Search

JP-7856000-B2 - Anomaly frame detection device, anomaly frame detection method, and anomaly frame detection program

JP7856000B2JP 7856000 B2JP7856000 B2JP 7856000B2JP-7856000-B2

Inventors

  • 竹内 錬磨
  • 川上 達郎
  • 福島 理天

Assignees

  • 株式会社デンソー

Dates

Publication Date
20260511
Application Date
20221227

Claims (18)

  1. An abnormal frame determination device connected to an electronic control device (20) that transmits data frames at a predetermined interval, A receiving unit (101) that receives a first data frame which is presumed to have been transmitted from the electronic control unit, A reception interval calculation unit (104) calculates the reception interval between the first data frame and the second data frame that the receiving unit received immediately before the first data frame, A storage unit (106) that stores a judgment value used to detect abnormal frames, A determination value update unit (107) adds a predetermined value to the determination value if the reception interval is shorter than a threshold, An abnormal frame determination unit (110) determines that the second data frame is an abnormal frame when the determination value reaches a limit value and the reception interval is longer than the proximity reception interval which is the criterion for determining whether the first data frame and the second data frame were received in close proximity, An abnormal frame detection device (10) is provided.
  2. The abnormal frame determination unit further determines that at least one of the first data frame or the second data frame is an abnormal frame when the reception interval is less than or equal to the nearest reception interval. The abnormal frame detection device according to claim 1.
  3. The abnormal frame determination unit determines that the second data frame is an abnormal frame when the determination value first reaches the limit value and the reception interval is longer than the nearest reception interval. The abnormal frame detection device according to claim 1.
  4. The abnormal frame determination unit determines that the determination value has reached the limit value for the first time when the determination value reaches the limit value due to the addition of the predetermined value to the initial value of the determination value a predetermined number of times. The abnormal frame determination device according to claim 3.
  5. The determination value update unit further subtracts the predetermined value from the determination value if the reception interval is longer than the threshold. The abnormal frame determination unit determines that the determination value has reached the limit value for the first time when the determination value reaches the limit value after the predetermined value has been subtracted from the determination value and then the predetermined value has been added to it a predetermined number of times. The abnormal frame determination device according to claim 3.
  6. The abnormal frame determination unit determines that the second data frame is an abnormal frame when the determination value reaches the limit value due to the addition of a predetermined value to the determination value which is less than the limit value, and the reception interval is longer than the nearest reception interval. The abnormal frame detection device according to claim 1.
  7. The abnormal frame determination unit determines that at least one of the first data frame or the second data frame is an abnormal frame if the predetermined value is added to the determination value which is equal to or greater than the limit value. The abnormal frame detection device according to claim 1.
  8. The threshold is a value less than or equal to the predetermined period. The abnormal frame detection device according to claim 1.
  9. The threshold is equal to the minimum reception interval between the first data frame and the second data frame, which are data frames transmitted from the electronic control device. The abnormal frame determination device according to claim 8.
  10. The predetermined value is the difference between the reception interval and the threshold, The limit value is a value less than or equal to the value obtained by subtracting the predetermined period from twice the threshold value. The abnormal frame detection device according to claim 1.
  11. The limit value is equal to twice the threshold value minus the maximum reception interval between the first data frame and the second data frame, which are data frames transmitted from the electronic control device. The abnormal frame determination device according to claim 10.
  12. The determination value update unit further subtracts the difference from the determination value if the reception interval is longer than the threshold. The abnormal frame determination unit determines that the second data frame is an abnormal frame when the determination value reaches the limit value after the difference has been subtracted and then added twice, and the reception interval is longer than the nearest reception interval. The abnormal frame determination device according to claim 10.
  13. The predetermined value is the difference between the reception interval and the threshold, The proximity reception interval is a value less than or equal to the value obtained by subtracting the limit value from the threshold value. The abnormal frame detection device according to claim 1.
  14. The proximity reception interval is equal to the value obtained by subtracting the minimum value of the reception interval between the first data frame and the second data frame, which are data frames transmitted from the electronic control device, from the maximum value of the reception interval between the first data frame and the second data frame, which are data frames transmitted from the electronic control device. The abnormal frame determination device according to claim 13.
  15. The predetermined value is a value based on the difference between the reception interval and the threshold. The abnormal frame detection device according to claim 1.
  16. The maximum value of the judgment value is equal to the limit value. The abnormal frame detection device according to claim 1.
  17. An abnormal frame determination method performed by an abnormal frame determination device (10) connected to an electronic control device (20) that transmits data frames at predetermined intervals, The first data frame, which is presumed to have been transmitted from the electronic control unit, is received (S101). The reception interval between the first data frame and the second data frame received immediately before the first data frame is calculated (S103). If the reception interval is shorter than the threshold, a predetermined value is added to the determination value stored in the storage unit and used for detecting abnormal frames (S105). If the determination value reaches the limit value, and the reception interval is longer than the proximity reception interval which is the criterion for determining whether the first data frame and the second data frame were received in close proximity, the second data frame is determined to be the abnormal frame (S109). Method for detecting abnormal frames.
  18. An abnormal frame determination program that can be executed by an abnormal frame determination device (10) connected to an electronic control device (20) that transmits data frames at predetermined intervals, The first data frame, which is presumed to have been transmitted from the electronic control unit, is received (S101). The reception interval between the first data frame and the second data frame received immediately before the first data frame is calculated (S103). If the reception interval is shorter than the threshold, a predetermined value is added to the determination value stored in the storage unit and used for detecting abnormal frames (S105). If the determination value reaches the limit value, and the reception interval is longer than the proximity reception interval which is the criterion for determining whether the first data frame and the second data frame were received in close proximity, the second data frame is determined to be the abnormal frame (S109). An abnormal frame detection program.

Description

This invention relates to a device for determining abnormal data frames from data frames transmitted from an electronic control device, as well as a method and program executed by said device. Traditionally, automobiles have been equipped with various types of electronic control devices, and these devices are interconnected via a communication network to form an in-vehicle system. In such in-vehicle systems, it is known that Network-based Intrusion Detection Systems (NIDS) are used to detect suspicious access or data from external sources. For example, Patent Document 1 discloses a communication system capable of determining the legitimacy or legitimacy of messages transmitted in a communication system with a simple configuration. In this communication system, multiple ECUs are connected to a communication bus to enable message transmission. Each ECU has a predetermined communication interval set, and the ECU sending a message transmits the message based on this predetermined communication interval. If the communication interval of a received message is shorter than the predetermined communication interval, the message is determined to be invalid. Patent Document 2 discloses a relay connection unit that relays messages transmitted and received between electronic control units. This relay connection unit counts the number of messages received within a predetermined set time, and determines that a message is not valid if the number of received messages exceeds the set number. International Publication No. 2013/094072Japanese Patent Publication No. 2009-253557 A diagram illustrating an in-vehicle system having a log determination device according to Embodiment 1 or 2.A diagram showing an example configuration of the log determination device of Embodiment 1 or 2.A diagram illustrating the timestamp assigned by the timestamp assignment unit of Embodiment 1 or 2.Diagram illustrating the reception interval and determination value of the data frame in Embodiment 1.Diagram illustrating the reception interval and determination value of the data frame in Embodiment 1.Diagram illustrating the reception interval and determination value of the data frame in Embodiment 1.Diagram illustrating the reception interval and determination value of the data frame in Embodiment 1.Diagram illustrating the operation of the abnormal frame detection device of Embodiment 1.Diagram illustrating the operation of the abnormal frame detection device of Embodiment 1.Diagram illustrating the operation of the abnormal frame detection device of Embodiment 2.Diagram illustrating the operation of the abnormal frame detection device of Embodiment 2. The embodiments of the present invention will be described below with reference to the drawings. Furthermore, "the present invention" means the invention described in the claims or the means for solving the problem, and is not limited to the following embodiments. Also, at least the terms within quotation marks mean the terms described in the claims or the means for solving the problem, and are likewise not limited to the following embodiments. The configurations and methods described in the dependent claims are optional configurations and methods in the invention described in the independent claims. The configurations and methods in embodiments corresponding to the configurations and methods described in the dependent claims, as well as configurations and methods described only in embodiments and not in the claims, are optional configurations and methods in this invention. Configurations and methods described in embodiments where the claims are broader than the embodiments are also optional configurations and methods in this invention, in the sense that they are illustrative examples of the configurations and methods of this invention. In all cases, by describing them in the independent claims, they become essential configurations and methods of this invention. The effects described in the embodiments are those obtained when the configuration is that of an exemplary embodiment of the present invention, and are not necessarily effects of the present invention itself. When there are multiple embodiments, the configuration disclosed in each embodiment is not confined to that embodiment alone, but can be combined across embodiments. For example, the configuration disclosed in one embodiment may be combined with another embodiment. Alternatively, the configuration disclosed in each of multiple embodiments may be combined. The problem described in the problem that this invention aims to solve is not a publicly known problem, but rather something that the inventor has discovered independently. This fact, along with the structure and method of the present invention, affirms the inventive step of the invention. 1. Configuration common to each embodiment (1) In-vehicle system 1 Figure 1 shows an in-vehicle system 1 consisting of an abnormal frame detection device 10, a plurality of electronic control units 20