Information processing apparatus, information processing system, information processing method, and recording medium

By acquiring and notifying response instructions and event information through the in-vehicle information processing device, the problem of responding to safety events when wireless communication fails is solved, realizing the ability to respond to safety events when communication is unavailable, and ensuring the safety and stability of the vehicle.

CN115801301BActive Publication Date: 2026-06-09TOYOTA JIDOSHA KK +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
TOYOTA JIDOSHA KK
Filing Date
2022-08-03
Publication Date
2026-06-09

Smart Images

  • Figure CN115801301B_ABST
    Figure CN115801301B_ABST
Patent Text Reader

Abstract

The present application relates to an information processing apparatus, an information processing system, an information processing method, and a recording medium recording an information processing program, the information processing apparatus including: an acquisition section that acquires safety event information of a vehicle from another information processing apparatus mounted on the vehicle; and a notification section that, in a case where wireless communication with a safety center is not possible, notifies at least one of a predetermined response instruction and the safety event information to the vehicle in accordance with the safety event information.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to information processing apparatus, information processing system, information processing method, and recording medium containing information processing procedures for processing vehicle information. Background Technology

[0002] There is a technique for collecting safety events occurring in the ECU of a vehicle. In the prior art, the safety event information is notified to a safety center via wireless communication based on the content of the collected safety events. Furthermore, the safety center determines the level of danger based on the notified safety event information, and if the vehicle is determined to be in a dangerous state, it issues a command to disable specific functions of the vehicle to avoid the dangerous state.

[0003] For example, Japanese Patent Application Publication No. 2020-119090 discloses a vehicle safety monitoring device that acquires log data sent from an in-vehicle network, detects log data indicating abnormal actions by calculating the correlation between the acquired log data and threat information, infers the scope of the impact of the abnormal actions, the degree of danger, and the type or cause of the threat, or both, based on the detection information of the abnormal actions, selects vehicles to be notified of response instructions based on these inference results, and sends response instructions to the selected vehicles.

[0004] This vehicle safety monitoring device can perform safety countermeasures based on log data sent from the vehicle network.

[0005] However, in the technology of Patent Document 1, when the vehicle's wireless function malfunctions or it is located in a place where radio waves cannot reach, such as underground, it is unable to notify the security center of security incident information and cannot issue appropriate commands, raising concerns about the inability to respond to security incidents. Summary of the Invention

[0006] This disclosure was made in consideration of the above facts, and its purpose is to provide an information processing apparatus, an information processing system, an information processing method, and a recording medium containing information processing programs that can respond to security incidents even in situations where wireless communication with a security center is not possible.

[0007] To achieve the above objectives, the information processing apparatus of the first method includes: an acquisition unit that acquires vehicle safety incident information from other information processing devices mounted in the vehicle; and a notification unit that, in the event that wireless communication with a safety center is not possible, notifies the vehicle of at least one of a predetermined response instruction and the safety incident information based on the safety incident information.

[0008] According to the disclosure of the first method, in the acquisition section, vehicle safety incident information is obtained from other information processing devices installed in the vehicle.

[0009] Furthermore, in the notification unit, when wireless communication with the safety center is unavailable, at least one of the pre-determined response instructions and the safety incident information is notified to the vehicle based on the safety incident information. Therefore, even in situations where communication with the safety center is impossible, since at least one of the response instructions corresponding to the safety incident information and the safety incident information is still notified to the vehicle, safety-related dangerous situations can be avoided.

[0010] Furthermore, this device, as well as the other information processing devices mentioned above, can also be used in electronic control devices mounted on vehicles.

[0011] Additionally, it may include a first determination unit, which determines whether to send the security event information obtained by the acquisition unit to the security center. When the first determination unit determines that the security event information should be sent to the security center, and wireless communication with the security center is not possible, the notification unit notifies at least one party inside the vehicle.

[0012] In addition, the acquisition unit can acquire multiple security event information from multiple other information processing devices, and the first determination unit determines whether to send the security event information to the security center based on the multiple event information.

[0013] Additionally, it may include a confirmation unit that verifies whether wireless communication with the security center is possible when the first determination unit determines that the aforementioned security incident information has been sent.

[0014] Additionally, it may also include a sending unit that sends the security incident information to the security center when the first determination unit determines that the security incident information should be sent.

[0015] In addition, the aforementioned transmitting unit can transmit the aforementioned security event information via an electronic control device with wireless communication capabilities.

[0016] Additionally, it may include a second determination unit that determines whether to issue a notification based on the notification unit when wireless communication with the aforementioned security center is not possible.

[0017] In addition, the second determination step mentioned above can use the number of attacks to make a determination.

[0018] In addition, the second determination unit mentioned above can make a determination during the period when communication with the security center is not implemented.

[0019] In addition, the aforementioned notification unit may notify at least one of the aforementioned information processing devices other than the aforementioned other information processing devices that have received information about the aforementioned security incident.

[0020] Additionally, it may include an authentication code appending section that appends an authentication code to at least one party when the aforementioned notification section notifies the aforementioned at least one party.

[0021] Additionally, it may include a public key encryption unit that encrypts the at least one party using public key encryption when the notification unit notifies the at least one party.

[0022] Furthermore, after the notification unit notifies at least one of the parties, and when wireless communication with the security center becomes possible, the sending unit can send the security event information to the security center.

[0023] Furthermore, after the notification unit notifies at least one of the parties, and when wireless communication with the security center is possible, the sending unit may also send information indicating that a response process has been implemented.

[0024] Additionally, it may include a cancellation notification unit that receives response instructions from the aforementioned security center corresponding to the aforementioned security incident information. If the received response instructions differ from the aforementioned response instructions, the unit cancels the aforementioned response instructions and notifies the aforementioned response instructions.

[0025] Additionally, it may include a detection unit that, upon resuming communication with the aforementioned security center, detects tampering with electronic control devices that have the aforementioned wireless communication function.

[0026] In addition, the detection department can detect the tampering if the period during which communication with the security center is unable to be reached is more than a predetermined time.

[0027] Alternatively, it could be an information processing system that includes multiple control devices mounted in the vehicle, which cooperate to acquire information about a safety incident occurring in the vehicle, and when wireless communication with a safety center is not possible, it processes at least one of the safety incident information to notify the vehicle of a predetermined response instruction.

[0028] Alternatively, a computer may perform the following information processing method: obtain vehicle safety incident information from other information processing devices installed in the vehicle, and, in the absence of wireless communication with a safety center, notify the vehicle of a predetermined response instruction and at least one of the safety incident information based on the aforementioned safety incident information.

[0029] Furthermore, the information processing method can also be performed by a computer: obtaining vehicle safety incident information from other information processing devices installed in the vehicle, and in the absence of wireless communication with the safety center, notifying the vehicle of a predetermined response instruction and at least one of the safety incident information based on the aforementioned safety incident information.

[0030] As explained above, this disclosure provides an information processing apparatus, an information processing system, an information processing method, and a recording medium containing information processing procedures that can respond to security incidents even when wireless communication with a security center is not possible. Attached Figure Description

[0031] Exemplary embodiments of the present invention will be described in detail with reference to the following accompanying drawings, wherein:

[0032] Figure 1 This is a diagram showing a simplified structure of the information processing system involved in this embodiment.

[0033] Figure 2 This is a block diagram illustrating an example of the configuration within a vehicle in the information processing system according to this embodiment.

[0034] Figure 3 This is a block diagram representing the software architecture of the SOC of the safety monitoring ECU.

[0035] Figure 4 It is a diagram representing the information included in security incident information.

[0036] Figure 5 This is a functional block diagram representing the functions of security monitoring applications and wireless communication ECUs.

[0037] Figure 6 This is a flowchart illustrating an example of the processing flow performed when a security monitoring application receives security event information in the information processing system involved in this embodiment.

[0038] Figure 7 This is a diagram representing the criteria for determining the severity of a security incident.

[0039] Figure 8 This is a flowchart illustrating an example of the processing flow when a security monitoring application receives a response instruction from a security center in the information processing system involved in this embodiment.

[0040] Figure 9 This is a flowchart illustrating an example of the processing flow when a security monitoring application sends a response instruction to a corresponding application or a corresponding ECU in the information processing system involved in this embodiment, and then receives the response instruction from the security center.

[0041] Figure 10 This is a flowchart illustrating an example of the process performed in the information processing system according to this embodiment when a security monitoring application cancels a response instruction that has been sent. Detailed Implementation

[0042] Hereinafter, an example of an embodiment of the present disclosure will be described in detail with reference to the accompanying drawings. Figure 1 This is a diagram showing a simplified structure of the information processing system involved in this embodiment.

[0043] The information processing system 10 involved in this embodiment is as follows: Figure 1 As shown, vehicle 14 and safety center 12 are connected via communication network 18. The information processing system 10 of this embodiment collects safety event information occurring in various ECUs (Electronic Control Units) installed in vehicle 14, and sends the safety event information to safety center 12 when notification to safety center 12 is required. In safety center 12, the appropriate response is determined based on the safety event information sent from vehicle 14, and a response instruction is returned to vehicle 14.

[0044] Figure 2 This is a block diagram illustrating a configuration example within the vehicle 14 of the information processing system 10 according to this embodiment.

[0045] like Figure 2 As shown, the vehicle 14 is equipped with a plurality of ECUs 24, including a safety monitoring ECU 20 as an example of an information processing device, as an example of an electronic control device.

[0046] The safety monitoring ECU 20 is configured to include a System On Chip (SOC) 22 and an Ether SW 26. The SOC 22 has CPU (Central Processing Unit) functionality, memory functionality, and communication interface functionality, and multiple ECUs 24 are connected to the SOC 22. Some of the multiple ECUs 24 are connected via the Ether SW 26. The CPU is an example of a processor.

[0047] As an example of an ECU24 connected to SOC22, there are ECUs that control the drive of vehicle 14, ECUs that control braking, ECUs that control steering, ECUs that control air conditioning, and ECUs that control safety equipment.

[0048] On the other hand, as an example of an ECU24 connected to SOC22 via Ether SW26, there are multimedia ECUs that control multiple media such as text, sound, still images, and animations; ITS ECUs (Intelligent Transport Systems) that are used to control traffic safety, traffic congestion countermeasures, environmental countermeasures, etc. by sending and receiving information with people, roads, and vehicles 14; and wireless communication ECU24A that communicates wirelessly with the outside of the vehicle via antenna 28.

[0049] Specifically, for the connection between the safety monitoring ECU20 and multiple ECU24, there can be one physical wiring, which communicates with one or more ECU24s via any one of the multiple ECU24s.

[0050] The safety monitoring ECU 20 collects safety event information occurring in the ECU 24 within the vehicle 14 and determines the level of danger based on the content. Based on the level of danger, it notifies the safety center 12 of the safety event information via wireless communication. The safety center 12 determines the level of danger based on the notification result, and if it determines that the vehicle 14 is in a dangerous state, it issues commands to the vehicle 14 to disable specific functions, etc., to avoid the dangerous state.

[0051] Figure 3 This is a block diagram representing the software architecture of the SOC22 of the safety monitoring ECU20.

[0052] The SOC22 contains multiple CPU cores (in...) Figure 3 In this example, CPU cores 1 through 4 (30) are used. The physical CPU cores 30 are virtualized through a virtual machine monitor (Hypervisor) (32), and a VM (Virtual Machine) (34) is configured. Figure 3 The text indicates two VMs, VM1 and VM2. On each VM34, an OS (Operating System) 36 is configured, along with applications (…). Figure 3 The four applications (App2 to App4) operate on OS36. The security monitoring application 38 receives security event information from multiple ECUs 24 connected to the security monitoring ECU 20. Hereinafter, the applications will be referred to simply as "applications".

[0053] Here, we will explain the information about the security incident. Figure 4 It is a diagram representing the information included in security incident information.

[0054] Security event information includes nine items: Protocol Version, Protocol Header, Instance ID, Sensor Instance ID, Event Definition ID, Count, Timestamp, Context Data, and Signature.

[0055] The Protocol Version specifies the version of the security event information transmission protocol. The Protocol Header specifies the presence or absence of specific items in the security event information. The Instance ID is the ID used for security event identification. The Sensor Instance ID is the ID of the security event source. The Event Definition ID is the security event type ID. The Count is the aggregated count when multiple events occur within a short period and are sent together. The Timestamp indicates the time the security event occurred. Context Data contains detailed information about the security event. The Signature is a signature or authentication code. Information related to port scanning, such as port numbers and the IP address of the attack source, is included in the Context.

[0056] The security monitoring application 38 shares a key with the attack detection-enabled ECU 24, which acts as the source of security events. An authentication code is appended to the signature, while the public key is used on the receiving side to ensure the integrity of the security event information. Alternatively, public-key encryption can be used instead of public-key-based message authentication to ensure information integrity.

[0057] Here, the functions of the security monitoring application 38 and the wireless communication ECU 24A are explained. Figure 5 This is a functional block diagram representing the functions of the safety monitoring application 38 and the wireless communication ECU24A.

[0058] The security monitoring application 38 includes a security event information receiving function 40, a central transmission need determination function 42, an inter-center communication capability determination function 44, a response instruction sending function 46, a public key encryption function 48, an attack count function 50, a central communication non-implementation period measurement function 52, and a response instruction cancellation function 54. Specifically, the security event information receiving function 40 corresponds to an example of the acquisition unit; the response instruction sending function 46 corresponds to an example of the notification unit and the sending unit; the central transmission need determination function 42 corresponds to an example of the first determination unit and the second determination unit; the inter-center communication capability determination function 44 corresponds to an example of the confirmation unit; the public key encryption function 48 corresponds to an example of the authentication code attachment unit and the public key encryption unit; the response instruction cancellation function 54 corresponds to an example of the cancellation notification unit; and the software tampering detection function 62 corresponds to an example of the detection unit.

[0059] In the safety event information receiving function 40, safety event information is received from multiple ECUs 24 located in the vehicle 14.

[0060] In the "Need to Send to Security Center" function 42, the determination of whether or not to notify the security center 12 is made based on the content of the received security event information.

[0061] In the inter-center communication determination function 44, it is determined whether communication between vehicle 14 and security center 12 can be achieved.

[0062] If the central transmission necessity determination function 42 determines that it is necessary to notify the safety center 12 of the safety incident information, the response instruction transmission function 46 sends the safety incident information to the safety center 12. Conversely, if the inter-center communication capability determination function 44 determines that communication with the safety center 12 is not possible, the response instruction transmission function 46 sends at least one of the safety incident information and the corresponding response instruction to the appropriate ECU 24 or application, which is an example within the vehicle. Furthermore, after the safety incident information is sent to the safety center 12, if wireless communication with the safety center 12 becomes possible, the response instruction transmission function 46 sends information indicating that the response process has been implemented to the safety center 12.

[0063] When using public-key encryption, public-key encryption function 48 uses the public key to encrypt associated information related to the security event, including security event information. In the case of public-key-based message authentication, the public key is used to encrypt associated information related to the security event, including security event information. This associated information includes response instructions corresponding to the security event information.

[0064] The attack count function 50 counts the number of times a security incident occurs.

[0065] The metering function 52 measures the period of non-implementation of communication with the security center 12.

[0066] If communication with Security Center 12 is restored, Response Instruction Cancellation Function 54 will cancel the response instructions corresponding to the security incident information sent through Response Instruction Sending Function 46.

[0067] On the other hand, the wireless communication ECU24A has an inter-center wireless communication function 56, an inter-center encrypted communication function 58, an inter-ECU transceiver function 60, a software tamper detection function 62, and a message authentication function 64.

[0068] The inter-center wireless communication function 56 enables the exchange of information between vehicle 14 and security center 12 via wireless communication.

[0069] The inter-center encrypted communication function 58 encrypts communication when communicating between vehicle 14 and security center 12.

[0070] The ECU inter-controller function 60 enables the transmission and reception of information between multiple ECUs 24 located within the vehicle 14.

[0071] The software tampering detection function 62 detects whether the software has been rewritten and tampered with.

[0072] In order to confirm whether the transmitted information has not been tampered with in the meantime, the message authentication function 64 authenticates the communication data by assigning public keys, public keys and other message authentication information to the communication data, and confirms the integrity of the data.

[0073] Next, the specific processing performed when the security monitoring application 38 receives security incident information will be explained, as part of the function of the information processing system 10 configured as described above. Figure 6 This is a flowchart illustrating an example of the processing flow performed in the information processing system 10 according to this embodiment when the security monitoring application 38 receives security event information.

[0074] In step 100, the security monitoring application 38 determines whether security event information has been received. This determination determines whether security event information has been received through the security event information receiving function 40. If the determination is positive, proceed to step 102; otherwise, proceed to step 104.

[0075] In step 102, the security monitoring application 38 activates the reception flag indicating that security event information has been received and sets the timer count to a predetermined value (N seconds) before returning to step 100 to repeat the above process. In this embodiment, no information is sent to the security center until the reception of security event information disappears for a certain period of time, that is, until the attack has subsided for a certain period of time.

[0076] In step 104, the security monitoring application 38 determines whether the received flag is valid. If the determination is negative, it returns to step 100 and repeats the above process; if the determination is positive, it proceeds to step 106.

[0077] In step 106, the security monitoring application 38 determines whether N seconds have elapsed since the set timer counted. If the determination is negative, it returns to step 100 and repeats the above process; if the determination is positive, it proceeds to step 108.

[0078] In step 108, the security monitoring application 38 saves the received security event information to non-volatile memory and moves to step 110.

[0079] In step 110, the security monitoring application 38 determines whether it is necessary to send security event information to the security center 12. This determination is made through the center's transmission necessity determination function 42. If the determination is negative, the process returns to step 100 and repeats the above process; if the determination is positive, it proceeds to step 112. Specifically, the degree of danger is determined based on a series of received security event information groups, and a decision is made on whether to send the information to the security center 12. For example, using... Figure 7 The security center uses the established criteria to determine the severity of security incident information. Figure 7This diagram illustrates the criteria for determining the severity of security incident information. Specifically, the security monitoring application 38 verifies whether a received set of security incident information includes information conforming to No. 1 to No. N. In No. 1, a security incident containing sensor instance ID 1, event definition ID 2, and context data of type ABCD is classified as severity level 5. Furthermore, in No. 2, severity is determined based on one or more security incidents, such as a security incident containing sensor instance ID 1 and event definition ID 2, a security incident containing sensor instance ID 2 and event definition ID 2, and a security incident containing sensor instance ID 3 and event definition ID 2, classified as severity level 2. The order of events can be used as a condition based on timestamp information, or the number of attacks can be used as a condition based on count information. The severity derived from these determinations is compared with a pre-determined severity threshold, and if the value exceeds the threshold, it is sent to the security center 12. While the severity comparison is used as a condition, it is not limited to this; transmission can proceed as long as the determination criteria are met. In addition, if multiple conditions are met, the risk levels can be added together. Alternatively, step 110 can be omitted to determine whether or not security event information needs to be sent, thus sending all security event information to the security center 12.

[0080] In step 112, when it is determined that security event information needs to be sent to security center 12, security monitoring application 38 determines whether communication with security center 12 is possible. This determination is made through inter-center communication capability determination function 44. If the determination is affirmative, proceed to step 114; otherwise, proceed to step 118.

[0081] In step 114, if transmission to the security center 12 is successful, the security monitoring application 38 sends security event information to the security center 12 and proceeds to step 116. Alternatively, instead of determining the feasibility of communication in step 112, an attempt can be made to send the information, and if transmission fails, it can be determined that transmission is not possible.

[0082] In step 116, the security monitoring application 38 invalidates the sending flag, invalidates the timer count, returns to step 100, and repeats the above process.

[0083] On the other hand, in step 118, the security monitoring application 38 determines whether a response instruction needs to be sent to the corresponding application. This determination is made by the central transmission need-or-notification function 42. For example, it determines whether the danger level of the security center's transmission determination condition exceeds a predetermined response instruction determination threshold. If the determination is negative, it returns to step 100 and repeats the above process; if the determination is positive, it moves to step 120. In this way, by consolidating the function of making determinations at the end ECU 24 to the security monitoring application 38, development costs can be reduced. Furthermore, the determination in step 118 can also be made by preparing the same response instruction transmission determination conditions independently of the security center's transmission determination conditions. In addition, the transmission determination conditions may include at least one of the number of attacks received and the period during which communication with the security center 12 is not implemented. For example, a response instruction is sent if the number of attacks exceeds a threshold held by the security monitoring application 38. If no response instruction is sent when the number of attacks is below the threshold, the period during which communication with the security center 12 is not implemented is periodically checked, and a response instruction is sent when the period during which communication is not implemented is above a predetermined threshold. By including the number of attacks in the transmission determination criteria, in the event of a malfunction in the wireless function with Security Center 12, the degree of danger can be judged based on the frequency of attacks, thus avoiding serious situations. Furthermore, by including periods of non-communication with Security Center 12 in the transmission determination criteria, unnatural states such as intentional malfunctions or communication cutoffs in wireless communication with Security Center 12 can be determined with high accuracy.

[0084] In step 120, the safety monitoring application 38 sends a response instruction to the corresponding application and returns to step 100 to repeat the above process. That is, the response instruction is sent to the corresponding application via the response instruction sending function 46. Alternatively, one or more pieces of safety event information can be sent to the corresponding ECU 24 or application instead of sending a response instruction. Furthermore, for example... Figure 7 As shown, corresponding applications and corresponding ECUs 24 are predefined according to each judgment condition of the safety center. Alternatively, instead of sending response instructions to the corresponding application or corresponding ECU 24, response instructions can be sent via broadcast on a bus unit. Furthermore, for sending response instructions and safety event information to the corresponding application, it is possible to send them not only to the ECU 24 where the safety event occurred, but also to other ECUs 24. For example, a safety event may occur in an upstream ECU 24, and response instructions and safety event information may be sent to a downstream ECU 24.

[0085] Thus, in this embodiment, even if communication with the security center 12 is not possible, the security monitoring application 38 can still notify at least one party of the response instructions corresponding to the security incident information and the security incident information, thereby avoiding dangerous situations related to security.

[0086] Furthermore, the security monitoring application 38 can send response instructions and security incident information by attaching an authentication code using its public key. The receiving application or ECU 24 uses its public key to authenticate the content of the received response instruction, thus confirming its completeness. Alternatively, instead of public key-based message authentication, public key encryption can be used to encrypt the information. By attaching an authentication code or using public key encryption, it can be ensured that the sender of the response instruction is the security monitoring application 38 and that the transmitted information has not been tampered with.

[0087] Next, the processing of the response instructions received by the security monitoring application 38 from the security center 12 will be explained. Figure 8 This is a flowchart illustrating an example of the processing flow in the information processing system 10 according to this embodiment when the security monitoring application 38 receives a response instruction from the security center 12.

[0088] In step 150, the security monitoring application 38 receives a response instruction from the security center 12 via wireless communication and proceeds to step 152. Here, as a condition for receiving the response instruction, it is determined whether it is a response instruction associated with security incident information that has already been sent to the security center 12. If it is not an associated response instruction, it can be discarded.

[0089] In step 152, the safety monitoring application 38 sends the received response instructions to the corresponding application or the corresponding ECU 24 and ends a series of processes.

[0090] Next, the process of receiving response instructions from the security center 12 after the security monitoring application 38 sends response instructions to the corresponding application or the corresponding ECU 24 will be explained. Figure 9 This is a flowchart illustrating an example of the processing flow in the information processing system 10 according to this embodiment when the security monitoring application 38 sends a response instruction to the corresponding application or the corresponding ECU 24 and then receives the response instruction from the security center 12.

[0091] In step 200, the security monitoring application 38 determines whether communication with the security center 12 is possible. This determination is made periodically after the security monitoring application 38 sends a response instruction to the corresponding application or the corresponding ECU 24, confirming whether communication with the security center 12 is possible. If the determination is affirmative, the process proceeds to step 202.

[0092] In step 202, the security monitoring application 38 sends the security event information and the response instruction sent by the security monitoring application 38 to the security center 12, and then proceeds to step 204. That is, after sending the security event information to the security center 12 through the response instruction sending function 46, when wireless communication with the security center 12 becomes possible, the response instruction is sent to the security center 12 as information indicating that a response process has been implemented. The response instruction sent by the security center 12 includes information on the application or ECU 24 that determines the destination of the response instruction, information on the time of instruction implementation, and the response result of the receiving ECU 24. Thus, the appropriateness of the response to the security event based on the response instruction implemented in the vehicle 14 can be determined at the security center 12. Here, if it can be determined that it is appropriate, it is not necessary to send the response instruction from the security center 12 to the vehicle 14.

[0093] In step 204, the security monitoring application 38 stores the sent response instruction in non-volatile memory and terminates a series of processes.

[0094] Next, the process of canceling the response instruction that has been sent after communication between the security center 12 and the security monitoring application 38 is explained. Figure 10 This is a flowchart illustrating an example of the process performed in the information processing system 10 according to this embodiment when the security monitoring application 38 cancels the response instruction that has been sent.

[0095] In step 250, the security monitoring application 38 receives a response instruction from the security center 12 and proceeds to step 252. That is, after the response instruction is sent to the security center 12, the application receives the response instruction as response instruction information from the security center 12.

[0096] In step 252, the security monitoring application 38 determines whether the instruction is related to the completion of a security incident response. This determination checks whether the content of the response instruction received from the security center 12 is the same as the response instruction command held by the security monitoring application 38. If the determination is affirmative, proceed to step 254; otherwise, proceed to step 256.

[0097] In step 254, the security monitoring application 38 cancels the response instruction that has been completed and proceeds to step 256. That is, the response instruction cancellation function 54 cancels the response instruction corresponding to the security event information sent by the response instruction sending function 46. Here, instead of sending a command that means cancellation, the response instruction received from the security center 12 can be sent to the corresponding application or the corresponding ECU 24 to override the response instruction already sent by the security monitoring application 38.

[0098] In step 256, the safety monitoring application 38 sends the received response instruction to the corresponding application or the corresponding ECU 24, and moves to step 258.

[0099] In step 258, the security monitoring application 38 sends a response to the security center 12 to complete the process and ends the series of processes.

[0100] Here, specific examples are given to illustrate the above. Figure 10 The instructions explain how to handle the cancellation of the response when the message has been sent.

[0101] For example, suppose a multimedia ECU and an ITS ECU are connected to Ether SW26. Security monitoring application 38 receives security event information from both the multimedia ECU and Ether SW26. Because a large number of authentication errors are detected in the access point function of the wireless LAN (Local Area Network) on the multimedia ECU, it is determined to be at high risk and attempts to send security event information to security center 12, but communication with security center 12 fails, resulting in unsuccessful transmission. Based on the risk level, security monitoring application 38 determines that a corresponding instruction is needed and sends a response instruction to the multimedia ECU to disable the wireless LAN access point function. Then, the wireless communication status improves, and communication with security center 12 is restored. Security monitoring application 38 detects the ability to communicate by periodically confirming the communication status with security center 12 after sending the response instruction. Security event information is then sent to security center 12. Security center 12 determines that the multimedia ECU is not at risk, but based on the security event information from Ether SW26 and known vulnerability information on the security center 12 side, it determines that the connected ITS ECU is at risk. The security center 12 receives a cancellation instruction for the response instruction already sent to the multimedia ECU, and a response instruction to invalidate the port of Ether SW26 for connection to the ITS ECU. Furthermore, instead of the cancellation instruction, a new response instruction that enables the access point function may be provided.

[0102] Furthermore, in this embodiment, when it is detected that communication with the security center 12 is possible, the ability to communicate with the security center 12 can be accurately verified before sending security event information and response instructions to the security center 12. This prevents the wireless communication ECU 24A from being tampered with and having a fake program that functions like the security center 12 installed, thus avoiding the cancellation of implemented response instructions within the vehicle. For example, to confirm whether the software of the wireless communication ECU 24A has been overwritten, the security monitoring application 38 sends a command to confirm whether the wireless communication ECU 24A is functioning correctly. The command includes a random number, encoded with the public key held by the public key encryption function 48, and verifies whether it matches the received code. Here, the wireless communication ECU 24A can have a secure boot function, verifying the legitimacy of the software through the software tamper detection function 62 when the wireless communication ECU 24A starts, and not starting if the software is abnormal. Here, the wireless communication ECU 24A can confirm whether the software has been overwritten only if the period of non-communication with the security center 12 exceeds a predetermined time. Therefore, in cases where it is desired to suppress the processing load of the wireless communication ECU24A, tampering confirmation can only be performed under specific conditions, such as when the non-communication state has lasted for a certain period of time or longer, allowing for tampering.

[0103] Furthermore, applications such as the security monitoring application 38 in this embodiment can be installed on the security monitoring ECU 20 and other ECUs 24 via OTA (Over-The-Air). Additionally, response instructions corresponding to security incidents can also be sent and received with respect to the security monitoring ECU 20 and other ECUs 24 via OTA.

[0104] Furthermore, while the above embodiments illustrate an example of the safety monitoring application 38 operating on a single safety monitoring ECU 20, the implementation is not limited to this. For example, multiple ECUs 24 could also collaborate to perform the processing initiated by the safety monitoring application 38. Figure 6 as well as Figures 8-10 (The way to handle it).

[0105] Furthermore, the processing performed in the SOC22 of the safety monitoring ECU20 in the above embodiments is described as software processing performed by executing a program, but it is not limited to this. For example, it can also be processed by hardware such as a GPU (Graphics Processing Unit), ASIC (Application Specific Integrated Circuit), and FPGA (Field-Programmable Gate Array). Alternatively, it can be a combination of software and hardware processing. In the case of software processing, the program can be stored in various storage media for distribution.

[0106] Furthermore, this disclosure is not limited to the above, and various modifications can be made without departing from its main idea.

Claims

1. An information processing device, wherein, include: The acquisition unit obtains vehicle safety incident information from other information processing devices installed in the vehicle. The first determination unit determines whether to send the security event information obtained by the acquisition unit to the security center. When the first determination unit determines that the security incident information should be sent to the security center, the notification unit, in the absence of wireless communication with the security center, notifies the vehicle of at least one of a pre-determined response instruction and the security incident information based on the security incident information. The transmitting unit transmits the security event information to the security center via an electronic control device with wireless communication function when the first determination unit determines that the security event information should be transmitted. as well as The detection department detects tampering with the electronic control device having the wireless communication function if the period during which communication with the security center is interrupted after communication with the security center has been resumed for more than a predetermined time.

2. The information processing apparatus according to claim 1, wherein, This device, along with the other information processing devices, is an electronic control unit mounted on the vehicle.

3. The information processing apparatus according to claim 1, wherein, The acquisition unit acquires multiple security event information from multiple other information processing devices. The first determination unit determines whether to send the security event information to the security center based on the multiple security event information.

4. The information processing apparatus according to claim 3, wherein, The information processing device further includes a confirmation unit that confirms whether wireless communication with the security center is possible when the first determination unit determines that the security event information should be sent.

5. The information processing apparatus according to any one of claims 1 to 4, wherein, The information processing device further includes a second determination unit that determines whether to issue a notification based on the notification unit when wireless communication with the security center is not possible.

6. The information processing apparatus according to claim 5, wherein, The second determination unit uses the number of attacks to make a determination.

7. The information processing apparatus according to claim 5, wherein, The second determination unit makes a determination during a period when communication with the security center is not in progress.

8. The information processing apparatus according to any one of claims 1 to 4, wherein, The notification unit notifies the at least one party to the other information processing device besides the other information processing device that received the security incident information.

9. The information processing apparatus according to any one of claims 1 to 4, wherein, The information processing apparatus further includes an authentication code appending unit that appends an authentication code to the at least one party when the notification unit notifies the at least one party.

10. The information processing apparatus according to any one of claims 1 to 4, wherein, The information processing apparatus further includes a public key encryption unit that encrypts the at least one party using public key encryption when the notification unit notifies the at least one party.

11. The information processing apparatus according to claim 1, wherein, After the notification unit notifies the at least one party, when it becomes possible to wirelessly communicate with the security center, the sending unit sends the security event information to the security center.

12. The information processing apparatus according to claim 11, wherein, After the notification unit notifies the at least one party, when it becomes possible to communicate wirelessly with the security center, the sending unit also sends information indicating that a response process has been implemented.

13. The information processing apparatus according to claim 11 or 12, wherein, The information processing device further includes a cancellation notification unit, which receives response instruction information corresponding to the security incident information from the security center, and cancels the response instruction and notifies the response instruction information if the received response instruction information is different from the response instruction.

14. The information processing apparatus according to claim 1, wherein, If tampering with the electronic control device is detected, the electronic control device shall not be activated.

15. An information processing system, wherein, It has multiple control devices that can be mounted on the vehicle. The multiple control devices work together to obtain information about safety incidents occurring in the vehicle. A determination is made as to whether the obtained security event information has been sent to the security center. When it is determined that the security incident information should be sent to the security center, and wireless communication with the security center is not possible, processing is performed to notify the vehicle of at least one of the pre-determined response instructions and the security incident information based on the security incident information. If it is determined that the security incident information needs to be sent, the security incident information is sent to the security center via an electronic control device with wireless communication capabilities. If communication with the security center is resumed and the period during which communication with the security center is not possible exceeds a predetermined time, tampering with the electronic control device having the wireless communication function is detected.

16. An information processing method, wherein, The computer performs the following processing: Vehicle safety incident information is obtained from other information processing devices installed in the vehicle. A determination is made as to whether the obtained security event information has been sent to the security center. When it is determined that the security incident information should be sent to the security center, and wireless communication with the security center is not possible, at least one of the following is communicated to the vehicle based on the security incident information: a pre-determined response instruction and the security incident information itself. If it is determined that the security incident information needs to be sent, the security incident information is sent to the security center via an electronic control device with wireless communication capabilities. If communication with the security center is resumed and the period during which communication with the security center is not possible exceeds a predetermined time, tampering with the electronic control device having the wireless communication function is detected.

17. A non-transitory recording medium, wherein, The document contains information processing programs for causing the computer to perform the following processes: Vehicle safety incident information is obtained from other information processing devices installed in the vehicle. A determination is made as to whether the obtained security event information has been sent to the security center. When it is determined that the security incident information should be sent to the security center, and wireless communication with the security center is not possible, at least one of the following is communicated to the vehicle based on the security incident information: a pre-determined response instruction and the security incident information itself. If it is determined that the security incident information needs to be sent, the security incident information is sent to the security center via an electronic control device with wireless communication capabilities. If communication with the security center is resumed and the period during which communication with the security center is not possible exceeds a predetermined time, tampering with the electronic control device having the wireless communication function is detected.