US-12627678-B2 - Abnormality detecting device, security system, and abnormality notification method

Abstract

An abnormality detecting device includes a controller for detecting an abnormality occurred in an in-vehicle network in which a plurality of pieces of vehicle-mounted equipment mounted in a vehicle communicate with each other; and a storage device for storing information, the controller determines a data amount and/or a timing to be used for communication with an external device, based on a priority that is a degree of influence on a system based on a degree of security violation or a degree of gradually increasing risk from a history of the number of times a security violation signal has been acquired when the security violation signal is detected as the abnormality from acquired data, and communicates contents or a transmission destination of a data frame including the security violation signal if the priority is more than a first prescribed value.

Inventors

  • Ken Naka
  • Satoru Matsuyama

Assignees

  • NISSAN MOTOR CO., LTD.

Dates

Publication Date
20260512
Application Date
20210721

Claims (12)

  1. An abnormality detecting device comprising: a controller for detecting an abnormality occurred in an in-vehicle network in which a plurality of pieces of vehicle-mounted equipment mounted in a vehicle communicate with each other; and a storage device for storing information, wherein the controller: determines a data amount and/or a timing to be used for communication with an external device, based on a priority that is a degree of influence on a system based on a degree of security violation or a degree of gradually increasing risk from a history of the number of times a security violation signal has been acquired when the security violation signal is detected as the abnormality from acquired data; generates detailed information, indicating contents of the abnormality, and summary information in which the contents of the abnormality are more summarized than those in the detailed information; stores the detailed information and the summary information in the storage device; upon the priority being more than a first threshold value and upon the abnormality being detected for a first time in a first time period, performs a notification of the detailed information to the external device and deletes the detailed information stored in the storage device after performing the notification; upon the priority being more than the first threshold value and upon the abnormality not being detected for a first time in the first time period and upon a log capacity of the storage device being at or above a certain level, performs a notification of the detailed information to the external device and deletes the detailed information stored in the storage device after performing the notification; upon the priority being more than the first threshold value and upon the abnormality not being detected for a first time in the first time period and upon the log capacity of the storage device not being at or above the certain level and upon a certain time having elapsed since a previous notification of the detailed information, performs a notification of the detailed information to the external device and deletes the detailed information stored in the storage device after performing the notification; and upon the priority being more than the first threshold value and upon the abnormality not being detected for a first time in the first time period and upon the log capacity of the storage device not being at or above the certain level and upon the certain time not having elapsed since a previous notification of the detailed information, performs a notification of the summary information to the external device and disallows deletion of a log of the detailed information stored in the storage device.
  2. The abnormality detecting device according to claim 1, wherein the controller transmits, as the communication with the external device, an abnormality notification and/or all or a part of the information stored in the storage device to the external device according to the data amount and/or the timing.
  3. The abnormality detecting device according to claim 2, wherein the controller reads the detailed information or the summary information from the storage device and transmits the detailed information or the summary information to a management server as the external device that is provided outside the vehicle and manages the abnormality occurred in the in-vehicle network according to the data amount.
  4. The abnormality detecting device according to claim 1, wherein the abnormality is an external violation that is not a violation from the vehicle-mounted equipment.
  5. The abnormality detecting device according to claim 1, wherein the controller further determines the data amount and/or the timing based on the priority according to at least one of a capacity of the storage device, a previously notified timing, and a frequency.
  6. The abnormality detecting device according to claim 1, wherein the controller increases a data amount required for communication with the external device and/or advances a timing of notification to the external device, as the priority increases.
  7. The abnormality detecting device according to claim 1, wherein the controller: communicates contents or a transmission destination of a data frame including the security violation signal when the priority is more than the first threshold value; and communicates only a type of the security violation signal, a frequency of notification, or an amount of detection when the priority is more than a second threshold value that is smaller than the first threshold value.
  8. The abnormality detecting device according to claim 1, wherein the controller: communicates contents or a transmission destination of a data frame including the security violation signal when the priority is more than the first threshold value; and communicates an entire acquired data frame, when the priority is more than a third threshold value that is larger than the first threshold value.
  9. The abnormality detecting device according to claim 1, wherein the controller communicates a communication sequence in addition to the acquired data frame, when the security violation signal is continuously acquired for a prescribed period of time or is acquired a prescribed number of times or more.
  10. The abnormality detecting device according to claim 8, wherein the controller communicates a data frame from another vehicle-mounted equipment or a status of a vehicle, when the priority is more than a fourth threshold value that is larger than the third threshold value.
  11. A security system comprising: a vehicle constructed with an in-vehicle network in which a plurality of pieces of vehicle-mounted equipment communicate with each other; and a management server for communicating with the vehicle, wherein the vehicle includes an abnormality detecting device having a controller for detecting an abnormality occurred in the in-vehicle network and a storage device for storing information, wherein the controller of the abnormality detecting device; determines a data amount and/or a timing to be used for communication with an external device, based on a priority that is a degree of influence on a system based on a degree of security violation or a degree of gradually increasing risk from a history of the number of times a security violation signal has been acquired when the security violation signal is detected as the abnormality from acquired data; generates detailed information, indicating contents of the abnormality, and summary information in which the contents of the abnormality are more summarized than those in the detailed information; stores the detailed information and the summary information in the storage device; upon the priority being more than a first threshold value and upon the abnormality being detected for a first time in a first time period, performs a notification of the detailed information to the external device and deletes the detailed information stored in the storage device after performing the notification; upon the priority being more than the first threshold value and upon the abnormality not being detected for a first time in the first time period and upon a log capacity of the storage device being at or above a certain level, performs a notification of the detailed information to the external device and deletes the detailed information stored in the storage device after performing the notification; upon the priority being more than the first threshold value and upon the abnormality not being detected for a first time in the first time period and upon the log capacity of the storage device not being at or above the certain level and upon a certain time having elapsed since a previous notification of the detailed information, performs a notification of the detailed information to the external device and deletes the detailed information stored in the storage device after performing the notification; and upon the priority being more than the first threshold value and upon the abnormality not being detected for a first time in the first time period and upon the log capacity of the storage device not being at or above the certain level and upon the certain time not having elapsed since a previous notification of the detailed information, performs a notification of the summary information to the external device and disallows deletion of a log of the detailed information stored in the storage device, wherein the management server includes a controller for managing the abnormality occurred in the in-vehicle network, and wherein the controller of the management server communicates with the abnormality detecting device.
  12. An abnormality notification method performed by an abnormality detecting device including a controller for detecting an abnormality occurred in an in-vehicle network in which a plurality of pieces of vehicle-mounted equipment mounted in a vehicle communicate with each other, and a storage device for storing information, the abnormality notification method comprising: the controller determining a data amount and/or a timing to be used for communication with an external device, based on a priority that is a degree of influence on a system based on a degree of security violation or a degree of gradually increasing risk from a history of the number of times a security violation signal has been acquired when the security violation signal is detected as the abnormality from acquired data; the controller generating detailed information, indicating contents of the abnormality, and summary information in which the contents of the abnormality are more summarized than those in the detailed information; the controller storing the detailed information and the summary information in the storage device; upon the priority being more than a first threshold value and upon the abnormality being detected for a first time in a first time period, the controller performs a notification of the detailed information to the external device and deletes the detailed information stored in the storage device after performing the notification; upon the priority being more than the first threshold value and upon the abnormality not being detected for a first time in the first time period and upon a log capacity of the storage device being at or above a certain level, the controller performs a notification of the detailed information to the external device and deletes the detailed information stored in the storage device after performing the notification; upon the priority being more than the first threshold value and upon the abnormality not being detected for a first time in the first time period and upon the log capacity of the storage device not being at or above the certain level and upon a certain time having elapsed since a previous notification of the detailed information, the controller performs a notification of the detailed information to the external device and deletes the detailed information stored in the storage device after performing the notification; and upon the priority being more than the first threshold value and upon the abnormality not being detected for a first time in the first time period and upon the log capacity of the storage device not being at or above the certain level and upon the certain time not having elapsed since a previous notification of the detailed information, the controller performs a notification of the summary information to the external device and disallows deletion of a log of the detailed information stored in the storage device.
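
The four notification branches recited in claims 1, 11 and 12, written out as a decision function. This is an added example, not code from the patent or its assignee. The type and field names, the units, the reading of "log capacity" as bytes of detailed log currently held, and the handling of a missing previous notification are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the claim 1 decision order. Every name, type and unit
 * here is an assumption; the patent text contains no code. */
typedef enum { NOTIFY_NONE, NOTIFY_DETAILED, NOTIFY_SUMMARY } notify_t;

typedef struct {
    uint32_t first_threshold;   /* "first threshold value" for the priority  */
    uint32_t first_period_s;    /* "first time period", assumed in seconds   */
    uint32_t log_level_bytes;   /* "certain level" of stored detailed log    */
    uint32_t renotify_after_s;  /* "certain time" since last detailed notice */
} policy_t;

typedef struct {
    bool     window_open, detailed_sent;
    uint32_t window_start_s, last_detailed_s, log_used_bytes;
} state_t;

/* Called once per detected abnormality, after its priority has been scored. */
notify_t on_abnormality(const policy_t *p, state_t *s, uint32_t now_s,
                        uint32_t priority, uint32_t detail_bytes)
{
    s->log_used_bytes += detail_bytes;          /* detailed record is stored */

    /* Assumed reading of "first time in a first time period": a fixed window
     * that restarts at the first detection after the previous one expired. */
    bool first = !s->window_open ||
                 now_s - s->window_start_s >= p->first_period_s;
    if (first) { s->window_open = true; s->window_start_s = now_s; }

    if (priority <= p->first_threshold)
        return NOTIFY_NONE;                     /* outside claim 1's branches */

    bool log_high = s->log_used_bytes >= p->log_level_bytes;
    /* Assumption: with no earlier detailed notice, treat the time as elapsed. */
    bool elapsed = !s->detailed_sent ||
                   now_s - s->last_detailed_s >= p->renotify_after_s;

    if (first || log_high || elapsed) {
        s->detailed_sent = true;
        s->last_detailed_s = now_s;
        s->log_used_bytes = 0;                  /* delete only after notifying */
        return NOTIFY_DETAILED;
    }
    return NOTIFY_SUMMARY;                      /* detailed log is kept */
}

int main(void)
{
    policy_t p = { 5, 60, 1000, 30 };           /* constructed sample values */
    state_t s = { 0 };
    printf("%d\n", on_abnormality(&p, &s, 0, 8, 100));
    printf("%d\n", on_abnormality(&p, &s, 10, 8, 100));
    return 0;
}
```

The summary branch is the only one that leaves the detailed log in storage, which is what keeps it available for a later detailed notification once the log level or the elapsed-time condition is met.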

Description

TECHNICAL FIELD

The present invention relates to an abnormality detecting device, a security system, and an abnormality notification method.

BACKGROUND ART

In recent years, various types of vehicle-mounted equipment such as Electronic Control Units (ECUs) are mounted on automobiles. The pieces of vehicle-mounted equipment are connected to each other via an in-vehicle network such as a Controller Area Network (CAN), and can cooperate with each other by communicating with each other.

To prevent unauthorized access to vehicle-mounted equipment, an in-vehicle network is required to have high security. For example, Patent Literature 1 discloses a communication system that enables high-speed and safe acquisition, from the outside, of diagnostic information obtained by collecting pieces of information transmitted and received between communication devices. Specifically, an output device outputs diagnostic information obtained via a high-speed trunk line to an external device, which enables high-speed acquisition of the diagnostic information from the outside.

CITATION LIST

Patent Literature

[Patent Literature 1] Japanese Unexamined Patent Application Publication No. 2015-113002

SUMMARY OF THE INVENTION

Problems to be Solved by the Invention

However, according to the technology disclosed in Patent Literature 1, when the output device outputs the information to the external device, there is a problem that the amount of data required for communication with the external device increases, because all pieces of information stored in a storage device of a vehicle are output.

It is possible to suppress the amount of data required for communication with an external server by transmitting all pieces of detailed information stored in a storage device in a vehicle only when there is a request from the external server, without normally outputting all the pieces of detailed information. However, if this kind of method is adopted, the contents that the external server can know at normal times are limited, and the detailed information or the like that can be stored as a log is also limited. Therefore, it is thought that, if a new abnormality is detected before the detailed information is transmitted to the external server, or if it takes time for the external server to make a determination, the log of the detailed information may be overwritten by a new log.

The present invention has been devised in consideration of the above problems, and an object of the present invention is to provide an abnormality detecting device, a security system, and an abnormality notification method capable of suppressing disappearance of a log such as detailed information before notification to an external server, by transmitting information indicating contents of an abnormality to the external server depending on a situation.

Means for Solving the Problem

An abnormality detecting device according to an aspect of the present invention includes: a controller (CPU 21) for detecting an abnormality that has occurred in an in-vehicle network in which a plurality of pieces of vehicle-mounted equipment mounted in a vehicle communicate with each other; and a storage device (storage unit 23) for storing information, in which the controller (CPU 21) determines a data amount and/or a timing to be used for communication with an external device (management server 100), based on a priority according to a type, contents, number of times, a frequency, a tendency, an amount of detection, a degree of influence, and/or a degree of risk of the detected abnormality, and communicates with the external device (management server 100) according to the data amount and/or the timing.

Advantageous Effect of the Invention

According to the present invention, by determining the amount and/or timing of notification of information indicating contents of an abnormality depending on a situation and transmitting information to an external server, it is possible to suppress disappearance of a log such as detailed information before notification to the external server.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram schematically showing a configuration of a security system according to the present embodiment.
FIG. 2 is a block diagram showing a configuration of a vehicle according to the present embodiment.
FIG. 3 is a block diagram showing a configuration of a gateway.
FIG. 4 is an explanatory diagram showing a procedure of processing of detailed information.
FIG. 5 is an explanatory diagram showing a procedure of processing of summary information.
FIGS. 6A and 6B are explanatory diagrams showing a procedure of processing related to information reading or the like.
FIG. 7 is a block diagram showing a configuration of a vehicle according to a modified example.

MODES FOR CARRYING OUT THE INVENTION

An embodiment of the present invention will be described below with reference to the drawings. In the drawings, the same parts are denoted by the same refere