Security monitoring device, security monitoring system, and security monitoring method

The security monitoring device and system effectively determine the security state of vehicle systems by testing ECUs for abnormalities, ensuring the integrity and functionality of ECUs and maintaining vehicle safety.

JP2026113141APending Publication Date: 2026-07-07PANASONIC AUTOMOTIVE SYST CO LTD

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
PANASONIC AUTOMOTIVE SYST CO LTD
Filing Date
2024-12-25
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

Existing vehicle systems face challenges in determining the security state due to potential malfunctions from cyber attacks on Electronic Control Units (ECUs), which can compromise vehicle safety.

Method used

A security monitoring device and system that includes a security execution unit, trial unit, and verification unit to test and verify the security status of ECUs by attempting test patterns and analyzing their outputs to detect abnormalities.

Benefits of technology

Enables accurate determination of the security status of vehicle systems, ensuring the integrity and functionality of ECUs and maintaining vehicle safety by identifying and addressing potential cyber threats.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026113141000001_ABST
    Figure 2026113141000001_ABST
Patent Text Reader

Abstract

The present invention provides a security monitoring device, etc., that can determine the security status of a vehicle system. [Solution] The security monitoring device 1 includes a security execution unit 112 that performs security protection for the vehicle system 30, a trial unit 113 that causes the security execution unit 112 to try out test patterns, and a verification unit 114 that verifies whether or not there is an abnormality in the security execution unit 112 based on the output of the security execution unit 112 after the test patterns have been tried out.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present disclosure relates to a security monitoring device, a security monitoring system, and a security monitoring method.

Background Art

[0002] Conventionally, a driving system that automatically performs driving operations such as acceleration, deceleration, steering, and braking of a vehicle is known. This driving system includes a plurality of ECUs (Electronic Control Units) to control the driving operations of the vehicle. However, there is a risk that the driving system may malfunction if an ECU is subjected to a cyber attack.

[0003] Patent Document 1 discloses a technique for determining the security state of a vehicle system by using an external port scan.

Prior Art Documents

Patent Documents

[0004]

Patent Document 1

Summary of the Invention

Problems to be Solved by the Invention

[0005] In the prior art, it may not be possible to appropriately determine the security state of a vehicle system.

[0006] Therefore, the present disclosure provides a security monitoring device and the like that can determine the security state of a vehicle system.

Means for Solving the Problems

[0007] A security monitoring device according to one aspect of the present disclosure includes a security execution unit that performs security protection for a vehicle system, a trial unit that causes the security execution unit to try out a test pattern, and a verification unit that verifies whether or not there is an abnormality in the security execution unit based on the output of the security execution unit after the test pattern has been tried out.

[0008] A security monitoring system according to one aspect of this disclosure comprises the above-mentioned security monitoring device and a monitoring server that communicates with the security monitoring device via an external network.

[0009] A security monitoring method according to one aspect of this disclosure involves having a security execution unit that performs security protection for a vehicle system try out a test pattern, and verifying whether or not there is an abnormality in the security execution unit based on the output of the security execution unit after the test pattern has been tried.

[0010] These comprehensive or specific embodiments may be implemented as a system, method, integrated circuit, computer program, or recording medium such as a computer-readable CD-ROM (Compact Disc-Read Only Memory), or as any combination of a system, method, integrated circuit, computer program, and recording medium. [Effects of the Invention]

[0011] According to one aspect of this disclosure, a security monitoring device, etc., can determine the security status of a vehicle system. [Brief explanation of the drawing]

[0012] [Figure 1] This is a block diagram showing the configuration of a security monitoring system according to an embodiment. [Figure 2] This block diagram shows an example of the configuration of a vehicle system included in a security monitoring system. [Figure 3]This block diagram shows an example of the configuration of an integrated ECU included in a vehicle system. [Figure 4] This is a block diagram showing the configuration of a security monitoring device according to an embodiment. [Figure 5] This figure shows the test patterns stored in the memory unit of the security monitoring device and the expected results for those test patterns. [Figure 6] This figure shows an example of the output from the security execution unit when a test pattern is attempted. [Figure 7] This figure shows an example of a response pattern when an abnormality is detected in the security execution unit. [Figure 8] Block diagram showing another example of an integrated ECU configuration. [Figure 9] This is a flowchart showing a security monitoring method according to an embodiment. [Modes for carrying out the invention]

[0013] (Background leading to this disclosure) To support high-speed communication, reduce weight, and improve the efficiency of function development, a cockpit domain controller (CDC) is being developed that integrates functions such as infotainment systems, clusters, and electronic mirrors. In the cockpit domain controller, each function is implemented in a virtual machine on a virtualization platform such as a hypervisor. This virtual machine is connected to the outside world via a network and various information is sent and received, but unauthorized access to the virtual machine via the network can have a negative impact on vehicle safety.

[0014] Therefore, to ensure vehicle safety, a security execution unit is installed inside the vehicle to protect the vehicle system's security. However, once the vehicle is in the user's possession, it becomes difficult to check whether the security execution unit is functioning correctly.

[0015] Therefore, in the present disclosure, a self-check function for checking whether the security execution unit is functioning properly is provided in the vehicle. The self-check function is realized by a security monitoring device provided in the vehicle. The security monitoring device is a device that causes the security execution unit to try a test pattern and verifies the presence or absence of an abnormality in the security execution unit based on the output of the security execution unit in which the test pattern has been tried. According to this device, it becomes possible to appropriately determine the security state of the vehicle system.

[0016] Hereinafter, embodiments will be specifically described with reference to the drawings. Note that all of the embodiments described below show comprehensive or specific examples. The numerical values, shapes, materials, components, arrangement positions and connection forms of the components, steps, order of steps, etc. shown in the following embodiments are merely examples and are not intended to limit the present disclosure. In addition, among the components in the following embodiments, components not described in the independent claims indicating the most general concept are described as optional components.

[0017] (Embodiment) [Configuration of Security Monitoring System and Security Monitoring Device] The configuration of the security monitoring system and the security monitoring device according to the embodiment will be described with reference to FIGS. 1 to 8.

[0018] FIG. 1 is a block diagram showing the configuration of a security monitoring system 2 according to the embodiment.

[0019] As shown in FIG. 1, the security monitoring system 2 includes a monitoring server 10 and a vehicle system 30. The monitoring server 10 and the vehicle system 30 are communicatively connected via an external network 20.

[0020] The external network 20 is a communication network such as the Internet. The monitoring server 10 is, for example, a cloud server, and sends and receives various information with the vehicle system 30 via the external network 20. The vehicle system 30 is all the systems installed in the vehicle 3.

[0021] Figure 2 is a block diagram showing an example of the configuration of the vehicle system 30 included in the security monitoring system 2.

[0022] As shown in Figure 2, the vehicle system 30 includes an integrated ECU 100, a gateway ECU 200, a steering ECU 400a, a brake ECU 400b, a zone ECU 300, a front camera ECU 400c, and a rear camera ECU 400d.

[0023] The integrated ECU 100 is a device that integrates multiple ECUs. The integrated ECU 100 is connected to the monitoring server 10 via an external network 20. The security monitoring device 1 of this disclosure is provided in the integrated ECU 100.

[0024] The gateway ECU 200 is an ECU that aggregates multiple multiplex communications and relays them. The gateway ECU 200 is connected to the integrated ECU 100 via CAN (Control Area Network) 40. The steering ECU 400a is an ECU that controls the steering operation of vehicle 3. The steering ECU 400a is connected to the gateway ECU 200 via CAN 41. The brake ECU 400b is an ECU that controls the brakes and accelerator of vehicle 3. The brake ECU 400b is connected to the gateway ECU 200 via CAN 41.

[0025] The Zone ECU 300 is an ECU that collects zone-specific information within the vehicle 3. The Zone ECU 300 is connected to the Integrated ECU 100 via Ethernet 50. The Front Camera ECU 400c is an ECU that controls the front camera installed in the vehicle 3. The Front Camera ECU 400c is connected to the Zone ECU 300 via Ethernet 51. The Rear Camera ECU 400d is an ECU that controls the rear camera installed in the vehicle 3. The Rear Camera ECU 400d is connected to the Zone ECU 300 via Ethernet 51.

[0026] Figure 3 is a block diagram showing an example of the configuration of the integrated ECU 100 included in the vehicle system 30.

[0027] As shown in Figure 3, the integrated ECU 100 includes multiple host computers 110A and 110B, a trust area 150, and a virtualization platform 170.

[0028] The virtualization platform 170 is virtualization software that controls multiple host computers 110A and 110B. The virtualization platform 170 is, for example, a hypervisor (registered trademark). Each host computer 110A and 110B is a virtual machine running on the virtualization platform 170. The trusted area 150 is an area designed to be more secure against cyberattacks than each host computer 110A and 110B. The trusted area 150 is, for example, SecureOS, TEE (Trusted Execution Environment), or TrustZone (registered trademark).

[0029] As shown in Figure 3, each host computer 110A, 110B is equipped with a security protection target 111 and a security monitoring device 1.

[0030] The security target 111 is a device that is subject to security protection. The security target 111 is sometimes also called the protected process. The security target 111 is, for example, a control unit for a car navigation system and a speedometer, and may be a target of cyberattacks. Therefore, the vehicle system 30 is provided with a security execution unit 112 for performing security protection on the security target 111.

[0031] Security monitoring device 1 is a device that determines the security status of the vehicle system 30.

[0032] Figure 4 is a block diagram showing the configuration of the security monitoring device 1.

[0033] As shown in Figure 4, the security monitoring device 1 comprises a security execution unit 112, a trial unit 113, a verification unit 114, a response unit 115, and a storage unit 116. The storage unit 116 is, for example, a writable non-volatile memory.

[0034] The security execution unit 112 performs security protection on the security target 111. Examples of security execution units 112 include DAC (Discretionary Access Control), SELinux (Security-Enhanced Linux (Linux™)), seccomp, Namespace, unshare, cgroup, Firewall™, NIDS (network-based intrusion detection system), Secureboot, and dm-verity.

[0035] For example, SELinux provides security protection for arbitrary or mandatory access control. seccomp provides security protection for system call restrictions. Namespace and unshare provide security protection for namespace isolation. cgroup provides security protection for computing resource restrictions. Firewall and NIDS provide security protection for communication monitoring. Secure Boot and dm-verity provide security protection for the vehicle system 30 software.

[0036] Cyberattacks can extend not only to the security target 111 but also to the security execution unit 112 that protects the security target 111. For example, if a cyberattack causes an abnormality in the security execution unit 112, it becomes impossible to properly protect the security target 111. Therefore, in this embodiment, the presence or absence of an abnormality in the security execution unit 112 is verified.

[0037] The trial unit 113 shown in Figure 4 causes the security execution unit 112 to execute a test pattern. The test pattern includes control information that causes the security execution unit 112 to output an abnormal event that is different from a normal event. The verification unit 114 verifies whether or not there is an abnormality in the security execution unit 112 based on the output of the security execution unit 112 after the test pattern has been executed.

[0038] It should be noted that abnormal events are not events that normally occur in vehicle 3, but rather events that are specially set to detect abnormalities in the security execution unit 112. The vehicle system 30 can perform driving control of vehicle 3 without problems even if, for example, an abnormal event is output from the security execution unit 112. The components included in the security monitoring device 1 will be described in detail below.

[0039] The trial unit 113 causes the security execution unit 112 to execute a test pattern based on the test pattern stored in the memory unit 116.

[0040] Figure 5 shows the test patterns stored in the storage unit 116 of the security monitoring device 1 and the expected results for those test patterns. This information is pre-stored in the storage unit 116.

[0041] Figure 5 shows an example of a security execution unit 112, specifically NIDS, and demonstrates the application of test patterns A001 and A002, along with the expected results (expected values) for these applications. In this example, the abnormal events output by the security execution unit 112 represent the expected results for the application of test patterns A001 and A002.

[0042] Specifically, Figure 5 shows that test patterns A001 and A002 are communication-related tests, that test patterns A001 and A002 are attempted in this order, and that each test pattern A001 and A002 is attempted periodically at one-minute intervals. Furthermore, it shows that, for example, the expected result for test pattern A001 is that the log information output from NIDS is saved to " / log / sec001", the access destination of test pattern A001 included in this log information is "192.168.0.10", the protocol is "HTTP", and the access content is "exploit". In addition, the expected result also includes that the trial results of test patterns A001 and A002 are recorded as log information in this order, and that the trial results of each test pattern A001 and A002 are recorded as log information periodically at one-minute intervals.

[0043] In this way, the trial unit 113 causes the security execution unit 112 to try a test pattern so that an unauthorized signal is sent to NIDS, which is an example of the security execution unit 112.

[0044] Figure 5 also shows an example of testing test patterns B001 and B002 on DAC and SELinux, which are part of the security execution unit 112, and the expected results for that test. In this example as well, the abnormal events output by the security execution unit 112 are the expected results for testing test patterns B001 and B002.

[0045] Specifically, Figure 5 shows that test patterns B001 and B002 are file access tests and are attempted when the vehicle state changes (i.e., when a predetermined event occurs). Furthermore, for example, the expected result for test pattern B001 is that the log information output from DAC and SELinux is saved to " / log / sec001", the access destination of test pattern B001 included in this log information is " / var / log / key", and the access content is "sec". It should also be noted that the expected result includes the trial results of test patterns B001 and B002 being recorded as log information when the vehicle state changes.

[0046] In this way, the trial unit 113 causes the security execution unit 112 to try test patterns so that unauthorized access is attempted to DAC and SELinux, which are examples of security execution units 112.

[0047] Figure 5 also shows an example of applying test patterns C001 and C002 to a Namespace, which is an example of the security execution unit 112, and the expected results for that application. In this example as well, the abnormal events output by the security execution unit 112 are the expected results for applying test patterns C001 and C002.

[0048] Specifically, Figure 5 shows that test patterns C001 and C002 are isolation tests and are attempted periodically at one-minute intervals. Furthermore, for example, the expected result for test pattern C001 is that the log information output from Namespace monitoring is stored in " / log / sec001", the access destination of test pattern C001 included in this log information is "Namespace1", and the access content is "Network Namespace". Here, Namespace monitoring is a process that verifies that Namespaces are correctly isolated. For example, if the network namespace is "Namespace1", it can be confirmed that "Namespace1" is correctly isolated by verifying that message queue communication is not possible from the process in "Namespace2" to the process in "Namespace1". Also, if the only network device belonging to "Namespace1" is eth1, it can be confirmed that "Namespace1" is correctly isolated by checking the network devices that are resources belonging to "Namespace1" and confirming that it is only eth1. Furthermore, for example, if the process ID namespace is "Namespace2", it can be confirmed that "Namespace2" is correctly isolated by verifying that no process names or process IDs (Identifications) that do not belong to "Namespace2" are displayed within "Namespace2". Expected results also include the recording of trial results from test patterns C001 and C002 as log information at one-minute intervals.

[0049] The trial unit 113 may cause the security execution unit 112 to try test patterns to verify the existence of processes or resources in other namespaces different from the namespace in question.

[0050] Figure 5 shows an example of testing test patterns D001 and D002 on seccomp, which is a security execution unit 112, and the expected results for that test. In this example as well, the abnormal events output from the security execution unit 112 are the expected results for testing test patterns D001 and D002.

[0051] Specifically, Figure 5 shows that test patterns D001 and D002 are system call tests, and are attempted periodically at random intervals every 10 minutes. Furthermore, the expected result for test pattern D001 is that the log information output from seccomp is saved to " / log / sec002", the access destination of test pattern D001 included in this log information is "Mount", and the access content is "No output". Here, since "Mount" is a system call permitted by seccomp, it is expected that information about denied system calls will not be output to the log. Similarly, the expected result for test pattern D002 is that the log information output from seccomp is saved to " / log / sec002", the access destination of test pattern D002 included in this log information is "Reboot", and the access content is " / log". Here, since "Reboot" is a system call denied by seccomp, it is expected that information about denied system calls will be output to the log. Furthermore, the expected results include the recording of trial results from test patterns D001 and D002 as log information at intervals of 10 minutes.

[0052] In this way, the trial unit 113 causes the security execution unit 112 to try test patterns so that it attempts to make permitted or impermissible system calls to seccomp, which is an example of the security execution unit 112.

[0053] Figure 5 also shows an example of testing test patterns E001 and E002 on NIDS, which is an example of a security execution unit 112, and the expected results of that test. In this example, the abnormal events output by the security execution unit 112 represent the expected results of testing test patterns E001 and E002.

[0054] Specifically, Figure 5 shows that test patterns E001 and E002 are tests related to vehicle functions, that test patterns E001 and E002 are attempted in this order, that test pattern E001 is attempted after test pattern A001, and that test pattern E002 is attempted after test pattern A002. Furthermore, the expected results for test pattern E001 are shown to be that the log information output from NIDS is saved to " / log / sec001", the access destination of test pattern E001 included in this log information is "ID0x01", the protocol is "CAN", and the access content is "01". Similarly, the expected results for test pattern E002 are shown to be that the log information output from NIDS is saved to " / log / sec002", the access destination of test pattern E002 included in this log information is "ID0x02", the protocol is "SOME / IP", and the access content is "02". Furthermore, the expected results include the log information being recorded in the order of the trial results of test patterns E001 and E002, the log information being recorded at a later time than the trial results of test pattern A001, and the log information being recorded at a later time than the trial results of test pattern E002.

[0055] In this way, the trial unit 113 causes the security execution unit 112 to try test patterns so that unauthorized access to NIDS, which is an example of the security execution unit 112, is attempted.

[0056] Figure 5 also shows an example of applying test patterns F001 and F002 to Secure Boot and dm-verity, which are part of the security execution unit 112, and the expected results of that application. In this example, the abnormal events output by the security execution unit 112 represent the expected results of applying test patterns F001 and F002.

[0057] Specifically, Figure 5 shows that test patterns F001 and F002 are integrity tests, with test pattern F001 being attempted at startup and test pattern F002 being attempted at reset. Furthermore, it is shown that, for example, the expected result for test pattern F001 is that the log information output from Secure Boot and dm-verity is saved to " / log / sec001", the access destination for test pattern F001 included in this log information is "0x0001", and the access content is "mal". Specifically, this is an operation to write [mal] to the non-volatile memory area "0x0001", and because this is an unauthorized data write, a log is output by the integrity verification of Secure Boot and dm-verity. Here, Secure Boot and dm-verity are security functions attempted at startup, but they may also be security functions aimed at monitoring software integrity that are attempted at runtime after startup. Furthermore, the expected results include the recording of the trial results using test pattern F001 as log information at startup, and the recording of the trial results using test pattern F002 as log information at reset.

[0058] In this way, the trial unit 113 causes the security execution unit 112, which is an example of the security execution unit 112, to try test patterns so that the software of the vehicle system 30 is temporarily tampered with, such as Secure Boot and dm-verity.

[0059] Figure 5 also shows an example of applying test patterns G001 and G002 to cgroup, which is an example of the security execution unit 112, and the expected results of that application. In this example, the abnormal events output by the security execution unit 112 represent the expected results of applying test patterns G001 and G002.

[0060] Specifically, Figure 5 shows that test patterns G001 and G002 are tests related to computational resource limitations, and that each test pattern G001 and G002 is attempted at one-minute intervals. Furthermore, the expected result for test pattern G001 is that the log information output from cgroup is saved to " / log / sec001", and the access content of test pattern G001 included in this log information is "CPU consumption". The trial unit 113 may increase CPU consumption by creating an infinite loop or the like. Similarly, the expected result for test pattern G002 is that the log information output from cgroup is saved to " / log / sec002", and the access content of test pattern G002 included in this log information is "memory consumption". The trial unit 113 may increase memory consumption by allocating a large amount of memory. The expected result also includes the recording of the trial results of test pattern G001 as log information at one-minute intervals.

[0061] In this way, the trial unit 113 causes the security execution unit 112 to try a test pattern so that it consumes computing resources up to a predetermined value for cgroup, which is an example of the security execution unit 112. Furthermore, by checking the setting value of cgroup, it is possible to confirm whether the setting value has been changed.

[0062] As described above, the verification unit 114 verifies whether or not there is an abnormality in the security execution unit 112 based on the output of the security execution unit 112 when the test pattern is attempted. For example, the verification unit 114 determines that there is no abnormality in the security execution unit 112 if the log information showing the output of the security execution unit 112 matches the expected result for the test pattern. Conversely, the verification unit 114 determines that there is an abnormality in the security execution unit 112 if the above log information does not match the expected result.

[0063] Figure 6 shows an example of the output of the security execution unit 112 when a test pattern is attempted.

[0064] Figure 6 shows the results of a test attempt on NIDS, an example of a security execution unit 112, using the communication test pattern A001. The figure shows that the log information output from NIDS is saved to " / log / sec001", the access destination of test pattern A001 included in this log information is "192.168.0.10", the protocol is "HTTP", and the access content is "exploit". The figure also shows that the test results of test pattern A001 were performed periodically at one-minute intervals.

[0065] In this case, the verification unit 114 determines that there is no abnormality in the security execution unit 112 because the log information output from the security execution unit 112 matches the expected result for test pattern A001. In other words, the verification unit 114 determines that there is no security abnormality in the security execution unit 112 when the log information indicating the output of the security execution unit 112 matches the abnormal event expected for the test pattern.

[0066] On the other hand, the verification unit 114 determines that the security execution unit 112 has been tampered with if the log information output from the security execution unit 112 does not match the expected result for test pattern A001. In other words, the verification unit 114 determines that the security execution unit 112 has been tampered with if the above log information does not match the expected abnormal event.

[0067] Furthermore, the verification unit 114 determines that the security execution unit 112 is disabled if there is no output from the security execution unit 112 regarding event information, including abnormal events; in other words, if there is no output at all from the security execution unit 112.

[0068] Furthermore, the verification unit 114 determines that the security execution unit 112 has been tampered with if an abnormal event is output from the security execution unit 112 at a time other than when the trial unit 113 has the security execution unit 112 try out a test pattern. In this case, the verification unit 114 may also determine that a false response was made due to the tampering.

[0069] Furthermore, the verification unit 114 may verify whether or not there is an abnormality in the security execution unit 112 by performing the trials of the trial unit 113 as shown below.

[0070] For example, the trial unit 113 causes the security execution unit 112 to try a test pattern at a predetermined timing. The verification unit 114 may determine that there is no abnormality in the security execution unit 112 if an abnormal event is output from the security execution unit 112 at a predetermined timing, or it may determine that there is an abnormality in the security execution unit 112 if no abnormal event is output from the security execution unit 112 at a predetermined timing.

[0071] For example, the trial unit 113 periodically causes the security execution unit 112 to test a test pattern. The timing for periodically testing the test pattern is, for example, every minute. The timing for periodic testing is appropriately selected from a range of 0.5 minutes to 5 minutes. The verification unit 114 may determine that there is no abnormality in the security execution unit 112 if abnormal events are output from the security execution unit 112 periodically, or it may determine that there is an abnormality in the security execution unit 112 if abnormal events are not output from the security execution unit 112 periodically.

[0072] For example, the trial unit 113 causes the security execution unit 112 to try test patterns in a predetermined order. The predetermined order is the order that is pre-stored in the storage unit 116. The verification unit 114 may determine that there is no abnormality in the security execution unit 112 if abnormal events are output from the security execution unit 112 in a predetermined order, or it may determine that there is an abnormality in the security execution unit 112 if abnormal events are not output from the security execution unit 112 in a predetermined order.

[0073] For example, the trial unit 113 randomly causes the security execution unit 112 to try test patterns. The order in which the randomly tried test patterns are stored in the storage unit 116. The verification unit 114 may determine that there is no abnormality in the security execution unit 112 if an abnormal event is output from the security execution unit 112 in the same order as the randomly tried test patterns, or it may determine that there is an abnormality in the security execution unit 112 if an abnormal event is not output from the security execution unit 112 in the same order as the randomly tried test patterns. Here, if the test patterns are completely random, the verification unit 114 cannot determine that it is an abnormal event. Therefore, randomly trying test patterns means randomness within a predetermined range, and by confirming that the output result is within the predetermined range, it is determined that it is an abnormal event. Specifically, in the case of system calls, one of 10 predetermined system calls is randomly executed, and if there is a log in which one of the 10 system calls is executed, it is determined that it is an abnormal event. For example, the trial unit 113 causes the security execution unit 112 to try test patterns when a predetermined event occurs. A predetermined event is a normal event such as when vehicle 3 stops or starts moving. The verification unit 114 may determine that there is no abnormality in the security execution unit 112 if a predetermined event occurs and an abnormal event is output from the security execution unit 112, or it may determine that there is an abnormality in the security execution unit 112 if a predetermined event occurs and no abnormal event is output from the security execution unit 112. A predetermined event is, for example, when a software update instruction is received, and by generating an abnormal event to confirm that the software integrity verification is working correctly, it is possible to determine whether or not there is an abnormality in the security execution unit 112.

[0074] The response unit 115 shown in Figure 4 takes action depending on whether or not there is an abnormality in the security execution unit 112.

[0075] Figure 7 shows an example of a response pattern when an abnormality is detected in the security execution unit 112. These response patterns are pre-stored in the storage unit 116.

[0076] The response pattern R001 indicates that if the expected result is obtained from the NIDS after trying test pattern A001, the response unit 115 will not respond. In other words, the response unit 115 will not output information indicating that there is an abnormality in the security execution unit 112 if the verification unit 114 determines that there is no abnormality in the security execution unit 112.

[0077] Response pattern R002 indicates that if the expected result is not obtained from the NIDS after attempting test pattern A001, the response unit 115 will restart the NIDS. In other words, if the security execution unit 112 that attempted the test pattern outputs an event different from an abnormal event, the response unit 115 will restart the security execution unit 112. In this case, the response unit 115 may output information indicating that there is an abnormality in the security execution unit 112. This information indicating an abnormality also includes information about the NIDS, which is the security execution unit 112.

[0078] The response pattern R003 indicates that if the expected results are obtained from DAC and SELinux after trying test pattern B001, the response unit 115 will not respond. In other words, the response unit 115 will not output information indicating that there is an abnormality in the security execution unit 112 if the verification unit 114 determines that there is no abnormality in the security execution unit 112.

[0079] Response pattern R004 indicates that if an abnormal event is output from the DAC or SELinux at a time other than when the test pattern is being tested, the response unit 115 will not restart the DAC or SELinux. In other words, if an abnormal event is output from the security execution unit 112 at a time other than when the test pattern is being tested, the response unit 115 will not restart the security execution unit 112. In this case, the response unit 115 may output information indicating that there is an abnormality in the security execution unit 112.

[0080] The security monitoring device 1 of this embodiment includes a security execution unit 112 that performs security protection for the vehicle system 30, a trial unit 113 that causes the security execution unit 112 to try out test patterns, and a verification unit 114 that verifies whether or not there is an abnormality in the security execution unit 112 based on the output of the security execution unit 112 after the test patterns have been tried out. In this way, the security status of the vehicle system 30 can be determined by verifying whether or not there is an abnormality in the security execution unit 112 based on the output of the security execution unit 112 after the test patterns have been tried out.

[0081] The above example shows the security execution unit 112, the trial unit 113, and the verification unit 114 all located on the same host computer, but this is not limited to that configuration. For example, the security execution unit 112, the trial unit 113, and the verification unit 114 may each be located on different host computers. Furthermore, the security execution unit 112, the trial unit 113, and the verification unit 114 may each be located on different ECUs.

[0082] Figure 8 is a block diagram showing another example of the configuration of the integrated ECU 100. Note that the memory unit 116 is not shown in Figure 8.

[0083] The integrated ECU 100 shown in Figure 8 comprises multiple host computers 110A and 110B, a trusted area 150, and a virtualization platform 170. Each host computer 110A and 110B is equipped with a security protected object 111 and a security monitoring device 1. In the example shown in Figure 8, host computer 110B is designed to be more secure against cyberattacks than host computer 110A.

[0084] In this example, a test pattern is sent from the security monitoring device 1 on host computer 110B to the security monitoring device 1 on host computer 110A, and the trial results of the test pattern are sent from the security monitoring device 1 on host computer 110A to the security monitoring device 1 on host computer 110B. This configuration also makes it possible to determine the security status of the vehicle system 30.

[0085] Furthermore, in the integrated ECU 100, the trial unit 113 may cause the first security execution unit 112a and the second security execution unit 112b to try test patterns in a predetermined order. The verification unit 114 may determine that there are no abnormalities in the first security execution unit 112a and the second security execution unit 112b if abnormal events are output from the first security execution unit 112a and the second security execution unit 112b in a predetermined order.

[0086] [Security monitoring methods] A security monitoring method according to an embodiment will be described with reference to Figure 9.

[0087] Figure 9 is a flowchart showing a security monitoring method according to an embodiment.

[0088] As shown in Figure 9, the security monitoring device 1 attempts a test pattern (step S10). Specifically, the trial unit 113 causes the security execution unit 112 to attempt the test pattern. The test pattern includes control information that causes the security execution unit 112 to output an abnormal event that is different from a normal event.

[0089] Next, the security monitoring device 1 determines whether or not there is output from the security execution unit 112 (step S20). Specifically, the verification unit 114 determines whether or not there is output from the security execution unit 112 by detecting log information indicating output from the security execution unit 112.

[0090] If there is output from the security execution unit 112 (Yes in S20), the security monitoring device 1 determines whether the output from the security execution unit 112 is the expected result for the test pattern (step S30).

[0091] If the security monitoring device 1 obtains the expected result for the test pattern (Yes in S30), it determines that there is no abnormality in the security execution unit 112 (step S40). On the other hand, if the security monitoring device 1 obtains the expected result for the test pattern (No in S30), it determines that there is unauthorized access to the security execution unit 112 (step S50). In this case, the security monitoring device 1 outputs information to the monitoring server 10 indicating that there is an abnormality in the security execution unit 112.

[0092] Furthermore, if there is no output from the security execution unit 112 (No in S20), the security monitoring device 1 determines whether the result of no output from the security execution unit 112 is the expected result for the test pattern (step S60).

[0093] If the security monitoring device 1 obtains the expected result for the test pattern (Yes in S60), it determines that there is no abnormality in the security execution unit 112 (step S70). On the other hand, if the security monitoring device 1 obtains the expected result for the test pattern (No in S60), it determines that the security execution unit 112 is disabled (step S80). In this case, the security monitoring device 1 outputs information to the monitoring server 10 indicating that there is an abnormality in the security execution unit 112.

[0094] By repeatedly performing these steps, the security status of the vehicle system 30 can be appropriately determined.

[0095] (summary) Examples of security monitoring devices, etc., relating to one aspect of this disclosure are given below.

[0096] The security monitoring device 1 of Example 1 includes a security execution unit 112 that performs security protection for the vehicle system 30, a trial unit 113 that causes the security execution unit 112 to try out test patterns, and a verification unit 114 that verifies whether or not there is an abnormality in the security execution unit 112 based on the output of the security execution unit 112 after the test patterns have been tried out.

[0097] In this way, the security status of the vehicle system 30 can be determined by verifying whether or not there is an abnormality in the security execution unit 112 based on the output of the security execution unit 112 after the test pattern has been tested. Furthermore, the security monitoring device 1 can determine whether or not the security execution unit 112 is operating normally with a normal policy.

[0098] The security monitoring device 1 in Example 2 is the security monitoring device described in Example 1, and the test pattern may include control information that causes the security execution unit 112 to output an abnormal event different from a normal event.

[0099] In this way, by including control information that causes abnormal events to be output in the test pattern, it is possible to verify whether or not there is an abnormality in the security execution unit 112 based on whether or not an abnormal event was output from the security execution unit 112. This makes it possible to determine the security status of the vehicle system 30.

[0100] The security monitoring device 1 in Example 3 is the security monitoring device described in Example 2, and the verification unit 114 may determine that there is no abnormality in the security execution unit 112 when the log information showing the output of the security execution unit 112 matches an abnormal event which is the expected result for the test pattern, and determine that the security execution unit 112 has been tampered with when the log information does not match an abnormal event.

[0101] In this way, by determining whether the log information showing the output of the security execution unit 112 matches the abnormal event which is the expected result for the test pattern, it is possible to determine whether the security execution unit 112 has been tampered with. This makes it possible to determine the security status of the vehicle system 30. In addition, the security monitoring device 1 can determine whether the security execution unit 112 is operating normally with a normal policy.

[0102] The security monitoring device 1 in Example 4 is the security monitoring device described in Example 2, and the verification unit 114 may determine that the security execution unit 112 is disabled if there is no output from the security execution unit 112 regarding event information including abnormal events.

[0103] According to this, it is possible to determine whether or not the security execution unit 112 is disabled. This allows the security status of the vehicle system 30 to be determined. In this case, the security monitoring device 1 can also determine that the security execution unit 112 does not have a normal policy and is not operating normally.

[0104] The security monitoring device 1 in Example 5 is the security monitoring device described in Example 2, and the verification unit 114 may determine that the security execution unit 112 is being operated illegally if an abnormal event is output from the security execution unit 112 at a time other than when the trial unit 113 has the security execution unit 112 try a test pattern.

[0105] According to this, it is possible to determine whether or not the security execution unit 112 has been tampered with. This allows the security status of the vehicle system 30 to be determined. Furthermore, the security monitoring device 1 can determine that the security execution unit 112 does not have a normal policy and is not operating normally.

[0106] The security monitoring device 1 in Example 6 is the security monitoring device described in Example 2, wherein the trial unit 113 causes the security execution unit 112 to try a test pattern at a predetermined timing, and the verification unit 114 determines that there is no abnormality in the security execution unit 112 if an abnormal event is output from the security execution unit 112 at a predetermined timing, and determines that there is an abnormality in the security execution unit 112 if no abnormal event is output from the security execution unit 112 at a predetermined timing.

[0107] According to this, for example, it is possible to determine whether or not there is an abnormality in the security execution unit 112 at a predetermined timing necessary for abnormality confirmation. This makes it possible to accurately determine the security status of the vehicle system 30.

[0108] The security monitoring device 1 in Example 7 is the security monitoring device described in Example 2, wherein the trial unit 113 periodically causes the security execution unit 112 to try out test patterns, and the verification unit 114 periodically determines that there is no abnormality in the security execution unit 112 when an abnormal event is output from the security execution unit 112, and determines that there is an abnormality in the security execution unit 112 when no abnormal events are output from the security execution unit 112.

[0109] According to this, for example, even when the vehicle system 30 is in a different state, it is possible to periodically determine whether or not there is an abnormality in the security execution unit 112. This makes it possible to accurately determine the security status of the vehicle system 30.

[0110] The security monitoring device 1 in Example 8 is the security monitoring device described in Example 2, wherein the trial unit 113 causes the security execution unit 112 to try test patterns in a predetermined order, and the verification unit 114 determines that there is no abnormality in the security execution unit 112 if abnormal events are output from the security execution unit 112 in a predetermined order, and determines that there is an abnormality in the security execution unit 112 if abnormal events are not output from the security execution unit 112 in a predetermined order.

[0111] According to this, for example, even with different protection rules, the presence or absence of abnormalities in the security execution unit 112 can be determined in a predetermined order. This allows for accurate determination of the security status of the vehicle system 30.

[0112] The security monitoring device 1 in Example 9 is the security monitoring device described in Example 2, wherein the trial unit 113 randomly causes the security execution unit 112 to try test patterns, and the verification unit 114 determines that there is no abnormality in the security execution unit 112 if an abnormal event is output from the security execution unit 112 as in the randomly tried test patterns, and determines that there is an abnormality in the security execution unit 112 if an abnormal event is not output from the security execution unit 112 as in the randomly tried test patterns.

[0113] According to this, for example, the security execution unit 112 can be made less susceptible to cyberattacks. This improves the security of the vehicle system 30.

[0114] The security monitoring device 1 in Example 10 is the security monitoring device described in Example 2, wherein the trial unit 113 causes the security execution unit 112 to try a test pattern when a predetermined event occurs, and the verification unit 114 may determine that there is no abnormality in the security execution unit 112 when a predetermined event occurs and an abnormal event is output from the security execution unit 112, or determine that there is an abnormality in the security execution unit 112 when a predetermined event occurs and no abnormal event is output from the security execution unit 112.

[0115] According to this, for example, it is possible to determine whether or not there is an abnormality in the security execution unit 112 in response to an event necessary for abnormality detection. This makes it possible to accurately determine the security status of the vehicle system 30.

[0116] The security monitoring device 1 in Example 11 is a security monitoring device described in any of Examples 1 to 10, and the security execution unit 112, the trial unit 113, and the verification unit 114 may each be provided on the same host computer.

[0117] According to this, the security status of the vehicle system 30 can be determined without adding any external devices.

[0118] The security monitoring device 1 in Example 12 is a security monitoring device described in any of Examples 1 to 10, and the security execution unit 112, the trial unit 113, and the verification unit 114 may each be provided on different host computers.

[0119] According to this, for example, the security status of the vehicle system 30 can be determined from an area that is safer than the security-protected object 111.

[0120] The security monitoring device 1 in Example 13 is a security monitoring device described in any of Examples 1 to 10, and the security execution unit 112, the trial unit 113, and the verification unit 114 may each be provided in different ECUs.

[0121] According to this, for example, the security status of the vehicle system 30 can be determined from an area that is safer than the security-protected object 111.

[0122] The security monitoring device 1 in Example 14 is a security monitoring device described in any of Examples 2 to 10, wherein the trial unit 113 causes the first security execution unit 112a and the second security execution unit 112b to try test patterns in a predetermined order, and the verification unit 114 may determine that there is no abnormality in the first security execution unit 112a and the second security execution unit 112b if abnormal events are output from the first security execution unit 112a and the second security execution unit 112b in a predetermined order.

[0123] This makes it possible to simultaneously determine whether or not there are abnormalities in the first security execution unit 112a and the second security execution unit 112b.

[0124] The security monitoring device 1 in Example 15 is a security monitoring device described in any of Examples 1 to 10, wherein the security execution unit 112 performs security protection relating to arbitrary access control or mandatory access control, and the trial unit 113 may cause the security execution unit 112 to try test patterns so that unauthorized access to the security execution unit 112 is attempted.

[0125] This makes it possible to appropriately determine whether or not there is an abnormality in the security execution unit 112.

[0126] The security monitoring device 1 in Example 16 is a security monitoring device described in any of Examples 1 to 10, wherein the security execution unit 112 performs security protection related to system call restrictions, and the trial unit 113 may cause the security execution unit 112 to try test patterns so that an unauthorized system call is attempted against the security execution unit 112.

[0127] This makes it possible to appropriately determine whether or not there is an abnormality in the security execution unit 112.

[0128] The security monitoring device 1 in Example 17 is a security monitoring device described in any of Examples 1 to 10, wherein the security execution unit 112 performs security protection related to namespace isolation, and the trial unit 113 may cause the security execution unit 112 to try test patterns to confirm the existence of processes or resources in other namespaces different from the namespace in question.

[0129] This makes it possible to appropriately determine whether or not there is an abnormality in the security execution unit 112.

[0130] The security monitoring device 1 in Example 18 is a security monitoring device described in any of Examples 1 to 10, wherein the security execution unit 112 performs security protection regarding the limitation of computing resources, and the trial unit 113 may check the setting value of the computing resources of the security execution unit 112 or cause the security execution unit 112 to try test patterns to consume up to a predetermined value.

[0131] This makes it possible to appropriately determine whether or not there is an abnormality in the security execution unit 112.

[0132] The security monitoring device 1 in Example 19 is a security monitoring device described in any of Examples 1 to 10, wherein the security execution unit 112 performs security protection related to communication monitoring, and the trial unit 113 may cause the security execution unit 112 to try test patterns so that an unauthorized signal is transmitted to the security execution unit 112.

[0133] This makes it possible to appropriately determine whether or not there is an abnormality in the security execution unit 112.

[0134] The security monitoring device 1 in Example 20 is a security monitoring device described in any of Examples 1 to 10, wherein the security execution unit 112 performs security protection for the software of the vehicle system 30, and the trial unit 113 may cause the security execution unit 112 to try test patterns so that the software is temporarily tampered with.

[0135] This makes it possible to appropriately determine whether or not there is an abnormality in the security execution unit 112.

[0136] The security monitoring device 1 in Example 21 is a security monitoring device described in any of Examples 1 to 10, and further includes a response unit 115 that takes action according to whether or not there is an abnormality in the security execution unit 112, and the response unit 115 does not have to output information indicating that there is an abnormality in the security execution unit 112 when the verification unit 114 determines that there is no abnormality in the security execution unit 112.

[0137] In this way, by not outputting information indicating an abnormality when there is no abnormality, we can suppress the increase in unnecessary processing.

[0138] The security monitoring device 1 in Example 22 is a security monitoring device described in any of Examples 1 to 10, and further includes a response unit 115 that takes action according to whether or not there is an abnormality in the security execution unit 112. The response unit 115 may output information indicating that there is an abnormality in the security execution unit 112 if an event different from an abnormal event is output from the security execution unit 112 on which the test pattern has been attempted.

[0139] According to this, it is possible to notify the security execution unit 112 that there is an abnormality.

[0140] The security monitoring device 1 in Example 23 is a security monitoring device described in any of Examples 2 to 10, and further includes a response unit 115 that takes action according to whether or not there is an abnormality in the security execution unit 112, and the response unit 115 may restart the security execution unit 112 if no abnormal event is output from the security execution unit 112 on which the test pattern has been attempted.

[0141] According to this, the security execution unit 112, which is in an abnormal state, can be restored to a normal state.

[0142] The security monitoring device 1 in Example 24 is a security monitoring device described in any of Examples 2 to 10, and further includes a response unit 115 that takes action according to whether or not there is an abnormality in the security execution unit 112, and the response unit 115 does not need to restart the security execution unit 112 if an abnormal event is output from the security execution unit 112 other than when a test pattern is attempted.

[0143] According to this, it is possible to suppress the escalation of damage caused by abnormal conditions.

[0144] The security monitoring system 2 of Example 25 comprises a security monitoring device 1 described in any of Examples 1 to 10, and a monitoring server 10 that communicates with the security monitoring device 1 via an external network 20.

[0145] A security monitoring system 2 capable of determining the security status of the vehicle system 30 can be provided.

[0146] The security monitoring method in Example 26 involves having the security execution unit 112, which performs security protection for the vehicle system 30, try a test pattern, and then verifying whether or not there is an abnormality in the security execution unit 112 based on the output of the security execution unit 112 after the test pattern has been tried.

[0147] In this way, the security status of the vehicle system 30 can be determined by verifying whether or not there is an abnormality in the security execution unit 112 based on the output of the security execution unit 112 after the test pattern has been attempted.

[0148] (Other embodiments) Although security monitoring devices, etc., relating to one or more embodiments have been described above based on the above embodiments, this disclosure is not limited to the above embodiments. Without departing from the spirit of this disclosure, various modifications that a person skilled in the art could conceive of may be applied to the above embodiments, or forms constructed by combining components from different embodiments may also be included within the scope of one or more embodiments.

[0149] In the above embodiment, each component may be implemented by dedicated hardware or by executing a computer program suitable for each component. Each component may also be implemented by a program execution unit such as a CPU or processor reading and executing a computer program recorded on a recording medium such as a hard disk or semiconductor memory.

[0150] Furthermore, some or all of the functions of the security monitoring device according to the above embodiment may be realized by a processor such as a CPU executing a computer program.

[0151] Some or all of the components constituting each of the above devices may consist of a removable IC card or a standalone module. The IC card or module is a computer system consisting of a microprocessor, ROM, RAM, etc. The IC card or module may also include the above-mentioned multi-functional LSI. The microprocessor operates according to a computer program, thereby enabling the IC card or module to achieve its function. The IC card or module may also be tamper-resistant.

[0152] This disclosure may be the methods described above. It may also be a computer program that implements these methods using a computer, or a digital signal including the computer program. Furthermore, this disclosure may be a computer-readable, non-temporary recording medium, such as a flexible disk, hard disk, CD-ROM, MO, DVD, DVD-ROM, DVD-RAM, BD (Blu-ray® Disc), semiconductor memory, etc. It may also be the digital signal recorded on such a recording medium. Furthermore, this disclosure may involve transmitting the computer program or digital signal via telecommunications lines, wireless or wired communication lines, networks such as the Internet, data broadcasting, etc. Furthermore, this disclosure may be a computer system comprising a microprocessor and memory, wherein the memory stores the computer program, and the microprocessor operates according to the computer program. Furthermore, this disclosure may be implemented by another independent computer system by recording and transferring the computer program or digital signal on the medium, or by transferring the computer program or digital signal via the network, etc.

[0153] In the above embodiment, the application of this disclosure was described as a security measure for automobiles, but the scope of application is not limited to this. For example, this disclosure may be applied not only to automobiles, but also to other forms of mobility such as construction machinery, agricultural machinery, ships, railways, or airplanes. [Industrial applicability]

[0154] The security monitoring device described herein is applicable, for example, to a virtual ECU or the like that has a function to detect abnormalities in the security state. [Explanation of Symbols]

[0155] 1. Security monitoring device 2. Security monitoring system 3 vehicles 10 Monitoring Servers 20 External Network 30 Vehicle Systems 40, 41 CAN 50, 51 Ethernet 100 Integrated ECUs 110A, 110B, Host Computer 111 Security Protection 112 Security Execution Unit 112a First security execution unit 112b Second security execution unit 113 Trial section 114 Verification Department 115 Corresponding section 116 Storage section 150 confidence zone 170 Virtualization Platforms 200 Gateway ECUs 300 Zone ECU 400a Steering ECU 400b Brake ECU 400c Front Camera ECU 400d Rear Camera ECU

Claims

1. A security execution unit that performs security protection for the vehicle system, A trial unit that causes the security execution unit to try out test patterns, A verification unit verifies whether or not there is an abnormality in the security execution unit based on the output of the security execution unit after the test pattern has been attempted, A security monitoring device equipped with the following features.

2. The test pattern includes control information that causes the security execution unit to output an abnormal event different from a normal event. The security monitoring device according to claim 1.

3. The verification unit, If the log information indicating the output of the security execution unit matches the abnormal event which is the expected result for the test pattern, the security execution unit is determined to be free of abnormalities. If the log information does not match the abnormal event, the security execution unit determines that unauthorized operation has occurred. The security monitoring device according to claim 2.

4. The verification unit determines that the security execution unit is disabled if there is no output from the security execution unit regarding event information including the abnormal event. The security monitoring device according to claim 2.

5. The verification unit determines that the security execution unit is being manipulated if the abnormal event is output from the security execution unit at a time other than when the trial unit has the security execution unit try out the test pattern. The security monitoring device according to claim 2.

6. The trial unit causes the security execution unit to test the test pattern at a predetermined timing. The verification unit, If the security execution unit outputs the abnormal event at the predetermined timing, it is determined that there is no abnormality in the security execution unit. If the security execution unit does not output the abnormal event at the predetermined timing, it is determined that there is an abnormality in the security execution unit. The security monitoring device according to claim 2.

7. The trial unit periodically causes the security execution unit to try out test patterns. The verification unit, If the security execution unit periodically outputs the abnormal event, it is determined that there is no abnormality in the security execution unit. If the security execution unit does not periodically output the abnormal event, it is determined that there is an abnormality in the security execution unit. The security monitoring device according to claim 2.

8. The trial unit causes the security execution unit to try out the test patterns in a predetermined order. The verification unit, If the abnormal events are output from the security execution unit in the predetermined order, it is determined that there is no abnormality in the security execution unit. If the security execution unit does not output the abnormal events in the predetermined order, it is determined that there is an abnormality in the security execution unit. The security monitoring device according to claim 2.

9. The trial unit randomly causes the security execution unit to try out test patterns. The verification unit, If the abnormal event is output from the security execution unit in the same way as the test pattern was randomly attempted, the security execution unit is determined to be free of abnormalities. If the abnormal event is not output from the security execution unit as described above when the test pattern is randomly attempted, it is determined that there is an abnormality in the security execution unit. The security monitoring device according to claim 2.

10. The trial unit causes the security execution unit to try out a test pattern when a predetermined event occurs. The verification unit, When the aforementioned predetermined event occurs and the security execution unit outputs the abnormal event, the security execution unit determines that there is no abnormality. If the predetermined event occurs and the abnormal event is not output from the security execution unit, it is determined that there is an abnormality in the security execution unit. The security monitoring device according to claim 2.

11. The security execution unit, the trial unit, and the verification unit are each located on the same host computer. A security monitoring device according to any one of claims 1 to 10.

12. The security execution unit, the trial unit, and the verification unit are each located on different host computers. A security monitoring device according to any one of claims 1 to 10.

13. The security execution unit, the trial unit, and the verification unit are each located on a different ECU (Electronic Control Unit). A security monitoring device according to any one of claims 1 to 10.

14. The trial unit causes the first security execution unit and the second security execution unit to try the test patterns in a predetermined order. The verification unit determines that there are no abnormalities in the first security execution unit and the second security execution unit if the abnormal events are output from the first security execution unit and the second security execution unit in the predetermined order. A security monitoring device according to any one of claims 2 to 10.

15. The security execution unit performs security protection related to arbitrary access control or mandatory access control. The trial unit causes the security execution unit to attempt test patterns so that unauthorized access to the security execution unit is attempted. A security monitoring device according to any one of claims 1 to 10.

16. The security execution unit performs security protection related to system call restrictions. The trial unit causes the security execution unit to attempt test patterns so that unauthorized system calls are attempted against the security execution unit. A security monitoring device according to any one of claims 1 to 10.

17. The security execution unit performs security protection related to namespace isolation, The trial unit causes the security execution unit to try test patterns to verify the existence of processes or resources in other namespaces different from the namespace in question. A security monitoring device according to any one of claims 1 to 10.

18. The security execution unit performs security protections related to the limitation of computing resources. The trial unit checks the settings of the computing resources of the security execution unit, or causes the security execution unit to run test patterns to consume them up to a predetermined value. A security monitoring device according to any one of claims 1 to 10.

19. The security execution unit performs security protection related to communication monitoring. The trial unit causes the security execution unit to attempt a test pattern so that an invalid signal is transmitted to the security execution unit. A security monitoring device according to any one of claims 1 to 10.

20. The security execution unit performs security protection related to the software of the vehicle system. The trial unit causes the security execution unit to try out test patterns so that the software is temporarily tampered with. A security monitoring device according to any one of claims 1 to 10.

21. Furthermore, it includes a response unit that takes action according to whether or not there is an abnormality in the security execution unit, The aforementioned response unit does not output information indicating that there is an abnormality in the security execution unit if the verification unit determines that there is no abnormality in the security execution unit. A security monitoring device according to any one of claims 1 to 10.

22. Furthermore, it includes a response unit that takes action according to whether or not there is an abnormality in the security execution unit, If the security execution unit does not output the abnormal event when the test pattern is attempted, the corresponding unit outputs information indicating that there is an abnormality in the security execution unit. A security monitoring device according to any one of claims 2 to 10.

23. Furthermore, it includes a response unit that takes action according to whether or not there is an abnormality in the security execution unit, The corresponding unit restarts the security execution unit if an event different from the abnormal event is output from the security execution unit where the test pattern was attempted. A security monitoring device according to any one of claims 2 to 10.

24. Furthermore, it includes a response unit that takes action according to whether or not there is an abnormality in the security execution unit, The aforementioned response unit will not restart the security execution unit if the abnormal event is output from the security execution unit at a time other than when the test pattern is being tested. A security monitoring device according to any one of claims 2 to 10.

25. A security monitoring device according to any one of claims 1 to 10, A monitoring server that communicates with the security monitoring device via an external network, A security monitoring system equipped with the following features.

26. The security execution unit that performs security protection for the vehicle system is made to test test patterns. Based on the output of the security execution unit after the test pattern has been attempted, the presence or absence of an abnormality in the security execution unit is verified. Security monitoring methods.