and D22 or fail-safe data D23 to the data transmission / reception unit 101.

 図3は、本実施の形態における受信処理のフローチャートを示す。受信処理は、ECU10のCPU100により、カウンタCが起動された時点から開始され、それ以後は常時実行される。カウンタCの起動タイミングは、ECU10の電源ON時であることを想定しているが、必ずしもこれに限られない。 FIG. 3 shows a flowchart of reception processing in the present embodiment. The reception process is started from the time when the counter C is activated by the CPU 100 of the ECU 10, and is continuously executed thereafter. The start timing of the counter C is assumed to be when the ECU 10 is powered on, but is not necessarily limited thereto.

 またここでは、基準となる一の正規のデータを受信した後の一定期間に限って説明する。ここで説明するデータのIDは全て同一である(例えば「1」)。すなわちIDごとに本処理が行われる。説明の便宜上、処理主体をCPU100として説明する。 In addition, here, explanation will be made only for a certain period after receiving one regular data as a reference. The IDs of the data described here are all the same (for example, “1”). That is, this process is performed for each ID. For convenience of explanation, the processing subject will be described as the CPU 100.

 まずCPU100は、カウンタCを起動して受信回数のカウントを開始する(S1)。その後CPU100は、CANバス20から一の正規のデータを受信すると(S2)、タイマTを起動して時間のカウントを開始する(S3)。 First, the CPU 100 starts the counter C and starts counting the number of receptions (S1). Thereafter, when the CPU 100 receives one regular data from the CAN bus 20 (S2), it starts the timer T and starts counting time (S3).

 CPU100は、タイマTを起動した後、ステップS2で正規のデータを受信しているので受信回数iを+1だけカウントアップする(S4)。そしてCPU100は、受信回数iがi≧規定回数DCであるか否かを判断する(S5)。 Since the CPU 100 has started the timer T and has received regular data in step S2, the CPU 100 counts up the number of receptions i by +1 (S4). Then, the CPU 100 determines whether or not the number of receptions i is i ≧ the specified number of times DC (S5).

 例えば規定回数DCが「6」回であるものとして定められている場合、一の正規のデータを受信した時点では受信回数iは「1」回であるため受信回数i<規定回数DCであり、ステップS5の判断では否定結果を得ることになる。 For example, when it is determined that the specified number of times DC is “6”, the number of receptions i is “1” at the time when one regular data is received, so that the number of receptions i <the specified number of times DC, In step S5, a negative result is obtained.

 CPU100は、ステップS5の判断で否定結果を得ると(S5:N)、受信した正規のデータをCANバッファ103に出力する(S6)。そしてCPU100は、タイマTを起動した以後で他に受信したデータがあるか否かを判断する(S7)。CPU100は、ステップS7の判断で肯定結果を得ると(S7:Y)、ステップS4に移行して上述の処理を繰り返す。 When the CPU 100 obtains a negative result in the determination at step S5 (S5: N), it outputs the received regular data to the CAN buffer 103 (S6). Then, the CPU 100 determines whether there is other received data after starting the timer T (S7). When the CPU 100 obtains a positive result in the determination at step S7 (S7: Y), the CPU 100 proceeds to step S4 and repeats the above processing.

 これに対しCPU100は、ステップS7の判断で否定結果を得ると(S7:N)、ステップS2で受信した正規のデータのIDに対応付けられている規定時間DTと、ステップS3でカウントを開始したカウント時間とを参照して、カウント時間が規定時間DTを経過したか否かを判断する(S8)。 On the other hand, when the CPU 100 obtains a negative result in the determination at step S7 (S7: N), the CPU 100 starts counting at the specified time DT associated with the ID of the regular data received at step S2, and at step S3. Referring to the count time, it is determined whether or not the count time has passed the specified time DT (S8).

 CPU100は、ステップS8の判断で否定結果を得ると(S8:N)、カウント時間が規定時間DTを経過するまでステップS4に移行して、上述の処理を繰り返す。そしてCPU100は、ステップS5の判断で肯定結果を得ると(S5:Y)、異常な状態であるものと判断する(S9)。そしてCPU100は、安全な制御状態に移行して(S10)、本処理を終了する。 When the CPU 100 obtains a negative result in the determination at step S8 (S8: N), the CPU 100 proceeds to step S4 until the count time passes the specified time DT, and repeats the above processing. When the CPU 100 obtains a positive result in the determination at step S5 (S5: Y), it determines that the state is abnormal (S9). And CPU100 transfers to a safe control state (S10), and complete | finishes this process.

 これに対しCPU100は、ステップS8の判断で肯定結果を得ると(S8:Y)、カウンタCを停止及び再起動することにより、カウント回数を一旦リセットして受信回数のカウントを再度開始する(S12)。 On the other hand, if the CPU 100 obtains a positive result in the determination at step S8 (S8: Y), it stops and restarts the counter C, thereby resetting the number of counts and restarting counting the number of receptions (S12). ).

 次いでCPU100は、CANバッファ103に格納されているデータのうち、規定時間DTの経過後から所定時間内(ウインドウ内)に受信したデータがあるか否かを判断する(S13)。 Next, the CPU 100 determines whether data stored in the CAN buffer 103 is received within a predetermined time (in the window) after the lapse of the specified time DT (S13).

 CPU100は、ステップS13の判断で否定結果を得ると(S13:N)、CANバッファ103に格納されているデータを演算処理せずに本処理を終了する。これに対しCPU100は、肯定結果を得ると(S13:Y)、CANバッファ103に格納されているデータのうち、ウインドウ内に受信したデータを演算処理して(S14)、本処理を終了する。 When the CPU 100 obtains a negative result in the determination at step S13 (S13: N), the CPU 100 ends the process without performing arithmetic processing on the data stored in the CAN buffer 103. On the other hand, when the CPU 100 obtains a positive result (S13: Y), the CPU 100 performs arithmetic processing on the data received in the window among the data stored in the CAN buffer 103 (S14), and ends this processing.

 なおCPU100は、これ以降に受信するIDが同一のデータについてはステップS4に移行して上述の処理を繰り返すことになる。 Note that the CPU 100 shifts to step S4 and repeats the above-described processing for data having the same ID received thereafter.

 図4は、図3で説明した受信処理の概念図を示す。以下時系列に沿って、データD0~D8の処理について説明する。 FIG. 4 shows a conceptual diagram of the reception process described in FIG. Hereinafter, the processing of the data D0 to D8 will be described along the time series.

 時間t=t0のタイミングで、基準となる正規のデータD0がデータ送受信部101により受信される。また受信データ監視部102により、タイマTが起動されるとともに規定時間DTが参照される。またカウンタCの受信回数が+1だけカウントアップされる。 Regular data D0 serving as a reference is received by the data transmitting / receiving unit 101 at the timing of time t = t0. The received data monitoring unit 102 starts the timer T and refers to the specified time DT. Further, the number of receptions of the counter C is incremented by +1.

 その後データD0は、CANバッファ103に出力される。CANバッファ103に格納されたデータD0は、制御判断部104により演算対象であると判断された後、演算部105により演算処理される。その結果、演算結果D21が生成される。 Thereafter, the data D0 is output to the CAN buffer 103. The data D0 stored in the CAN buffer 103 is calculated by the control determination unit 104 and then processed by the calculation unit 105. As a result, a calculation result D21 is generated.

 時間tがt0≦t<t1の間では、受信されるデータの監視が受信データ監視部102により行われる。具体的にはタイマTにより時間がカウントされ、カウンタCにより受信回数がカウントされる。ここではデータD0のみが受信されただけであるため、受信回数は1回である。 When the time t is between t0 ≦ t <t1, the received data monitoring unit 102 monitors the received data. Specifically, time is counted by the timer T, and the number of receptions is counted by the counter C. Here, since only the data D0 is received, the number of receptions is one.

 時間t=t1のタイミングで、タイマT及びカウンタCが受信データ監視部102により停止及び再起動されて、カウント時間及び受信回数がリセットされる。リセットされた後はカウントが再開される。ここでのタイマTは、時間t=t2のタイミングで時間のカウントを再開し、カウンタCはリセットされた後すぐにデータのカウントを再開する。 At time t = t1, the timer T and the counter C are stopped and restarted by the reception data monitoring unit 102, and the count time and the number of receptions are reset. After resetting, the count is resumed. Here, the timer T resumes counting time at the timing of time t = t2, and the counter C resumes counting data immediately after being reset.

 時間tがt1<t≦t3の間は、受信したデータを演算処理の対象とする期間を示す。この期間をここではウインドウWと呼ぶ。正規のデータD1は、時間t=t2のタイミングで受信されたデータであり、このウインドウW内で受信されたデータである。 When the time t is t1 <t ≦ t3, this indicates a period during which the received data is subject to arithmetic processing. This period is called a window W here. The regular data D1 is data received at the timing of time t = t2, and is data received in this window W.

 よってデータD1は、その後CANバッファ103に出力されて、制御判断部104により演算対象と判断された後、演算部105により演算処理される。その結果、演算結果D22が生成される。 Therefore, the data D1 is then output to the CAN buffer 103, and after being determined as a calculation target by the control determination unit 104, is calculated by the calculation unit 105. As a result, a calculation result D22 is generated.

 時間tがt2≦t<t5の間は、受信されるデータの監視が再び行われる。ここではこの間に複数の不正なデータD2~D7が受信されている。カウンタCにより不正なデータD2~D7が受信されるたびに受信回数が+1だけカウントアップされる。 During the time t is t2 ≦ t <t5, the received data is monitored again. Here, a plurality of illegal data D2 to D7 are received during this period. Each time illegal data D2 to D7 are received by the counter C, the number of receptions is incremented by +1.

 時間t=t4のタイミングで、受信回数が規定回数DCに到達していることが示されている。この場合、受信データ監視部102からの監視結果が制御判断部104に出力され、制御判断部104により以降に受信するデータは演算処理の対象から除外される。 It is shown that the number of receptions reaches the specified number of times DC at the timing of time t = t4. In this case, the monitoring result from the received data monitoring unit 102 is output to the control determining unit 104, and the data received thereafter by the control determining unit 104 is excluded from the calculation processing target.

 時間tがt5<t≦t7の間は、ここでは2回目のウインドウWが設定されている。このようにウインドウWは規定時間DTが経過するたびに定期的に設けられる。正規のデータD8は、時間t=t6のタイミングで受信されたデータであり、このウインドウW内で受信されたデータであるが、演算処理の対象から除外される。そしてこれに代えてフェールセーフデータD23が生成される。 During the time t is t5 <t ≦ t7, the second window W is set here. As described above, the window W is periodically provided every time the specified time DT elapses. The regular data D8 is data received at the timing of time t = t6, and is data received in this window W, but is excluded from calculation processing targets. Instead, fail-safe data D23 is generated.

 以上のように本実施の形態によれば、基準となる正規のデータD0を受信した場合、その後に受信するデータのうち、データD0と同一のIDのデータの受信回数をカウントし、一定期間内における受信回数が規定回数DCに到達しない場合はその後に受信するデータD1を演算処理し、受信回数が規定回数DC以上になる場合は異常な状態であると判断して、安全な制御状態に移行するようにした。 As described above, according to the present embodiment, when regular data D0 serving as a reference is received, the number of receptions of data having the same ID as data D0 among the data received thereafter is counted and within a certain period. If the number of receptions does not reach the specified number of times DC, the data D1 received thereafter is processed, and if the number of receptions exceeds the specified number of times DC, it is determined that the state is abnormal, and a safe control state is entered. I tried to do it.

 より具体的には、正規のデータD0を受信した時点でタイマTを起動し、カウント時間が規定時間DTを経過するまでの間に受信したデータの受信回数をカウントし、受信回数が規定回数DCに到達しない場合はその後にウインドウW内で受信した正規のデータD1を演算処理するようにする一方で、受信回数が規定回数DCに到達した場合は正規のデータD8を演算処理の対象から除外し、代わりにフェールセーフデータD23を生成し、これに基づいて安全な制御状態に移行するようにした。 More specifically, the timer T is started when the regular data D0 is received, the number of times of reception of the data received until the count time exceeds the specified time DT, and the number of received times is the specified number of times DC. If the number of receptions reaches the specified number of times DC, the regular data D8 is excluded from the computation processing target. Instead, fail-safe data D23 is generated, and based on this, a safe control state is entered.

 これにより、なりすまし攻撃に対する防御手段として追加の機器を必要とすることなく、また不正な受信データを監視、判定及び無効化する等の煩雑な処理を必要とすることなく、単にソフトウェアの制御によって不正なデータを防御することができる。よって本実施の形態によれば、車載ネットワークの複雑化及びコストの増加を回避しつつ、セキュリティの保護を実現することができる。 As a result, no additional equipment is required as a defense against impersonation attacks, and there is no need for complicated processing such as monitoring, determination and invalidation of unauthorized received data. Can protect important data. Therefore, according to the present embodiment, it is possible to realize security protection while avoiding the complexity and cost increase of the in-vehicle network.

 なお本実施の形態においては、IDと規定時間DTとが予め対応付けられているが、これに加えて規定時間DTとウインドウ幅(図4においては時間t1とt3との間の時間)とが対応付けられているとしてもよい。 In the present embodiment, the ID and the specified time DT are associated with each other in advance, but in addition to this, the specified time DT and the window width (the time between time t1 and t3 in FIG. 4) are It is good also as matched.

 例えばIDが「1」については、規定時間DTが「99ms」、ウインドウ幅が「10ms」が予め対応付けられており、IDが「2」については、規定時間DTが「50ms」、ウインドウ幅が「5ms」が予め対応付けられているとしてもよい。すなわち単位時間当たりの受信回数に応じてウインドウ幅を可変にしてもよい。 For example, when the ID is “1”, the specified time DT is “99 ms” and the window width is “10 ms”, and when the ID is “2”, the specified time DT is “50 ms” and the window width is “5 ms” may be associated in advance. That is, the window width may be variable according to the number of receptions per unit time.

 この場合、単位時間当たりの受信回数が多いデータについてはウインドウ幅を短くするようにして、不正なデータを演算処理の対象から除外し易くすることができる。よってより確実にセキュリティの保護を実現することができる。 In this case, the data having a large number of receptions per unit time can be made shorter by making the window width short so that illegal data can be easily excluded from the processing target. Therefore, security protection can be realized more reliably.

 また本実施の形態においては、カウント時間が規定時間DTを経過した時点で受信回数を一旦リセットするとしているが、これに限らず、受信回数の累計が規定回数DCに到達するまでリセットしないとしてもよい。すなわちカウンタCが受信回数のカウントを開始してから、定期的に設けるウインドウWの範囲外で受信したデータの受信回数の累計が規定回数DCに到達したタイミングで、受信回数をリセットするとしてもよい。 In the present embodiment, the number of receptions is once reset when the count time exceeds the specified time DT. However, the present invention is not limited to this, and may not be reset until the total number of receptions reaches the specified number of times DC. Good. That is, after the counter C starts counting the number of times of reception, the number of times of reception may be reset when the total number of times of reception of data received outside the window W provided periodically reaches the specified number of times DC. .

 この場合、カウント時間が規定時間DTを経過するたびに受信回数をリセットする必要がなくなるため処理の簡素化を図ることができる。また異常な状態と判断されるほどに不正なデータを受信していなくとも、定常的に不正なデータを受信している場合、これを異常な状態と判断することができる。 In this case, since it is not necessary to reset the number of receptions every time the count time exceeds the specified time DT, the processing can be simplified. Further, even if the illegal data is not received to the extent that it is determined to be abnormal, it can be determined that it is abnormal if it is regularly received.

1   車両
10  ECU
20  CANバス
30  DLC
40  スキャンツール
100 CPU
101 データ送受信部
102 受信データ監視部
103 CANバッファ
104 制御判断部
105 演算部
  1 vehicle 10 ECU
20 CAN bus 30 DLC
40 Scan Tool 100 CPU
101 Data Transmission / Reception Unit 102 Received Data Monitoring Unit 103 CAN Buffer 104 Control Determination Unit 105 Calculation Unit

Claims (8)

 通信バス(20)に接続されているECU(10)において、
 前記ECU(10)のCPU(100)は、
 前記通信バス(20)を介して正規のデータ(D1)を受信した後、前記正規のデータ(D1)とIDが同一のデータ(D2~D8)を受信し、前記IDが同一のデータ(D2~D8)の一定期間内における受信回数が予め定められた規定回数(DC)以上である場合、異常な状態であると判断して、安全な制御状態に移行する
 ことを特徴とするECU。 In the ECU (10) connected to the communication bus (20),
The CPU (100) of the ECU (10)
After receiving the regular data (D1) via the communication bus (20), the regular data (D1) and the data (D2 to D8) having the same ID as the regular data (D1) are received, and the data (D2 having the same ID) An ECU characterized in that when the number of receptions within a predetermined period of (D8) to D8) is equal to or greater than a predetermined number of times (DC), it is determined that the state is abnormal and a safe control state is entered.  前記CPU(100)は、
 前記IDが同一のデータ(D2~D8)の一定期間内における受信回数が前記規定回数(DC)未満である場合、定期的に設けるウインドウ(W)内で受信したデータ(D1)を演算処理の対象とする
 ことを特徴とする請求項1に記載のECU。 The CPU (100)
When the number of receptions of the data (D2 to D8) having the same ID within a certain period is less than the specified number (DC), the data (D1) received in the window (W) provided periodically is subjected to the arithmetic processing. The ECU according to claim 1, which is a target.  前記CPU(100)は、
 異常な状態であると判断した場合、
 定期的に設けるウインドウ(W)内で受信したデータ(D8)を演算処理の対象から除外し、安全な制御状態に移行するためのフェールセーフデータを生成する
 ことを特徴とする請求項1又は2に記載のECU。 The CPU (100)
If you determine that the condition is abnormal,
The data (D8) received in the window (W) provided periodically is excluded from the target of arithmetic processing, and fail-safe data for shifting to a safe control state is generated. ECU as described in 1.  前記CPU(100)は、
 前記正規のデータ(D1)のIDに予め対応付けられている規定時間(DT)が経過するごとに前記ウインドウ(W)を定期的に設ける
 ことを特徴とする請求項2又は3に記載のECU。 The CPU (100)
4. The ECU according to claim 2, wherein the window (W) is periodically provided every time a specified time (DT) previously associated with the ID of the regular data (D1) elapses. .  前記CPU(100)は、
 前記正規のデータ(D1)の受信時に時間のカウントを開始し、カウント時間が予め定められる規定時間(DT)を経過した時点(t5)から所定時間が経過するまで(t7)の間に前記ウインドウ(W)を設定することにより、前記ウインドウ(W)を定期的に設ける
 ことを特徴とする請求項2~4の何れか一項に記載のECU。 The CPU (100)
When the regular data (D1) is received, the time starts to be counted, and the window is counted between the time (t5) when a predetermined time (DT) has passed and the predetermined time has elapsed (t7). The ECU according to any one of claims 2 to 4, wherein the window (W) is provided periodically by setting (W).  前記規定時間(DT)は、
 前記正規のデータ(D1)のIDごとに異なる
 ことを特徴とする請求項4又は5に記載のECU。 The specified time (DT) is
The ECU according to claim 4 or 5, wherein the ECU differs for each ID of the regular data (D1).  前記ウインドウ(W)は、
 前記正規のデータ(D1)のIDごとに幅が異なる
 ことを特徴とする請求項2~6の何れか一項に記載のECU。 The window (W) is
The ECU according to any one of claims 2 to 6, wherein the width differs for each ID of the regular data (D1).  前記CPU(100)は、
 異常な状態であると判断した場合、
 エンジンを停止させる制御、前記通信バス(20)からのデータの受信を拒否する制御又は最小のギア段による走行を維持する制御のうち、何れかの制御を実行することより、安全な制御状態に移行する
 ことを特徴とする請求項1~7の何れか一項に記載のECU。
 
 
  The CPU (100)
If you determine that the condition is abnormal,
By executing any one of the control for stopping the engine, the control for refusing the reception of data from the communication bus (20), or the control for maintaining the traveling with the minimum gear stage, a safe control state is obtained. The ECU according to any one of claims 1 to 7, wherein the ECU is shifted.


PCT/JP2018/008882 2017-05-18 2018-03-08 Ecu Ceased WO2018211790A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
DE112018002549.7T DE112018002549T5 (en) 2017-05-18 2018-03-08 Electronic control unit
JP2019519078A JP6838147B2 (en) 2017-05-18 2018-03-08 ECU
CN201880047811.3A CN110915170B (en) 2017-05-18 2018-03-08 Ecu

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017099285 2017-05-18
JP2017-099285 2017-05-18

Publications (1)

Publication Number Publication Date
WO2018211790A1 true WO2018211790A1 (en) 2018-11-22

Family

ID=64274048

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/008882 Ceased WO2018211790A1 (en) 2017-05-18 2018-03-08 Ecu

Country Status (4)

Country Link
JP (1) JP6838147B2 (en)
CN (1) CN110915170B (en)
DE (1) DE112018002549T5 (en)
WO (1) WO2018211790A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020116235A1 (en) * 2018-12-05 2020-06-11 株式会社デンソー Line monitoring device and network switch
CN111596570A (en) * 2020-05-26 2020-08-28 陈媛芳 Vehicle CAN bus simulation and attack system and method
CN115309132A (en) * 2021-05-06 2022-11-08 三菱电机株式会社 Control system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7491203B2 (en) * 2020-12-09 2024-05-28 トヨタ自動車株式会社 Control device, system, vehicle, program, and control device operation method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013068216A (en) * 2011-09-10 2013-04-18 Denso Corp On-board speed reducing device
WO2013094072A1 (en) * 2011-12-22 2013-06-27 トヨタ自動車 株式会社 Communication system and communication method
WO2014115455A1 (en) * 2013-01-28 2014-07-31 日立オートモティブシステムズ株式会社 Network device and data sending and receiving system
WO2015170451A1 (en) * 2014-05-08 2015-11-12 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ In-vehicle network system, electronic control unit, and irregularity detection method
WO2016038816A1 (en) * 2014-09-12 2016-03-17 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Vehicle communication device, in-vehicle network system, and vehicle communication method
WO2017037977A1 (en) * 2015-08-31 2017-03-09 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Gateway apparatus, in-vehicle network system, and communication method

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101417636B (en) * 2008-03-14 2013-03-20 北京理工大学 Pure electric motor coach communication system and method based on three CAN bus
CN103605349B (en) * 2013-11-26 2017-11-14 厦门雅迅网络股份有限公司 A kind of remote real-time data collection and analytic statistics system and method based on CAN bus
CN110610092B (en) * 2014-04-17 2023-06-06 松下电器(美国)知识产权公司 In-vehicle network system, gateway device, and abnormality detection method
JP6267596B2 (en) * 2014-07-14 2018-01-24 国立大学法人名古屋大学 Communication system, communication control apparatus, and unauthorized information transmission prevention method
WO2016088304A1 (en) * 2014-12-01 2016-06-09 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Illegality detection electronic control unit, car onboard network system, and illegality detection method
JP6603617B2 (en) * 2015-08-31 2019-11-06 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Gateway device, in-vehicle network system, and communication method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013068216A (en) * 2011-09-10 2013-04-18 Denso Corp On-board speed reducing device
WO2013094072A1 (en) * 2011-12-22 2013-06-27 トヨタ自動車 株式会社 Communication system and communication method
WO2014115455A1 (en) * 2013-01-28 2014-07-31 日立オートモティブシステムズ株式会社 Network device and data sending and receiving system
WO2015170451A1 (en) * 2014-05-08 2015-11-12 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ In-vehicle network system, electronic control unit, and irregularity detection method
WO2016038816A1 (en) * 2014-09-12 2016-03-17 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Vehicle communication device, in-vehicle network system, and vehicle communication method
WO2017037977A1 (en) * 2015-08-31 2017-03-09 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Gateway apparatus, in-vehicle network system, and communication method

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020116235A1 (en) * 2018-12-05 2020-06-11 株式会社デンソー Line monitoring device and network switch
JP2020092333A (en) * 2018-12-05 2020-06-11 株式会社デンソー Network switch and line monitoring device
CN113169908A (en) * 2018-12-05 2021-07-23 株式会社电装 Line monitoring device and network switch
CN113169908B (en) * 2018-12-05 2022-07-22 株式会社电装 Line monitoring device and network switch
JP7211051B2 (en) 2018-12-05 2023-01-24 株式会社デンソー Network switches and line monitoring devices
CN111596570A (en) * 2020-05-26 2020-08-28 陈媛芳 Vehicle CAN bus simulation and attack system and method
CN111596570B (en) * 2020-05-26 2023-09-12 杭州电子科技大学 Vehicle CAN bus simulation and attack system and method
CN115309132A (en) * 2021-05-06 2022-11-08 三菱电机株式会社 Control system
CN115309132B (en) * 2021-05-06 2025-08-12 三菱电机株式会社 Control system

Also Published As

Publication number Publication date
JP6838147B2 (en) 2021-03-03
JPWO2018211790A1 (en) 2020-02-27
CN110915170B (en) 2021-11-16
DE112018002549T5 (en) 2020-04-09
CN110915170A (en) 2020-03-24

Similar Documents

Publication Publication Date Title
CN107005447B (en) Communication control device and communication system
WO2018211790A1 (en) Ecu
CN104956626B (en) Network device and data transceiving system
JP6525825B2 (en) Communication device
US9600372B2 (en) Approach for controller area network bus off handling
US11784871B2 (en) Relay apparatus and system for detecting abnormalities due to an unauthorized wireless transmission
CN111147437A (en) Attributing bus disconnect attacks based on erroneous frames
CN107526290B (en) Method for operating a controller
US10721241B2 (en) Method for protecting a vehicle network against manipulated data transmission
EP3854651A1 (en) Electronic control device, electronic control method, and program
KR20180137306A (en) Method and System for detecting hacking attack based on the CAN protocol
US20170272451A1 (en) Monitoring apparatus and communication system
JP5578207B2 (en) Communication load judgment device
JP6586500B2 (en) Method and apparatus for transmitting message sequences over a data bus and method and apparatus for recognizing attacks on message sequences thus transmitted
JP6913869B2 (en) Surveillance equipment, surveillance systems and computer programs
WO2018198545A1 (en) Ecu
CN108632242B (en) Communication device and receiving device
CN108073489B (en) Method for ensuring operation of calculator
JP2015192216A (en) Communication apparatus and communication method
JP2001350735A (en) Method for mutual monitoring among plural data processors
WO2024071120A1 (en) Information processing device, information processing system, information processing program, and information processing method
JP2015112962A (en) Information processing device
JP2002314556A (en) Vehicle control system
JP2025177669A (en) Data transmission and reception system
US20190243738A1 (en) Fault Monitoring for a Complex Computing Unit

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18802617

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2019519078

Country of ref document: JP

Kind code of ref document: A

122 Ep: pct application non-entry in european phase

Ref document number: 18802617

Country of ref document: EP

Kind code of ref document: A1