VEHICLE SECURITY NETWORK DEVICE AND METHOD FOR CONTROLLING SAME

Abstract
A vehicle security network design device may comprise: a level assigning unit for assigning an automobile safety integrity level (ASIL), which provides a risk management standard, to each of a plurality of functional elements in a vehicle, the units being at least temporarily implemented by a processor; a calculation unit for calculating a device's controllability with respect to each of the plurality of functional elements on the basis of a connection structure between the plurality of functional elements and a difference value of the ASIL; and a management unit for generating a risk analysis model of the plurality of functional elements.
Description
TECHNICAL FIELD

Embodiments of the present invention relate to a field of vehicle system security and, more particularly, to a method of evaluating and managing security classes with respect to functional elements included in a vehicle and a device performing the same.


BACKGROUND ART

Early automobiles were assemblies of mechanical technologies. However, as electronic components were gradually added, the automobile came to offer various functions and services such as automatic transmission, remote control and navigation, and has been developed to support advanced technology such as autonomous driving. Unlike components of general electronic products, malfunction of automobile electronic components may in some cases lead to serious accidents. With the increasing proportion of electronic components in a vehicle, the importance of “functional safety” has been emphasized. “Functional safety” refers to freedom from unreasonable risk, that is, a rational risk level. A rational risk level means that the probability of malfunction occurrence is lowered and managed at a rational level according to the classes of the electronic components.


Automobile components such as electronic components differ in the severity of their malfunctions, and thus the International Organization for Standardization (ISO) 26262 standard, which determines a rational risk class for each component, has been established and provided as a risk analysis method for functional safety together with a response method. However, the number of electronic components in a vehicle has increased, and the components in the vehicle are connected to each other, or to other vehicles, over a network. Thus, a risk analysis method is needed that considers intended malfunction caused by security threats as a risk element in addition to malfunction caused by faults. The International Electrotechnical Commission (IEC) 62443 industrial security standard is capable of considering the realizability of security threats, but does not consider the characteristics of a vehicle environment.


DISCLOSURE OF INVENTION
Technical Solutions

According to an aspect of the present invention, there is provided a vehicle security network design device implemented by a processor. The vehicle security network design device may include a level assigner configured to assign an automobile safety integrity level (ASIL) which provides a risk management standard for each of a plurality of functional elements in a vehicle, a calculator configured to calculate a device's controllability with respect to each of the plurality of functional elements based on a difference in the ASIL and a connection structure between the plurality of functional elements, and a manager configured to establish and manage a risk analysis model of the plurality of functional elements based on the ASIL and the device's controllability.


The calculator may be configured to generate a graph including a vertex corresponding to each of the plurality of functional elements and an edge indicating whether data is transmitted and received between the plurality of functional elements. In further detail, the calculator may be configured to generate the graph including any one of a one-way edge and a two-way edge based on a data transmission and reception direction between two functional elements connected to each other.


The calculator may be configured to generate an edge weight matrix indicating a difference in the ASIL between two functional elements included in each edge. Further, the calculator may be configured to generate a weighted, directed graph in which the difference in the ASIL corresponding to the each edge is represented on a path of the edge.


The calculator may be configured to generate a transitive closure matrix indicating a sum of weights of at least one edge included in a path between two random vertices. Further, the calculator may be configured to calculate, as the device's controllability of a functional element corresponding to a first vertex, a difference in the ASIL between the first vertex and a second vertex, the second vertex being the vertex that maximizes the difference in the ASIL among the at least one vertex reachable by a path from the first vertex.


The calculator may be configured to calculate a maximum value among values of a first row of the transitive closure matrix corresponding to the first vertex as the device's controllability of the functional element corresponding to the first vertex.


The level assigner may be configured to assign a likelihood of risk occurrence with respect to each of the plurality of functional elements in the vehicle, and the manager may be configured to generate the risk analysis model of the plurality of functional elements based on the likelihood, the ASIL and the device's controllability. The level assigner may be configured to assign the likelihood according to the International Electrotechnical Commission (IEC) 62443 based on a realizability and a security vulnerability of a threat to each of the plurality of functional elements, and assign the ASIL according to the International Organization for Standardization (ISO) 26262 based on an accidental severity, an accidental exposure probability and a controllability with respect to each of the plurality of functional elements.


According to another aspect of the present invention, there is provided a method of calculating a device's controllability of a functional element in a vehicle, the method including calculating an edge weight matrix indicating a connection state of a plurality of functional elements in a vehicle based on a difference in ASIL and a connection structure between the plurality of functional elements, calculating a transitive closure matrix indicating a sum of weights of at least one edge included in a path between two random vertices using the edge weight matrix, and calculating a device's controllability of a functional element corresponding to a first vertex based on the ASIL of each of at least one vertex having a path connected from the first vertex.


The calculating of the edge weight matrix may further include generating vertices corresponding to the plurality of functional elements, and generating a graph including an edge indicating whether data is transmitted and received between two random vertices.


The generating of the graph including the edge may include generating the graph including any one of a one-way edge and a two-way edge based on a data transmission and reception direction between the two random vertices. Further, the generating of the graph including the edge may include generating a weighted, directed graph in which a difference in the ASIL between the two vertices corresponding to each edge is represented on a path of that edge.


The calculating of the device's controllability may include calculating a maximum value among values of a first row of the transitive closure matrix corresponding to the first vertex as the device's controllability of the functional element corresponding to the first vertex.


The calculating of the device's controllability may include calculating, as the device's controllability of the functional element corresponding to the first vertex, a difference in the ASIL between the first vertex and a second vertex, the second vertex being one of the at least one vertex reachable by a path from the first vertex, and the second vertex being the vertex that maximizes the difference in the ASIL from the first vertex.


According to still another aspect of the present invention, there is provided a program stored in a computer-readable medium, the program including an instruction set to perform a vehicle security network design method. In further detail, the instruction set may include an instruction set configured to assign a likelihood of risk occurrence with respect to each of a plurality of functional elements in a vehicle, an instruction set configured to assign an ASIL related to a risk management standard with respect to each of the plurality of functional elements in the vehicle, an instruction set configured to calculate a device's controllability with respect to each of the plurality of functional elements based on a difference in the ASIL and a connection structure between the plurality of functional elements, and an instruction set configured to generate a risk analysis model of the plurality of functional elements based on the likelihood, the ASIL and the device's controllability.





BRIEF DESCRIPTION OF DRAWINGS


FIG. 1 is a block diagram illustrating a vehicle security network design device according to an embodiment.



FIG. 2 is a flowchart illustrating a method of calculating a device's controllability of a functional element in a vehicle according to an embodiment.



FIG. 3 illustrates an example of a graph model of functional elements in a vehicle, the graph model generated by a vehicle security network design device according to an embodiment.



FIG. 4 illustrates an example of a weighted, directed graph generated using a generated edge weight matrix according to an embodiment.



FIG. 5 illustrates an example of a directed graph reflecting a device's controllability according to an embodiment.



FIG. 6 illustrates an example of a connection relationship of functional elements included in a vehicle according to an embodiment.



FIG. 7A illustrates a directed graph model generated by a vehicle security network design device according to an embodiment.



FIG. 7B illustrates a graph model reflecting a device's controllability from the directed graph model generated in FIG. 7A.





BEST MODE FOR CARRYING OUT THE INVENTION

The following detailed structural or functional description of embodiments is provided as an example only and various alterations and modifications may be made to the embodiments. Accordingly, the embodiments are not construed as being limited to the disclosure and should be understood to include all changes, equivalents, and replacements within the technical scope of the disclosure.


Terms, such as first, second, and the like, may be used herein to describe components. Each of these terminologies is not used to define an essence, order or sequence of a corresponding component but used merely to distinguish the corresponding component from other component(s). For example, a first component may be referred to as a second component, and similarly the second component may also be referred to as the first component.


It should be noted that if it is described that one component is “connected”, “coupled”, or “joined” to another component, a third component may be “connected”, “coupled”, and “joined” between the first and second components, although the first component may be directly connected, coupled, or joined to the second component.


The singular forms “a”, “an”, and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises/comprising” and/or “includes/including” when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.


Unless otherwise defined, all terms, including technical and scientific terms, used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure pertains. Terms, such as those defined in commonly used dictionaries, are to be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art, and are not to be interpreted in an idealized or overly formal sense unless expressly so defined herein.


Hereinafter, embodiments will be described in detail with reference to the accompanying drawings. The same component or components corresponding to each other will be provided with the same reference numeral, and their detailed explanation will be omitted.



FIG. 1 is a block diagram illustrating a vehicle security network design device according to an embodiment. A vehicle security network design device 100 may include a processor. Referring to FIG. 1, the vehicle security network design device 100 may include a level assigner 110, a calculator 120 and a manager 130 that are at least temporarily implemented by the processor. The level assigner 110 may assign an automobile safety integrity level (ASIL), which provides a risk management standard, to each of a plurality of functional elements in a vehicle. In further detail, the level assigner 110 may assign an ASIL to each of the plurality of functional elements connected to a controller area network (CAN) of the vehicle based on the following Equation 1. However, the CAN is merely an example of an intra-vehicle network (IVN) managed according to embodiments, and the description using the CAN as an example should not be construed as limiting the scope of the present disclosure to a specific application.

$$\text{ASIL} = \text{Severity} \times \text{Probability} \times \text{Controllability} \quad [\text{Equation 1}]$$


The level assigner 110 may assign an ASIL level by combining an accidental severity level according to a hazard caused by a fault or functional failure of a device, a probability of exposure level reflecting the operational situation of the vehicle, and a controllability of the driver, since an accident may still be prevented by the driver's control even when a mechanical malfunction occurs. As an example, the International Organization for Standardization (ISO) 26262 standard may be used for the ASIL level assignment of the level assigner 110.


The level assigner 110 may determine an accidental severity level as follows to assign an ASIL class related to the risk management standard. An exemplary evaluation matrix is introduced as shown in the following Table 1.

TABLE 1

| Description | No injuries | Light injuries | Severe injuries (life-threatening) |
|---|---|---|---|
| Severity level S | S0 | S1 | S2 |


In addition, the level assigner 110 may determine a probability of exposure level related to a hazard element as follows. An exemplary evaluation matrix is introduced as shown in the following Table 2.

TABLE 2

| Probability of exposure level E | Probability | Probability range (x) | Frequency |
|---|---|---|---|
| E0 | No | | |
| E1 | Very low | | Once a year |
| E2 | Low | x < 1% | Several times a year |
| E3 | Medium | 1% ≤ x < 10% | Once a month |
| E4 | High | 10% ≤ x | Often during driving |


Further, the level assigner 110 may determine a controllability level as follows, the controllability level indicating the probability of escaping from the hazard by the driver's control in a situation in which an accident is likely to occur. An exemplary evaluation matrix is introduced as shown in the following Table 3.

TABLE 3

| Description | Controllable | Simply controllable | Normally controllable |
|---|---|---|---|
| Situation | Easy | Avoid accident at probability of 99% or higher | Avoid accident at probability of 90% or higher |
| Controllability level C | C0 | C1 | C2 |


As shown above, the accidental severity level according to the hazard, the probability of exposure level reflecting the operational situation of the vehicle and the controllability of the driver are determined, and the level assigner 110 may assign the ASIL class by combining them. An exemplary matrix is introduced as shown in the following Table 4.

TABLE 4

| Severity level S | Probability of exposure level E | C0 | C1 | C2 | C3 |
|---|---|---|---|---|---|
| S1 | E1 | QM | QM | QM | QM |
| S1 | E2 | QM | QM | QM | QM |
| S1 | E3 | QM | QM | QM | ASIL A |
| S1 | E4 | QM | QM | ASIL A | ASIL B |
| S2 | E1 | QM | QM | QM | QM |
| S2 | E2 | QM | QM | QM | ASIL A |
| S2 | E3 | QM | QM | ASIL A | ASIL B |
| S2 | E4 | QM | ASIL A | ASIL B | ASIL C |
| S3 | E1 | QM | QM | QM | ASIL A |
| S3 | E2 | QM | QM | ASIL A | ASIL B |
| S3 | E3 | QM | ASIL A | ASIL B | ASIL C |
| S3 | E4 | ASIL A | ASIL B | ASIL C | ASIL D |

The columns C0 through C3 are the controllability level C.


In Table 4, quality management (QM) indicates a basic quality level without a special requirement. In the direction from ASIL A to ASIL D, the standard required for risk management with respect to a class becomes higher. The evaluation levels described above may be represented as a ranked result as shown in Table 4. However, in another example, they may also be represented as a risk level vector including each evaluation level as an element.


Further, according to an embodiment, the level assigner 110 may assign a likelihood of risk occurrence based on a predesignated standard with respect to each of the plurality of functional elements in the vehicle. In further detail, the level assigner 110 may assign the likelihood of risk occurrence based on the following Equation 2.

$$\text{Likelihood} = \text{Likelihood of Exploited Vulnerability} \times \text{Likelihood of Realized Threat} \quad [\text{Equation 2}]$$


The level assigner 110 may assign the likelihood of risk occurrence based on a combination of a security vulnerability (likelihood of exploited vulnerability) and a threat realizability (likelihood of realized threat) as expressed by Equation 2. In further detail, the level assigner 110 may evaluate the threat realizability level as the potential likelihood of a security attack, determined in view of the human resources of an attacker, the material resources, and the required time. For example, the threat realizability level is evaluated as relatively high when the level of experience and related knowledge required for the attack is low, the level of equipment necessary for the attack is low, and the time taken for the attack is short. Exemplary evaluation matrices are introduced in the following Table 5 and Table 6.

TABLE 5

| Evaluation standard | Content | Class | Description |
|---|---|---|---|
| Required skill | Ordinary person | High | Person with lack of or no related knowledge or experience |
| Required skill | Skilled person | Medium | Person having related knowledge or experience and capable of utilizing existing published attack method |
| Required skill | Security expert | Low | Person having knowledge and experience related to security attack and capable of proposing new attack method |
| Attack resources | General/no equipment | High | Immediately available general equipment |
| Attack resources | Technical/purchased equipment | Medium | Purchasable without great effort |
| Attack resources | Ordered/manufactured equipment | Low | Commonly unavailable or quite expensive, or need to be made to order |
| Attack time | Immediate | High | System malfunctions soon when attack starts |
| Attack time | Within driving time | Medium | System malfunctions by attack while vehicle is turned on |
| Attack time | Other long periods | Low | Case of long attack time to make vehicle system malfunction |

TABLE 6

Threat realizability level T

| Skill | Attack resource | Attack time: High | Attack time: Medium | Attack time: Low |
|---|---|---|---|---|
| High | High | T3 | T3 | T3 |
| High | Medium | T3 | T3 | T2 |
| High | Low | T3 | T2 | T1 |
| Medium | High | T3 | T3 | T2 |
| Medium | Medium | T3 | T2 | T1 |
| Medium | Low | T2 | T1 | |
| Low | High | T3 | T2 | T1 |
| Low | Medium | T2 | T1 | |
| Low | Low | T1 | | |


Further, the level assigner 110 may evaluate a security vulnerability exposure level based on the openness of a target system, that is, on how widely information about the attack target is published to the outside, how often the target is used, and how the target can be accessed. For example, the security vulnerability exposure level may be evaluated as relatively high for a high frequency of use of the target system, a large amount of published information, and a high openness of the access level. Exemplary evaluation matrices are introduced in the following Table 7 and Table 8.

TABLE 7

| Evaluation standard | Content | Class | Description |
|---|---|---|---|
| Frequency of use | High | High | Every driving/Every moment |
| Frequency of use | Medium | Medium | Once or twice a month/Often |
| Frequency of use | Low | Low | Once or twice a year/Sometimes |
| Information publication | Published | High | Published through Internet and provided manual |
| Information publication | Involved worker | Medium | Owned by service center, manufacturing company, parts manufacturing company, etc. |
| Information publication | Confidential document | Low | Available to authorized person at service center, manufacturing company or parts manufacturing company |
| Access level | Open | High | Accessible through Internet or by unauthorized person |
| Access level | General user | Medium | Accessible by driver only |
| Access level | Special user | Low | Accessible with authority of service center, manufacturing company or parts manufacturing company |

TABLE 8

Security vulnerability exposure level, Vulnerability Exploited (V)

| Frequency of use | Information publication | Access level: High | Access level: Medium | Access level: Low |
|---|---|---|---|---|
| High | High | V3 | V3 | V3 |
| High | Medium | V3 | V3 | V2 |
| High | Low | V3 | V2 | V1 |
| Medium | High | V3 | V3 | V2 |
| Medium | Medium | V3 | V2 | V1 |
| Medium | Low | V2 | V1 | |
| Low | High | V3 | V2 | V1 |
| Low | Medium | V2 | V1 | |
| Low | Low | V1 | | |


The level assigner 110 may assign the likelihood of risk occurrence based on a combination of the assigned threat realizability level and the assigned security vulnerability exposure level, as shown in the following Table 9.

TABLE 9

Risk occurrence likelihood level D

| Realizability of threat | Security vulnerability exposure: V3 | Security vulnerability exposure: V2 | Security vulnerability exposure: V1 |
|---|---|---|---|
| T3 | D4 | D3 | D2 |
| T2 | D3 | D2 | D1 |
| T1 | D2 | D1 | |


The calculator 120 may calculate a device's controllability with respect to each of the plurality of functional elements based on a difference in the ASIL class and a connection structure between the plurality of functional elements in the vehicle. The calculated device's controllability is a different concept from a controllability of a user which is defined in the ISO 26262 standard and is a factor which is newly defined here to consider a controllability and a connection between functional elements on a network in the vehicle.


The calculator 120 may generate a graph including a vertex corresponding to each of the plurality of functional elements and an edge indicating whether data is transmitted and received between the plurality of functional elements. Here, the edge may be one of a one-way edge and a two-way edge based on the data transmission and reception direction between two functional elements (vertices) connected to each other. The calculator 120 may generate an edge weight matrix indicating a difference in the ASIL between the two functional elements included in each edge. The calculator 120 may calculate a transitive closure matrix indicating a sum of weights of at least one edge included in a path between two random vertices. For each vertex vi, the calculator 120 may detect, among the vertices vj (0≤j<k) which may receive data from the vertex vi, that is, which are reachable from the vertex vi, the vertex vj having the greatest difference in the ASIL class from vi, and take that class difference. This may be calculated by finding and taking the greatest value among all values of the (i+1)-th row of the transitive closure matrix T. The calculator 120 may deduce this as the device's controllability (DC) with respect to the vertex. Detailed examples will be described with reference to the following drawings.


The manager 130 may newly generate and manage a risk analysis model of the plurality of functional elements based on the ASIL, the likelihood and the device's controllability. The ASIL may denote a class calculated based on the ISO 26262 standard. Accordingly, the ASIL may consider factors such as an operational situation of the vehicle and a controllability of the driver which have effects when a potential threat leads to an accident.


However, the ISO 26262 standard assumes that the faults, errors and functional failures which give rise to threats occur stochastically, whereas a security threat may be intentionally made by an intelligent attacker, unlike a simple mechanical fault. Thus, the likelihood of risk occurrence may consider factors such as the likelihood of the security threat, as the IEC 62443 does. The vehicle security network design device may cover the risk analysis factors that the two standards, the ISO 26262 and the IEC 62443, consider, thereby improving the accuracy of the risk analysis for each of the functional elements. The manager 130 may manage the vehicle security management class newly analyzed in this way as a security-ASIL (S-ASIL). A detailed description will be provided later using examples with reference to FIG. 7 and the like. In the description set forth hereinafter, the method of calculating the device's controllability with respect to each of the plurality of functional elements will be described in detail.



FIG. 2 is a flowchart illustrating a method of calculating a device's controllability of a functional element in a vehicle according to an embodiment. Referring to FIG. 2, a method of calculating a device's controllability of a functional element in a vehicle may include operation 210 of calculating an edge weight matrix based on a connection state between devices in a vehicle, operation 220 of calculating a transitive closure matrix using the edge weight matrix and operation 230 of calculating a device's controllability using the transitive closure matrix.


Today, electronic control units (ECUs), various sensors, and actuators included in a vehicle may be connected on a network and exchange a variety of data with each other. Such an organic connection relationship between a plurality of devices may enable implementation of a user-centered interface for the vehicle. However, it may also become an attack path for an outside intruder. The intruder may indirectly attack an otherwise well-secured device through a vulnerability of another device. To account for this likelihood as well, the vehicle security network design device may generate a risk analysis model in view of the controllability of and the connections between functional elements corresponding to independent devices on the network in the vehicle.


In operation 210, the vehicle security network design device may generate a graph model based on a connection structure between a plurality of functional elements in a vehicle. In the following description, a functional element may denote a minimal unit of each of a plurality of functions associated with the vehicle and a functional unit to be performed by a single electronic component. The vehicle security network design device may generate a graph model G=(V, E) including a vertex corresponding to each of the plurality of functional elements and an edge indicating a connection relationship between the plurality of functional elements.


For example, the vertex may be defined as vi∈V(0≤i<k) which is defined as each functional element in a case in which k functional elements exist in the vehicle. In addition, the edge may indicate the connection relationship between the plurality of functional elements and whether data is transmitted and received therebetween and be defined as (vi, vj)∈E(i≠j, 0≤i, j<k). In further detail, the vehicle security network design device may generate a graph model including any one of a one-way edge and a two-way edge based on a data transmission and reception direction between two functional elements connected to each other.


In another example, the vehicle security network design device may implement a one-way uploading system to prevent a change in a directivity of data transmission and reception between functional elements in response to a security threat such as hacking and physically fix a communication direction between two devices to a predetermined direction.


The one-way uploading system may be a physical and/or software function installed at a gateway which performs routing such that the functional elements are connected on a network. For example, if there is a one-way edge through which data is transmitted from a vertex vi to a vertex vj, and vj is unable to transmit data to vi, the one-way uploading system may be a means to non-reciprocally maintain this directivity. The one-way uploading system may guarantee the security class evaluated with respect to the functional elements and the validity of the management model therefor. Thus, while the security class is set and managed according to embodiments, a security attacker may not access or change the one-way uploading system.


Meanwhile, in another example, the one-way uploading system may be a means physically disposed between the vertex vi and the vertex vj to prevent a change of the data transmission direction. The one-way uploading system as a network element may maintain an edge direction in the original connection topology, thereby guaranteeing an evaluation, setting and a management validity of the security class.


In addition, the one-way uploading system may be implemented by other applications applicable to the field of network and communications, and a structure and an operation of the one-way uploading system that may be deduced by a person skilled in the art although not described in detail should be construed as being employed for embodiments.


Further, in operation 210, the vehicle security network design device may calculate an edge weight matrix W based on a difference in the ASIL class and a connection structure between the plurality of functional elements using the generated directed graph model. In a case of using a configuration in which the plurality of functional elements existing on the network in the vehicle is connected through the ECUs, the vehicle security network design device may use an undirected graph model. However, in an actual vehicle, rather than a simple connection relationship like data transmission and reception from a sensor to a controller or data transmission and reception from the controller to an actuator, a direction in which data is transmitted and received may exist. The vehicle security network design device may generate a more accurate risk analysis model using the directed graph model reflecting such data flow.


In further detail, the vehicle security network design device may calculate the edge weight matrix W using the following Equation 3 and Equation 4.

$$W = \begin{pmatrix} w_{0,0} & w_{0,1} & \cdots & w_{0,k-1} \\ w_{1,0} & w_{1,1} & \cdots & w_{1,k-1} \\ \vdots & \vdots & \ddots & \vdots \\ w_{k-1,0} & w_{k-1,1} & \cdots & w_{k-1,k-1} \end{pmatrix} \quad [\text{Equation 3}]$$





$$w_{i,j} = \begin{cases} A(v_j) - A(v_i) & \text{if } (v_i, v_j) \in E \\ \text{nil} & \text{otherwise} \end{cases} \quad [\text{Equation 4}]$$

A calculator in the vehicle security network design device may define a representative value A(vi) based on the ASIL class corresponding to each of the functional elements. For example, but not limited thereto, the representative value A(vi) may be “0” if the ASIL class of the vertex vi corresponding to the functional element is QM and be defined to return values of “1” through “4”, respectively, if the ASIL class is ASIL A through ASIL D. Further, wi,j (0≤i,j<k) denotes a difference between A(vi) and A(vj) with respect to the edge (vi,vj) and may be defined as expressed by Equation 4.


Further, the vehicle security network design device may generate a weighted, directed graph in which a difference in the representative value A(vi) corresponding to each edge is represented on a path of the edge. The generated weighted, directed graph will be described further with reference to the following drawings.


In operation 220, the vehicle security network design device may generate a transitive closure matrix T using the edge weight matrix W calculated in operation 210. In further detail, the calculator in the vehicle security network design device may calculate T such that each element is the total sum of the weights of all edges on a path between two arbitrary vertices. For example, the calculator may calculate the transitive closure matrix T as expressed by the following Equation 5 and Equation 6.









T = \begin{pmatrix}
t_{0,0} & t_{0,1} & \cdots & t_{0,k-1} \\
t_{1,0} & t_{1,1} & \cdots & t_{1,k-1} \\
\vdots & \vdots & \ddots & \vdots \\
t_{k-1,0} & t_{k-1,1} & \cdots & t_{k-1,k-1}
\end{pmatrix}   [Equation 5]

t_{i,j} = \begin{cases}
w_{i,j} & \text{if } (v_i, v_j) \in E \\
w_{i,x} + \cdots + w_{y,j} & \text{if } (v_i, v_x), \ldots, (v_y, v_j) \in E \\
\text{nil} & \text{otherwise}
\end{cases}   [Equation 6]







An element t_{i,j} (0 ≤ i, j < k) of the transitive closure matrix T calculated by the vehicle security network design device indicates the total sum of the weights of all edges on a path from the vertex v_i to the vertex v_j, as defined by Equation 6. In Equation 6, v_x through v_y denote the intermediate vertices on that path. If t_{i,j} is nil, no path exists from v_i to v_j; otherwise at least one path exists. Because every edge weight is the difference between the representative values of its end vertices (Equation 4), the sum along any path telescopes: w_{i,x} + ... + w_{y,j} = (A(v_x) − A(v_i)) + ... + (A(v_j) − A(v_y)) = A(v_j) − A(v_i). As a result, t_{i,j} always equals A(v_j) − A(v_i), and when two or more paths exist between the same pair of vertices, the sum of the edge weights on each path is the same.


In operation 230, the vehicle security network design device may calculate a device's controllability for each of the plurality of functional elements using the transitive closure matrix. In further detail, the calculator in the vehicle security network design device may take the maximum value in the row of the transitive closure matrix corresponding to a first vertex as the device's controllability of the functional element corresponding to the first vertex. Since t_{i,j} = A(v_j) − A(v_i), this maximum is the greatest difference in ASIL class between the first vertex and any vertex v_j (0 ≤ j < k) that is reachable from the first vertex by a path. A negative device's controllability is meaningless (no reachable element has a higher ASIL class than the element itself), so the vehicle security network design device regards a negative value as "0".
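Operations 210 to 230 as an added Python example; this is not code from the patent. The ASIL_VALUE mapping follows the representative values given on the page, while the function names, the constructed sample graph and the rule that an element reaching nothing gets DC 0 are assumptions. The exposed_elements helper implements the use described later on the page, listing the higher-ASIL elements reachable from a node assumed to be under threat.

```python
"""Operations 210 to 230 of the page in code: edge weight matrix W (Equations 3
and 4), transitive closure matrix T (Equations 5 and 6) and device's
controllability DC_i. Added example, not the patent's own implementation."""
from collections import deque

# Representative value A(v) of an ASIL class, as defined on the page.
ASIL_VALUE = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


def edge_weights(asil, edges):
    """Equation 4: w[i][j] = A(v_j) - A(v_i) if (v_i, v_j) is an edge, else None (nil).
    asil[i] is the ASIL class of vertex v_i; edges holds directed (i, j) pairs."""
    k = len(asil)
    w = [[None] * k for _ in range(k)]
    for i, j in edges:
        w[i][j] = ASIL_VALUE[asil[j]] - ASIL_VALUE[asil[i]]
    return w


def transitive_closure(w):
    """Equation 6: t[i][j] = sum of edge weights along a path from v_i to v_j,
    None if v_j is unreachable. A breadth-first walk from each vertex accumulates
    the weights; the diagonal is left nil as in Table 11 of the page."""
    k = len(w)
    t = [[None] * k for _ in range(k)]
    for i in range(k):
        total = {i: 0}
        queue = deque([i])
        while queue:
            x = queue.popleft()
            for y in range(k):
                if w[x][y] is None or y in total:
                    continue
                total[y] = total[x] + w[x][y]
                queue.append(y)
        for j, s in total.items():
            if j != i:
                t[i][j] = s
    return t


def paths_telescope(t, asil):
    """The property the page relies on: every defined t[i][j] equals
    A(v_j) - A(v_i), so the sum does not depend on which path was walked."""
    return all(
        v is None or v == ASIL_VALUE[asil[j]] - ASIL_VALUE[asil[i]]
        for i, row in enumerate(t)
        for j, v in enumerate(row)
    )


def controllability(t):
    """Operation 230: DC_i is the largest value in row i of T, negatives clamped to 0.
    Assumption: a vertex that reaches nothing (an all-nil row) gets DC 0."""
    dc = []
    for row in t:
        reachable = [v for v in row if v is not None]
        dc.append(max(0, max(reachable)) if reachable else 0)
    return dc


def exposed_elements(t, i):
    """Vertices reachable from v_i with a higher ASIL class than v_i, largest gap
    first: the elements to flag when a security threat is assumed at v_i."""
    hits = [(j, v) for j, v in enumerate(t[i]) if v is not None and v > 0]
    return sorted(hits, key=lambda jv: -jv[1])


# Constructed sample (not from the page): v5 is an HMI input, v0 a sensor feeding
# two controllers v1 and v2 that both drive actuator v3; v1 and v3 report to
# display v4. v0 -> v3 therefore has two paths, v0-v1-v3 and v0-v2-v3.
SAMPLE_ASIL = ["B", "D", "C", "D", "QM", "A"]
SAMPLE_EDGES = [(5, 0), (0, 1), (0, 2), (1, 3), (2, 3), (1, 4), (3, 4)]

if __name__ == "__main__":
    T = transitive_closure(edge_weights(SAMPLE_ASIL, SAMPLE_EDGES))
    for i, dc in enumerate(controllability(T)):
        print(f"v{i} ASIL {SAMPLE_ASIL[i]:>2}  DC{dc}  exposes {exposed_elements(T, i)}")
```

On the sample, v0 reaches v3 by two paths whose weights sum to 2 on both (2 + 0 and 1 + 1), which is exactly A(v3) − A(v0); the sensor v0 gets DC 2 and the low-ASIL HMI input v5, which can reach the two ASIL D controllers, gets DC 3, the highest exposure in the graph.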


The above description has provided the modeling algorithm and the graph model used by the vehicle security network design device to generate a risk analysis model. Hereinafter, an exemplary process of generating a risk analysis model in an in-vehicle networking (IVN) environment will be described in further detail.



FIG. 3 illustrates an example of a graph model of functional elements in a vehicle, generated by a vehicle security network design device according to an embodiment. Referring to FIG. 3, a graph model is shown that represents 23 functional elements v0 through v22 included in a vehicle, with the connection relationships between them as directed edges. The functional elements may be grouped into different functional regions of the vehicle. In an example, the first vertex v0 through the third vertex v2 may belong to a communication unit. In another example, the fourth vertex v3 through the seventh vertex v6 may belong to an infotainment unit. Similarly, the eighth vertex v7 through the fifteenth vertex v14 may belong to an advanced driver-assistance system (ADAS). Further, the seventeenth vertex v16 through the twentieth vertex v19 may belong to an engine. In addition, the twenty-first vertex v20 through the twenty-third vertex v22 may belong to a brake.


An ASIL class indicated in each vertex may represent an ASIL class assigned by a level assigner in a vehicle security network design device, as described with reference to FIG. 1. For example, but not limited thereto, each ASIL class may be evaluated based on the ISO 26262 standard.



FIG. 4 illustrates an example of a weighted, directed graph generated using a generated edge weight matrix according to an embodiment. Referring to FIG. 4, a weighted, directed graph generated with respect to the plurality of functional elements in the vehicle of FIG. 3 is illustrated. A vehicle security network design device may generate an edge weight matrix W indicating a difference in an ASIL class between two functional elements included in each edge according to Equation 3 and Equation 4.


The edge weight matrix W related to the plurality of functional elements in the vehicle in the example of FIG. 3 may be calculated as shown in the following Table 10.










TABLE 10  Edge weight matrix W for the graph of FIG. 3 (row i, column j; a nil entry is shown as a dot)

 i\j  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22
   0  .  0  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   1  0  .  1  .  .  0  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   2  . -1  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   3  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   4  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   5  .  0  . -1 -2  . -2  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   6  .  .  .  .  .  2  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   7  .  .  .  .  .  1  .  .  .  .  3  .  .  .  .  .  .  .  .  .  .  .  .
   8  .  .  .  .  .  2  .  .  .  .  4  .  .  .  .  .  .  .  .  .  .  .  .
   9  .  .  .  .  .  0  .  .  .  .  2  .  .  .  .  .  .  .  .  .  .  .  .
  10  .  .  .  .  .  .  .  .  .  .  .  . -1  0  0  .  .  .  .  .  .  .  .
  11  .  .  .  .  .  .  .  .  .  .  1  .  .  1  .  .  .  .  .  .  .  .  .
  12  .  .  .  .  .  . -3  .  .  .  .  .  .  1  1  .  .  .  .  .  .  .  .
  13  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  1  .  .  1  .  .
  14  .  .  .  .  .  . -4  .  .  .  .  .  .  0  .  .  .  .  .  .  .  .  .
  15  .  .  .  .  .  .  .  .  .  .  .  .  1  2  2  .  .  .  .  .  .  .  .
  16  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  2  .  .  .  .  .
  17  .  .  .  .  .  . -4  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
  18  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  3  .  .  .  .  .
  19  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  2  .  .  .  .  .
  20  .  .  .  .  .  . -4  .  .  .  .  .  .  .  .  .  .  0  .  .  .  .  .
  21  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  2  .  .
  22  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  3  .  .


For example, the ASIL classes of the tenth vertex v9 and the eleventh vertex v10 may be assigned as ASIL B and ASIL D, respectively. In this example, with respect to the representative value A(v_i) corresponding to an ASIL class, A(v9) is "2" and A(v10) is "4". Accordingly, the vehicle security network design device calculates the element w_{9,10} = A(v10) − A(v9) of the edge weight matrix W to be "2". Similarly, the vehicle security network design device calculates the value of each element of the edge weight matrix W. A value of nil is a non-existent value (no edge between the two vertices) and is shown as a dot in Table 10.


The weighted, directed graph of FIG. 4 may include 23 vertices. Further, the weighted, directed graph may further include edges representing data transmission and reception relationships of functional elements respectively corresponding to the 23 vertices. The edges may each include any one of a one-way edge and a two-way edge. In addition, the weighted, directed graph may represent a difference between representative values A(vi) corresponding to ASIL classes of two vertices connected along the edge on a path of the edge.



FIG. 5 illustrates an example of a directed graph reflecting a device's controllability according to an embodiment. According to Equation 5 and Equation 6, a vehicle security network design device may calculate a transitive closure matrix T using the weighted, directed graph described with reference to FIG. 4. For example, referring to the graph of FIG. 4, there may exist two shortest paths from the tenth vertex v9 to the fourteenth vertex v13. In further detail, a first path p1 passes through the vertices v9, v10 and v13, and a second path p2 passes through the vertices v9, v12 and v13.


Accordingly, a calculator in the vehicle security network design device may calculate the element t_{9,13} = w_{9,10} + w_{10,13} = w_{9,12} + w_{12,13} of the transitive closure matrix T to be "2". As described above, irrespective of the path taken, the element t_{i,j} always evaluates to A(v_j) − A(v_i), so both paths yield the same value. For example, the transitive closure matrix T calculated from the weighted, directed graph of FIG. 4 may be as shown in the following Table 11.










TABLE 11  Transitive closure matrix T for the graph of FIG. 4 (row i, column j; a nil entry is shown as a dot)

 i\j  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22
   0  .  0  1 -1 -2  0 -2  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   1  0  .  1 -1 -2  0 -2  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   2 -1 -1  . -2 -3 -1 -3  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   3  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   4  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   5  0  0  1 -1 -2  . -2  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   6  2  2  3  1  0  2  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
   7  1  1  2  0 -1  1 -1  .  .  .  3  .  2  3  3  .  .  3  .  .  3  .  .
   8  2  2  3  1  0  2  0  .  .  .  4  .  3  4  4  .  .  4  .  .  4  .  .
   9  0  0  1 -1 -2  0 -2  .  .  .  2  .  1  2  2  .  .  2  .  .  2  .  .
  10 -2 -2 -1 -3 -4 -2 -4  .  .  .  .  . -1  0  0  .  .  0  .  .  0  .  .
  11 -1 -1  0 -2 -3 -1 -3  .  .  .  1  .  0  1  1  .  .  1  .  .  1  .  .
  12 -1 -1  0 -2 -3 -1 -3  .  .  .  .  .  .  1  1  .  .  1  .  .  1  .  .
  13 -2 -2 -1 -3 -4 -2 -4  .  .  .  .  .  .  .  .  .  .  0  .  .  0  .  .
  14 -2 -2 -1 -3 -4 -2 -4  .  .  .  .  .  .  0  .  .  .  0  .  .  0  .  .
  15  0  0  1 -1 -2  0 -2  .  .  .  .  .  1  2  2  .  .  2  .  .  2  .  .
  16  0  0  1 -1 -2  0 -2  .  .  .  .  .  .  .  .  .  .  2  .  .  .  .  .
  17 -2 -2 -1 -3 -4 -2 -4  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
  18  1  1  2  0 -1  0 -1  .  .  .  .  .  .  .  .  .  .  3  .  .  .  .  .
  19  0  0  1 -1 -2  0 -2  .  .  .  .  .  .  .  .  .  .  2  .  .  .  .  .
  20 -2 -2 -1 -3 -4 -2 -4  .  .  .  .  .  .  .  .  .  .  0  .  .  .  .  .
  21  0  0  1 -1 -2  0 -2  .  .  .  .  .  .  .  .  .  .  2  .  .  2  .  .
  22  1  1  2  0 -1  0 -1  .  .  .  .  .  .  .  .  .  .  3  .  .  3  .  .


Further, the vehicle security network design device may calculate a device's controllability (DC) for each of the functional elements using the transitive closure matrix of Table 11, denoting the device's controllability of a vertex v_i as DC_i. For example, to calculate the device's controllability of the tenth vertex v9, the vehicle security network design device takes the greatest value in the tenth row. In further detail, the values t_{9,j} in the tenth row of the transitive closure matrix of Table 11 are 0, 0, 1, −1, −2, . . . , 2, and the vehicle security network design device assigns "2", the greatest of them, as DC9. In this example, the device's controllability takes one of 5 classes, from DC_i = 0 (least difference in ASIL class) to DC_i = 4 (greatest difference in ASIL class). However, the above description of the device's controllability classes is provided as an example only, for better understanding of the disclosure, and should not be construed as limiting or restricting the scope of other embodiments. For example, it is obvious to a person skilled in the art that finer or coarser device's controllability classes may be assigned depending on the needs of a designer. FIG. 5 illustrates the graph model reflecting the device's controllabilities of all functional elements in the vehicle as calculated by the vehicle security network design device.



FIG. 6 illustrates an example of a connection relationship of functional elements included in a vehicle according to an embodiment. A vehicle security network design device may receive data information exchanged between modules included in a predesigned vehicle as shown in the following Table 12.














TABLE 12  Functional elements, ASIL classes and data exchange (columns of the original: Domain, No, Functional element, ASIL class, Data reception (Receiving From), Data transmission (Sending To))

ADAS (620)
  a0  Adaptive cruise control          ASIL D
      Receiving from: s0. steer wheel angle; s1. wheel speed of each wheel; s3. front vehicle tracking info; s5. front vehicle track info, lane info
      Sending to:     p0. throttle command; b1. brake pressure command; h0. set speed, headway gap info
  a1  Lane departure warning system    ASIL D
      Receiving from: s0. steer wheel angle; s1. wheel speed of each wheel; s6. lane info
      Sending to:     h0. warning
  a2  Lane keeping (assist) system     ASIL D
      Receiving from: s0. steer wheel angle; s1. wheel speed of each wheel; s5. lane info; s6. yaw rate, lateral acceleration
      Sending to:     b1. braking pressure; e0. steering torque; h0. warning
  a3  Highway drive assist system      ASIL D
      Receiving from: s0. steer wheel angle; s1. wheel speed of each wheel; s3. front vehicle tracking info; s5. front vehicle track info, lane info; s6. lateral acceleration, yaw rate; h1. road condition
      Sending to:     b1. braking pressure; p0. throttle command; e0. steering torque/target angle; h0. current set speed, warning
  a4  Active front lighting system     ASIL B
      Receiving from: s0. steer wheel angle; s1. wheel speed of each wheel; s3. front vehicle tracking info; s5. front vehicle track info, lane info
      Sending to:     h0. high beam info
  a5  Auto parking system              ASIL D
      Receiving from: s0. steer wheel angle; s1. wheel speed of each wheel; s4. surrounding vehicle info; s6. yaw rate
      Sending to:     p0. throttle command; p1. gear engage command (P/R/D); b1. brake pressure command; b0. parking brake enable; t0. target steering wheel angle; h0. current parking space info

Chassis (640)
  c0  Traction control                 ASIL C
      Receiving from: s0. steering wheel angle; s1. wheel speed; s6. longitudinal acceleration
      Sending to:     p0. throttle command; p1. transmission command (clutch (dis)engage); b1. target brake pressure; h0. intervention info
  c1  Anti-lock braking system         ASIL D
      Receiving from: s1. wheel speed info
      Sending to:     b1. target brake pressure; p1. transmission command (clutch control); h0. intervention info
  c2  Active damping system            ASIL C
      Receiving from: s0. steering wheel angle; s1. wheel speed info; s6. yaw rate, lateral acceleration, longitudinal acceleration
      Sending to:     (embedded actuator) target damping coefficient
  c3  Electronic stability system      ASIL D
      Receiving from: s0. steering wheel angle; s1. wheel speed info; s6. yaw rate, lateral acceleration
      Sending to:     b1. target brake pressure; h0. intervention info

Brake (650)
  b0  Electronic parking brake system  ASIL B
      Receiving from: a5. auto parking system
      Sending to:     h0. parking brake status
  b1  Electronic brake control         ASIL D
      Receiving from: a0. adaptive cruise control; a2. lane keeping (assist) system; a3. highway drive assist system; a5. auto parking system; c0. traction control; c1. anti-lock braking system; c3. electronic stability system
      Sending to:     (blank in the source table)

HMI (630)
  h0  Dashboard, cluster unit          ASIL A
      Receiving from: described in the ADAS and chassis modules
  h1  Infotainment system              ASIL B
      Sending to:     described in the ADAS module

Powertrain (650)
  p0  Engine management system         ASIL D
      Receiving from: described in the ADAS and chassis modules
  p1  Transmission control system      ASIL D
      Receiving from: described in the ADAS and chassis modules

Sensor (610)
  s0  Steering wheel sensor            ASIL C
      Sending to:     described in the ADAS and chassis modules
  s1  Wheel speed sensor               ASIL C
      Sending to:     described in the ADAS and chassis modules
  s2  Tire pressure sensor             ASIL A
      Sending to:     described in the ADAS and chassis modules
  s3  RADAR                            ASIL D
      Sending to:     described in the ADAS and chassis modules
  s4  Ultrasonic sensor                ASIL A
      Sending to:     described in the ADAS and chassis modules
  s5  Vision (camera and tracking module)   ASIL D
      Sending to:     described in the ADAS and chassis modules
  s6  Inertial sensor (acceleration, yaw rate)   ASIL C
      Sending to:     described in the ADAS and chassis modules

Steer (650)
  t0  Electronic power steering        ASIL D
      Receiving from: described in the ADAS and chassis modules









Referring to FIG. 6, a schematic example of wired and wireless networking in the vehicle defined as shown in Table 12 is illustrated.



FIG. 7A illustrates a directed graph model generated by a vehicle security network design device according to an embodiment. Referring to FIG. 7A, a directed graph model which represents ASIL classes and a connection relationship between a plurality of functional elements in wired and wireless networks in the vehicle defined as shown in Table 12 and FIG. 6 is illustrated.



FIG. 7B illustrates a graph model reflecting a device's controllability from the directed graph model generated in FIG. 7A. A vehicle security network design device may calculate an edge weight matrix W and a transitive closure matrix T from the directed graph model described with reference to FIG. 7A. Further, the vehicle security network design device may calculate a device's controllability DCi corresponding to each of functional elements using the transitive closure matrix T. The description provided above may apply to the process of calculating the device's controllability, and thus duplicate description will be omitted.


Referring to FIG. 7B, device's controllabilities DCi with respect to remaining functional elements, except for DC3 of a tire pressure sensor s2, DC1 of a radar s3, DC1 of an ultrasonic sensor s4, DC1 of a vision sensing module s5 and DC1 of an anti-lock braking system c1, may be calculated to be “0”.


The modeling algorithm for the risk analysis model described in this example may be used to evaluate the device's controll
abilities of ECUs in the vehicle and to selectively identify the devices that would be affected when a security threat to a given device occurs on the network. For example, if a security threat is assumed at a predetermined node such as s2 or s3, the vehicle security network design device may select, among the functional elements reachable from that node, those with a higher ASIL class and highlight them on the user's display. In a system with a large IVN, it is not practical to analyze the functional elements with security vulnerabilities manually one by one. The vehicle security network design device may instead inspect them in advance using a simulator that applies the modeling algorithm of the risk analysis model, thereby increasing safety.


The vehicle security network design device may calculate a likelihood of risk occurrence with respect to each of the plurality of functional elements in the vehicle, an ASIL which provides a risk management standard with respect to each of the plurality of functional elements and a device's controllability with respect to each of the plurality of functional elements. Further, a manager in the vehicle security network design device may generate a risk analysis model of the plurality of functional elements based on the likelihood, the ASIL and the device's controllability. For example, with respect to the IVN suggested as shown in Table 12, the vehicle security network design device may generate a risk analysis model as shown in the following Table 13.











TABLE 13  Risk analysis model: secure ASIL (S-ASIL) from ASIL class, device's controllability and risk occurrence likelihood

ASIL     Device's          Risk occurrence likelihood
class    controllability   D1         D2         D3         D4
QM       DC0               QM         QM         QM         QM
         DC1               QM         QM         QM         S-ASIL A
         DC2               QM         QM         S-ASIL A   S-ASIL B
         DC3               QM         S-ASIL A   S-ASIL B   S-ASIL C
         DC4               S-ASIL A   S-ASIL B   S-ASIL C   S-ASIL D
ASIL A   DC0               QM         QM         QM         S-ASIL A
         DC1               QM         QM         S-ASIL A   S-ASIL B
         DC2               QM         S-ASIL A   S-ASIL B   S-ASIL C
         DC3               S-ASIL A   S-ASIL B   S-ASIL C   S-ASIL D
ASIL B   DC0               QM         QM         S-ASIL A   S-ASIL B
         DC1               QM         S-ASIL A   S-ASIL B   S-ASIL C
         DC2               S-ASIL A   S-ASIL B   S-ASIL C   S-ASIL D
ASIL C   DC0               QM         S-ASIL A   S-ASIL B   S-ASIL C
         DC1               S-ASIL A   S-ASIL B   S-ASIL C   S-ASIL D
ASIL D   DC0               S-ASIL A   S-ASIL B   S-ASIL C   S-ASIL D









In Table 13, QM may indicate a basic quality without a special requirement. In a direction from S-ASIL A to S-ASIL D, a standard required for security threat related risk management with respect to a class may become higher.


A secure-ASIL (S-ASIL) may be a risk analysis class assigned by the vehicle security network design device and indicate a risk analysis class of each of the plurality of functional elements calculated based on the likelihood, the ASIL and the device's controllability. According to the present embodiment, an effect of increasing the safety of security may be expected in that functional elements vulnerable to security threats may be evaluated based on a device's controllability even with respect to a networking system in a complex vehicle.
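Table 13 as an added Python example, not the patent's own code: a lookup of the S-ASIL from ASIL class, device's controllability and likelihood D1 through D4, beside a closed form that is my reading of the table rather than a formula the page states (every cell equals A(v) + DC + d − 4, clipped to the range QM to S-ASIL D, where d is the likelihood index). The single cell the page prints as "ASIL B" (ASIL A, DC3, D2) is transcribed as S-ASIL B; the function names and the D2 likelihood used in the usage line are assumptions.

```python
"""Table 13 of the page as a function: the secure ASIL (S-ASIL) a functional element
receives from its ASIL class, its device's controllability DC and its risk
occurrence likelihood D1..D4. Added example, not the page's own code. The closed
form is an observed pattern of the table, not a formula the page gives."""

ASIL_VALUE = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}
S_ASIL = ["QM", "S-ASIL A", "S-ASIL B", "S-ASIL C", "S-ASIL D"]

# Table 13 transcribed: (ASIL class, DC) -> outcomes for likelihood D1, D2, D3, D4.
TABLE_13 = {
    ("QM", 0): ("QM", "QM", "QM", "QM"),
    ("QM", 1): ("QM", "QM", "QM", "S-ASIL A"),
    ("QM", 2): ("QM", "QM", "S-ASIL A", "S-ASIL B"),
    ("QM", 3): ("QM", "S-ASIL A", "S-ASIL B", "S-ASIL C"),
    ("QM", 4): ("S-ASIL A", "S-ASIL B", "S-ASIL C", "S-ASIL D"),
    ("A", 0): ("QM", "QM", "QM", "S-ASIL A"),
    ("A", 1): ("QM", "QM", "S-ASIL A", "S-ASIL B"),
    ("A", 2): ("QM", "S-ASIL A", "S-ASIL B", "S-ASIL C"),
    ("A", 3): ("S-ASIL A", "S-ASIL B", "S-ASIL C", "S-ASIL D"),
    ("B", 0): ("QM", "QM", "S-ASIL A", "S-ASIL B"),
    ("B", 1): ("QM", "S-ASIL A", "S-ASIL B", "S-ASIL C"),
    ("B", 2): ("S-ASIL A", "S-ASIL B", "S-ASIL C", "S-ASIL D"),
    ("C", 0): ("QM", "S-ASIL A", "S-ASIL B", "S-ASIL C"),
    ("C", 1): ("S-ASIL A", "S-ASIL B", "S-ASIL C", "S-ASIL D"),
    ("D", 0): ("S-ASIL A", "S-ASIL B", "S-ASIL C", "S-ASIL D"),
}


def has_table_row(asil, dc):
    """Rows with A(v) + DC > 4 are absent from Table 13. They cannot occur, because
    DC is the ASIL gap to the highest reachable element and that is at most ASIL D."""
    return (asil, dc) in TABLE_13


def s_asil_from_table(asil, dc, likelihood):
    """Literal lookup; likelihood is 1..4 for D1..D4."""
    if not 1 <= likelihood <= 4:
        raise ValueError("likelihood must be 1..4 (D1..D4)")
    if not has_table_row(asil, dc):
        raise ValueError(f"no Table 13 row for ASIL {asil} with DC{dc}")
    return TABLE_13[(asil, dc)][likelihood - 1]


def s_asil_closed_form(asil, dc, likelihood):
    """Observed pattern: S-ASIL index = A(v) + DC + d - 4 clipped to 0..4, i.e. the
    ASIL of the highest reachable element, lowered by one step per likelihood
    class below D4."""
    index = ASIL_VALUE[asil] + dc + likelihood - 4
    return S_ASIL[min(4, max(0, index))]


def table_matches_closed_form():
    """True if the closed form reproduces every cell of the transcribed table."""
    return all(
        s_asil_from_table(asil, dc, d) == s_asil_closed_form(asil, dc, d)
        for (asil, dc) in TABLE_13
        for d in range(1, 5)
    )


if __name__ == "__main__":
    # Tire pressure sensor s2 of FIG. 7B: ASIL A with DC3; likelihood D2 is assumed.
    print(s_asil_from_table("A", 3, 2), table_matches_closed_form())
```

The practical consequence of the closed form is that a low-ASIL element is rated by what it can reach, not by itself: the ASIL A tire pressure sensor with DC3 lands in the same row as an ASIL D element with DC0, so a QM or ASIL A node that feeds safety-critical controllers needs the same security treatment as those controllers once its attack likelihood is high.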


The embodiments described herein may be implemented using hardware components, software components, and/or a combination thereof. For example, the processing device and the component described herein may be implemented using one or more general-purpose or special purpose computers, such as, for example, a processor, a controller and an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA), a programmable logic unit (PLU), a microprocessor, or any other device capable of responding to and executing instructions in a defined manner. The processing device may run an operating system (OS) and one or more software applications that run on the OS. The processing device also may access, store, manipulate, process, and create data in response to execution of the software. For purposes of simplicity, the description of a processing device is used in the singular; however, one skilled in the art will appreciate that a processing device may include multiple processing elements and/or multiple types of processing elements. For example, a processing device may include multiple processors or a processor and a controller. In addition, different processing configurations are possible, such as parallel processors.


The software may include a computer program, a piece of code, an instruction, or some combination thereof, to independently or collectively instruct and/or configure the processing device to operate as desired, thereby transforming the processing device into a special purpose processor. Software and data may be embodied permanently or temporarily in any type of machine, component, physical or virtual equipment, computer storage medium or device, or in a propagated signal wave capable of providing instructions or data to or being interpreted by the processing device. The software also may be distributed over network coupled computer systems so that the software is stored and executed in a distributed fashion. The software and data may be stored by one or more non-transitory computer readable recording mediums.


The methods according to the above-described example embodiments may be recorded in non-transitory computer-readable media including program instructions to implement various operations of the above-described example embodiments. The media may also include, alone or in combination with the program instructions, data files, data structures, and the like. The program instructions recorded on the media may be those specially designed and constructed for the purposes of example embodiments, or they may be of the kind well known and available to those having skill in the computer software arts. Examples of non-transitory computer-readable media include magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM discs, DVDs, and/or Blu-ray discs; magneto-optical media such as optical discs; and hardware devices that are specially configured to store and perform program instructions, such as read-only memory (ROM), random access memory (RAM), flash memory (e.g., USB flash drives, memory cards, memory sticks, etc.), and the like. Examples of program instructions include both machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter. The above-described devices may be configured to act as one or more software modules in order to perform the operations of the above-described example embodiments, or vice versa.


A number of example embodiments have been described above. Nevertheless, it should be understood that various modifications may be made to these example embodiments. For example, suitable results may be achieved if the described techniques are performed in a different order and/or if components in a described system, architecture, device, or circuit are combined in a different manner and/or replaced or supplemented by other components or their equivalents.

Claims
  • 1.-10. (canceled)
  • 11. A method of calculating a device's controllability of a functional element in a vehicle, the method comprising: calculating an edge weight matrix indicating a connection state of a plurality of functional elements in a vehicle based on a difference in automobile safety integrity level (ASIL) and a connection structure between the plurality of functional elements;calculating a transitive closure matrix indicating a sum of weights of at least one edge included in a path between two random vertices using the edge weight matrix; andcalculating a device's controllability of a functional element corresponding to a first vertex based on the ASIL of each of at least one vertex having a path connected from the first vertex.
  • 12. The method of claim 11, wherein the calculating of the edge weight matrix further comprises generating vertices corresponding to the plurality of functional elements, and generating a graph including an edge indicating whether data is transmitted and received between two random vertices.
  • 13. The method of claim 12, wherein the generating of the graph including the edge comprises generating the graph including any one of a one-way edge and a two-way edge based on a data transmission and reception direction between the two random vertices.
  • 14. The method of claim 13, wherein the generating of the graph including the edge comprises generating a weighted, directed graph in which a difference in the ASIL between the two vertices corresponding to each edge is represented on a path of the each edge.
  • 15. The method of claim 11, wherein the calculating of the device's controllability comprises calculating a maximum value among values of a first row of the transitive closure matrix corresponding to the first vertex as the device's controllability of the functional element corresponding to the first vertex.
  • 16. The method of claim 11, wherein the calculating of the device's controllability comprises calculating a difference in the ASIL between the first vertex and a second vertex as the device's controllability of the functional element corresponding to the first vertex, the second vertex among at least one vertex having a path connected from the first vertex, and the second vertex is a vertex which maximizes the difference in the ASIL from the first vertex.
  • 17. A program stored in a computer-readable medium, the program including an instruction set to perform a vehicle security network design method, the instruction set comprising: an instruction set configured to assign a likelihood of risk occurrence with respect to each of a plurality of functional elements in a vehicle;an instruction set configured to assign an automobile safety integrity level (ASIL) related to a risk management standard with respect to each of the plurality of functional elements in the vehicle;an instruction set configured to calculate a device's controllability with respect to each of the plurality of functional elements based on a difference in the ASIL and a connection structure between the plurality of functional elements; and an instruction set configured to generate a risk analysis model of the plurality of functional elements based on the likelihood, the ASIL and the device's controllability.
Priority Claims (1)
Number Date Country Kind
10-2016-0006534 Jan 2016 KR national
CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a U.S. National Phase of International Patent Application Serial No. PCT/KR2017/000652 entitled “VEHICLE SECURITY NETWORK DEVICE AND METHOD FOR CONTROLLING SAME,” filed on Jan. 19, 2017. International Patent Application Serial No. PCT/KR2017/000652 claims priority to Korean Patent Application No. 10-2016-0006534, filed on Jan. 19, 2016. The entire contents of each of the above-cited applications are hereby incorporated by reference in their entirety for all purposes.

Divisions (1)
Number Date Country
Parent 16071002 Oct 2018 US
Child 17033179 US