
WO2019021922A1 - Abnormality detection device, and abnormality detection method - Google Patents


Info

Publication number
WO2019021922A1
Authority
WO
WIPO (PCT)
Prior art keywords
frame
abnormality detection
rule
network
control command
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2018/027012
Other languages
French (fr)
Japanese (ja)
Inventor
芳賀 智之
正人 田邉
唯之 鳥崎
弘泰 寺澤
遼 加藤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Panasonic Intellectual Property Corp of America
Original Assignee
Panasonic Intellectual Property Corp of America
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from JP2018097207A (JP7033499B2)
Application filed by Panasonic Intellectual Property Corp of America
Priority to EP18837632.1A (EP3659868B1)
Priority to CN201880003962.9A (CN109843653B)
Publication of WO2019021922A1
Priority to US16/730,977 (US11539727B2)
Anticipated expiration
Current legal status: Ceased

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/30 Services specially adapted for particular environments, situations or purposes
    • H04W 4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W 4/48 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P], for in-vehicle communication
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R 16/00 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R 16/02 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for, electric constitutive elements
    • B60R 16/023 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for, electric constitutive elements for transmission of signals between vehicle parts or subsystems
    • B60W CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W 50/00 Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W 50/02 Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W 50/0205 Diagnosing or detecting failures; Failure detection models
    • B60W 50/029 Adapting to failures or work around with other constraints, e.g. circumvention by avoiding use of failed parts
    • B60W 2050/021 Means for detecting failure or malfunction
    • B60W 2050/0295 Inhibiting action of specific actuators or systems
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/40 Bus networks
    • H04L 12/407 Bus networks with decentralised control
    • H04L 12/413 Bus networks with decentralised control with random access, e.g. carrier-sense multiple-access with collision detection [CSMA-CD]
    • H04L 2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L 2012/40215 Controller Area Network CAN
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic

Definitions

  • The present disclosure relates to an abnormality detection apparatus and an abnormality detection method for detecting an abnormality in a network system mounted on a mobile body.
  • Patent Document 1 discloses an in-vehicle network system for controlling a vehicle.
  • With Patent Document 1, there is a possibility that an abnormality cannot be effectively detected in a network system mounted on a mobile object such as a vehicle.
  • An object of the present disclosure is to provide an abnormality detection device and an abnormality detection method capable of effectively detecting an abnormality in a network system mounted on a mobile object.
  • An anomaly detection apparatus mounted on a mobile body detects an anomaly in a network system having a first network and a second network with different communication protocols.
  • The apparatus comprises a first communication unit for receiving status information indicating the status of the mobile body obtained from the second network; a second communication unit for transmitting and receiving a first frame according to the communication protocol of the first network; an abnormality detection rule holding unit that holds an abnormality detection rule; and an abnormality detection processing unit that detects, with reference to the state information and the abnormality detection rule, whether or not a control command included in the first frame received by the second communication unit is abnormal. If the control command is detected to be abnormal, transfer of the control command is prohibited.
  • In this way, an abnormality can be effectively detected in a network system mounted on a mobile body.
  • FIG. 1 is an overall configuration diagram of an in-vehicle network according to a first embodiment.
  • FIG. 2 is a diagram showing the format of a data frame (CAN frame) transmitted and received by the second network.
  • FIG. 3 is a diagram showing the format of an E frame transmitted and received by the first network.
  • FIG. 4 is a diagram showing an example of the data configuration in the payload of the E frame.
  • FIG. 5 is a block diagram showing an example of a functional configuration of the CAN gateway.
  • FIG. 6 is a diagram showing an image of transmitting an E frame based on a plurality of CAN frames received by the CAN gateway according to the first embodiment.
  • FIG. 7 is a block diagram showing an example of a functional configuration of the autonomous driving DCU.
  • FIG. 8 is a diagram showing an example of switch rules held by the switch rule holding unit.
  • FIG. 9 is a diagram showing an example of an abnormality detection rule held by the abnormality detection rule holding unit of the automatic driving DCU according to the first embodiment.
  • FIG. 10 is a sequence diagram showing an example of an abnormality detection method in the network system according to the first embodiment.
  • FIG. 11 is a sequence diagram showing an example of an abnormality detection method in the network system according to the first embodiment.
  • FIG. 12 is a diagram showing an image of transmitting an E frame based on a plurality of CAN frames received by the CAN gateway according to the second embodiment.
  • FIG. 13 is a diagram showing an example of an abnormality detection rule held by the abnormality detection rule holding unit 105 of the automatic driving DCU according to the second embodiment.
  • FIG. 14 is a sequence diagram showing an example of an abnormality detection method in the network system according to the second embodiment.
  • FIG. 15 is a sequence diagram showing an example of an abnormality detection method in the network system according to the second embodiment.
  • FIG. 16 is a diagram showing an image of transmitting an E frame based on a plurality of CAN frames received by the CAN gateway according to the third embodiment.
  • FIG. 17 is a diagram showing a table defining a detection rule when detecting an abnormality in CAN in the autonomous driving DCU according to the third embodiment.
  • ECUs (electronic control units)
  • A network connecting these ECUs is called an in-vehicle network.
  • There are many standards for in-vehicle networks. Among them, one of the most mainstream is the standard called CAN (Controller Area Network), defined by ISO 11898-1. As a standard for transmitting more information, there is also the standard called Ethernet (registered trademark), defined by IEEE 802.3.
  • CAN: Controller Area Network
  • Ethernet: registered trademark
  • After earnest investigation, the present inventors found that referring to information flowing on a plurality of different communication protocols makes it possible to determine whether or not a message of the vehicle control system is incorrect, and thereby to provide a safe automatic driving or advanced driving support system.
  • An abnormality detection device is a device mounted on a mobile body that detects an abnormality in a network system having a first network and a second network with different communication protocols. It comprises a first communication unit for receiving status information indicating the status of the mobile body obtained from the second network, a second communication unit for transmitting and receiving a first frame according to the communication protocol of the first network, an abnormality detection rule holding unit for retaining an abnormality detection rule, and an abnormality detection processing unit that detects, with reference to the state information and the abnormality detection rule, whether or not a control command included in the first frame received by the second communication unit is abnormal. When the abnormality detection processing unit detects that the control command is abnormal, it prohibits the transfer of the control command.
  • The abnormality detection device detects whether or not the generated control command for automatic driving is abnormal, based on the state information of the mobile body obtained from the second network and the abnormality detection rule. For this reason, an abnormality in a network system mounted on a mobile body can be effectively detected.
  • The abnormality detection device prohibits transfer of a control command detected as abnormal. Therefore, even if a device connected to the first network has a vulnerability and is attacked via the first network, the abnormality detection device can prevent unauthorized control of automatic operation.
  • The control command is a vehicle control command such as one for automatic driving or an advanced driving support system.
  • The abnormality detection rule includes a first rule indicating the control commands permitted in each of a plurality of different states of the moving body, and the abnormality detection processing unit determines the state of the moving body indicated by the state information.
  • If the control command is not among those the first rule associates with that state, it may be detected that the control command is abnormal.
  • The abnormality detection device can thus detect an abnormality of the vehicle control command based on the vehicle state, such as the current vehicle speed, the steering angle state, and the shift position.
  • The control command may be a control command that causes the mobile unit to execute at least one of going forward, turning, and stopping.
  • The abnormality detection device can thus detect an abnormality in control commands of an automatic driving or advanced driving support system, such as sudden steering while driving, sudden braking or acceleration, or a sudden transmission operation while stopped.
  • The first network is an Ethernet (registered trademark) network.
  • The second network is a CAN network.
  • The first communication unit receives the CAN frame including the state information.
  • The abnormality detection rule further includes a second rule for detecting whether or not the CAN frame is abnormal, and the abnormality detection processing unit may further prohibit transfer of the control command when it detects that the CAN frame is abnormal.
  • The first communication unit may receive a second frame, which is an Ethernet (registered trademark) frame storing a CAN frame indicating the state information.
  • Because a CAN frame indicating status information is stored in the Ethernet (registered trademark) frame, a device on the Ethernet (registered trademark) network can detect an abnormality in the CAN frame.
  • The second frame stores a plurality of CAN frames including the CAN frame indicating the state information, and the abnormality detection rule further includes a second rule for detecting whether or not each of the plurality of CAN frames is abnormal.
  • Each of the plurality of CAN frames has a different identifier for each type, and the second rule indicates the range of reception cycle permitted for the CAN frame corresponding to each of the plurality of identifiers. The abnormality detection processing unit uses the reception time corresponding to each of the plurality of CAN frames: for a first CAN frame among the plurality of CAN frames having the same identifier, it takes the difference between the first reception time of the first CAN frame and the second reception time of the second CAN frame received immediately before it, and if that difference is outside the reception cycle range that the second rule associates with the same identifier, it may detect that the first CAN frame is abnormal.
  • Since an abnormality in a CAN frame having periodicity can be detected by a device in the first network, the automatic driving and advanced driving support system can be safely stopped.
  • The second rule may further indicate a change amount permitted in the state information corresponding to each of the plurality of identifiers, that is, the change amount from the data value of the immediately preceding state information.
  • If the difference between the first data value of the first state information and the second data value of the second state information exceeds the change amount that the second rule associates with the same identifier, the abnormality detection processing unit may further detect that the first state information is abnormal.
  • Since the abnormality detection device can detect an abnormality in the data value of a CAN frame in a device in the first network, the automatic operation can be stopped.
  • The second frame stores a plurality of CAN frames including the CAN frame indicating the state information, and the abnormality detection rule further includes a third rule for detecting whether or not each of the plurality of CAN frames is abnormal.
  • Each of the plurality of CAN frames has a different identifier for each type, and the third rule indicates a range of reception cycle for the CAN frame corresponding to each of the plurality of identifiers. The abnormality detection processing unit uses the reception time corresponding to each of the plurality of CAN frames: for a first CAN frame among the plurality of CAN frames having the same identifier, it takes the difference between the first reception time of the first CAN frame and the second reception time of the second CAN frame received immediately before it, and if that difference is within the reception cycle range that the third rule associates with the same identifier, it may detect that the first CAN frame is abnormal.
  • Since an abnormality in a CAN frame having periodicity can be detected by a device in the first network, the automatic driving and advanced driving support system can be safely stopped.
  • The third rule may further indicate a change amount for the CAN frame corresponding to each of the plurality of identifiers, that is, the change amount from the data value of the immediately preceding CAN frame.
  • If the difference between the first data value of the first CAN frame and the second data value of the second CAN frame is within the range of the change amount that the third rule associates with the same identifier, the abnormality detection processing unit may further detect that the first CAN frame is abnormal.
  • Since the abnormality detection device can detect an abnormality in the data value of a CAN frame in a device in the first network, the automatic operation can be stopped.
  • The abnormality detection processing unit may acquire, as the abnormality detection rule, a rule associated with each of the plurality of identifiers, and detect that the state information is abnormal with reference to that abnormality detection rule.
  • FIG. 1 is an overall configuration diagram of an in-vehicle network according to a first embodiment.
  • The network system 3 of the vehicle 1 is a network communication system in the vehicle 1, on which various devices such as a control device, a sensor, an actuator, and a user interface device are mounted.
  • The network system 3 has a first network 10 and a second network 20.
  • The vehicle 1 is an example of a moving body.
  • The first network 10 is an Ethernet (registered trademark) network in which Ethernet (registered trademark) frames (hereinafter referred to as "E frames") are transmitted according to the Ethernet (registered trademark) protocol.
  • The second network 20 is a CAN network in which transmissions such as data frames (CAN frames) are performed over a bus in accordance with the CAN protocol.
  • The network system 3 includes a central gateway 400, a telematics control unit 410, a diagnosis port 420, an autonomous driving DCU (Domain Control Unit) 100, an autonomous driving ECU 110, a camera 120, a LIDAR 130, a dynamic map ECU 140, an infotainment DCU 300, an IVI (In-Vehicle Infotainment) 310, a CAN gateway 200, an engine ECU 210, a steering ECU 220, a brake ECU 230, a window ECU 240, a first transmission path 11, and a second transmission path 21.
  • The first transmission path 11 is the transmission path of the first network 10 and is, for example, an Ethernet (registered trademark) cable.
  • The second transmission path 21 is the transmission path of the second network 20 and is, for example, a CAN bus.
  • The network system 3 may include any number of ECUs or DCUs in addition to the above-described ECUs 110, 140, 210, 220, 230, 240 or the DCUs 100, 300.
  • An ECU (not shown) may be connected to the second transmission path 21 in addition to the ECUs 210, 220, 230, and 240.
  • Each ECU 110, 140, 210, 220, 230, 240 or each DCU 100, 300 is, for example, a device including a processor (microprocessor), a digital circuit such as a memory, an analog circuit, a communication circuit, and the like.
  • The memory is a ROM, a RAM, or the like, and can store a program (a computer program, as software) to be executed by the processor.
  • The memory may include non-volatile memory.
  • The processor operates according to the program (computer program), whereby the ECU realizes various functions.
  • The computer program is configured by combining a plurality of instruction codes indicating instructions to the processor in order to achieve a predetermined function.
  • Each of the ECUs 210, 220, 230, and 240 transmits and receives frames in accordance with the CAN protocol.
  • Each of the ECUs 210, 220, 230, 240 is connected to equipment such as an engine, steering wheel, brake, or window open/close sensor, acquires the state of the equipment, and periodically transmits it, for example, to the second network 20 formed by the second transmission path 21 and the like.
  • Each ECU 210, 220, 230, 240 receives a data frame from the second transmission path 21 constituting the second network 20, interprets the data frame, and determines whether it is a data frame having a CAN-ID that the ECU should receive.
  • As a result of that determination, each ECU 210, 220, 230, 240 may control the device connected to it according to the data (the content of the data field) in the data frame as necessary.
  • Data frames may be generated and transmitted as needed.
  • Each ECU 110, 140 or each DCU 100, 300 transmits or receives E frames according to the Ethernet (registered trademark) protocol.
  • The DCUs 100 and 300 are connected to devices such as the IVI 310, the autonomous driving ECU 110, the camera 120, the LIDAR 130, and the dynamic map ECU 140, respectively, and perform processing based on the information acquired from those devices. Further, each DCU 100, 300 may control its connected devices as needed, and may transmit information to other ECUs as needed.
  • The telematics control unit 410, the diagnostic port 420, the autonomous driving DCU 100, the CAN gateway 200, and the infotainment DCU 300 are connected to the central gateway 400 by the first transmission path 11.
  • The central gateway 400 includes, for example, a digital circuit such as a memory, an analog circuit, a communication circuit, and the like.
  • The telematics control unit 410 is the unit with which the vehicle 1 communicates with the server 2 on the external network 30.
  • The telematics control unit 410 may include a wireless communication interface conforming to a communication standard used in a mobile communication system such as a third generation mobile communication system (3G), a fourth generation mobile communication system (4G), or LTE (registered trademark), or a wireless local area network (LAN) interface conforming to the IEEE 802.11a, b, g, n standards. That is, the external network 30 is a cellular phone communication network, Wi-Fi, or the like.
  • The server 2 is, for example, a computer having a function of providing information to an ECU of the vehicle 1.
  • The diagnosis port 420 is a port used by the dealer for fault diagnosis of the vehicle 1, and is used for transmission and reception of diagnostic commands.
  • The autonomous driving DCU 100 is connected to the autonomous driving ECU 110, the camera 120, the LIDAR 130, the dynamic map ECU 140, and the first transmission path 11.
  • The autonomous driving ECU 110 generates control commands for controlling the driving of the vehicle 1. Specifically, the autonomous driving ECU 110 generates control commands for controlling the steering that steers the wheels, the engine that rotationally drives the wheels, a power source such as a motor, the brake that brakes the wheels, and the like. That is, a control command is a command that causes the vehicle 1 to execute at least one of going forward (that is, travelling), turning, and stopping. The autonomous driving ECU 110 transmits the generated control command to the second network 20.
  • The camera 120 is a camera for photographing the situation outside the vehicle, that is, the surroundings of the vehicle 1.
  • The camera 120 may be disposed, for example, on the outside of the body of the vehicle 1.
  • The LIDAR 130 is a sensor for detecting obstacles outside the vehicle.
  • The LIDAR 130 is, for example, a laser sensor that detects the distance to an object within a detection range of 360 degrees in the horizontal direction of the vehicle 1 and a predetermined angle range (for example, 30 degrees) in the vertical direction.
  • The LIDAR 130 emits a laser around the vehicle 1 and measures the distance from the LIDAR 130 to an object by detecting the laser reflected by the surrounding object.
  • The dynamic map ECU 140 is an electronic control unit for receiving data used for the dynamic map and decoding the dynamic map using the received data.
  • The decoded dynamic map is used, for example, for control of automatic driving by the automatic driving ECU 110.
  • The CAN gateway 200 is a gateway connected to both the second network 20 and the first network 10.
  • The second network 20 includes two CAN buses: a control system bus for the engine ECU 210, the steering ECU 220, and the brake ECU 230, and a body system bus to which the window ECU 240, which controls the opening and closing of the windows, is connected.
  • The CAN gateway 200 includes a processor, a digital circuit such as a memory, an analog circuit, a communication circuit, and the like.
  • The CAN gateway 200 has a function of transferring (or relaying) a frame received from one of the two transmission paths 11 and 21 to the other transmission path. Transfer of a frame by the CAN gateway 200 means relaying the data related to the frame.
  • When transferring a frame, the CAN gateway 200 may convert the communication method, the frame format, and the like to correspond to the communication protocol used on the destination transmission path. In addition, as frame transfer between transmission paths, the CAN gateway 200 may transmit one or more frames to one or more transmission paths in response to one or more frames received from one or more transmission paths.
  • The infotainment DCU 300 is connected to the IVI 310 via the first transmission path 11 and performs domain management of the information system network.
  • The IVI 310 is a device having a display and multimedia functions such as playback of video and audio.
  • FIG. 2 is a diagram showing the format of a data frame (CAN frame) transmitted and received by the second network.
  • The ECUs 210, 220, 230, 240, and so on exchange frames according to the CAN protocol.
  • Frames in the CAN protocol include data frames, remote frames, overload frames, and error frames, but here mainly the data frames will be described.
  • FIG. 2A shows the standard format.
  • The data frame consists of SOF (Start Of Frame), ID (CAN-ID), RTR (Remote Transmission Request), IDE (Identifier Extension), reserved bit "r", size, data, CRC (Cyclic Redundancy Check) sequence, CRC delimiter "DEL", ACK (Acknowledgement) slot, ACK delimiter "DEL", and EOF (End Of Frame).
  • ID: CAN-ID
  • An ID is an identifier indicating the type of data, and is also referred to as a message ID. That is, a CAN frame has a different identifier for each type.
  • In CAN, when a plurality of nodes start transmission at the same time, communication arbitration is performed in which priority is given to the frame whose CAN-ID has the smaller value.
  • The size is a DLC (Data Length Code) indicating the length of the subsequent data field (data).
  • DLC: Data Length Code
  • The specification of the data is not defined by the CAN protocol but by the network system 3. Therefore, the specification can depend on the type of vehicle, the manufacturer, and the like.
  • FIG. 2B shows the extended format.
  • The 29 bits consisting of the 11-bit base ID (a part of the CAN-ID) and the 18-bit extended ID (the remaining part of the CAN-ID) may be treated as the CAN-ID.
  • FIG. 3 is a diagram showing the format of an E frame transmitted and received by the first network.
  • The E frame consists of an Ethernet (registered trademark) header (also referred to as the "E header") and an Ethernet (registered trademark) payload (also referred to as the "E payload") storing the data that is the main transmission content.
  • The E header includes the destination MAC address and the source MAC address.
  • The E payload includes an IP header, a TCP/UDP header, and data.
  • The IP header includes a transmission source IP address and a transmission destination address. In FIG. 3, the IP header is labelled "IPv4 header".
  • The TCP/UDP header is a TCP header or a UDP header, and includes a transmission source port number and a transmission destination port number.
  • The CAN gateway 200 in the network system 3 transmits an E frame including a plurality of pieces of CAN frame information.
  • CAN frame information is information extracted from a CAN frame transmitted on the CAN bus, and includes at least the content (data) of the data field.
  • The CAN frame information may also include, for example, the CAN-ID and the size.
  • CAN frame information is made up of CAN-ID, size, and data.
  • The number of messages (number of MSGs) in FIG. 4 indicates the number of pieces of CAN frame information. Instead of the number of messages, information indicating the total amount of data of the CAN frame information may be used.
  • The CAN flag is an identification flag indicating whether or not the E frame includes information transmitted from the second network 20 (that is, CAN frame information): it is turned on when CAN frame information is included in the E payload of the E frame, and turned off otherwise (that is, set to a value contrary to on).
  • Although FIG. 4 shows an example in which the CAN flag is placed at the beginning of the E payload of the E frame, this is merely an example.
  • Transmission efficiency can be enhanced.
  • FIG. 5 is a block diagram showing an example of a functional configuration of the CAN gateway.
  • The CAN gateway 200 includes an Ethernet (registered trademark) transmission/reception unit 201 (hereinafter referred to as "E transmission/reception unit 201"), CAN transmission/reception units 202a and 202b, a transfer control unit 203, and a transfer rule holding unit 204.
  • Each of these components is realized by a communication circuit in the CAN gateway 200, a memory, a digital circuit, a processor that executes a program stored in the memory, and the like.
  • The E transmission/reception unit 201 is a communication circuit or the like connected to the first transmission path 11 constituting the first network 10.
  • The E transmission/reception unit 201 receives E frames from the first transmission path 11, and transmits E frames to the first transmission path 11.
  • The CAN transmission/reception unit 202a is a communication circuit or the like connected to the CAN bus 21a constituting the second network 20.
  • The CAN transmission/reception unit 202a sequentially receives CAN frames from the CAN bus 21a, and transmits CAN frames to the CAN bus 21a.
  • The CAN transmission/reception unit 202b is a communication circuit or the like connected to the CAN bus 21b constituting the second network 20.
  • The CAN transmission/reception unit 202b sequentially receives CAN frames from the CAN bus 21b, and transmits CAN frames to the CAN bus 21b.
  • The transfer rule holding unit 204 is realized by a storage medium such as a memory, and holds reference information that defines conditions for frame transfer.
  • The reference information is, for example, transfer rule information in which a CAN-ID to be transferred and its transfer source bus are associated with a destination (MAC address or the like), or a priority transfer list in which a CAN-ID to be transferred with priority, its transfer source bus, and its transfer destination are associated.
  • The transfer control unit 203 is realized by, for example, a processor that executes a program; it determines whether or not a received frame should be transferred, and performs transfer control according to the determination result.
  • The control relating to this transfer is, for example, control that causes the E transmission/reception unit 201 to transmit, to the first transmission path 11, an E frame whose payload includes a plurality of pieces of CAN frame information based on a plurality of sequentially received CAN frames.
  • FIG. 6 is a diagram showing an image of transmitting an E frame based on a plurality of CAN frames (CAN frames 1 to N) received by the CAN gateway 200 according to the first embodiment.
  • When transferring a frame, the CAN gateway 200 changes the configuration of the frame.
  • The payload of the E frame to be transmitted includes, for example, a predetermined number N of pieces of CAN frame information.
  • The data of the N pieces of CAN frame information is the content (data) of the data fields of the N received CAN frames, and the like.
  • The contents of CAN frames that have been received and are awaiting transfer are stored, for example, in a storage medium (buffer) such as a memory included in the CAN gateway 200.
  • The E frame including the N pieces of CAN frame information of FIG. 6 is received by the destination ECU or DCU (for example, the infotainment DCU 300) via, for example, the central gateway 400.
  • The MAC address of the CAN gateway 200 is set as the transmission source MAC address in the header of the E frame, and a CAN flag set to on, indicating that CAN frame information is included, is placed in the E payload of the E frame.
  • As the destination MAC address of the E frame, the MAC address of the destination ECU or DCU is set according to the transfer rule information and the like held by the transfer rule holding unit 204.
  • In order to detect an abnormality in a control command for autonomous driving, the CAN gateway 200 combines N CAN frames flowing in the second network 20 that include state information indicating the vehicle state, and converts them into one E frame.
  • The vehicle state included in the CAN frames is, for example, the current vehicle speed, steering angle, shift position, and the like.
  • The vehicle state is an example of the state of the moving body.
  • The transfer control unit 203 controls the E transmission/reception unit 201 and the CAN transmission/reception units 202a and 202b to transmit a frame under certain conditions according to the result of the determination and the like.
  • For a CAN frame received by the CAN transmission/reception units 202a and 202b, the transfer control unit 203 determines, based on the CAN-ID, whether the data of the CAN frame is to be transmitted to the first network 10. This determination is performed, for example, in accordance with predetermined reference information on the CAN-ID. Further, the transfer control unit 203 selects the destination of the data of the CAN frame according to the reference information.
  • FIG. 7 is a block diagram showing an example of a functional configuration of the autonomous driving DCU 100.
  • The autonomous driving DCU 100 includes a first communication unit 101a, a second communication unit 101b, a switch processing unit 102, a switch rule holding unit 103, an abnormality detection processing unit 104, and an abnormality detection rule holding unit 105.
  • The autonomous driving DCU 100 is an example of the abnormality detection device.
  • The first communication unit 101a includes one Ethernet (registered trademark) port (port P1) in the present embodiment.
  • The port P1 is connected to the central gateway 400 by the first transmission path 11. That is, the first communication unit 101a exchanges data with the central gateway 400, and receives the E frame in which the CAN frame is stored as data. Thus, by receiving the CAN frame, the first communication unit 101a receives the state information included in the CAN frame.
  • The second communication unit 101b includes four Ethernet (registered trademark) ports (ports P2 to P5) in the present embodiment.
  • The ports P2 to P5 are connected to the camera 120, the LIDAR 130, the dynamic map ECU 140, and the autonomous driving ECU 110, respectively, through the first transmission path 11. That is, the second communication unit 101b transmits and receives the first frame (that is, the E frame) by the communication protocol of the first network 10 (that is, the Ethernet (registered trademark) protocol).
  • The second communication unit 101b includes the first communication unit 101a, which transmits and receives E frames at the port P1.
  • The switch processing unit 102 transfers an E frame received by the second communication unit 101b to the appropriate transfer destination based on the rules held by the switch rule holding unit 103.
  • FIG. 8 is a diagram showing an example of the switch rules held by the switch rule holding unit 103.
  • A switch rule consists of an input port, a transmission source IP address, a transmission source MAC address, an output port, a transmission destination IP address, and a transmission destination MAC address.
  • The switch rules in the present embodiment are a whitelist indicating the correct transfer destinations of normal E frames.
  • For example, a switch rule indicates that an E frame from the CAN gateway 200 received at the port P1 via the central gateway 400 is permitted to be forwarded to the autonomous driving ECU 110 connected to the port P5.
  • In this rule, the MAC address of the central gateway 400 is set as the transmission source MAC address of the E frame received at the port P1 serving as the input port, and the IP address of the CAN gateway 200 is set as the transmission source IP address.
  • The IP address and the MAC address of the autonomous driving ECU 110 connected to the port P5 serving as the output port are set as the transmission destination IP address and the transmission destination MAC address.
  • Similarly, the switch rules indicate that transfer from the camera 120 connected to the port P2, the LIDAR 130 connected to the port P3, and the dynamic map ECU 140 connected to the port P4 to the autonomous driving ECU 110 connected to the port P5 is permitted. Also, since E frames from the autonomous driving ECU 110 connected to the port P5 need to be transmitted to the CAN gateway 200, the IP address of the CAN gateway 200 is set as the transmission destination IP address and the MAC address of the central gateway 400 is set as the transmission destination MAC address.
  • In the switch rules, the source and destination at the input or output are defined by the IP address and the MAC address, but the present invention is not limited to this. For example, only the IP address may be defined, or only the MAC address may be defined. Further, in the switch rules, information other than the IP address or the MAC address that can identify the transmission source or the transmission destination may be defined, or the service port number may be defined. This allows the source and destination at the input or output to be restricted to the routes permitted by the switch rules.
  • The switch rules in FIG. 8 are defined as a whitelist, but may be defined as a blacklist. Also, the switch rules shown in FIG. 8 are partial, not exhaustive; in other words, the switch rules are set to cover the necessary routes.
  • The abnormality detection processing unit 104 refers to the state information of the vehicle 1, received by the first communication unit 101a from the second network 20 via the CAN gateway 200, and to the abnormality detection rule held in the abnormality detection rule holding unit 105, and detects whether or not the control command included in the E frame received by the second communication unit 101b is abnormal.
  • The control command is, for example, an autonomous driving control command generated by the autonomous driving ECU 110. If the abnormality detection processing unit 104 determines that the control command is normal, it causes the second communication unit 101b to transmit the control command to the second network 20 via the central gateway 400 and the CAN gateway 200. When the abnormality detection processing unit 104 determines that the control command is abnormal, it prohibits the transfer of the control command to the second network 20 by the second communication unit 101b.
  • FIG. 9 is a diagram showing an example of an abnormality detection rule held by the abnormality detection rule holding unit 105 of the autonomous driving DCU 100 according to the first embodiment.
  • The abnormality detection rule is a rule for permitting autonomous driving control over Ethernet (registered trademark) based on the vehicle state acquired from the second network 20. That is, the abnormality detection rule includes a first rule indicating the control commands permitted in each of a plurality of vehicle states.
  • The first rule of the abnormality detection rule indicates the combination of vehicle speed instruction and steering instruction that is permitted according to the vehicle speed state and the shift state of the vehicle 1.
  • The vehicle speed state indicates the speed of the vehicle 1 while traveling; for example, the range of 0 km/h to 30 km/h is defined as low speed, 30 km/h to 60 km/h as medium speed, and 60 km/h or more and 100 km/h or less as high speed.
  • The shift state indicates the shift position, and is, for example, parking (P), reverse (R), neutral (N), drive (D), and the like.
  • The vehicle speed instruction indicates the increase or decrease of speed permitted from the current vehicle speed.
  • The steering instruction indicates the increase or decrease of angle permitted from the current steering angle.
  • In the first rule, for example, for one combination of vehicle speed state and shift state, the vehicle speed instruction in the autonomous driving control is permitted to increase or decrease the vehicle speed if it is within the range of 10 km/h from the current vehicle speed indicated by the state information.
  • For another combination, the vehicle speed instruction in the autonomous driving control is permitted to increase or decrease the vehicle speed if it is within the range of 20 km/h from the current vehicle speed indicated by the state information.
  • For yet another combination, the vehicle speed instruction in the autonomous driving control is permitted to increase or decrease the vehicle speed if it is within the range of 30 km/h from the current vehicle speed indicated by the state information.
  • The turning angle of the steering instruction is defined in the same manner as the vehicle speed. That is, in the first rule, for example, when the vehicle speed state is low speed and the shift state is drive (D), the steering instruction in the autonomous driving control is permitted to change the steering angle if it is within 360 degrees of the current steering angle indicated by the state information. When the vehicle speed state is medium speed and the shift state is drive (D), the steering instruction is permitted to change the steering angle if it is within 180 degrees left or right of the current steering angle indicated by the state information. When the vehicle speed state is high speed and the shift state is drive (D), the steering instruction is permitted to change the steering angle if it is within 90 degrees of the current steering angle indicated by the state information.
  • The abnormality detection processing unit 104 detects that the control command is abnormal when the state of the vehicle 1 indicated by the state information is not included in the states with which that control command is associated in the first rule. That is, when, for example, the second communication unit 101b receives a control command including a vehicle speed instruction that exceeds the permitted range of increase or decrease of the vehicle speed associated with the vehicle state in the first rule, or a steering instruction that exceeds the permitted range of steering angle, the abnormality detection processing unit 104 detects that the control command is abnormal, and the transfer of the control command to the second network 20 by the first communication unit 101a is prohibited.
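As an added example (not the patent's own code) of the first rule described above, the following Python checks a control command against a table keyed by vehicle speed state and shift state; which of the 10/20/30 km/h limits pairs with which speed band, the half-open band boundaries, and the shape of the command (a speed delta and a steering delta) are assumptions.

```python
"""Added example, not code from the patent: the first-rule check of FIG. 9.

A table keyed by (vehicle speed state, shift state) gives the permitted
increase/decrease of vehicle speed and the permitted change of steering
angle. A control command from the autonomous driving ECU is checked against
the current vehicle state taken from the CAN side; a command for a state
with no table entry, or outside the permitted ranges, is abnormal and is
not forwarded.

Assumptions (not stated on the page): which of the 10/20/30 km/h limits
pairs with which speed band, the half-open band boundaries, and the shape
of the command (a speed delta and a steering delta).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def speed_state(speed_kmh: float) -> Optional[str]:
    """Map a speed to the page's bands: 0-30 low, 30-60 medium, 60-100 high.
    Half-open boundaries are an assumption."""
    if 0 <= speed_kmh < 30:
        return "low"
    if 30 <= speed_kmh < 60:
        return "medium"
    if 60 <= speed_kmh <= 100:
        return "high"
    return None  # no defined state: nothing is permitted


# First rule: (speed state, shift) -> (max |speed delta| km/h, max |steer delta| deg).
# Steering limits 360/180/90 are the page's; the pairing of speed limits is assumed.
FirstRule = Dict[Tuple[Optional[str], str], Tuple[float, float]]
FIRST_RULE: FirstRule = {
    ("low", "D"): (10.0, 360.0),
    ("medium", "D"): (20.0, 180.0),
    ("high", "D"): (30.0, 90.0),
}


@dataclass(frozen=True)
class VehicleState:
    """State information received from the second network via the CAN gateway."""
    speed_kmh: float
    steer_deg: float
    shift: str  # "P", "R", "N" or "D"


@dataclass(frozen=True)
class ControlCommand:
    """Control command as received from the autonomous driving ECU (assumed shape)."""
    speed_delta_kmh: float  # requested increase (+) or decrease (-) from current speed
    steer_delta_deg: float  # requested change from the current steering angle


def check_control_command(state: VehicleState, cmd: ControlCommand,
                          rule: FirstRule = FIRST_RULE) -> Tuple[bool, str]:
    """Return (is_normal, reason). Abnormal if the state has no entry in the
    rule or the command exceeds either permitted range."""
    key = (speed_state(state.speed_kmh), state.shift)
    if key not in rule:
        return False, f"no permitted control command for state {key}"
    max_speed, max_steer = rule[key]
    if abs(cmd.speed_delta_kmh) > max_speed:
        return False, f"speed change {cmd.speed_delta_kmh:+.1f} km/h exceeds {max_speed} km/h"
    if abs(cmd.steer_delta_deg) > max_steer:
        return False, f"steering change {cmd.steer_delta_deg:+.1f} deg exceeds {max_steer} deg"
    return True, "permitted"


def filter_command(state: VehicleState, cmd: ControlCommand) -> Optional[ControlCommand]:
    """What the abnormality detection processing unit hands to the second
    communication unit: the command if normal, None (transfer prohibited) otherwise."""
    ok, _ = check_control_command(state, cmd)
    return cmd if ok else None


if __name__ == "__main__":
    # Constructed sample: cruising at 45 km/h in D, ECU requests +5 km/h and 30 deg.
    state = VehicleState(speed_kmh=45.0, steer_deg=0.0, shift="D")
    print(check_control_command(state, ControlCommand(5.0, 30.0)))   # within (medium, D)
    print(check_control_command(state, ControlCommand(25.0, 30.0)))  # speed change too large
    print(check_control_command(state, ControlCommand(5.0, 200.0)))  # steering change too large
    print(check_control_command(VehicleState(0.0, 0.0, "P"), ControlCommand(5.0, 0.0)))  # no rule
```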
  • FIGS. 10 and 11 are sequence diagrams showing an example of an abnormality detection method in the network system 3 according to the first embodiment.
  • The autonomous driving DCU 100 sets the autonomous driving mode to the valid state for the autonomous driving ECU 110 (S100). For example, when receiving an input from the user to turn on the autonomous driving mode, the autonomous driving DCU 100 enables the autonomous driving mode.
  • The CAN gateway 200 receives a CAN frame including state information of the vehicle 1 from each of the ECUs 210, 220, 230, and 240 connected to the CAN gateway 200, and, as shown in the figure, generates an E frame including these CAN frames (S101).
  • The CAN gateway 200 transmits the E frame including the CAN frames of the state information of the vehicle 1 to the central gateway 400 (S102).
  • The central gateway 400 transmits the E frame received in step S102 to the autonomous driving DCU 100 (S103).
  • The second communication unit 101b receives video information indicating an image captured by the camera 120, obstacle information based on information indicating the distance to an object detected by the LIDAR 130, and map information obtained by the dynamic map ECU 140 from the camera 120, the LIDAR 130, and the dynamic map ECU 140, respectively (S104).
  • The switch processing unit 102 refers to the switch rules of the switch rule holding unit 103, and determines whether or not the information was received through the correct route (S105).
  • Among the information such as the video information, the obstacle information, and the map information received in step S104 by the second communication unit 101b from the camera 120, the LIDAR 130, and the dynamic map ECU 140, the information determined by the switch processing unit 102 to have been received through the correct route is transferred to the autonomous driving ECU 110 (S106).
  • The autonomous driving ECU 110 generates a control command for autonomous driving based on the information such as the video information, the obstacle information, and the map information received in step S106 (S107).
  • Specifically, the autonomous driving ECU 110 first generates a CAN frame to be transmitted to the control system CAN bus, and then generates an E frame in which the CAN frame is stored in the data area of the E frame.
  • The generated E frame is the control command for autonomous driving.
  • The autonomous driving ECU 110 transmits the control command for autonomous driving to the autonomous driving DCU 100 (S108).
  • The abnormality detection processing unit 104 refers to the abnormality detection rule held by the abnormality detection rule holding unit 105 (S109).
  • The rule referred to here is the first rule shown in the figure described above.
  • In addition to the abnormality detection rule, the abnormality detection processing unit 104 refers to the E frame including the CAN frames of the state information of the vehicle 1 received in S103, and determines whether the control command received by the second communication unit 101b is abnormal (S110). If the abnormality detection processing unit 104 determines that the control command is abnormal (abnormal in step S110), the process proceeds to step S111. On the other hand, when the abnormality detection processing unit 104 determines that the control command is normal (normal in step S110), the process proceeds to step S120.
  • When the control command is abnormal, the abnormality detection processing unit 104 notifies the server 2 or the IVI 310 of information including the abnormality using the second communication unit 101b (S111).
  • In this case, the abnormality detection processing unit 104 does not transmit the control command to the central gateway 400. That is, the abnormality detection processing unit 104 prohibits the transfer of the control command determined to be abnormal to the second network 20 via the central gateway 400 and the CAN gateway 200.
  • The abnormality detection processing unit 104 transmits a termination instruction for terminating the autonomous driving to the autonomous driving ECU 110 using the second communication unit 101b (S112).
  • When receiving the termination instruction transmitted in step S112, the autonomous driving ECU 110 terminates the autonomous driving mode (S113).
  • The autonomous driving ECU 110 may switch to the manual driving mode after ending the autonomous driving mode.
  • When it is determined in step S110 that the control command is normal (normal in S110), the abnormality detection processing unit 104 transmits the control command for autonomous driving to the central gateway 400 using the second communication unit 101b (S120).
  • The central gateway 400 transfers the autonomous driving control command transmitted in step S120 to the CAN gateway 200 (S121).
  • The CAN gateway 200 converts the control command for autonomous driving in the E frame received in step S121 into a CAN frame (S122).
  • The CAN gateway 200 transmits the CAN frame converted in step S122 to the second network 20 (S123).
  • The engine ECU 210, the steering ECU 220, or the brake ECU 230 connected to the control system CAN bus receives the control command for autonomous driving in the CAN frame, and executes automatic control by performing control according to the received control command.
  • As described above, the abnormality detection device according to the present embodiment is mounted on the vehicle 1 and detects an abnormality in the network system 3 having the first network 10 and the second network 20, which use different communication protocols.
  • The autonomous driving DCU 100 includes a first communication unit 101a, a second communication unit 101b, an abnormality detection rule holding unit 105, and an abnormality detection processing unit 104.
  • The first communication unit 101a receives state information indicating the state of the vehicle 1 acquired from the second network 20.
  • The second communication unit 101b transmits and receives E frames according to the communication protocol of the first network 10.
  • The abnormality detection rule holding unit 105 holds the abnormality detection rule.
  • The abnormality detection processing unit 104 detects whether or not the control command included in the E frame received by the second communication unit 101b is abnormal with reference to the state information and the abnormality detection rule. When detecting that the control command is abnormal, the abnormality detection processing unit 104 prohibits the transfer of the control command.
  • Thus, the abnormality detection device detects whether or not the generated control command for autonomous driving is abnormal based on the state information of the vehicle 1 obtained from the second network 20 and the abnormality detection rule, and prohibits the transfer of a control command detected as abnormal. Therefore, for example, even if a device connected to the first network 10 has a vulnerability and an attack is made via the first network 10, the abnormality detection device can prevent unauthorized control of autonomous driving.
  • The abnormality detection rule includes a first rule indicating the control command permitted in each of a plurality of different states of the vehicle 1.
  • The abnormality detection processing unit 104 detects that the control command is abnormal when the state of the vehicle 1 indicated by the state information is not included in the states with which the control command is associated in the first rule. For this reason, it becomes possible to detect an abnormality in the control command based on the vehicle state such as, for example, the current vehicle speed, the steering angle, and the shift position.
  • The control command is a control command that causes the vehicle 1 to execute at least one of moving forward, turning, and stopping.
  • Thus, the abnormality detection device can detect an abnormality in a control command for autonomous driving such as, for example, sudden steering while traveling, sudden braking or acceleration, or sudden shifting while stopped, and can provide a safe driving environment.
  • The first communication unit 101a receives a first frame, which is an E frame in which a CAN frame is stored as data.
  • The second communication unit 101b also includes the first communication unit 101a. According to this, since the abnormality detection device receives the CAN frame converted into an E frame, a device on Ethernet (registered trademark) can detect an abnormality of the CAN frame.
  • The autonomous driving DCU 100 as the abnormality detection device according to the second embodiment is substantially the same as the autonomous driving DCU 100 according to the first embodiment, so only the differences will be described.
  • The autonomous driving DCU 100 according to the second embodiment differs from that according to the first embodiment in that abnormality detection of the CAN frame is also performed in the autonomous driving DCU 100.
  • FIG. 12 is a diagram showing an image of transmitting an E frame based on a plurality of CAN frames received by the CAN gateway 200 according to the second embodiment.
  • The autonomous driving DCU 100 checks the CAN frame cycle and performs CAN abnormality detection.
  • The CAN gateway 200 receives a plurality of CAN frames and attaches to each received CAN frame the reception time at which that CAN frame was received. That is, the CAN gateway 200 generates an E frame by storing N CAN frames, each provided with its reception time, in the data area of the E frame.
  • The state information of the vehicle 1 included in the CAN frames that the CAN gateway 200 converts into an E frame is, for example, the vehicle speed, the steering angle, or the shift position.
  • When the second communication unit 101b of the autonomous driving DCU 100 receives an E frame of the configuration of FIG. 12, it receives an E frame in which a plurality of CAN frames and the reception times at which each of the plurality of CAN frames was received by a device such as the CAN gateway 200 are stored as data.
  • FIG. 13 is a diagram showing an example of an abnormality detection rule held by the abnormality detection rule holding unit 105 of the autonomous driving DCU 100 according to the second embodiment.
  • The abnormality detection rule illustrated in FIG. 13 is an example of a second rule for detecting whether the CAN frame is abnormal.
  • The second rule indicates the range of the reception cycle permitted for the CAN frame corresponding to each CAN-ID, which is an identifier indicating the type of data of the CAN frame. Further, the second rule may indicate, for the CAN frame corresponding to each of the plurality of CAN-IDs, the permitted amount of change from the data value of the CAN frame immediately preceding that CAN frame.
  • The CAN frame immediately preceding a CAN frame is the CAN frame with the same CAN-ID received one timing earlier.
  • For example, the second rule is a rule indicating that, for a CAN frame whose CAN-ID is "0xA1", the cycle calculated with reference to the reception time attached to the CAN frame in the E frame described in FIG. 12 is correct if it is in the range of 10 ms ± 3 ms, that is, if the difference between its reception time and that of the CAN frame received immediately before is within the range of the basic cycle 10 ms ± 3 ms.
  • The second rule may also indicate that, for a CAN frame whose CAN-ID is "0xA1", the amount of change in data from the CAN frame received immediately before is correct if it is within ±50. Similarly, the permitted range of the cycle and the permitted amount of change of the data are defined for the other IDs.
  • The amount of change of the data value defined by the second rule is a numerical value corresponding to the state information of the vehicle 1 and is, for example, the amount of change of the vehicle speed, the amount of change of the steering angle, and the like.
  • The abnormality detection processing unit 104 of the autonomous driving DCU 100 uses the plurality of reception times respectively corresponding to the plurality of CAN frames obtained from the E frame received by the second communication unit 101b to detect whether or not the plurality of CAN frames included in the E frame are abnormal. Specifically, among the plurality of CAN frames having the same identifier, the abnormality detection processing unit 104 compares the first reception time of a first CAN frame with the second reception time of a second CAN frame to detect whether or not the first CAN frame is abnormal. If the difference between the first reception time and the second reception time is out of the range of the reception cycle associated with that identifier in the second rule, the abnormality detection processing unit 104 detects that the first CAN frame is abnormal.
  • Likewise, if the difference between the data value of the first CAN frame and the data value of the second CAN frame exceeds the amount of change associated with that identifier in the second rule, the abnormality detection processing unit 104 may detect that the first CAN frame is abnormal.
  • When detecting that the CAN frame is abnormal, the abnormality detection processing unit 104 prohibits the transfer of the control command. That is, in this case, the abnormality detection processing unit 104 may prohibit the transfer of the control command received from the autonomous driving ECU 110 at that time, and may also prohibit the transfer of control commands received from the autonomous driving ECU 110 after that time.
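As an added example (not the patent's own code) of the FIG. 12 E frame and the second rule described above, the following Python packs and parses CAN frame information carrying reception times and applies the 10 ms ± 3 ms cycle check and the ±50 data-change check for CAN-ID 0xA1; the byte layout of the E payload and the encoding of the data value are assumptions.

```python
"""Added example, not code from the patent: the second-embodiment E frame
(FIG. 12, CAN frames with reception times) and the second rule (FIG. 13).

The page lists the fields but not a byte layout, so the layout here is an
assumption: CAN flag (1 byte), number of MSGs (1 byte), then per frame the
CAN-ID (2 bytes), reception time in ms (4 bytes), DLC (1 byte) and DLC data
bytes. Reading the data value as the first two data bytes is also assumed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

CAN_FLAG_ON = 0x01
CAN_FLAG_OFF = 0x00
ENTRY_HEADER = ">HIB"  # CAN-ID, reception time (ms), DLC
ENTRY_HEADER_LEN = struct.calcsize(ENTRY_HEADER)


@dataclass(frozen=True)
class CanFrameInfo:
    """One piece of CAN frame information plus the reception time the CAN gateway attached."""
    can_id: int
    rx_time_ms: int
    data: bytes


def pack_e_payload(frames: List[CanFrameInfo]) -> bytes:
    """Build the E payload the CAN gateway would send (assumed layout, see docstring)."""
    out = bytearray([CAN_FLAG_ON, len(frames)])
    for f in frames:
        if not 0 <= len(f.data) <= 8:
            raise ValueError("CAN data field is at most 8 bytes")
        out += struct.pack(ENTRY_HEADER, f.can_id, f.rx_time_ms, len(f.data)) + f.data
    return bytes(out)


def unpack_e_payload(payload: bytes) -> List[CanFrameInfo]:
    """Parse the E payload on the DCU side. A CAN flag that is off means no CAN frame
    information is carried; a truncated or oversized payload is rejected."""
    if len(payload) < 2 or payload[0] != CAN_FLAG_ON:
        return []
    count, off, frames = payload[1], 2, []
    for _ in range(count):
        if off + ENTRY_HEADER_LEN > len(payload):
            raise ValueError("truncated entry header")
        can_id, rx_time, dlc = struct.unpack_from(ENTRY_HEADER, payload, off)
        off += ENTRY_HEADER_LEN
        data = payload[off:off + dlc]
        if len(data) != dlc:
            raise ValueError("truncated data field")
        off += dlc
        frames.append(CanFrameInfo(can_id, rx_time, bytes(data)))
    if off != len(payload):
        raise ValueError("trailing bytes after last entry")
    return frames


# Second rule: CAN-ID -> (basic cycle ms, tolerance ms, permitted data change).
# The 0xA1 entry (10 ms +/- 3 ms, +/-50) is the page's; other IDs are defined alike.
SECOND_RULE: Dict[int, Tuple[int, int, int]] = {0xA1: (10, 3, 50)}


def data_value(data: bytes) -> int:
    """State value carried by the data field (assumed: first two bytes, big-endian)."""
    return int.from_bytes(data[:2], "big")


class CanAbnormalityDetector:
    """Applies the second rule per CAN-ID, remembering the immediately preceding frame
    across E frames so the first entry of a new E frame is checked as well."""

    def __init__(self, rule: Dict[int, Tuple[int, int, int]] = SECOND_RULE) -> None:
        self.rule = rule
        self.last: Dict[int, Tuple[int, int]] = {}  # CAN-ID -> (rx_time_ms, value)

    def check(self, frame: CanFrameInfo) -> List[str]:
        """Return the reasons the frame is abnormal; an empty list means normal."""
        reasons: List[str] = []
        spec = self.rule.get(frame.can_id)
        prev = self.last.get(frame.can_id)
        value = data_value(frame.data)
        if spec is not None and prev is not None:
            cycle, tol, max_change = spec
            dt = frame.rx_time_ms - prev[0]
            if not (cycle - tol <= dt <= cycle + tol):
                reasons.append(f"ID 0x{frame.can_id:X}: cycle {dt} ms outside {cycle} +/- {tol} ms")
            if abs(value - prev[1]) > max_change:
                reasons.append(f"ID 0x{frame.can_id:X}: data change {value - prev[1]:+d} exceeds +/-{max_change}")
        self.last[frame.can_id] = (frame.rx_time_ms, value)
        return reasons

    def check_e_payload(self, payload: bytes) -> List[Tuple[CanFrameInfo, List[str]]]:
        """Check every CAN frame in an E payload and return only the abnormal ones."""
        abnormal = []
        for frame in unpack_e_payload(payload):
            reasons = self.check(frame)
            if reasons:
                abnormal.append((frame, reasons))
        return abnormal
```

When a frame is reported abnormal, the caller withholds the pending control command, as the detection processing unit does in the text; the detector keeps the last frame per CAN-ID so the check continues seamlessly across consecutive E frames.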
  • FIG. 14 and FIG. 15 are sequence diagrams showing an example of an abnormality detection method in the network system 3 according to the second embodiment.
  • The abnormality detection method according to the second embodiment differs from step S101 of the abnormality detection method according to the first embodiment only in that, in step S201, the reception time of each CAN frame shown in FIG. 12 is included in the E frame.
  • Since the other steps S200 and S202 to S208 are the same as S100 and S102 to S108 in the abnormality detection method according to the first embodiment, their description is omitted.
  • The abnormality detection processing unit 104 refers to the abnormality detection rule held by the abnormality detection rule holding unit 105.
  • The rule referred to here is the second rule shown in the figure described above.
  • The abnormality detection processing unit 104 determines whether the CAN frame is abnormal (S210). If the abnormality detection processing unit 104 determines that the CAN frame is abnormal (abnormal in step S210), the process proceeds to step S213. If the abnormality detection processing unit 104 determines that the CAN frame is normal (normal in step S210), the process proceeds to step S211.
  • When the CAN frame is abnormal, since the abnormality detection processing unit 104 has detected an abnormality in the CAN frame, it judges that continuing the automatic control is high risk, and notifies the server 2 or the IVI 310 of information including the abnormality using the second communication unit 101b (S213). In this case, the abnormality detection processing unit 104 does not transmit the control command to the central gateway 400. That is, in this case, the abnormality detection processing unit 104 prohibits the transfer of the control command determined to be abnormal to the second network 20 via the central gateway 400 and the CAN gateway 200.
  • Steps S211, S212, S214, and S215 are the same as steps S109, S110, S112, and S113 in the abnormality detection method according to the first embodiment, and thus their description is omitted. Further, steps S221 to S224 are the same as S120 to S123 in the abnormality detection method according to the first embodiment, and thus their description is omitted.
  • Although step S212 is performed after step S210 here, step S210 may instead be performed after step S212.
  • As described above, the abnormality detection rule further includes a second rule for detecting whether the CAN frame is abnormal. If the abnormality detection processing unit 104 further detects that the CAN frame is abnormal, it prohibits the transfer of the control command. Thereby, the abnormality detection device passes the control command only after checking the CAN frame for an abnormality. That is, the abnormality detection device, which is a device on the first network 10 side, can decide whether to transmit the autonomous driving control command after confirming that the second network 20 side is also normal. For this reason, the abnormality detection device can prevent unauthorized control of autonomous driving even during an attack exploiting a vulnerability of the second network 20.
  • The second rule indicates the range of the reception cycle permitted for the CAN frame corresponding to each of the plurality of identifiers.
  • The second communication unit 101b receives an E frame in which a plurality of CAN frames and the reception times, which are the times at which each of the plurality of CAN frames was received by a device on the first network 10, are stored as data.
  • The abnormality detection processing unit 104 uses the plurality of reception times respectively corresponding to the plurality of CAN frames, and, among the plurality of CAN frames having the same identifier, compares the first reception time of the first CAN frame with the second reception time of the second CAN frame to detect whether or not the first CAN frame is abnormal.
  • Thereby, the abnormality detection device, a device on the first network 10, can detect an abnormality in a CAN frame having periodicity, and so can stop the autonomous driving.
  • The second rule further indicates, for the CAN frame corresponding to each of the plurality of identifiers, the permitted amount of change from the data value of the preceding CAN frame. If the difference between the first data value of the first CAN frame and the second data value of the second CAN frame exceeds the amount of change associated with that identifier in the second rule, the abnormality detection processing unit 104 further detects that the first CAN frame is abnormal. As a result, even if an abnormality occurs on the second network 20, the abnormality detection device, a device on the first network 10, can detect the abnormality in the data value of the CAN frame, and thus can stop the autonomous driving.
  • The third embodiment will be described.
  • Although the autonomous driving DCU 100 as the abnormality detection device according to the third embodiment performs abnormality detection of the CAN frame in substantially the same manner as the autonomous driving DCU according to the second embodiment, it differs in that the rule for abnormality detection can be specified for each CAN-ID.
  • FIG. 16 is a diagram showing an image of transmitting an E frame based on a plurality of CAN frames received by the CAN gateway 200 according to the third embodiment.
  • FIG. 17 shows a table in which the abnormality detection rules used when detecting a CAN abnormality in the autonomous driving DCU 100 according to the third embodiment are defined.
  • The abnormality detection processing unit 104 of the autonomous driving DCU 100 checks the cycle of CAN frames having the same CAN-ID as the received CAN frame to detect an abnormality.
  • Specifically, the abnormality detection processing unit 104 performs abnormality detection using the second rule described in the second embodiment and the cycle calculated with reference to the reception times of the CAN frames.
  • The abnormality detection processing unit 104 of the autonomous driving DCU 100 also checks the amount of change in the data value of the CAN frame to detect an abnormality.
  • Specifically, the abnormality detection processing unit 104 performs abnormality detection using the data value of the CAN frame and the second rule described in the second embodiment.
  • The abnormality detection processing unit 104 of the autonomous driving DCU 100 further checks the message authentication code of the CAN frame to detect an abnormality.
  • For rule 3, it is assumed that the autonomous driving DCU 100 shares the MAC key used for authentication in advance. That is, in this case, the abnormality detection processing unit 104 determines that the CAN frame is normal if the message authentication code in the frame matches the one computed with the MAC key, and determines that it is abnormal if they do not match.
  • The abnormality detection processing unit 104 acquires a rule associated with each of the plurality of identifiers as the abnormality detection rule, and detects that the CAN frame is abnormal with reference to that abnormality detection rule.
  • As a result, the abnormality detection apparatus can set the detection rule for each CAN frame. For example, when the load on the second network 20 side is high and detection processing on the second network 20 side is difficult, the device on the first network 10 can detect an abnormality of the second network 20 instead.
  • The CAN gateway 200 may receive a plurality of CAN frames and attach to each received CAN frame the abnormality detection rule associated with its CAN-ID.
  • The abnormality detection rule attached by the CAN gateway 200 may be, for example, the second rule described with reference to FIG. 13 in the second embodiment.
  • In this case, the CAN gateway 200 may attach only the rule corresponding to the CAN-ID among the second rules, or may attach all of the second rules.
  • Alternatively, the abnormality detection rule described with reference to FIG. 17 may be held by the abnormality detection rule holding unit 105 of the autonomous driving DCU 100.
  • In either case, the abnormality detection rule is associated with each CAN-ID.
  • Embodiments 1 to 3 have been described above as examples of the technology according to the present disclosure.
  • However, the technology according to the present disclosure is not limited to these, and is also applicable to embodiments in which changes, replacements, additions, omissions, and the like are made as appropriate.
  • For example, the following modifications are also included in embodiments of the present disclosure.
  • In the above embodiments, data frames are transmitted according to the CAN protocol in the in-vehicle network; however, the CAN protocol may be treated in a broad sense that includes derivative protocols such as CANopen, used for embedded systems in automation systems, TTCAN (Time-Triggered CAN), and CAN FD (CAN with Flexible Data Rate).
  • The in-vehicle network may also use a protocol other than the CAN protocol. For example, LIN (Local Interconnect Network), MOST (registered trademark) (Media Oriented Systems Transport), FlexRay (registered trademark), Ethernet (registered trademark), or the like may be used as the protocol of the in-vehicle network for transmitting frames and the like for vehicle control.
  • The Ethernet (registered trademark) protocol may likewise be treated in a broad sense that includes derivative protocols such as Ethernet (registered trademark) AVB (Audio Video Bridging) according to IEEE 802, Ethernet (registered trademark) TSN (Time Sensitive Networking) according to IEEE 802.12, Ethernet (registered trademark)/IP (Industrial Protocol), and EtherCAT (registered trademark) (Ethernet (registered trademark) for Control Automation Technology).
  • The network bus of the in-vehicle network may be, for example, a wired communication path made up of a wire, an optical fiber, or the like.
  • The frame transmission blocking device 2400 is connected to the network bus in a network system in which ECUs communicate using any of the above-mentioned protocols, receives frames, and manages information indicating whether blocking of frame transmission is permitted; based on that information, it may switch whether or not to execute a predetermined process for blocking transmission of a received frame when the received frame satisfies a predetermined condition.
  • Although the data frame of the CAN protocol is described in the standard ID format in the above embodiments, it may be in the extended ID format, in which case the ID of the data frame may be the extended ID or the like.
  • The above data frame may also be a type of frame in a network using a protocol other than CAN. In this case, an ID identifying the type of the frame or the like corresponds to the ID of the data frame.
  • In the above embodiments, an illegitimate automatic driving control command is prevented; however, an abnormality in the control of an advanced driving support system, such as a parking support system, a lane keeping function, or a collision prevention function, may also be detected.
  • In the above embodiments, the server 2 and the IVI (In-Vehicle Infotainment) 310 are notified when an abnormality is detected; however, if communication by V2X or V2I is possible, that is, if vehicle-to-vehicle or road-to-vehicle communication is supported, the abnormality may be notified to other vehicles or to infrastructure devices. As a result, an abnormality can be notified to other vehicles or to a device carried by a passerby, which makes it possible to prevent an accident.
  • In the above embodiments, the server 2 and the IVI (In-Vehicle Infotainment) 310 are notified when an abnormality is detected; however, the abnormality may instead be left as a log in a device on the in-vehicle network. If it is left in a log, the dealer can grasp the contents of the abnormality by reading the log from the diagnostic port. Alternatively, the log may be transmitted periodically to the server 2, which enables remote detection of vehicle abnormalities.
  • In the above embodiments, the CAN gateway stores the CAN frame carrying the vehicle state information in the data of the E frame; however, as long as the vehicle state information can be identified, the data need not be in CAN frame format.
  • The autonomous driving DCU 100 may be connected to the second transmission path.
  • In that case, the CAN frames flowing on the second transmission path may be read to receive the vehicle state information.
  • The automatic driving control command may also be transmitted directly to the second transmission path.
  • Although the abnormality detection rule for the automatic driving control command in FIG. 9 and the abnormality detection rule in FIG. 13 define normal conditions as a whitelist, a third rule defined as a blacklist may be used instead.
  • That is, the third rule, in which a blacklist is defined, may be used as the abnormality detection rule instead of the second rule, in which a whitelist is defined.
  • The third rule indicates a range of the CAN frame reception cycle for the CAN frame corresponding to each CAN-ID, which is an identifier indicating the type of data of the CAN frame. The third rule further indicates, for the CAN frame corresponding to each of the plurality of identifiers, an amount of change from the data value of the immediately preceding CAN frame.
  • The abnormality detection processing unit 104 of the autonomous driving DCU 100 uses the plurality of reception times respectively corresponding to the plurality of CAN frames obtained from the E frame received by the second communication unit 101b to detect whether each of the plurality of CAN frames included in the E frame is abnormal. Specifically, among the plurality of CAN frames having the same identifier, the abnormality detection processing unit 104 compares the first reception time of the first CAN frame with the second reception time of the second CAN frame to detect whether the first CAN frame is abnormal. If the difference between the first reception time and the second reception time is within the range of the reception cycle associated with the same identifier in the third rule, the abnormality detection processing unit 104 detects that the first CAN frame is abnormal.
  • As a result, the abnormality detection device can detect an abnormality in a CAN frame having periodicity within a device on the first network 10, so it becomes possible to stop the automatic operation.
  • Further, the abnormality detection processing unit 104 may detect that the first CAN frame is abnormal if the difference between the first data value of the first CAN frame and the second data value of the second CAN frame is within the range of the change amount associated with the same identifier in the third rule.
  • As a result, the abnormality detection device can detect an abnormality in the data value of a CAN frame within a device on the first network 10, so it becomes possible to stop the automatic operation.
  • the abnormality detection rule may detect abnormality by combining the whitelist and the blacklist.
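The following Python, added here as an illustration and not code from the patent, implements the per-CAN-ID checks described above: the second rule (permitted reception cycle and change amount per identifier), its third-rule blacklist variant, and a rule-3 style MAC verification with a pre-shared key. The CAN-IDs, rule values, decoded data values and the HMAC-SHA256 tag construction are constructed assumptions; the patent specifies none of them.

```python
"""Per-CAN-ID anomaly checks of the kind the autonomous driving DCU applies to CAN
frames carried in an E frame. Constructed example, not the patent's code."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Anomaly = Tuple[int, float, List[str]]  # (CAN-ID, reception time in ms, reasons)


@dataclass(frozen=True)
class CanFrame:
    can_id: int                  # identifier giving the type of data in the frame
    data: int                    # decoded data value (assumed signed integer)
    rx_time_ms: float            # reception time recorded by the CAN gateway
    mac: Optional[bytes] = None  # message authentication code, if the frame carries one


@dataclass(frozen=True)
class IdRule:
    """Inclusive reception-cycle range and change-amount range for one CAN-ID.
    Second rule (whitelist): permitted ranges. Third rule (blacklist): abnormal ranges."""
    period_ms: Tuple[float, float]
    delta: Tuple[int, int]


class CanFrameChecker:
    """Remembers the last frame seen per CAN-ID, so the first frame of an E frame
    is compared with the last frame of the previous E frame."""

    def __init__(self, rules: Dict[int, IdRule], blacklist: bool = False):
        self.rules = rules
        self.blacklist = blacklist
        self.last: Dict[int, CanFrame] = {}

    def _judge(self, rule: IdRule, period: float, delta: int) -> List[str]:
        period_hit = rule.period_ms[0] <= period <= rule.period_ms[1]
        delta_hit = rule.delta[0] <= delta <= rule.delta[1]
        if self.blacklist:   # third rule: matching a listed range is the abnormality
            hits = (period_hit, delta_hit)
        else:                # second rule: leaving the permitted range is the abnormality
            hits = (not period_hit, not delta_hit)
        return [name for name, hit in zip(("period", "delta"), hits) if hit]

    def check_e_frame(self, frames: List[CanFrame]) -> List[Anomaly]:
        """One entry per CAN frame judged abnormal; an empty list means all normal."""
        anomalies: List[Anomaly] = []
        for frame in sorted(frames, key=lambda f: f.rx_time_ms):
            rule = self.rules.get(frame.can_id)
            prev = self.last.get(frame.can_id)
            self.last[frame.can_id] = frame
            if rule is None:
                # Design choice not stated in the patent: an identifier with no whitelist
                # entry is not permitted; a blacklist has nothing to say about it.
                if not self.blacklist:
                    anomalies.append((frame.can_id, frame.rx_time_ms, ["unknown-id"]))
                continue
            if prev is None:
                continue  # no earlier frame with this identifier, nothing to compare
            period = frame.rx_time_ms - prev.rx_time_ms
            delta = abs(frame.data - prev.data)
            reasons = self._judge(rule, period, delta)
            if reasons:
                anomalies.append((frame.can_id, frame.rx_time_ms, reasons))
        return anomalies

    def transfer_allowed(self, frames: List[CanFrame]) -> bool:
        """The DCU forwards the control command only when every CAN frame is normal."""
        return not self.check_e_frame(frames)


def make_mac(key: bytes, can_id: int, data: int) -> bytes:
    """Rule-3 style tag over CAN-ID and data. HMAC-SHA256 truncated to 4 bytes is an
    assumption; the patent only says the DCU shares the MAC key in advance."""
    msg = can_id.to_bytes(2, "big") + data.to_bytes(8, "big", signed=True)
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def verify_mac(key: bytes, frame: CanFrame) -> bool:
    """Constant-time comparison of the carried tag with the recomputed one."""
    if frame.mac is None:
        return False
    return hmac.compare_digest(make_mac(key, frame.can_id, frame.data), frame.mac)


# Constructed rule table in the style of FIG. 13: permitted ranges per CAN-ID.
WHITELIST = {
    0x100: IdRule(period_ms=(90.0, 110.0), delta=(0, 5)),
    0x200: IdRule(period_ms=(45.0, 55.0), delta=(0, 20)),
}
# Constructed blacklist: a 0x100 frame within 20 ms of the previous one, or a jump
# of 50 or more, is abnormal.
BLACKLIST = {0x100: IdRule(period_ms=(0.0, 20.0), delta=(50, 1 << 31))}


def demo() -> Tuple[List[Anomaly], List[Anomaly], List[Anomaly]]:
    wl = CanFrameChecker(WHITELIST)
    e1 = [CanFrame(0x100, 10, 0.0), CanFrame(0x200, 50, 0.0),    # all periodic and
          CanFrame(0x100, 12, 100.0), CanFrame(0x200, 60, 50.0)]  # within range
    e2 = [CanFrame(0x100, 13, 200.0), CanFrame(0x100, 30, 205.0)]  # 5 ms gap, jump of 17
    bl = CanFrameChecker(BLACKLIST, blacklist=True)
    e3 = [CanFrame(0x100, 10, 0.0), CanFrame(0x100, 12, 100.0), CanFrame(0x100, 12, 105.0)]
    return wl.check_e_frame(e1), wl.check_e_frame(e2), bl.check_e_frame(e3)
```

`demo()` shows the whitelist passing the first E frame and flagging the second, and the blacklist flagging only the frame that arrives 5 ms after its predecessor.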
  • Although the switch rule in FIG. 8 defines the IP addresses, MAC addresses and port numbers of normal transmission sources and destinations in whitelist format, it may also be defined as a blacklist. Further, conditions on the flow rate, the communication frequency, and the value of the payload may be defined as rules in the switch rule.
  • In the above embodiments, the frame abnormality detection apparatus is mounted on a vehicle and included in an in-vehicle network system that performs communication for controlling the vehicle; however, it may be included in a network system for controlling some other moving body. That is, the moving body may be, for example, a robot, an aircraft, a ship, a machine, a construction machine, an agricultural machine, or a drone.
  • Each device such as the ECU described in the above embodiments may be provided with a hard disk unit, a display unit, a keyboard, a mouse, and the like in addition to a memory, a processor, and the like. Further, the function of each such device may be realized in software by the processor executing a program stored in the memory, or may be realized by dedicated hardware (such as a digital circuit) without using a program. Also, the sharing of functions among the components of each device can be changed.
  • Part or all of the components constituting each device in the above embodiments may be configured as one system LSI (Large Scale Integration: large scale integrated circuit).
  • The system LSI is a super-multifunctional LSI manufactured by integrating a plurality of components on one chip, and more specifically is a computer system including a microprocessor, a ROM, a RAM, and the like.
  • A computer program is recorded in the RAM.
  • The system LSI achieves its functions by the microprocessor operating according to the computer program.
  • Each of the components constituting each of the above devices may be integrated into a separate chip, or some or all of them may be integrated into one chip.
  • Depending on the degree of integration, a system LSI may be called an IC, an LSI, a super LSI, or an ultra LSI.
  • The method of circuit integration is not limited to LSI, and implementation using dedicated circuitry or a general-purpose processor is also possible.
  • A programmable FPGA (Field Programmable Gate Array) may be used, or a reconfigurable processor that can reconfigure the connection and settings of circuit cells in the LSI may be used.
  • If integrated circuit technology that replaces LSI emerges as a result of advances in semiconductor technology or another derived technology, the functional blocks may naturally be integrated using that technology. Application of biotechnology or the like may also be possible.
  • The IC card or the module is a computer system including a microprocessor, a ROM, a RAM, and the like.
  • The IC card or the module may include the above-described super-multifunctional LSI.
  • The IC card or the module achieves its functions by the microprocessor operating according to the computer program. This IC card or module may be tamper resistant.
  • One aspect of the present disclosure may be a program (computer program) that realizes the abnormality detection method by a computer, or may be a digital signal including the computer program.
  • One aspect of the present disclosure may also be the computer program or the digital signal recorded on a computer-readable recording medium such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, a BD (Blu-ray (registered trademark) Disc), or a semiconductor memory.
  • The digital signal may be recorded on these recording media.
  • The computer program or the digital signal may be transmitted via a telecommunication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting, or the like.
  • One aspect may be a computer system including a microprocessor and a memory, where the memory stores the computer program and the microprocessor operates according to the computer program.
  • The program or the digital signal may be implemented by another independent computer system by recording it on the recording medium and transferring it, or by transferring it via the network or the like.
  • The abnormality detection device according to the present disclosure is useful as an abnormality detection device and an abnormality detection method that can effectively detect an abnormality.

Landscapes

  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Mechanical Engineering (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Human Computer Interaction (AREA)
  • Transportation (AREA)
  • Small-Scale Networks (AREA)

Abstract

Provided is an abnormality detection device for detecting abnormalities in a network system mounted on a moving body. The abnormality detection device detects abnormalities in a network system including a first network and a second network having different communication protocols from each other. The abnormality detection device receives state information indicating the state of the moving body and acquired from the second network, transmits and receives an E frame by the communication protocol of the first network, stores an abnormality detection rule, and detects whether or not a control command contained in the received E frame is abnormal by referring to the state information and the abnormality detection rule. When detecting that the control command is abnormal, the abnormality detection device prohibits forwarding of the control command.

Description

Abnormality detection device and abnormality detection method

The present disclosure relates to an abnormality detection device and an abnormality detection method for detecting an abnormality in a network system mounted on a moving body.

Patent Document 1 discloses an in-vehicle network system for controlling a vehicle.

JP 2012-6446 A

With the technology of Patent Document 1, there is a risk that an abnormality cannot be detected effectively in a network system mounted on a moving body such as a vehicle.

An object of the present disclosure is to provide an abnormality detection device and an abnormality detection method capable of effectively detecting an abnormality in a network system mounted on a moving body.

In order to solve the above problem, an abnormality detection device according to one aspect of the present disclosure is an abnormality detection device that is mounted on a moving body and detects an abnormality in a network system having a first network and a second network whose communication protocols differ from each other, and includes: a first communication unit that receives state information indicating the state of the moving body acquired from the second network; a second communication unit that transmits and receives a first frame according to the communication protocol of the first network; an abnormality detection rule holding unit that holds an abnormality detection rule; and an abnormality detection processing unit that detects, with reference to the state information and the abnormality detection rule, whether or not a control command included in the first frame received by the second communication unit is abnormal, wherein the abnormality detection processing unit prohibits transfer of the control command when it detects that the control command is abnormal.

These general or specific aspects may be realized by a system, a method, an integrated circuit, a computer program, or a recording medium such as a computer-readable CD-ROM, or by any combination of a system, a method, an integrated circuit, a computer program, and a recording medium.

According to the abnormality detection device and the abnormality detection method of the present disclosure, an abnormality can be effectively detected in a network system mounted on a moving body.

FIG. 1 is an overall configuration diagram of an in-vehicle network according to a first embodiment.
FIG. 2 is a diagram showing the format of a data frame (CAN frame) transmitted and received on the second network.
FIG. 3 is a diagram showing the format of an E frame transmitted and received on the first network.
FIG. 4 is a diagram showing an example of the data configuration in the payload of an E frame.
FIG. 5 is a block diagram showing an example of the functional configuration of the CAN gateway.
FIG. 6 is a diagram showing an image of transmitting an E frame based on a plurality of CAN frames received by the CAN gateway according to the first embodiment.
FIG. 7 is a block diagram showing an example of the functional configuration of the autonomous driving DCU.
FIG. 8 is a diagram showing an example of switch rules held by the switch rule holding unit.
FIG. 9 is a diagram showing an example of an abnormality detection rule held by the abnormality detection rule holding unit of the autonomous driving DCU according to the first embodiment.
FIG. 10 is a sequence diagram showing an example of an abnormality detection method in the network system according to the first embodiment.
FIG. 11 is a sequence diagram showing an example of an abnormality detection method in the network system according to the first embodiment.
FIG. 12 is a diagram showing an image of transmitting an E frame based on a plurality of CAN frames received by the CAN gateway according to the second embodiment.
FIG. 13 is a diagram showing an example of an abnormality detection rule held by the abnormality detection rule holding unit 105 of the autonomous driving DCU according to the second embodiment.
FIG. 14 is a sequence diagram showing an example of an abnormality detection method in the network system according to the second embodiment.
FIG. 15 is a sequence diagram showing an example of an abnormality detection method in the network system according to the second embodiment.
FIG. 16 is a diagram showing an image of transmitting an E frame based on a plurality of CAN frames received by the CAN gateway according to the third embodiment.
FIG. 17 is a diagram showing a table that defines the detection rules used when detecting a CAN abnormality in the autonomous driving DCU according to the third embodiment.

(Findings that formed the basis of the present invention)
The inventor found that the following problems arise with the in-vehicle network system described in the "Background Art" section.

 近年、自動車の中のシステムには、電子制御ユニット(ECU:Electronic Control Unit)と呼ばれる装置が多数配置されている。これらのECUをつなぐネットワークは車載ネットワークと呼ばれる。車載ネットワークには、多数の規格が存在する。その中でも最も主流な車載ネットワークの一つに、ISO11898-1で規定されているCAN(Controller Area Network)という規格が存在する。また、より多くの情報を伝送するための規格として、IEEE 802.3で規定されているEthernet(登録商標)という規格が存在する。 In recent years, a large number of devices called electronic control units (ECUs) are disposed in a system in a car. A network connecting these ECUs is called an in-vehicle network. There are many standards for in-vehicle networks. Among them, one of the most mainstream in-vehicle networks is a standard called CAN (Controller Area Network) defined by ISO 11898-1. Further, as a standard for transmitting more information, there is a standard called Ethernet (registered trademark) defined by IEEE 802.3.

 先進運転支援システムや自動運転においては、カメラもしくはLIDAR(Light Detection and Ranging)などのセンサにより得られたデータ、または、ダイナミックマップに用いるデータのような膨大な情報を処理する必要があるため、データ伝送速度が高いEthernet(登録商標)の導入が進んでいる。一方で、従来から存在するCANも車両制御系としては利用されている。そのため、CANとEthernet(登録商標)とが混在する車載ネットアーキテクチャが増えている。 In advanced driving support systems and automatic driving, it is necessary to process a vast amount of information such as data obtained by a camera or sensor such as LIDAR (Light Detection and Ranging) or data used for a dynamic map. The introduction of Ethernet (registered trademark) with high transmission speed is in progress. On the other hand, CAN existing conventionally is also used as a vehicle control system. Therefore, an in-vehicle network architecture in which CAN and Ethernet (registered trademark) are mixed is increasing.

 自動車は、外部ネットワークと接続され、電子制御化が進んでいる。これにより、自動車は、自動車の制御系コマンドがなりすまされることで、不正に操作される脅威がある。そのような脅威から守るために、特許文献1の技術では、後付け電子制御装置から、車内ネットワークシステムの車両制御系ネットワークにデータを送信する場合に、車内ネットワークの情報系ネットワークに送信されたデータを車両制御系ネットワークへ転送することの可否の判断をしていている。しかし、特許文献1の技術では、複数の異なる通信プロトコル上に流れる情報を元に転送可否の判断をしていない。したがって、従来技術には、例えば、CANおよびEthernet(登録商標)のような互いに異なる通信プロトコルによる複数のネットワークの間でデータの転送を行う場合に、適切に転送可否の判断をできないという課題があった。 Automobiles are connected to external networks, and electronic control is in progress. As a result, there is a threat that the vehicle is tampered with by spoofing control commands of the vehicle. In order to protect against such threats, in the technology of Patent Document 1, when data is transmitted from the retrofit electronic control device to the vehicle control system network of the in-vehicle network system, the data transmitted to the information system network of the in-vehicle network is It is determined whether to transfer to the vehicle control system network. However, in the technique of Patent Document 1, the determination as to transferability is not made based on the information flowing on a plurality of different communication protocols. Therefore, in the related art, there is a problem that, for example, when data is transferred between a plurality of networks using different communication protocols such as CAN and Ethernet (registered trademark), it is impossible to appropriately determine whether transfer is possible or not. The

 本発明者らは、鋭意検討の上、複数の異なる通信プロトコル上に流れる情報を参照し、車両制御系のメッセージが不正であるかどうかを判断することで、安全な自動運転または先進運転支援システムを実現するための異常検知装置および異常検知方法を見出すに至った。 The present inventors, after earnest investigation, refer to information flowing on a plurality of different communication protocols to determine whether or not the message of the vehicle control system is incorrect, thereby a safe automatic driving or advanced driving support system. We have come to find an anomaly detection apparatus and an anomaly detection method for realizing the

 本開示の一態様に係る異常検知装置は、移動体に搭載され、通信プロトコルが互いに異なる第1ネットワークおよび第2ネットワークを有するネットワークシステムにおける異常を検知する異常検知装置であって、前記第2ネットワークから取得される前記移動体の状態を示す状態情報を受信する第1通信部と、前記第1ネットワークの通信プロトコルによる第1フレームを送受信する第2通信部と、異常検知ルールを保持する異常検知ルール保持部と、前記状態情報と、前記異常検知ルールとを参照して、前記第2通信部において受信された前記第1フレームに含まれる制御コマンドが異常であるか否かを検知する異常検知処理部と、を備え、前記異常検知処理部は、前記制御コマンドが異常であることを検知した場合、当該制御コマンドの転送を禁止する。 An abnormality detection device according to an aspect of the present disclosure is an abnormality detection device that is mounted on a mobile body and detects an abnormality in a network system having a first network and a second network that have different communication protocols from each other, and the second network A first communication unit for receiving status information indicating the status of the mobile obtained from the second communication unit for transmitting and receiving a first frame according to a communication protocol of the first network, and an anomaly detection for retaining an anomaly detection rule Abnormality detection that detects whether or not a control command included in the first frame received by the second communication unit is abnormal with reference to a rule holding unit, the state information, and the abnormality detection rule A processing unit, and the abnormality detection processing unit detects that the control command is abnormal; To prohibit the transfer.

 これにより、異常検知装置は、第2ネットワークから得られる移動体の状態情報と、異常検知ルールとに基づき、生成された自動運転の制御コマンドが異常であるかを検知する。このため、移動体に搭載されるネットワークシステムにおいて、効果的に異常を検知することができる。 Thereby, the abnormality detection device detects whether or not the generated control command for automatic driving is abnormal, based on the state information of the mobile obtained from the second network and the abnormality detection rule. For this reason, it is possible to effectively detect an abnormality in a network system mounted on a mobile.

 また、異常検知装置は、異常があることを検知された制御コマンドの転送を禁止する。このため、例えば第1ネットワークに接続される機器に脆弱性があって、第1ネットワーク経由で攻撃された場合であっても、異常検知装置は、不正な自動運転の制御を防止することができる。し、異常検知時に、自動運転や先進運転システムといった車両制御コマンドの実行を防止することが可能となる。 Further, the abnormality detection device prohibits transfer of a control command detected that there is an abnormality. Therefore, for example, even if there is vulnerability in the device connected to the first network and attacked via the first network, the abnormality detection device can prevent unauthorized control of automatic operation. . When an abnormality is detected, it is possible to prevent the execution of a vehicle control command such as an automatic driving or an advanced driving system.

The abnormality detection rules may include a first rule indicating the control commands permitted in each of a plurality of different states of the mobile body, and the abnormality detection processing unit may detect that the control command is abnormal when the state of the mobile body indicated by the state information is not among the states with which that control command is associated in the first rule.

This allows the abnormality detection device to detect an abnormal vehicle control command on the basis of the vehicle state, for example the current vehicle speed, the steering angle, or the shift position.

The control command may be a control command that causes the mobile body to perform at least one of going, turning, and stopping.

This allows the abnormality detection device to detect abnormal control commands from an autonomous driving or advanced driver assistance system, such as sudden steering, sudden braking, or sudden acceleration while driving, or a sudden start while stopped, and thereby provide a safe driving environment.

The first network may be an Ethernet (registered trademark) network and the second network a CAN network; the first communication unit may receive the state information by receiving a CAN frame containing the state information; the abnormality detection rules may further include a second rule for detecting whether the CAN frame is abnormal; and the abnormality detection processing unit may further prohibit forwarding of the control command when it detects that the CAN frame is abnormal.

This allows a vehicle control command to be executed only after the CAN frame has been checked for abnormalities.

The first network may be an Ethernet (registered trademark) network and the second network a CAN network, and the first communication unit may receive a second frame, which is an Ethernet (registered trademark) frame in which a CAN frame indicating the state information is stored.

In this way, the CAN frame indicating the state information is carried inside an Ethernet (registered trademark) frame, and a device on the Ethernet (registered trademark) network can detect abnormalities in the CAN frame.

The second frame may store a plurality of CAN frames including the CAN frame indicating the state information; the abnormality detection rules may further include a second rule for detecting whether each of the plurality of CAN frames is abnormal; each of the plurality of CAN frames may have an identifier that differs by frame type; the second rule may indicate, for each of the identifiers, the permitted range of reception periods for CAN frames having that identifier; and the abnormality detection processing unit may use the reception times of the CAN frames to compute, among the CAN frames having the same identifier, the difference between the first reception time of a first CAN frame and the second reception time of a second CAN frame received immediately before the first CAN frame, and detect that the first CAN frame is abnormal when that difference is outside the reception period range associated with that identifier in the second rule.

Thus, even when an abnormality has occurred on the second network, a device on the first network can detect abnormalities in periodic CAN frames, so autonomous driving or advanced driver assistance systems can be stopped safely.

The second rule may further indicate, for each of the identifiers, the permitted amount of change of the corresponding state information from the data value of the immediately preceding state information, and the abnormality detection processing unit may further detect that the first state information is abnormal when the difference between the first data value of the first state information and the second data value of the second state information exceeds the amount of change associated with that identifier in the second rule.

Thus, even when an abnormality has occurred on the second network, the abnormality detection device can detect abnormal CAN frame data values at a device on the first network, so autonomous driving can be stopped.

The second frame may store a plurality of CAN frames including the CAN frame indicating the state information; the abnormality detection rules may further include a third rule for detecting whether each of the plurality of CAN frames is abnormal; each of the plurality of CAN frames may have an identifier that differs by frame type; the third rule may indicate, for each of the identifiers, a range of reception periods for CAN frames having that identifier; and the abnormality detection processing unit may use the reception times of the CAN frames to compute, among the CAN frames having the same identifier, the difference between the first reception time of a first CAN frame and the second reception time of a second CAN frame received immediately before the first CAN frame, and detect that the first CAN frame is abnormal when that difference is within the reception period range associated with that identifier in the third rule.

Thus, even when an abnormality has occurred on the second network, a device on the first network can detect abnormalities in periodic CAN frames, so autonomous driving or advanced driver assistance systems can be stopped safely.

The third rule may further indicate, for each of the identifiers, a range of amounts of change of the corresponding CAN frame from the data value of the immediately preceding CAN frame, and the abnormality detection processing unit may further detect that the first CAN frame is abnormal when the difference between the first data value of the first CAN frame and the second data value of the second CAN frame is within the range of change associated with that identifier in the third rule.

Thus, even when an abnormality has occurred on the second network, the abnormality detection device can detect abnormal CAN frame data values at a device on the first network, so autonomous driving can be stopped.

The abnormality detection processing unit may acquire, as the abnormality detection rules, rules associated with each of the plurality of identifiers, and detect that the state information is abnormal by referring to those rules.

This makes it possible, for example when processing on the second network side is under heavy load, to carry out abnormality detection for the second network at a device on the first network, which contributes to load distribution.

These general or specific aspects may be implemented as a system, a method, an integrated circuit, a computer program, or a computer-readable recording medium such as a CD-ROM, or as any combination of systems, methods, integrated circuits, computer programs, and recording media.

The abnormality detection device and abnormality detection method according to the embodiments are described below with reference to the drawings. Each embodiment shown here is a specific example of the present disclosure. The numerical values, components, arrangement and connection of components, steps and order of steps as elements of processing, and the like shown in the following embodiments are therefore examples and do not limit the present disclosure. Among the components in the following embodiments, those not recited in the independent claims are optional components. Each drawing is schematic and not necessarily drawn exactly.
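The three rule types summarized above, written out as an added example rather than code from the patent: a first rule (which control commands a vehicle state permits), a second, allow-list style rule (permitted reception period range and permitted change of the data value per CAN-ID) and a third, deny-list style rule (period and change ranges that mark a frame abnormal), plus the forwarding decision that refuses the control command when any CAN frame or the command itself is abnormal. The CAN-IDs, the two-byte big-endian signal layout, the periods, thresholds, state names and command names are assumptions chosen for illustration, as is the sample stream, which is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class CanFrame:
    can_id: int        # CAN-ID (frame type)
    data: bytes        # data field
    rx_time_ms: float  # reception time recorded by the receiving device

@dataclass
class RuleSet:
    # First rule: vehicle state -> control commands permitted in that state.
    allowed_commands: dict[str, set[str]]
    # Second rule (allow-list): CAN-ID -> (min period ms, max period ms, max |delta| of the value).
    whitelist: dict[int, tuple[float, float, int]]
    # Third rule (deny-list): CAN-ID -> ((period lo, hi), (delta lo, hi)) that mark a frame abnormal.
    blacklist: dict[int, tuple[tuple[float, float], tuple[int, int]]]

# Constructed rule set; the CAN-IDs, periods and thresholds are assumptions, not from the patent.
RULES = RuleSet(
    allowed_commands={"stopped": {"start", "brake"},
                      "driving": {"accelerate", "brake", "steer"}},
    whitelist={0x1A0: (8.0, 12.0, 50)},               # vehicle speed, nominal 10 ms period
    blacklist={0x2B0: ((0.0, 3.0), (1000, 0xFFFF))},  # steering angle: burst or impossible jump
)

def value_of(frame: CanFrame) -> int:
    # Assumption: the signal of interest is the first two data bytes, big-endian.
    return int.from_bytes(frame.data[:2], "big")

class AnomalyDetector:
    def __init__(self, rules: RuleSet):
        self.rules = rules
        self.prev: dict[int, CanFrame] = {}  # CAN-ID -> frame received immediately before

    def check_can_frame(self, frame: CanFrame) -> str | None:
        """Second and third rules. Returns None if the frame is normal, else the violated rule."""
        prev = self.prev.get(frame.can_id)
        self.prev[frame.can_id] = frame
        if prev is None:
            return None  # nothing to compare the first frame of this ID against
        period = frame.rx_time_ms - prev.rx_time_ms
        delta = abs(value_of(frame) - value_of(prev))
        wl = self.rules.whitelist.get(frame.can_id)
        if wl is not None:
            lo, hi, max_delta = wl
            if not lo <= period <= hi:
                return "rule2:period"
            if delta > max_delta:
                return "rule2:delta"
        bl = self.rules.blacklist.get(frame.can_id)
        if bl is not None:
            (plo, phi), (dlo, dhi) = bl
            if plo <= period <= phi:
                return "rule3:period"
            if dlo <= delta <= dhi:
                return "rule3:delta"
        return None

    def check_command(self, command: str, state: str) -> bool:
        """First rule: the command is normal only in the states it is associated with."""
        return command in self.rules.allowed_commands.get(state, set())

    def should_forward(self, can_frames: list[CanFrame], command: str, state: str) -> bool:
        """Forwarding decision: refused if any CAN frame is abnormal or the command is not permitted."""
        verdicts = [self.check_can_frame(f) for f in can_frames]  # check every frame, no short-circuit
        return all(v is None for v in verdicts) and self.check_command(command, state)

# Constructed sample stream (time-ordered): one injected speed frame 2 ms after a genuine one,
# and one steering frame whose value jumps far more than a wheel can turn in 20 ms.
SAMPLE = [
    CanFrame(0x1A0, b"\x00\x10", 0.0),
    CanFrame(0x2B0, b"\x00\x64", 5.0),
    CanFrame(0x1A0, b"\x00\x14", 10.0),
    CanFrame(0x1A0, b"\x03\xE8", 12.0),  # injected: value 1000, only 2 ms after the genuine frame
    CanFrame(0x1A0, b"\x00\x18", 20.0),
    CanFrame(0x2B0, b"\x00\x6E", 25.0),
    CanFrame(0x1A0, b"\x00\x1C", 30.0),
    CanFrame(0x2B0, b"\x07\xD0", 45.0),  # steering value 2000, previous value was 110
]

def run_sample() -> list[str | None]:
    det = AnomalyDetector(RULES)
    return [det.check_can_frame(f) for f in SAMPLE]

if __name__ == "__main__":
    for f, v in zip(SAMPLE, run_sample()):
        print(f"t={f.rx_time_ms:5.1f} id=0x{f.can_id:03X} value={value_of(f):5d} -> {v or 'ok'}")
    print("steer while stopped permitted:", AnomalyDetector(RULES).check_command("steer", "stopped"))
```

Running it flags the injected frame on the period rule and the steering jump on the deny-list rule. Note that the genuine speed frame at 20 ms is also flagged, on the change-of-value check, because, as the text defines it, the comparison is against the frame received immediately before, which is the injected one; a receiver that wants to avoid that follow-on verdict can compare against the last frame it judged normal instead, at the price of letting a sufficiently spaced flood frame pass once the gap from that frame re-enters the permitted period range.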

(Embodiment 1)
FIG. 1 is an overall configuration diagram of the in-vehicle network in Embodiment 1.

The network system 3 of the vehicle 1 is the network communication system of the vehicle 1, in which various devices such as control devices, sensors, actuators, and user interface devices are mounted. The network system 3 has a first network 10 and a second network 20. The vehicle 1 is an example of a mobile body. The first network 10 is an Ethernet (registered trademark) network in which Ethernet (registered trademark) frames (hereinafter "E frames") are transmitted according to the Ethernet (registered trademark) protocol. The second network 20 is a CAN network in which data frames (CAN frames) and the like are transmitted on a bus according to the CAN protocol.

As shown in FIG. 1, the network system 3 includes a central gateway 400, a telematics control unit 410, a diagnostic port 420, an autonomous driving DCU (Domain Control Unit) 100, an autonomous driving ECU 110, a camera 120, a LIDAR 130, a dynamic map ECU 140, an infotainment DCU 300, an IVI (In-Vehicle Infotainment) 310, a CAN gateway 200, an engine ECU 210, a steering ECU 220, a brake ECU 230, a window ECU 240, a first transmission path 11, and a second transmission path 21. The first transmission path 11 is the transmission path of the first network 10, for example an Ethernet (registered trademark) cable. The second transmission path 21 is the transmission path of the second network 20, for example a CAN bus.

The network system 3 may include any number of further ECUs or DCUs in addition to the ECUs 110, 140, 210, 220, 230, 240 and DCUs 100, 300 described above. For example, ECUs not shown may be connected to the second transmission path 21 in addition to the ECUs 210, 220, 230, 240.

Each of the ECUs 110, 140, 210, 220, 230, 240 and DCUs 100, 300 is a device that includes, for example, a processor (microprocessor), digital circuits such as memory, analog circuits, and communication circuits. The memory is ROM, RAM, or the like and can store programs (computer programs, as software) executed by the processor; it may include non-volatile memory. The ECU implements its various functions by, for example, having the processor operate according to a program (computer program). A computer program is composed of a plurality of instruction codes, each indicating an instruction to the processor, combined so as to achieve a given function.

Each of the ECUs 210, 220, 230, 240 exchanges frames according to the CAN protocol. The ECUs 210, 220, 230, 240 are connected respectively to devices such as the engine, the steering, the brakes, and a window open/close sensor; each acquires the state of its device and transmits data frames representing that state, for example periodically, to the second network 20 made up of the second transmission path 21 and the like. Each of the ECUs 210, 220, 230, 240 also receives data frames from the second transmission path 21 constituting the second network 20, interprets them, and determines whether a received data frame has a CAN-ID it should accept. Depending on the result, each ECU may control the device connected to it according to the data in the data frame (the contents of the data field) as needed, and may generate and transmit data frames as needed.

Each of the ECUs 110, 140 and DCUs 100, 300 transmits or receives E frames according to the Ethernet (registered trademark) protocol. The DCUs 100, 300 are connected to devices such as the IVI 310, the autonomous driving ECU 110, the camera 120, the LIDAR 130, and the dynamic map ECU 140, and perform processing based on information obtained from those devices. Each DCU 100, 300 may also control the devices connected to it as needed and transmit information to other ECUs as needed.

The telematics control unit 410, the diagnostic port 420, the autonomous driving DCU 100, the CAN gateway 200, and the infotainment DCU 300 are connected to the central gateway 400 via the first transmission path 11. The central gateway 400 includes, for example, digital circuits such as memory, analog circuits, and communication circuits.

The telematics control unit 410 is the unit through which the vehicle 1 communicates with the server 2 on the external network 30. It may have a wireless communication interface conforming to a communication standard used in a mobile communication system such as the third generation (3G), fourth generation (4G), or LTE (registered trademark) system, or a wireless LAN (Local Area Network) interface conforming to the IEEE 802.11a, b, g, n standards. That is, the external network 30 is a cellular network, Wi-Fi, or the like. The server 2 is, for example, a computer having a function of providing information to the ECUs of the vehicle 1.

The diagnostic port 420 is a port used by dealers for fault diagnosis of the vehicle 1, through which diagnostic commands are sent and received.

The autonomous driving DCU 100 is connected to the autonomous driving ECU 110, the camera 120, the LIDAR 130, and the dynamic map ECU 140 via the first transmission path 11.

The autonomous driving ECU 110 generates control commands that control the driving of the vehicle 1. Specifically, it generates control commands for the steering that steers the wheels, the power source such as an engine or motor that drives the wheels, the brakes that brake the wheels, and so on. That is, a control command causes the vehicle 1 to perform at least one of going (that is, driving), turning, and stopping. The autonomous driving ECU 110 transmits the generated control commands to the second network 20.

The camera 120 captures the situation outside the vehicle, that is, the surroundings of the vehicle 1. The camera 120 may be mounted, for example, on the outside of the body of the vehicle 1.

The LIDAR 130 is a sensor for detecting obstacles outside the vehicle. It is, for example, a laser sensor that measures the distance to objects within a detection range of 360 degrees horizontally and a predetermined angle (for example 30 degrees) vertically around the vehicle 1. The LIDAR 130 emits laser light around the vehicle 1 and measures the distance from the LIDAR 130 to an object by detecting the light reflected by surrounding objects.

The dynamic map ECU 140 is an electronic control unit that receives data used for a dynamic map and decodes the dynamic map from the received data. The decoded dynamic map is used, for example, for autonomous driving control by the autonomous driving ECU 110.

The CAN gateway 200 is a gateway connected to both the second network 20 and the first network 10. In this embodiment the second network 20 has two CAN buses: a control-system bus to which the engine ECU 210, the steering ECU 220, and the brake ECU 230 are connected, and a body-system bus to which the window ECU 240 that controls window opening and closing is connected. The CAN gateway 200 includes a processor, digital circuits such as memory, analog circuits, communication circuits, and the like. It has the function of forwarding (relaying) a frame received on one of the two transmission paths 11, 21 to the other. Frame forwarding by the CAN gateway 200 is the relaying of the data carried by the frame. When forwarding, the CAN gateway 200 may convert the communication method, frame format, and so on to match the communication protocol used on the destination transmission path. As frame forwarding between transmission paths, the CAN gateway 200 may also transmit one or more frames onto one or more transmission paths in response to one or more frames received from one or more transmission paths.

The infotainment DCU 300 is connected to the IVI 310 via the first transmission path 11 and performs domain management of the information-system network. The IVI 310 is a device with a display that has multimedia functions such as video and audio playback.

FIG. 2 shows the format of the data frames (CAN frames) transmitted and received on the second network.

On the second network 20, the ECUs 210, 220, 230, 240 and so on exchange frames according to the CAN protocol. Frames in the CAN protocol include data frames, remote frames, overload frames, and error frames; the description here focuses mainly on data frames.

FIG. 2(a) shows the standard format. In the standard format, a data frame consists of SOF (Start Of Frame), ID (CAN-ID), RTR (Remote Transmission Request), IDE (Identifier Extension), reserved bit "r", size, data, CRC (Cyclic Redundancy Check) sequence, CRC delimiter "DEL", ACK (Acknowledgement) slot, ACK delimiter "DEL", and EOF (End Of Frame). The ID (CAN-ID) in the ID field is an identifier indicating the type of data and is also called the message ID; that is, CAN frames carry a different identifier for each type. In CAN, when several nodes start transmitting at the same time, arbitration gives priority to the frame whose CAN-ID has the smaller value. The size is the DLC (Data Length Code), which indicates the length of the data field that follows. The specification of the data (the contents of the data field) is not defined by the CAN protocol but by the network system 3, and may therefore depend on the vehicle model, the manufacturer, and so on.

FIG. 2(b) shows the extended format. This embodiment is described assuming that the standard format is used on the second network 20; if the extended format is used on the first network 10, the 11-bit base ID of the ID field (part of the CAN-ID) and the 18-bit extended ID (the remainder of the CAN-ID) are combined and the resulting 29 bits are treated as the CAN-ID.

FIG. 3 shows the format of the E frames transmitted and received on the first network.

As shown in the figure, an E frame consists of an Ethernet (registered trademark) payload ("E payload"), which carries the data that is the main content of the transmission, and an Ethernet (registered trademark) header ("E header"). The E header contains the destination MAC address and the source MAC address. The E payload contains an IP header, a TCP/UDP header, and data. The IP header contains the source IP address and the destination address; in FIG. 3 it is labeled "IPv4 header". The TCP/UDP header is either a TCP header or a UDP header and contains the source port number and the destination port number.

When forwarding CAN frames received from a CAN bus to the first network 10, the CAN gateway 200 in the network system 3 transmits an E frame containing a plurality of CAN frame information entries. CAN frame information is information extracted from a CAN frame transmitted on the CAN bus and includes at least the contents of the data field (the data). It may also include, for example, the CAN-ID and the size.

FIG. 4 shows an example of the data layout inside the payload of the E frame of FIG. 3. In the example of FIG. 4, each CAN frame information entry consists of a CAN-ID, a size, and data. The message count (number of MSGs) in FIG. 4 indicates the number of CAN frame information entries; information indicating the total data amount of the CAN frame information, or the like, may be used instead. The CAN flag is an identification flag indicating whether the E frame contains information carried from the second network 20 (that is, CAN frame information): it is set ON when the E payload contains CAN frame information and OFF (a value contrary to ON) otherwise. FIG. 4 places the CAN flag at the start of the E payload, but this is only one example. Including a plurality of CAN frame information entries in the E payload, as in the example of FIG. 4, can improve transmission efficiency, for example.

FIG. 5 is a block diagram showing an example of the functional configuration of the CAN gateway.

As shown in the figure, the CAN gateway 200 includes an Ethernet (registered trademark) transmission/reception unit 201 ("E transmission/reception unit 201"), CAN transmission/reception units 202a and 202b, a transfer control unit 203, and a transfer rule holding unit 204. Each of these components is implemented by communication circuits, memory, digital circuits, a processor executing a program stored in memory, and the like in the CAN gateway 200.

The E transmission/reception unit 201 is a communication circuit or the like connected to the first transmission path 11 constituting the first network 10. It receives E frames from the first transmission path 11 and transmits E frames onto the first transmission path 11.

The CAN transmission/reception unit 202a is a communication circuit or the like connected to the CAN bus 21a constituting the second network 20. It sequentially receives CAN frames from the CAN bus 21a and transmits CAN frames onto the CAN bus 21a.

The CAN transmission/reception unit 202b is a communication circuit or the like connected to the CAN bus 21b constituting the second network 20. It sequentially receives CAN frames from the CAN bus 21b and transmits CAN frames onto the CAN bus 21b.

The transfer rule holding unit 204 is implemented by a storage medium such as memory and holds reference information that defines the conditions for frame forwarding. The reference information is, for example, transfer rule information associating each CAN-ID to be forwarded and its source bus with a destination (such as a MAC address), and a priority transfer list associating each CAN-ID to be forwarded with priority and its source bus with a destination.

The transfer control unit 203 is implemented, for example, by a processor executing a program; it determines whether a received frame should be forwarded and controls forwarding according to the result. This control is, for example, having the E transmission/reception unit 201 transmit onto the first transmission path 11 an E frame whose payload contains a plurality of CAN frame information entries built from a plurality of sequentially received CAN frames.

FIG. 6 illustrates the CAN gateway 200 according to Embodiment 1 transmitting an E frame built from a plurality of received CAN frames (CAN frames 1 to N).

As shown in the figure, the CAN gateway 200 changes the structure of the frames when forwarding them. The payload of the transmitted E frame contains, for example, a predetermined number N of CAN frame information entries, whose data is the contents of the data fields of the N received CAN frames, and so on. The contents of received CAN frames awaiting forwarding are stored, for example, in a storage medium (buffer) such as memory in the CAN gateway 200. The E frame containing the N CAN frame information entries of FIG. 6 is received by the destination ECU or DCU (for example the infotainment DCU 300), for example via the central gateway 400. The MAC address of the CAN gateway 200 is set as the source MAC address in the E frame header, and the CAN flag in the E payload is set ON to indicate that CAN frame information is included. The destination MAC address of the E frame is set to the MAC address of the destination ECU or DCU according to the transfer rule information and the like held by the transfer rule holding unit 204.

In this embodiment, in order to detect abnormal autonomous driving control commands, the CAN gateway 200 combines N CAN frames carrying the state information that indicates the vehicle state flowing on the second network 20 into a single E frame. In this embodiment, the vehicle state carried in the CAN frames is the current vehicle speed, the steering angle, the shift position, and so on. The vehicle state is an example of the state of a mobile body.

 転送制御部203は、判定等の結果に応じて一定条件下でE送受信部201、CAN送受信部202a、202bを制御して、フレームの送信を行わせる。転送制御部203は、CAN送受信部202a、202bにより受信されたCANフレームについて、CAN-IDに基づいてそのCANフレームのデータが第1ネットワーク10に送信されるべきか否かを判定する。この判定は、例えば、予め定められた、CAN-IDに関する基準情報に従って行われる。また、転送制御部203は、CANフレームのデータの宛先を、基準情報に従って選定する。CANフレームが第1ネットワーク10に送信されるべきか否かの判定及びCANフレームのデータを含むフレーム(Eフレーム或いはCANフレーム)の宛先の選定は、例えば、データが第1ネットワーク10に送信されるべき1つ以上のCANフレームのCAN-ID等を示す転送ルール情報を用いて行われる。 The transfer control unit 203 controls the E transmission / reception unit 201 and the CAN transmission / reception units 202a and 202b under certain conditions according to the result of the determination, etc. to transmit a frame. The transfer control unit 203 determines whether data of the CAN frame is to be transmitted to the first network 10 based on the CAN-ID for the CAN frame received by the CAN transmission / reception units 202a and 202b. This determination is performed, for example, in accordance with predetermined reference information on the CAN-ID. Further, the transfer control unit 203 selects the destination of the data of the CAN frame according to the reference information. The determination as to whether the CAN frame should be transmitted to the first network 10 and the selection of the destination of the frame (E frame or CAN frame) containing the data of the CAN frame, for example, data is transmitted to the first network 10 This is performed using transfer rule information indicating CAN-ID and the like of one or more CAN frames.

FIG. 7 is a block diagram showing an example of the functional configuration of the autonomous driving DCU 100.

As shown in the figure, the autonomous driving DCU 100 includes a first communication unit 101a, a second communication unit 101b, a switch processing unit 102, a switch rule holding unit 103, an abnormality detection processing unit 104, and an abnormality detection rule holding unit 105. The autonomous driving DCU 100 is an example of an abnormality detection device.

In the present embodiment, the first communication unit 101a has one Ethernet (registered trademark) port (port P1). Port P1 is connected to the central gateway 400 by the first transmission path 11. That is, the first communication unit 101a exchanges data with the central gateway 400 and receives E frames in which CAN frames are stored as data. By receiving those CAN frames, the first communication unit 101a receives the status information contained in them.

In the present embodiment, the second communication unit 101b has four Ethernet (registered trademark) ports (ports P2 to P5). Ports P2 to P5 are connected through the first transmission path 11 to the camera 120, the LIDAR 130, the dynamic map ECU 140, and the autonomous driving ECU 110, respectively. That is, the second communication unit 101b transmits and receives first frames (E frames) according to the communication protocol of the first network 10 (the Ethernet (registered trademark) protocol). The second communication unit 101b also includes the first communication unit 101a, which transmits and receives E frames on port P1.

The switch processing unit 102 transfers an E frame received by the second communication unit 101b to the appropriate transfer destination based on the rules held by the switch rule holding unit 103.

FIG. 8 is a diagram showing an example of the switch rules held by the switch rule holding unit 103.

As shown in the figure, a switch rule consists of an input port, a source IP address, a source MAC address, an output port, a destination IP address, and a destination MAC address. The switch rules in the present embodiment form a whitelist that indicates the correct transfer destinations of normal E frames. The switch rules indicate, for example, that the route on which an E frame from the CAN gateway 200 is received on port P1 via the central gateway 400 and forwarded to the autonomous driving ECU 110 connected to port P5 is permitted. In this case, the source MAC address of the E frame received on the input port P1 is set to the MAC address of the central gateway 400, and its source IP address is set to the IP address of the CAN gateway 200. The destination IP address and destination MAC address for the output port P5, on the other hand, are set to the IP address and MAC address of the autonomous driving ECU.

The switch rules in FIG. 8 also indicate that transfer from the camera 120 connected to port P2, the LIDAR 130 connected to port P3, and the dynamic map ECU 140 connected to port P4 to the autonomous driving ECU 110 connected to port P5 is permitted. Since E frames from the autonomous driving ECU 110 connected to port P5 must be sent to the CAN gateway 200, their destination IP address is set to the IP address of the CAN gateway 200 and their destination MAC address is set to the MAC address of the central gateway.

In the switch rules, the source and destination for input or output are defined by IP address and MAC address, but the rules are not limited to this. For example, only an IP address or only a MAC address may be defined. The switch rules may also define information other than an IP address or MAC address that identifies the source or destination, or may define a service port number. In this way, the sources and destinations for input or output can be restricted to the routes permitted by the switch rules.

The switch rules in FIG. 8 are defined as a whitelist, but they may also be defined as a blacklist. The switch rules shown in FIG. 8 are also only a part of the rules, not all of them. In other words, the switch rules are set so that all necessary routes are covered.

The abnormality detection processing unit 104 refers to the status information of the vehicle 1 received by the first communication unit 101a from the second network 20 via the CAN gateway 200 and to the abnormality detection rules held by the abnormality detection rule holding unit 105, and detects whether a control command contained in an E frame received by the second communication unit 101b is abnormal. The control command is, for example, an autonomous driving control command generated by the autonomous driving ECU 110. When the abnormality detection processing unit 104 determines that the control command is normal, it causes the second communication unit 101b to transmit the control command to the second network 20 via the central gateway 400 and the CAN gateway 200. When the abnormality detection processing unit 104 determines that the control command is abnormal, it prohibits the second communication unit 101b from transferring the control command to the second network 20.

FIG. 9 is a diagram showing an example of the abnormality detection rules held by the abnormality detection rule holding unit 105 of the autonomous driving DCU 100 according to the first embodiment. The abnormality detection rules are rules by which autonomous driving control over Ethernet (registered trademark) is permitted based on the vehicle state obtained from the second network 20. That is, the abnormality detection rules include a first rule that indicates the control commands permitted in each of a plurality of vehicle states.

As shown in the figure, the first rule of the abnormality detection rules indicates the combinations of vehicle speed instruction and steering instruction that are permitted according to the vehicle speed state and shift state of the vehicle 1. The vehicle speed state indicates the speed of the vehicle 1 while traveling; for example, a speed of 0 km/h or more and less than 30 km/h is defined as low speed, 30 km/h or more and less than 60 km/h as medium speed, and 60 km/h or more and 100 km/h or less as high speed. The shift state indicates the shift position, for example parking (P), reverse (R), neutral (N), or drive (D). The vehicle speed instruction indicates the speed increase or decrease permitted relative to the current vehicle speed. The steering instruction indicates the angle increase or decrease permitted relative to the current steering angle.

In the first rule, for example, when the vehicle speed state is low speed and the shift state is drive (D), the autonomous driving control is permitted to increase or decrease the vehicle speed as long as the vehicle speed instruction is within 10 km/h of the current vehicle speed indicated by the status information. When the vehicle speed state is medium speed and the shift state is drive (D), the vehicle speed instruction may increase or decrease the vehicle speed within 20 km/h of the current vehicle speed indicated by the status information. When the vehicle speed state is high speed and the shift state is drive (D), the vehicle speed instruction may increase or decrease the vehicle speed within 30 km/h of the current vehicle speed indicated by the status information.

In the first rule, the turn angle of the steering instruction is defined in the same way as the vehicle speed. That is, when the vehicle speed state is low speed and the shift state is drive (D), the steering instruction in the autonomous driving control is permitted to change the steering angle within 360 degrees to the left or right of the current steering angle indicated by the status information. When the vehicle speed state is medium speed and the shift state is drive (D), the steering instruction may change the steering angle within 180 degrees to the left or right of the current steering angle indicated by the status information. When the vehicle speed state is high speed and the shift state is drive (D), the steering instruction may change the steering angle within 90 degrees to the left or right of the current steering angle indicated by the status information.

When the state of the vehicle 1 indicated by the status information is not among the states with which the control command is associated in the first rule, the abnormality detection processing unit 104 detects that the control command is abnormal. That is, when the second communication unit 101b receives a control command containing a vehicle speed instruction that exceeds the permitted range of speed increase or decrease associated with the vehicle state in the first rule, or a steering instruction that exceeds the permitted range of steering angle change, the abnormality detection processing unit 104 detects that the control command is abnormal and prohibits the transfer of that control command to the second network 20 by the first communication unit 101a.

Next, the operation of the network system 3 mounted on the vehicle 1 according to the first embodiment will be described.

FIG. 10 and FIG. 11 are sequence diagrams showing an example of the abnormality detection method in the network system 3 according to the first embodiment.

First, the autonomous driving DCU 100 enables the autonomous driving mode for the autonomous driving ECU 110 (S100). For example, when it receives an input from the user turning the autonomous driving mode ON, the autonomous driving DCU 100 enables the autonomous driving mode.

The CAN gateway 200 receives CAN frames containing the status information of the vehicle 1 from each of the ECUs 210, 220, 230, and 240 connected to it, and generates an E frame containing the CAN frames with the status information of the vehicle 1, as shown in FIG. 6 (S101).

The CAN gateway 200 transmits the E frame containing the CAN frames with the status information of the vehicle 1 to the central gateway 400 (S102).

The central gateway 400 transmits the E frame received in step S102 to the autonomous driving DCU 100 (S103).

In the autonomous driving DCU 100, the second communication unit 101b receives video information representing the images captured by the camera 120, obstacle information based on the distance-to-object information detected by the LIDAR 130, and map information obtained by the dynamic map ECU 140, from the camera 120, the LIDAR 130, and the dynamic map ECU 140 respectively (S104).

In the autonomous driving DCU 100, the switch processing unit 102 refers to the switch rules in the switch rule holding unit 103 and determines whether the information was received over a correct route (S105).

Accordingly, in the autonomous driving DCU 100, the second communication unit 101b transfers to the autonomous driving ECU 110 the information, among the video information, obstacle information, map information, and so on received in step S104 from the camera 120, the LIDAR 130, and the dynamic map ECU 140, that the switch processing unit 102 determined to have been received over a correct route (S106).

The autonomous driving ECU 110 generates control commands for autonomous driving based on the video information, obstacle information, map information, and other information received in step S106 (S107). Here, the autonomous driving ECU 110 first generates the CAN frames to be delivered to the control-system CAN bus, and then generates an E frame with those CAN frames stored in its data area. The generated E frame is the control command for autonomous driving.

The autonomous driving ECU 110 transmits the control command for autonomous driving to the autonomous driving DCU 100 (S108).

In the autonomous driving DCU 100, the abnormality detection processing unit 104 refers to the abnormality detection rules held by the abnormality detection rule holding unit 105 (S109). The rule referred to here is the first rule shown in FIG. 9.

In the autonomous driving DCU 100, the abnormality detection processing unit 104 further refers, in addition to the abnormality detection rules, to the E frame containing the CAN frames with the status information of the vehicle 1 received in step S103, and determines whether the control command received by the second communication unit 101b in step S108 is abnormal (S110). When the abnormality detection processing unit 104 determines that the control command is abnormal (abnormal in step S110), the process proceeds to step S111. When it determines that the control command is normal (normal in step S110), the process proceeds to step S120.

In the autonomous driving DCU 100, because the abnormality detection processing unit 104 has determined that the control command is abnormal, it uses the second communication unit 101b to notify the server 2 or the IVI 310 with information indicating that an abnormality occurred (S111). This allows the driver, or the operator of a security monitoring service that monitors the vehicle remotely, to learn that an abnormality has occurred in the autonomous driving of the vehicle 1. In this case, the abnormality detection processing unit 104 does not transmit the control command to the central gateway 400. That is, in this case, the abnormality detection processing unit 104 prohibits the transfer of the control command determined to be abnormal to the second network 20 via the central gateway 400 and the CAN gateway 200.

In the autonomous driving DCU 100, the abnormality detection processing unit 104 uses the second communication unit 101b to transmit to the autonomous driving ECU 110 a termination instruction to end autonomous driving (S112).

When the autonomous driving ECU 110 receives the termination instruction transmitted in step S112, it ends the autonomous driving mode (S113). After ending the autonomous driving mode, the autonomous driving ECU 110 may switch to the manual driving mode.

When it is determined in step S110 that the control command is normal (normal in S110), the abnormality detection processing unit 104 uses the second communication unit 101b to transmit the control command for autonomous driving to the central gateway 400 (S120).

The central gateway 400 transfers the autonomous driving control command transmitted in step S120 to the CAN gateway 200 (S121).

The CAN gateway 200 converts the autonomous driving control command in the E frame received in step S121 into CAN frames (S122).

The CAN gateway 200 transmits the CAN frames converted in step S122 to the second network 20 (S123). The engine ECU 210, the steering ECU 220, or the brake ECU 230 connected to the control-system CAN bus thereby receives the autonomous driving control command in the CAN frames and performs autonomous driving control by executing the control corresponding to the received control command.
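The following is an added example, not code from the patent, that applies the first rule of FIG. 9 to a control command and models the step S110 decision (forward in S120, or block, notify and terminate in S111 and S112). It assumes the status information has already been decoded into a VehicleState, that a control command carries absolute target speed and steering values (so the instruction compared against the rule is the difference from the current state), and uses hypothetical field names and message sinks; the thresholds are the ones the text gives.

```python
"""Added example (not the patent's own code): first rule of FIG. 9 plus the
S110 decision. Field names, sinks and the sign convention for steering are
assumptions; the limits are those stated in the text."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# First rule (FIG. 9): (speed state, shift position) -> (max |speed change| in
# km/h, max |steering change| in degrees). The text gives only the drive (D)
# rows; a state/shift combination with no row permits no control command.
FIRST_RULE: Dict[Tuple[Optional[str], str], Tuple[float, float]] = {
    ("low", "D"): (10, 360),
    ("mid", "D"): (20, 180),
    ("high", "D"): (30, 90),
}


def speed_state(speed_kmh: float) -> Optional[str]:
    """Map the current speed to the low/mid/high ranges defined in the text."""
    if 0 <= speed_kmh < 30:
        return "low"
    if 30 <= speed_kmh < 60:
        return "mid"
    if 60 <= speed_kmh <= 100:
        return "high"
    return None  # outside every defined range: no rule row applies


@dataclass(frozen=True)
class VehicleState:
    speed_kmh: float
    steering_deg: float  # current steering angle; sign convention assumed
    shift: str           # "P", "R", "N" or "D"


@dataclass(frozen=True)
class ControlCommand:
    target_speed_kmh: float
    target_steering_deg: float


def check_first_rule(state: VehicleState, cmd: ControlCommand) -> Tuple[bool, str]:
    """Return (is_normal, reason). Limits are inclusive ("within 10 km/h")."""
    key = (speed_state(state.speed_kmh), state.shift)
    row = FIRST_RULE.get(key)
    if row is None:
        return False, f"no permitted command for state {key}"
    max_dv, max_ds = row
    dv = abs(cmd.target_speed_kmh - state.speed_kmh)
    if dv > max_dv:
        return False, f"speed change {dv:g} km/h exceeds {max_dv:g} km/h for {key}"
    ds = abs(cmd.target_steering_deg - state.steering_deg)
    if ds > max_ds:
        return False, f"steering change {ds:g} deg exceeds {max_ds:g} deg for {key}"
    return True, "ok"


@dataclass
class AbnormalityDetectionProcessor:
    """Models the S110 decision. The lists stand in for what the second
    communication unit would transmit (hypothetical sinks)."""
    forwarded: List[ControlCommand] = field(default_factory=list)  # S120
    notifications: List[str] = field(default_factory=list)        # S111
    terminate_sent: bool = False                                  # S112

    def handle(self, state: VehicleState, cmd: ControlCommand) -> str:
        ok, reason = check_first_rule(state, cmd)
        if ok:
            self.forwarded.append(cmd)  # on to the central gateway (S120)
            return "forwarded"
        # Abnormal: the command is not passed on, the server/IVI is notified
        # (S111) and autonomous driving is terminated (S112).
        self.notifications.append(reason)
        self.terminate_sent = True
        return "blocked"
```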

The abnormality detection device according to the present embodiment is mounted on the vehicle 1 and detects abnormalities in the network system 3, which has a first network 10 and a second network 20 with different communication protocols. The autonomous driving DCU 100 includes the first communication unit 101a, the second communication unit 101b, the abnormality detection rule holding unit 105, and the abnormality detection processing unit 104. The first communication unit 101a receives status information indicating the state of the vehicle 1 obtained from the second network 20. The second communication unit 101b transmits and receives E frames according to the communication protocol of the first network 10. The abnormality detection rule holding unit 105 holds the abnormality detection rules. The abnormality detection processing unit 104 refers to the status information and the abnormality detection rules and detects whether a control command contained in an E frame received by the second communication unit 101b is abnormal. When it detects that the control command is abnormal, the abnormality detection processing unit 104 prohibits the transfer of that control command.

Accordingly, the abnormality detection device detects whether a generated autonomous driving control command is abnormal based on the status information of the vehicle 1 obtained from the second network 20 and the abnormality detection rules, and prohibits the transfer of any control command detected to be abnormal. Therefore, even if a device connected to the first network 10 has a vulnerability and is attacked via the first network 10, the abnormality detection device can prevent unauthorized autonomous driving control.

In the abnormality detection device according to the present embodiment, the abnormality detection rules include a first rule indicating the control commands permitted in each of a plurality of different states of the vehicle 1. When the state of the vehicle 1 indicated by the status information is not among the states with which the control command is associated in the first rule, the abnormality detection processing unit 104 detects that the control command is abnormal. This makes it possible to detect an abnormal control command based on the vehicle state, such as the current vehicle speed, steering angle, and shift position.

In the abnormality detection device according to the present embodiment, the control command is a control command that causes the vehicle 1 to perform at least one of going forward, turning, and stopping. The abnormality detection device can therefore detect abnormal control commands in autonomous driving, such as sudden steering, sudden braking, or sudden acceleration while traveling, or sudden starting while stopped, and provide a safe driving environment.

In the abnormality detection device according to the present embodiment, the first communication unit 101a receives a first frame, which is an E frame in which CAN frames are stored as data, and the second communication unit 101b includes the first communication unit 101a. Because the abnormality detection device receives CAN frames converted into E frames, a device on Ethernet (registered trademark) can detect abnormalities in CAN frames.

 (実施の形態2)
 次に実施の形態2について説明する。実施の形態2に係る異常検知装置としての自動運転DCU100は、実施の形態1に係る自動運転DCU100とほぼ同等であるので、異なる部分のみを説明する。実施の形態2では、自動運転DCU100にて、CANフレームの異常検知も行う点が実施の形態1に係る自動運転DCU100と異なる。
Second Embodiment
A second embodiment will now be described. The automatic operation DCU 100 as the abnormality detection device according to the second embodiment is substantially the same as the automatic operation DCU 100 according to the first embodiment, so only different parts will be described. The second embodiment differs from the automatic driving DCU 100 according to the first embodiment in that the abnormality detection of the CAN frame is also performed in the automatic driving DCU 100.

 図12は、実施の形態2に係るCANゲートウェイ200が受信した複数のCANフレームに基づいてEフレームを送信するイメージを示す図である。 FIG. 12 is a diagram showing an image of transmitting an E frame based on a plurality of CAN frames received by the CAN gateway 200 according to the second embodiment.

 本実施の形態では、自動運転DCU100は、CANフレームの周期を確認してCANの異常検知を行う。図12に示すように、CANゲートウェイ200は、複数のCANフレームを受信し、受信した複数のCANフレームのそれぞれについて、当該CANフレームを受信した受信時刻を当該CANフレームに付与する。つまり、CANゲートウェイ200は、N個の受信時刻が付与されたCANフレームをEフレームのデータ領域に格納することでEフレームを生成する。実施の形態1と同様に、CANゲートウェイ200が、Eフレーム化するCANフレームに含まれる車両1の状態情報は、車速、ステアリングの角度またはシフトポジションなどである。 In the present embodiment, the autonomous driving DCU 100 confirms the CAN frame period and performs CAN abnormality detection. As shown in FIG. 12, the CAN gateway 200 receives a plurality of CAN frames, and gives the reception time at which the CAN frame is received to the CAN frame for each of the plurality of received CAN frames. That is, the CAN gateway 200 generates an E frame by storing a CAN frame provided with N reception times in the data area of the E frame. As in the first embodiment, the state information of the vehicle 1 included in the CAN frame that the CAN gateway 200 converts into an E frame is the vehicle speed, the angle of steering, or the shift position.

Since the second communication unit 101b of the autonomous driving DCU 100 receives an E frame with the structure of FIG. 12, it receives an E frame in which a plurality of CAN frames and their reception times, that is, the times at which each CAN frame was received by a device such as the CAN gateway 200, are stored as data.

FIG. 13 is a diagram showing an example of an abnormality detection rule held by the abnormality detection rule holding unit 105 of the autonomous driving DCU 100 according to the second embodiment. The abnormality detection rule shown in FIG. 13 is an example of a second rule for detecting whether a CAN frame is abnormal.

As shown in the figure, the second rule indicates, for the CAN frames corresponding to a CAN-ID (an identifier indicating the type of data carried by the CAN frame), the permitted range of the CAN frame reception period. The second rule may further indicate, for the CAN frames corresponding to each of a plurality of CAN-IDs, the permitted amount of change from the data value of the immediately preceding CAN frame. The immediately preceding CAN frame is the CAN frame with the same CAN-ID that was received one timing before the CAN frame in question.

Specifically, the second rule states that, for CAN frames whose CAN-ID is "0xA1", the period calculated from the reception times attached in the E frame described with FIG. 12 is correct if it lies within a base period of 10 ms ± 3 ms; in other words, the difference between the reception time of a frame and that of the immediately preceding frame must be within 10 ms ± 3 ms. The second rule may also state that, for CAN frames whose CAN-ID is "0xA1", the amount of change in the data value from the immediately preceding CAN frame is correct if it is within ±50. The permitted period range and amount of data change are defined in the same way for the other IDs.

The amount of change in data value defined by the second rule is a numerical value corresponding to the state information of the vehicle 1, for example the change in vehicle speed or the change in steering angle.

When the second rule is used, the abnormality detection processing unit 104 of the autonomous driving DCU 100 uses the reception times corresponding to the plurality of CAN frames obtained from the E frame received by the second communication unit 101b to detect whether the CAN frames contained in that E frame are abnormal. Specifically, among a plurality of CAN frames having the same identifier, the abnormality detection processing unit 104 compares the first reception time of a first CAN frame with the second reception time of a second CAN frame to detect whether the first CAN frame is abnormal. If the difference between the first reception time and the second reception time lies outside the reception period range associated with that identifier in the second rule, the abnormality detection processing unit 104 detects that the first CAN frame is abnormal.

The abnormality detection processing unit 104 may also detect that the first CAN frame is abnormal when the difference between the first data value of the first CAN frame and the second data value of the second CAN frame exceeds the amount of change associated with the same identifier in the second rule.

When the abnormality detection processing unit 104 detects that a CAN frame is abnormal, it prohibits transfer of the control command. In this case, the abnormality detection processing unit 104 may prohibit transfer of the control command received from the autonomous driving ECU 110 at that point in time, or may prohibit transfer of control commands received from the autonomous driving ECU 110 from that point onward.
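The following is an added example, not code from the patent or its assignee, of the gateway-side encapsulation and the DCU-side check described above: N timestamped CAN frames are stored in an E frame data area, and the DCU applies a FIG. 13 style second rule (permitted period range and permitted change per CAN-ID) to decide whether forwarding of the control command may continue. The record layout inside the data area, the microsecond time unit, the 16-bit signal encoding and the entry for CAN-ID 0xB2 are assumptions made for this example; the 0xA1 values (10 ms ± 3 ms, ±50) are the ones in the text.

```python
"""Added example: E frame with per-frame reception times, checked against a
whitelist-style second rule. Record layout and time unit are assumed."""
import struct
from dataclasses import dataclass, field

# Assumed record layout in the E frame data area (not specified in the text):
#   uint16 can_id | uint64 rx_time_us | uint8 dlc | 8 bytes data
REC = struct.Struct(">HQB8s")


@dataclass(frozen=True)
class Rule:
    """One row of a FIG. 13 style table (whitelist semantics)."""
    period_us: int      # base reception period
    tolerance_us: int   # permitted deviation from the base period
    max_delta: int      # permitted |change| from the previous data value


# 0xA1 from the text; 0xB2 is an assumed second row
SECOND_RULE = {
    0xA1: Rule(period_us=10_000, tolerance_us=3_000, max_delta=50),
    0xB2: Rule(period_us=20_000, tolerance_us=5_000, max_delta=10),
}


def pack_eframe(frames):
    """CAN gateway side: store N (can_id, rx_time_us, data) records in the data area."""
    body = b"".join(REC.pack(cid, t, len(d), d.ljust(8, b"\x00")) for cid, t, d in frames)
    return struct.pack(">H", len(frames)) + body


def unpack_eframe(payload):
    """DCU side: recover the timestamped CAN frames from the data area."""
    (n,) = struct.unpack_from(">H", payload, 0)
    off, records = 2, []
    for _ in range(n):
        cid, t, dlc, d = REC.unpack_from(payload, off)
        records.append((cid, t, d[:dlc]))
        off += REC.size
    if off != len(payload):
        raise ValueError("trailing bytes in E frame data area")
    return records


def signal_value(data):
    """Assumed: the first two data bytes carry the signal (speed, steering angle, ...)."""
    return struct.unpack(">h", data[:2])[0]


@dataclass
class CanChecker:
    rules: dict
    last: dict = field(default_factory=dict)   # can_id -> (rx_time_us, value)

    def check(self, cid, t, data):
        """Return the rule violations for this frame; an empty list means normal."""
        v = signal_value(data)
        rule, prev = self.rules.get(cid), self.last.get(cid)
        self.last[cid] = (t, v)
        if rule is None or prev is None:
            return []   # unknown ID or first sighting: nothing to compare against yet
        prev_t, prev_v = prev
        period = t - prev_t
        problems = []
        if abs(period - rule.period_us) > rule.tolerance_us:
            problems.append(f"0x{cid:X}: period {period} us outside "
                            f"{rule.period_us}+/-{rule.tolerance_us} us")
        if abs(v - prev_v) > rule.max_delta:
            problems.append(f"0x{cid:X}: change {v - prev_v} exceeds +/-{rule.max_delta}")
        return problems


def vet_eframe(checker, payload):
    """Return (forward_allowed, problems): any abnormal CAN frame blocks the control command."""
    problems = []
    for cid, t, data in unpack_eframe(payload):
        problems += checker.check(cid, t, data)
    return (not problems, problems)


def demo():
    """Constructed traffic: three genuine 0xA1 frames, then one injected frame."""
    checker = CanChecker(SECOND_RULE)

    def speed(v):
        return struct.pack(">h", v)

    genuine = pack_eframe([(0xA1, 1_000_000, speed(100)),
                           (0xA1, 1_010_500, speed(103)),
                           (0xA1, 1_021_000, speed(101))])
    # injected 2 ms after the last genuine frame with a jump of 400 in the signal
    injected = pack_eframe([(0xA1, 1_023_000, speed(501))])
    return vet_eframe(checker, genuine), vet_eframe(checker, injected)
```

The checker keeps per-ID state across E frames, so a frame that is the first of its ID in one E frame is still compared with the last frame of that ID from the previous E frame, which is what the period check needs.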

Next, the operation of the network system 3 mounted on the vehicle 1 according to the second embodiment will be described.

FIGS. 14 and 15 are sequence diagrams showing an example of the abnormality detection method in the network system 3 according to the second embodiment. Within steps S200 to S208 of this method, only step S201 differs from step S101 of the first embodiment, in that the reception times of the CAN frames shown in FIG. 12 are included in the E frame; the other steps S200 and S202 to S208 are the same as S100 and S102 to S108 of the first embodiment, so their description is omitted.

In the autonomous driving DCU 100, the abnormality detection processing unit 104 refers to the abnormality detection rule held by the abnormality detection rule holding unit 105. The rule referred to here is the second rule shown in FIG. 13.

In the autonomous driving DCU 100, the abnormality detection processing unit 104 determines whether the CAN frame is abnormal (S210). If it determines that the CAN frame is abnormal (abnormal in step S210), the process proceeds to step S213. If it determines that the CAN frame is normal (normal in step S210), the process proceeds to step S211.

Having detected an abnormality in a CAN frame, the abnormality detection processing unit 104 of the autonomous driving DCU 100 judges that continuing automatic control carries a high risk and, via the second communication unit 101b, notifies the server 2 or the IVI 310 with information indicating that an abnormality occurred (S213). In this case, the abnormality detection processing unit 104 does not send the control command to the central gateway 400; that is, it prohibits transfer of the control command it has judged abnormal to the second network 20 via the central gateway 400 and the CAN gateway 200.

Steps S211, S212, S214 and S215 are the same as steps S109, S110, S112 and S113 of the abnormality detection method according to the first embodiment, so their description is omitted. Steps S221 to S224 are likewise the same as S120 to S123 of the first embodiment, and their description is also omitted.

Although the flow shown performs step S212 after step S210, step S210 may instead be performed after step S212.

In the abnormality detection device according to the present embodiment, the abnormality detection rule further includes a second rule for detecting whether a CAN frame is abnormal. When the abnormality detection processing unit 104 detects that a CAN frame is abnormal, it prohibits transfer of the control command. The abnormality detection device thus allows a control command to be executed only after the CAN frames have been checked for abnormalities. In other words, the abnormality detection device, which is a device on the first network 10 side, can itself confirm that the second network 20 side is normal before deciding whether to send the autonomous driving control command. The abnormality detection device can therefore prevent unauthorized control of autonomous driving even while an attack exploiting a vulnerability of the second network 20 is in progress.

In the abnormality detection device according to the present embodiment, the second rule indicates, for the CAN frames corresponding to each of a plurality of identifiers, the permitted range of the CAN frame reception period. The second communication unit 101b receives an E frame in which a plurality of CAN frames and their reception times, that is, the times at which each CAN frame was received by a device on the first network 10, are stored as data. Using the reception times corresponding to those CAN frames, the abnormality detection processing unit 104 detects, among CAN frames having the same identifier, that a first CAN frame is abnormal when the difference between the first reception time of the first CAN frame and the second reception time of the second CAN frame received immediately before it lies outside the reception period range associated with that identifier in the second rule. Thus, even when an abnormality has occurred on the second network 20, the abnormality detection device can detect abnormalities in periodic CAN frames at a device on the first network 10 and can stop autonomous driving.

In the abnormality detection device according to the present embodiment, the second rule further indicates, for the CAN frames corresponding to each of the plurality of identifiers, the permitted amount of change from the data value of the immediately preceding CAN frame. The abnormality detection processing unit 104 further detects that the first CAN frame is abnormal when the difference between the first data value of the first CAN frame and the second data value of the second CAN frame exceeds the amount of change associated with that identifier in the second rule. Thus, even when an abnormality has occurred on the second network 20, the abnormality detection device can detect abnormalities in CAN frame data values at a device on the first network 10 and can stop autonomous driving.

(Third Embodiment)
A third embodiment will now be described. The autonomous driving DCU 100 serving as the abnormality detection device according to the third embodiment performs abnormality detection on CAN frames in substantially the same way as the autonomous driving DCU according to the second embodiment, but differs in that the abnormality detection rule to apply can be specified within the E frame.

FIG. 16 is a diagram illustrating how the CAN gateway 200 according to the third embodiment transmits an E frame based on a plurality of received CAN frames.

FIG. 17 shows a table defining the abnormality detection rules used when the autonomous driving DCU 100 according to the third embodiment performs CAN abnormality detection.

For a CAN frame in the E frame of FIG. 16 for which rule 1 is defined as the abnormality detection rule, the abnormality detection processing unit 104 of the autonomous driving DCU 100 performs abnormality detection by checking the period of CAN frames having the same CAN-ID as that CAN frame. When rule 1 is used, the abnormality detection processing unit 104 performs abnormality detection using the period calculated from the CAN frame reception times described in the second embodiment together with the second rule.

For a CAN frame for which rule 2 is defined as the detection rule, the abnormality detection processing unit 104 of the autonomous driving DCU 100 performs abnormality detection by checking the amount of change in the data value of that CAN frame. When rule 2 is used, the abnormality detection processing unit 104 performs abnormality detection using the CAN frame data values described in the second embodiment together with the second rule.

For a CAN frame for which rule 3 is defined as the detection rule, the abnormality detection processing unit 104 of the autonomous driving DCU 100 performs abnormality detection by checking the message authentication code (MAC) of that CAN frame. Rule 3 presupposes that the MAC key used for authentication has been shared with the autonomous driving DCU 100 in advance. In this case, the abnormality detection processing unit 104 judges the frame normal if the message authentication code carried in the frame verifies under the shared MAC key, and abnormal if it does not.

In this way, the abnormality detection processing unit 104 obtains, as the abnormality detection rule, a rule associated with each of a plurality of identifiers, and refers to that abnormality detection rule to detect that a CAN frame is abnormal.
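The following is an added example, not code from the patent or its assignee, of the per-frame rule dispatch of rules 1 to 3 described above, where each CAN frame carried in the E frame names the rule the DCU must apply. The rule numbering (1 = period, 2 = data change, 3 = MAC) follows the text; the pre-shared key value, the MAC construction (HMAC-SHA256 over CAN-ID and payload, truncated to the last four data bytes), the signal encoding and the 0xC3 identifier are assumptions made for this example, and the 0xA1 period and change limits are those of FIG. 13.

```python
"""Added example: rule selection per CAN frame (rule 1 period, rule 2 data
change, rule 3 message authentication code). Key and MAC layout are assumed."""
import hashlib
import hmac
import struct

# Assumed pre-shared key; in a vehicle this would be provisioned, never hard-coded
SHARED_MAC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_LEN = 4   # assumed: truncated tag occupies the last 4 of the 8 data bytes

# Rule 1 / rule 2 parameters: 0xA1 from FIG. 13, microseconds
PERIOD = {0xA1: (10_000, 3_000)}   # (base period, tolerance)
DELTA = {0xA1: 50}                 # permitted |change| from previous value


def compute_mac(can_id, payload, key=SHARED_MAC_KEY):
    """Truncated HMAC-SHA256 over CAN-ID || payload (assumed construction)."""
    return hmac.new(key, struct.pack(">H", can_id) + payload, hashlib.sha256).digest()[:MAC_LEN]


def sender_frame_with_mac(can_id, payload4, key=SHARED_MAC_KEY):
    """Sending ECU side: 4 signal bytes followed by the 4-byte tag."""
    return payload4 + compute_mac(can_id, payload4, key)


class RuleDispatcher:
    """DCU side: applies the rule named in the E frame record to each CAN frame."""

    def __init__(self):
        self.last_time = {}    # can_id -> last reception time (rule 1 state)
        self.last_value = {}   # can_id -> last data value (rule 2 state)
        self.handlers = {1: self._rule1_period, 2: self._rule2_delta, 3: self._rule3_mac}

    def _rule1_period(self, cid, t, data):
        spec, prev = PERIOD.get(cid), self.last_time.get(cid)
        self.last_time[cid] = t
        if spec is None:
            return False          # no period defined for this ID: fail closed
        if prev is None:
            return True           # first sighting, nothing to compare
        base, tol = spec
        return abs((t - prev) - base) <= tol

    def _rule2_delta(self, cid, t, data):
        limit, prev = DELTA.get(cid), self.last_value.get(cid)
        v = struct.unpack(">h", data[:2])[0]
        self.last_value[cid] = v
        if limit is None:
            return False
        return prev is None or abs(v - prev) <= limit

    def _rule3_mac(self, cid, t, data):
        if len(data) <= MAC_LEN:
            return False
        body, tag = data[:-MAC_LEN], data[-MAC_LEN:]
        return hmac.compare_digest(tag, compute_mac(cid, body))

    def check(self, cid, t, rule_id, data):
        """True if the frame passes the rule named for it; unknown rules fail closed."""
        handler = self.handlers.get(rule_id)
        return False if handler is None else handler(cid, t, data)


def demo():
    """Constructed frames: genuine and injected traffic under each rule."""
    d = RuleDispatcher()
    results = [
        d.check(0xA1, 1_000_000, 1, b"\x00\x64"),   # first 0xA1 frame
        d.check(0xA1, 1_010_000, 1, b"\x00\x66"),   # 10 ms later: in range
        d.check(0xA1, 1_011_000, 1, b"\x00\x66"),   # 1 ms later: flooding, out of range
        d.check(0xA1, 0, 2, b"\x00\x64"),           # value 100, first for rule 2
        d.check(0xA1, 0, 2, b"\x01\x2c"),           # value 300: change 200 exceeds 50
    ]
    genuine = sender_frame_with_mac(0xC3, b"\x00\x00\x00\x2a")
    tampered = bytes([genuine[3] ^ 0x01]).join([genuine[:3], genuine[4:]])  # value changed, tag kept
    results.append(d.check(0xC3, 0, 3, genuine))
    results.append(d.check(0xC3, 0, 3, tampered))
    results.append(d.check(0xC3, 0, 9, genuine))    # rule number not in the table
    return results
```

The MAC input here has no freshness value, so a captured frame with a valid tag would verify again if replayed; a deployment would include a counter or timestamp in the authenticated data, and rule 1 on the same identifier is what catches the extra frames such a replay produces.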

This allows the abnormality detection device to set a detection rule for each CAN frame. For example, when the load on the second network 20 side is high and detection processing there is difficult, a device on the first network 10 can detect abnormalities in the second network 20.

The CAN gateway 200 may receive a plurality of CAN frames and attach to each received CAN frame the abnormality detection rule associated with that CAN frame's CAN-ID. The abnormality detection rule attached by the CAN gateway 200 may be, for example, the second rule described with FIG. 13 in the second embodiment. The CAN gateway 200 may attach only the part of the second rule corresponding to the CAN-ID, or the whole of the second rule.

The abnormality detection rules described with FIG. 17 may instead be held by the abnormality detection rule holding unit 105 of the autonomous driving DCU 100; in that case, the abnormality detection rule is associated with each CAN-ID.

(Other Embodiments)
Embodiments 1 to 3 have been described above as examples of the technology according to the present disclosure. However, the technology according to the present disclosure is not limited to these, and is also applicable to embodiments obtained by making changes, replacements, additions, omissions and the like as appropriate. For example, the following modifications are also included in embodiments of the present disclosure.

(1) In the above embodiments, data frames are transmitted on the in-vehicle network according to the CAN protocol, but the CAN protocol may be understood in a broad sense that includes derivative protocols such as CANopen, used in embedded systems in automation systems, TTCAN (Time-Triggered CAN) and CAN FD (CAN with Flexible Data Rate). The in-vehicle network may also use a protocol other than CAN. As the protocol of an in-vehicle network on which frames for vehicle control are transmitted, for example LIN (Local Interconnect Network), MOST (registered trademark) (Media Oriented Systems Transport), FlexRay (registered trademark) or Ethernet (registered trademark) may be used. Networks using these protocols may also be treated as sub-networks, and an in-vehicle network may be configured by combining sub-networks of several protocol types. The Ethernet (registered trademark) protocol may likewise be understood in a broad sense that includes derivative protocols such as Ethernet (registered trademark) AVB (Audio Video Bridging) under IEEE 802.1, Ethernet (registered trademark) TSN (Time Sensitive Networking) under IEEE 802.1, Ethernet (registered trademark)/IP (Industrial Protocol) and EtherCAT (registered trademark) (Ethernet (registered trademark) for Control Automation Technology). The network bus of the in-vehicle network may be a wired communication path made up of, for example, wires or optical fiber. For example, the frame transmission blocking device 2400 may be connected to the network bus of a network system in which ECUs communicate using any of the above protocols, receive frames, and switch, based on management information indicating whether blocking of frame transmission is permitted, whether to execute a predetermined process that blocks transmission of a received frame when that frame satisfies a predetermined condition.

(2) In the above embodiments, CAN data frames are described in the standard ID format, but the extended ID format may be used, in which case the ID of a data frame may be an extended ID in the extended ID format. The data frames described above may also be a kind of frame in a network using a protocol other than CAN; in that case, the ID that identifies the type of that frame corresponds to the ID of the data frame.

(3) In the above embodiments, tampering with autonomous driving control commands was prevented, but abnormalities in the control of advanced driver assistance systems, such as a parking assistance system, a lane keeping function or a collision avoidance function, may be detected in the same way.

(4) In the above embodiments, the server 2 or the IVI (In-Vehicle Infotainment) 310 is notified when an abnormality is detected. If V2X or V2I communication is available, that is, if vehicle-to-vehicle or vehicle-to-infrastructure communication is supported, other vehicles or infrastructure equipment may be notified of the abnormality as well. This makes it possible to notify vehicles around the own vehicle and devices carried by pedestrians of the abnormality, which helps prevent accidents.

(5) In the above embodiments, the server 2 or the IVI (In-Vehicle Infotainment) 310 is notified when an abnormality is detected, but the abnormality may instead be kept as a log on a device in the in-vehicle network. If it is logged, a dealer can read the log through the diagnostic port and understand the nature of the abnormality. The log may also be sent periodically to the server 2, which enables remote detection of vehicle abnormalities.

(6) In the above embodiments, the CAN gateway stores CAN frames carrying vehicle state information in the data of the E frame, but the CAN frame format need not be used as long as the vehicle state information can be identified.

(7) In the above embodiments, the autonomous driving DCU 100 is not connected to the second transmission path 21, but the autonomous driving DCU may be connected to the second transmission path. In that case, it may read the CAN frames flowing on the second transmission path to receive the vehicle state information, and it may further send autonomous driving control commands directly to the second transmission path.

(8) In the above embodiments, the abnormality detection rule for autonomous driving control commands in FIG. 9 and the abnormality detection rule in FIG. 13 define normal conditions as a whitelist, but a third rule defined as a blacklist may be used instead.

For example, in the second embodiment, a third rule in which a blacklist is defined may be used as the abnormality detection rule instead of the second rule in which a whitelist is defined.

The third rule indicates, for the CAN frames corresponding to a CAN-ID (an identifier indicating the type of data carried by the CAN frame), the range of CAN frame reception periods that is treated as abnormal. The third rule may further indicate, for the CAN frames corresponding to each of the plurality of identifiers, the range of change from the data value of the immediately preceding CAN frame that is treated as abnormal.

When the third rule is used, the abnormality detection processing unit 104 of the autonomous driving DCU 100 uses the reception times corresponding to the plurality of CAN frames obtained from the E frame received by the second communication unit 101b to detect whether the CAN frames contained in that E frame are abnormal. Specifically, among a plurality of CAN frames having the same identifier, the abnormality detection processing unit 104 compares the first reception time of a first CAN frame with the second reception time of a second CAN frame to detect whether the first CAN frame is abnormal. If the difference between the first reception time and the second reception time lies within the reception period range associated with that identifier in the third rule, the abnormality detection processing unit 104 detects that the first CAN frame is abnormal.

Thus, even when an abnormality has occurred on the second network 20, the abnormality detection device can detect abnormalities in periodic CAN frames at a device on the first network 10 and can stop autonomous driving.

The abnormality detection processing unit 104 may also detect that the first CAN frame is abnormal when the difference between the first data value of the first CAN frame and the second data value of the second CAN frame lies within the range of change associated with that identifier in the third rule.

Thus, even when an abnormality has occurred on the second network 20, the abnormality detection device can detect abnormalities in CAN frame data values at a device on the first network 10 and can stop autonomous driving.

The abnormality detection rule may also combine a whitelist and a blacklist for abnormality detection.
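The following is an added example, not code from the patent or its assignee, of how the whitelist semantics of the second rule (outside the range means abnormal) and the blacklist semantics of the third rule (inside the range means abnormal) can be evaluated separately or combined for one CAN-ID, as modification (8) allows. It takes the period and data change already derived from the reception times and data values; the 0xA1 whitelist is the FIG. 13 one (10 ms ± 3 ms, ±50), while the blacklist ranges and the 0xB2 and 0xC3 entries are assumptions made for this example.

```python
"""Added example: whitelist (second rule) and blacklist (third rule) entries
for one CAN-ID, evaluated alone or together. Blacklist ranges are assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Range = Tuple[int, int]   # inclusive (low, high)


@dataclass(frozen=True)
class IdRule:
    allow_period: Optional[Range] = None   # whitelist: period must lie inside
    allow_delta: Optional[Range] = None    # whitelist: |change| must lie inside
    deny_period: Optional[Range] = None    # blacklist: period inside = abnormal
    deny_delta: Optional[Range] = None     # blacklist: |change| inside = abnormal


def _inside(x: int, r: Range) -> bool:
    return r[0] <= x <= r[1]


def judge(rule: IdRule, period_us: int, delta: int) -> List[str]:
    """Return the rule hits for one frame; an empty list means the frame is normal."""
    hits = []
    if rule.allow_period is not None and not _inside(period_us, rule.allow_period):
        hits.append("period outside whitelist")
    if rule.allow_delta is not None and not _inside(abs(delta), rule.allow_delta):
        hits.append("change outside whitelist")
    if rule.deny_period is not None and _inside(period_us, rule.deny_period):
        hits.append("period in blacklist")
    if rule.deny_delta is not None and _inside(abs(delta), rule.deny_delta):
        hits.append("change in blacklist")
    return hits


RULES = {
    # whitelist only, from FIG. 13: 10 ms +/- 3 ms, |change| <= 50
    0xA1: IdRule(allow_period=(7_000, 13_000), allow_delta=(0, 50)),
    # blacklist only (assumed): anything faster than 1 ms is flooding
    0xB2: IdRule(deny_period=(0, 1_000)),
    # combined (assumed): a normal period band plus a known-bad full-scale step
    0xC3: IdRule(allow_period=(18_000, 22_000), deny_delta=(200, 255)),
}


def judge_id(cid: int, period_us: int, delta: int, rules=RULES) -> List[str]:
    rule = rules.get(cid)
    if rule is None:
        return ["no rule for this CAN-ID"]   # fail closed on unknown IDs (assumption)
    return judge(rule, period_us, delta)


def demo():
    """Constructed observations (period since previous frame, change in value)."""
    return {
        "a1_normal": judge_id(0xA1, 10_500, 3),
        "a1_injected": judge_id(0xA1, 2_000, 400),
        "b2_slow_big_change": judge_id(0xB2, 40_000, 999),   # no whitelist: only flooding is caught
        "b2_flood": judge_id(0xB2, 500, 0),
        "c3_full_scale_step": judge_id(0xC3, 20_000, -255),  # period fine, change in deny band
    }
```

A blacklist on its own, as the 0xB2 entry shows, lets a large but slow change through; that is the trade-off the text points at when it allows the two list types to be combined.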

(9) In the above embodiments, the switch rule of FIG. 8 defines the normal source and destination IP addresses, MAC addresses and port numbers in whitelist form, but it may instead be defined as a blacklist. The switch rule may also define conditions on traffic volume, communication frequency and payload values.

(10) In the above embodiments, the frame abnormality detection device is mounted in a vehicle and included in an in-vehicle network system that communicates for vehicle control, but it may instead be included in a network system for controlling a controlled object of a mobile body other than a vehicle. Such a mobile body is, for example, a robot, an aircraft, a ship, a machine, construction machinery, agricultural equipment or a drone.

(11) Each device such as the ECU described in the above embodiments may include a hard disk unit, a display unit, a keyboard, a mouse and the like in addition to a memory and a processor. Each such device may realize its functions in software, by a processor executing a program stored in memory, or in dedicated hardware (such as digital circuits) without a program. The division of functions among the components within each device may also be changed.

(12) Some or all of the components constituting each device in the above embodiments may be configured as a single system LSI (Large Scale Integration). A system LSI is a highly multifunctional LSI manufactured by integrating a plurality of components on one chip; specifically, it is a computer system including a microprocessor, ROM, RAM and the like. A computer program is recorded in the RAM, and the system LSI achieves its functions by the microprocessor operating according to that computer program. The components constituting each device may each be integrated on a separate chip, or some or all of them may be integrated on one chip. Although the term system LSI is used here, it may also be called an IC, LSI, super LSI or ultra LSI depending on the degree of integration. The method of circuit integration is not limited to LSI; a dedicated circuit or a general-purpose processor may be used. An FPGA (Field Programmable Gate Array) that can be programmed after LSI manufacture, or a reconfigurable processor in which the connections and settings of circuit cells inside the LSI can be reconfigured, may also be used. Furthermore, if a circuit integration technology replacing LSI emerges through advances in semiconductor technology or another derived technology, the functional blocks may naturally be integrated using that technology. Application of biotechnology and the like is conceivable.

(13) Some or all of the components constituting each of the above devices may be configured as an IC card or a stand-alone module that can be attached to and detached from each device. The IC card or the module is a computer system including a microprocessor, a ROM, a RAM and the like. The IC card or the module may include the super-multifunction LSI described above. The IC card or the module achieves its functions by the microprocessor operating according to a computer program. The IC card or the module may be tamper resistant.

(14) One aspect of the present disclosure may be a program (computer program) that realizes the abnormality detection method on a computer, or a digital signal made up of the computer program. Another aspect of the present disclosure may be a computer-readable recording medium on which the computer program or the digital signal is recorded, for example a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, a BD (Blu-ray (registered trademark) Disc) or a semiconductor memory. It may also be the digital signal recorded on such a recording medium. Another aspect of the present disclosure may be the transmission of the computer program or the digital signal via an electric communication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting or the like. Another aspect of the present disclosure may be a computer system including a microprocessor and a memory, where the memory stores the computer program and the microprocessor operates according to the computer program. The program or the digital signal may also be carried out by another independent computer system, either by recording it on a recording medium and transferring it, or by transferring it via a network or the like.

(15) Embodiments realized by arbitrarily combining the configurations and functions shown in the above embodiment and the above modifications are also included in the scope of the present disclosure.

The abnormality detection device according to the present disclosure is useful as an abnormality detection device, an abnormality detection method and the like that can detect abnormalities effectively.

1 vehicle
2 server
3 network system
10 first network
11 first transmission line
20 second network
21 second transmission line
21a, 21b CAN bus
30 external network
100 automated driving DCU
101a first communication unit
101b second communication unit
102 switch processing unit
103 switch rule holding unit
104 abnormality detection processing unit
105 abnormality detection rule holding unit
110 automated driving ECU
120 camera
130 LIDAR
140 dynamic map ECU
200 CAN gateway
201 E transmission/reception unit
202a, 202b CAN transmission/reception unit
203 transfer control unit
204 transfer rule holding unit
210 engine ECU
220 steering ECU
230 brake ECU
240 window ECU
300 infotainment DCU
310 IVI
400 central gateway
410 telematics control unit
420 diagnostic port
P1 to P5 ports

Claims (11)

1. An abnormality detection device that detects an abnormality in a network system mounted on a mobile body and having a first network and a second network whose communication protocols differ from each other, the abnormality detection device comprising:
a first communication unit that receives state information indicating a state of the mobile body, the state information being obtained from the second network;
a second communication unit that transmits and receives a first frame according to the communication protocol of the first network;
an abnormality detection rule holding unit that holds an abnormality detection rule; and
an abnormality detection processing unit that, with reference to the state information and the abnormality detection rule, detects whether a control command included in the first frame received by the second communication unit is abnormal,
wherein, when the abnormality detection processing unit detects that the control command is abnormal, it prohibits transfer of that control command.

2. The abnormality detection device according to claim 1, wherein
the abnormality detection rule includes a first rule indicating the control commands permitted in each of a plurality of different states of the mobile body, and
the abnormality detection processing unit detects that the control command is abnormal when the state of the mobile body indicated by the state information is not among the states associated with that control command in the first rule.

3. The abnormality detection device according to claim 1, wherein the control command is a control command that causes the mobile body to execute at least one of going, turning and stopping.

4. The abnormality detection device according to claim 1, wherein
the first network is an Ethernet (registered trademark) network,
the second network is a CAN network,
the first communication unit receives the state information by receiving a CAN frame containing the state information,
the abnormality detection rule further includes a second rule for detecting whether the CAN frame is abnormal, and
the abnormality detection processing unit further prohibits transfer of the control command when it detects that the CAN frame is abnormal.

5. The abnormality detection device according to claim 1, wherein
the first network is an Ethernet (registered trademark) network,
the second network is a CAN network, and
the first communication unit receives a second frame, which is an Ethernet (registered trademark) frame in which a CAN frame indicating the state information is stored.

6. The abnormality detection device according to claim 5, wherein
the second frame stores a plurality of CAN frames including the CAN frame indicating the state information,
the abnormality detection rule further includes a second rule for detecting whether each of the plurality of CAN frames is abnormal,
each of the plurality of CAN frames has an identifier that differs for each frame type,
the second rule indicates, for each of the plurality of identifiers, the range of reception cycles permitted for CAN frames with that identifier, and
the abnormality detection processing unit, using the reception times corresponding to the plurality of CAN frames, detects that a first CAN frame is abnormal when, among the CAN frames having the same identifier, the difference between the first reception time of the first CAN frame and the second reception time of a second CAN frame received immediately before the first CAN frame is outside the range of reception cycles associated with that identifier in the second rule.

7. The abnormality detection device according to claim 6, wherein
the second rule further indicates, for each of the plurality of identifiers, the amount of change permitted for a CAN frame with that identifier relative to the data value of the immediately preceding CAN frame, and
the abnormality detection processing unit further detects that the first CAN frame is abnormal when the difference between the first data value of the first CAN frame and the second data value of the second CAN frame exceeds the amount of change associated with that identifier in the second rule.

8. The abnormality detection device according to claim 5, wherein
the second frame stores a plurality of CAN frames including the CAN frame indicating the state information,
the abnormality detection rule further includes a third rule for detecting whether each of the plurality of CAN frames is abnormal,
each of the plurality of CAN frames has an identifier that differs for each frame type,
the third rule indicates, for each of the plurality of identifiers, a range of reception cycles for CAN frames with that identifier, and
the abnormality detection processing unit, using the reception times corresponding to the plurality of CAN frames, detects that a first CAN frame is abnormal when, among the CAN frames having the same identifier, the difference between the first reception time of the first CAN frame and the second reception time of a second CAN frame received immediately before the first CAN frame is within the range of reception cycles associated with that identifier in the third rule.

9. The abnormality detection device according to claim 8, wherein
the third rule further indicates, for each of the plurality of identifiers, an amount of change for a CAN frame with that identifier relative to the data value of the immediately preceding CAN frame, and
the abnormality detection processing unit further detects that the first CAN frame is abnormal when the difference between the first data value of the first CAN frame and the second data value of the second CAN frame is within the range of the amount of change associated with that identifier in the third rule.

10. The abnormality detection device according to any one of claims 6 to 9, wherein the abnormality detection processing unit
acquires, as the abnormality detection rule, the rule associated with each of the plurality of identifiers, and
detects that the CAN frame is abnormal with reference to that abnormality detection rule.

11. An abnormality detection method performed by an abnormality detection device that detects an abnormality in a network system mounted on a mobile body and having a first network and a second network whose communication protocols differ from each other, the abnormality detection method comprising:
a first communication step of receiving state information indicating a state of the mobile body, the state information being obtained from the second network;
a second communication step of transmitting and receiving a first frame according to the communication protocol of the first network;
a detection step of detecting, with reference to the state information and an abnormality detection rule held by a holding unit included in the abnormality detection device, whether a control command included in the first frame received in the second communication step is abnormal; and
a prohibition step of prohibiting transfer of the control command when the detection step detects that the control command is abnormal.

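The rule checks of claims 1 to 10, written out as an added example that is not the patent's own code: a first rule of control commands allowed per vehicle state, a second rule of permitted reception-cycle and data-change ranges per CAN identifier, and a third rule of ranges that are not allowed. The CAN identifiers, the rule values, the state names and the mapping from the speed frame to the vehicle state are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CanFrame:
    can_id: int        # identifier, different for each frame type (claim 6)
    data: int          # the data value compared by the rules (constructed: one signal)
    recv_time_ms: int  # reception time recorded when the frame arrived


# First rule (claim 2): control commands permitted in each state of the vehicle.
# Assumed states; the command names go, turn and stop follow claim 3.
FIRST_RULE: Dict[str, Set[str]] = {
    "stopped": {"go", "stop"},
    "driving": {"go", "turn", "stop"},
}

# Second rule (claims 6 and 7): per identifier, the permitted reception-cycle
# range in ms and the maximum permitted change from the previous data value.
SECOND_RULE: Dict[int, Tuple[Tuple[int, int], int]] = {
    0x100: ((90, 110), 5),   # constructed: speed signal, nominal 100 ms cycle
    0x200: ((18, 22), 20),   # constructed: steering angle, nominal 20 ms cycle
}

# Third rule (claims 8 and 9): per identifier, a reception-cycle range and a
# change range that are NOT allowed; a frame inside either range is abnormal.
THIRD_RULE: Dict[int, Tuple[Tuple[int, int], Tuple[int, int]]] = {
    0x100: ((0, 10), (50, 255)),  # constructed: burst of frames or impossible jump
}

SPEED_ID = 0x100  # constructed: the CAN frame whose data gives the vehicle state


class AnomalyDetectionProcessingUnit:
    def __init__(self) -> None:
        self.last: Dict[int, CanFrame] = {}  # previous frame seen per identifier
        self.state: Optional[str] = None     # vehicle state from the state information
        self.can_abnormal = False            # True while the last second frame was bad

    def check_can_frame(self, frame: CanFrame) -> bool:
        """Return True when the frame satisfies the second and third rules."""
        prev = self.last.get(frame.can_id)
        self.last[frame.can_id] = frame
        if prev is None:
            return True  # first frame with this identifier: nothing to compare
        cycle = frame.recv_time_ms - prev.recv_time_ms
        delta = abs(frame.data - prev.data)
        ok = True
        if frame.can_id in SECOND_RULE:
            (lo, hi), max_delta = SECOND_RULE[frame.can_id]
            ok = ok and lo <= cycle <= hi and delta <= max_delta
        if frame.can_id in THIRD_RULE:
            (lo, hi), (dlo, dhi) = THIRD_RULE[frame.can_id]
            ok = ok and not (lo <= cycle <= hi or dlo <= delta <= dhi)
        return ok

    def receive_second_frame(self, frames: List[CanFrame]) -> bool:
        """Handle the CAN frames carried in one Ethernet frame (claim 5): check
        every frame, then update the vehicle state. Returns False if any frame
        was abnormal; control commands are then blocked (claim 4)."""
        results = [self.check_can_frame(f) for f in frames]
        self.can_abnormal = not all(results)
        for f in frames:
            if f.can_id == SPEED_ID:
                self.state = "stopped" if f.data == 0 else "driving"
        return not self.can_abnormal

    def allow_control_command(self, command: str) -> bool:
        """Claims 1 and 2: permit transfer only when the state is known, the
        state information was not flagged, and the command is allowed there."""
        if self.can_abnormal or self.state is None:
            return False
        return command in FIRST_RULE.get(self.state, set())
```

A command that arrives before any state information, or right after a flagged second frame, is refused rather than forwarded, which is the fail-closed behaviour the claims describe.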
PCT/JP2018/027012 2017-07-26 2018-07-19 Abnormality detection device, and abnormality detection method Ceased WO2019021922A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP18837632.1A EP3659868B1 (en) 2017-07-26 2018-07-19 Abnormality detection device, and abnormality detection method
CN201880003962.9A CN109843653B (en) 2017-07-26 2018-07-19 Abnormality detection device and abnormality detection method
US16/730,977 US11539727B2 (en) 2017-07-26 2019-12-30 Abnormality detection apparatus and abnormality detection method

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2017-144490 2017-07-26
JP2017144490 2017-07-26
JP2018-097207 2018-05-21
JP2018097207A JP7033499B2 (en) 2017-07-26 2018-05-21 Anomaly detection device and anomaly detection method

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/730,977 Continuation US11539727B2 (en) 2017-07-26 2019-12-30 Abnormality detection apparatus and abnormality detection method

Publications (1)

Publication Number Publication Date
WO2019021922A1 true WO2019021922A1 (en) 2019-01-31

Family

ID=65041358

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/027012 Ceased WO2019021922A1 (en) 2017-07-26 2018-07-19 Abnormality detection device, and abnormality detection method

Country Status (1)

Country Link
WO (1) WO2019021922A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012006446A (en) 2010-06-23 2012-01-12 Toyota Motor Corp In-vehicle network system
JP2015067187A (en) * 2013-09-30 2015-04-13 株式会社デンソー Vehicle control system
JP2016074317A (en) * 2014-10-07 2016-05-12 株式会社デンソー Instruction determination device used for remote control over vehicle, and program for instruction determination device
WO2017119027A1 (en) * 2016-01-08 2017-07-13 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Impropriety detection method, monitoring electronic control unit, and on-board network system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3659868A4

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114503518A (en) * 2019-11-28 2022-05-13 住友电气工业株式会社 Detection device, vehicle, detection method, and detection program
CN114503518B (en) * 2019-11-28 2024-01-12 住友电气工业株式会社 Testing devices, vehicles, testing methods and testing procedures
CN114430896A (en) * 2020-05-26 2022-05-03 松下电器(美国)知识产权公司 Abnormality detection device, abnormality detection system, and abnormality detection method
EP4160998A4 (en) * 2020-05-26 2023-06-14 Panasonic Intellectual Property Corporation of America FAULT DETECTION DEVICE, SYSTEM AND METHOD
US11792219B2 (en) 2020-05-26 2023-10-17 Panasonic Intellectual Property Corporation Of America Anomaly detecting device, anomaly detecting system, and anomaly detecting method
JPWO2022049895A1 (en) * 2020-09-01 2022-03-10
WO2022049895A1 (en) * 2020-09-01 2022-03-10 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Abnormality monitoring device and abnormality monitoring method
JP7595079B2 (en) 2020-09-01 2024-12-05 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Abnormality monitoring device and abnormality monitoring method
CN113486799A (en) * 2021-07-07 2021-10-08 深圳市商汤科技有限公司 Device linkage method, device, storage medium and program product
CN114301645A (en) * 2021-12-16 2022-04-08 北京六方云信息技术有限公司 Abnormal behavior detection method, device, terminal device and storage medium
CN116319389A (en) * 2023-05-17 2023-06-23 工业富联(佛山)产业示范基地有限公司 Network anomaly identification method and related equipment
CN116319389B (en) * 2023-05-17 2023-07-18 工业富联(佛山)产业示范基地有限公司 Network anomaly identification method and related equipment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18837632

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2018837632

Country of ref document: EP

Effective date: 20200226