US-12619719-B2 - Monitoring system and control method

Abstract

An integrated ECU includes: a host virtual machine; an anomaly detector that detects a security anomaly in the host virtual machine; a service list storage that stores a service list indicating a list of a plurality of services executed by the in-vehicle system; a determiner that determines a specific service from among the plurality of services indicated in the service list when the anomaly detector detects the security anomaly, the specific service being a service which needs to be stopped or needs a change in a setting in order to resolve the security anomaly; and an anomaly countermeasures unit that executes an anomaly countermeasures process of stopping the specific service or changing the setting of the specific service, based on a determination result of the determiner.

Inventors

• Ryo Hirano
• Yoshiharu Imamoto
• Shoichiro SEKIYA

Assignees

• PANASONIC AUTOMOTIVE SYSTEMS CO., LTD.

Dates

Publication Date

20260505

Application Date

20240418

Priority Date

20230425

Claims (9)

1. 1 . A monitoring system for monitoring an in- vehicle system provided to a vehicle, the monitoring system being included in the in-vehicle system, the monitoring system comprising: a processor; and a memory including at least set of instructions that, when executed by the processor, causes the processor to perform operations, the operations including: detecting a security anomaly in an operating system included in the monitoring system, the security anomaly including an unauthorized access to the vehicle; determining a specific service from among a plurality of services indicated in a service list indicating a list of the plurality of services executed by the in-vehicle system when the security anomaly is detected, the specific service being a service to be stopped or to be changed in a setting in order to resolve the security anomaly; and executing an anomaly countermeasures process of stopping the specific service or changing the setting of the specific service, based on a determination result; counting an anomaly countermeasures count that is a total number of times that the anomaly countermeasures process has been executed in a predetermined time period; determining the specific service from among the plurality of services indicated in the service list, based on the anomaly countermeasures count; and obtaining vehicle status information indicating, as a state of the vehicle, whether the vehicle is running or stopped, wherein in the service list, each of the plurality of services is associated with whether the service is stoppable while the vehicle is running or stopped, and based on the anomaly countermeasures count and the vehicle status information, the determining by the processor does not select as the specific service a service not stoppable while the vehicle is running or stopped from among the plurality of services indicated in the service list.
2. 2 . The monitoring system according to claim 1 , wherein: the determining by the processor further includes determining the specific service from among the plurality of services indicated in the service list, based on the anomaly countermeasures process associated with the anomaly countermeasures count counted with reference to an anomaly countermeasures table indicating a correspondence between the anomaly countermeasures count and the anomaly countermeasures process.
3. 3 . The monitoring system according to claim 1 , wherein: the determining by the processor further includes determining the specific service from among the plurality of services indicated in the service list, based on the anomaly countermeasures count and the vehicle status information.
4. 4 . The monitoring system according to claim 1 wherein: the processor further performs operations including notifying that the specific service is stopped or the setting of the specific service is changed, when the specific service is stopped or the setting of the specific service is changed.
5. 5 . The monitoring system according to claim 4 , wherein when the security anomaly is resolved, the notifying by the processer further includes notifying details of the anomaly countermeasures process executed.
6. 6 . The monitoring system according to claim 1 , wherein when the security anomaly is detected, the processor further performs operations including generating a replicated operating system that is a replication of the operating system in which the security anomaly has been detected.
7. 7 . The monitoring system according to claim 1 , wherein in the service list, each of the plurality of services indicated in the service list is associated with a numerical value representing a degree of priority the specific service is to be stopped or the setting thereof is to be changed, and the determining by the processor further includes determining the specific service from among the plurality of services indicated in the service list, based on the degree of priority.
8. 8 . The monitoring system according to claim 1 , wherein in the service list, the plurality of services are classified into categories including at least one of a network, a device, a vehicle function, a vehicle safety function, or security.
9. 9 . A control method performed by a monitoring system for monitoring an in-vehicle system provided to a vehicle, the monitoring system being included in the in-vehicle system, the control method comprising: (a) detecting a security anomaly in an operating system included in the monitoring system; (b) determining, when the security anomaly is detected in (a), a specific service from among a plurality of services indicated in a service list indicating a list of the plurality of services executed by the in-vehicle system, the specific service being a service which needs to be stopped or needs a change in a setting in order to resolve the security anomaly; (c) executing an anomaly countermeasures process of stopping the specific service or changing the setting of the specific service, based on a determination result of (b); and (d) counting an anomaly countermeasures count that is a total number of times that the anomaly countermeasures process has been executed in a predetermined time period in (c); (e) determining the specific service from among the plurality of services indicated in the service list, based on the anomaly countermeasures count counted in (d); and (f) obtaining vehicle status information indicating, as a state of the vehicle, whether the vehicle is running or stopped, wherein in the service list, each of the plurality of services is associated with whether the service is stoppable while the vehicle is running or stopped, and based on the anomaly countermeasures count and the vehicle status information, the determining does not select as the specific service a service not stoppable while the vehicle is running or stopped from among the plurality of services indicated in the service list.

Description

CROSS REFERENCE TO RELATED APPLICATIONS The present application is based on and claims priority of Japanese Patent Application No. 2023-071248 filed on Apr. 25, 2023. FIELD The present disclosure relates to a monitoring system and a control method. BACKGROUND Monitoring systems have been known that monitor an operating system provided in a vehicle for the occurrence of security anomalies caused by attack on the operating system from the outside (e.g., see PTL 1). CITATION LIST Patent Literature PTL 1: Japanese Patent No. 7113337 SUMMARY However, the above conventional monitoring systems can be improved upon. In view of this, the present disclosure provides a monitoring system and a control method capable of improving upon the above related art. In accordance with an aspect of the present disclosure, a monitoring system which monitors an in-vehicle system provided to a vehicle and is included in the in-vehicle system includes: an operating system; an anomaly detector that detects a security anomaly in the operating system; a first storage that stores a service list indicating a list of a plurality of services executed by the in-vehicle system; a determiner that determines a specific service from among the plurality of services indicated in the service list when the anomaly detector detects the security anomaly, the specific service being a service which needs to be stopped or needs a change in a setting in order to resolve the security anomaly; and an anomaly countermeasures unit that executes an anomaly countermeasures process of stopping the specific service or changing the setting of the specific service, based on a determination result of the determiner. General or specific aspects of the present disclosure may be implemented to a system, a device, a method, an integrated circuit, a computer program, a computer-readable recording medium such as a Compact Disc-Read Only Memory (CD-ROM), or any given combination thereof. The monitoring system or the like according to the present disclosure are capable of improving upon the above related art. BRIEF DESCRIPTION OF DRAWINGS These and other advantages and features of the present disclosure will become apparent from the following description thereof taken in conjunction with the accompanying drawings that illustrate a specific embodiment of the present disclosure. FIG. 1 is a conceptual diagram illustrating an overview of an in-vehicle system according to an embodiment. FIG. 2 is a block diagram illustrating an overview of the in-vehicle system according to the embodiment. FIG. 3 is a block diagram illustrating the functional configuration of an integrated ECU according to the embodiment. FIG. 4A is a diagram illustrating an example of detection result information according to the embodiment. FIG. 4B is a diagram illustrating an example of vehicle state information according to the embodiment. FIG. 4C is a diagram illustrating an example of an anomaly countermeasures count according to the embodiment. FIG. 5 is a diagram illustrating an example of a service list according to the embodiment. FIG. 6 is a diagram illustrating an example of an anomaly countermeasures table according to the embodiment. FIG. 7 is a diagram for describing processing in a determiner of the integrated ECU according to the embodiment. FIG. 8 is a diagram illustrating an example of a to-be-stopped service list according to the embodiment. FIG. 9 is a sequence diagram illustrating the process of general operations of the integrated ECU according to the embodiment. FIG. 10 is a flowchart illustrating the process of operations of the determiner of the integrated ECU according to the embodiment. FIG. 11 is a flowchart illustrating the process of operations of the determiner of the integrated ECU according to the embodiment. FIG. 12 is a flowchart illustrating the process of operations of the determiner of the integrated ECU according to the embodiment. FIG. 13 is a diagram for describing operations of the determiner of the integrated ECU according to the embodiment. FIG. 14 is a diagram illustrating an example of the anomaly countermeasures table according to a variation of the embodiment. DESCRIPTION OF EMBODIMENT Underlying Knowledge Forming Basis of the Present Disclosure The inventors have found that the techniques mentioned in the Background involve the following inconvenience. In the above conventional monitoring systems, functions of a vehicle may be significantly restricted by executing an anomaly countermeasures process for resolving a security anomaly. In order to solve the above problem, in accordance with an aspect of the present disclosure, a monitoring system which monitors an in-vehicle system provided to a vehicle and is included in the in-vehicle system includes: an operating system; an anomaly detector that detects a security anomaly in the operating system; a first storage that stores a service list indicating a list of a plurality of services executed by the in-vehicle sys