JP7728063B2 - Log management device, log management method, and log management program - Google Patents

Description

The present invention relates to a log management device mounted on a mobile vehicle that manages logs generated by security sensors, as well as a log management method and a log management program executed by the log management device.

In recent years, technologies for driver assistance and autonomous driving control, including V2X (vehicle-to-everything) technologies such as vehicle-to-vehicle and vehicle-to-infrastructure communications, have been attracting attention. As a result, vehicles are increasingly equipped with communication functions, and so-called vehicle connectivity is on the rise. As a result, the possibility of vehicles becoming subject to cyberattacks is increasing.

When a cyberattack occurs against a vehicle, there is a risk that the attack could impair vehicle control, so it is important to analyze the incident in order to prevent this beforehand or to quickly respond to and recover from the attack. For example, as disclosed in Patent Document 1, it is known that a server device with abundant resources collects and analyzes logs generated by on-board devices.

Japanese Patent Application Laid-Open No. 2019-175017

However, if the communication environment between the vehicle and the server device is poor and the logs generated by the on-board device cannot be sent to the server device, the on-board device must manage and store the logs until it is able to send them to the server device.

If the inability to send logs generated by the in-vehicle device to the server device continues for a long period of time, many logs that should be sent to the server device may accumulate in the memory installed in the in-vehicle device, and the memory may reach its capacity. As a result, newly acquired logs may be discarded without being able to be saved in memory, or important logs saved in memory may be overwritten, making it impossible to collect logs necessary for analyzing incidents such as external attacks.

The present invention aims to provide a log management device or the like that can properly manage and store logs necessary for analyzing incidents such as external attacks or abnormalities occurring in on-board devices in situations where logs generated by on-board devices cannot be sent to a server device until they are sent to the server device.

The log management device (100, 200) of the present disclosure is a log management device mounted on a mobile body, and has a log acquisition unit (101) that acquires logs generated by a security sensor mounted on the mobile body, a transmission possibility determination unit (105) that determines whether the log can be transmitted outside the mobile body, and a storage area consisting of a first area and a second area, wherein the first area is an area in which overwriting of a first log, which is a log stored in the first area, is prohibited and to which a first storage capacity is allocated out of the storage capacity of the storage area, and the second area is an area in which overwriting of a second log, which is a log stored in the second area, is permitted and to which a first storage capacity of the storage area is allocated. The system includes a memory (102) that is an area allocated with a second storage capacity; a log storage area determination unit (106) that, when the transmission possibility determination unit determines that the log cannot be transmitted, determines the importance of the log and determines the first area as the log storage area in which to store the log if the importance is higher than a predetermined importance, or the second area if the importance is lower than the predetermined importance; and a memory control unit (107) that, when the free space in the log storage area is less than the data volume of the log, increases the allocation ratio of the log storage area to the storage capacity and stores the log in the log storage area.

Note that the numbers in parentheses attached to the constituent elements of the invention described in the claims and this section indicate the correspondence between the present invention and the embodiments described below, and are not intended to limit the present invention.

With the above-described configuration, even in situations where logs generated by an in-vehicle device cannot be sent to a server device, logs that are highly necessary for analysis by the server device can be stored without being lost until they are sent to the server device.

FIG. 1 is a diagram illustrating an example of the configuration of a log collection system according to each embodiment. FIG. 1 is a diagram illustrating an example of the configuration of an electronic control system including a log management device according to each embodiment. FIG. 1 is a block diagram illustrating an example of the configuration of a log management device according to a first embodiment. FIG. 1 is a diagram illustrating a memory of a log management device according to first and second embodiments. FIG. 1 is a diagram illustrating the operation of the log management device according to the first and second embodiments. FIG. 1 is a diagram illustrating the operation of the log management device according to the first and second embodiments. FIG. 1 is a diagram illustrating the operation of the log management device according to the first and second embodiments. FIG. 1 is a diagram illustrating the operation of the log management device according to the first and second embodiments. FIG. 10 is a block diagram showing an example of the configuration of a log management device according to a second embodiment. FIG. 10 is a diagram illustrating a memory according to a modified example of each embodiment.

Embodiments of the present invention will be described below with reference to the drawings.

The present invention refers to the inventions described in the claims or in the Summary of the Invention section, and is not limited to the following embodiments. Furthermore, at least the words in quotation marks refer to the words described in the claims or in the Summary of the Invention section, and are also not limited to the following embodiments.

Configurations and methods recited in dependent claims are optional configurations and methods in the invention recited in the independent claims. Configurations and methods of embodiments corresponding to configurations and methods recited in dependent claims, as well as configurations and methods recited only in embodiments without being recited in the claims, are optional configurations and methods in the present invention. Configurations and methods recited in embodiments where the recitation of the claims is broader than the recitation of the embodiments are also optional configurations and methods in the present invention, in the sense that they are examples of configurations and methods of the present invention. In either case, by being recited in an independent claim, they become essential configurations and methods of the present invention.

The effects described in the embodiments are those obtained when the configuration of the embodiment is an example of the present invention, and are not necessarily the effects of the present invention.

When there are multiple embodiments, the configurations disclosed in each embodiment are not limited to that embodiment alone, but can be combined across the embodiments. For example, a configuration disclosed in one embodiment may be combined with another embodiment. Also, the configurations disclosed in multiple embodiments may be collected and combined.

The problem described as the problem to be solved by the invention is not a publicly known problem, but was discovered independently by the inventor, and this fact, together with the configuration and method of the present invention, affirms the inventive step of the invention.

1. Configuration common to each embodiment (1) Overall configuration of the log collection system The overall configuration of the log collection system 1 common to each embodiment will be described using Figure 1. The log collection system S is composed of an electronic control system 1 "mounted" on a vehicle, which is a "mobile body," and a server device 2 located outside the vehicle. The electronic control system 1 and the server device 2 communicate with each other via a communication network 3.

Here, "mobile body" refers to an object that can move at any speed. It also naturally includes cases where the moving body is stationary. Examples include, but are not limited to, automobiles, motorcycles, bicycles, pedestrians, ships, aircraft, and objects mounted on these vehicles.
"Mounted" includes not only cases where the device is directly fixed to the mobile body, but also cases where the device is not fixed to the mobile body but moves with the mobile body. For example, cases where the device is carried by a person riding on the mobile body, or cases where the device is mounted on cargo placed on the mobile body, are included.

The configuration of the electronic control system 1 is described in detail below. In each of the following embodiments, the electronic control system 1 is described as an in-vehicle system installed in a vehicle. However, the electronic control system 1 is not limited to an in-vehicle system.

The server device 2 collects logs from the electronic control system 1 and analyzes cyber attacks and abnormalities that occur in the electronic control system 1. The server device 2 may be, for example, a workstation or a personal computer (PC), but may also be an electronic control unit (ECU), a semiconductor circuit element, a smartphone, a mobile phone, etc.

The communication network 3 may be a wireless communication network or a wired communication network. For wireless communication, standards such as IEEE 802.11 (Wi-Fi (registered trademark)), IEEE 802.16 (WiMAX (registered trademark)), W-CDMA (Wideband Code Division Multiple Access), HSPA (High Speed Packet Access), LTE (Long Term Evolution), LTE-A (Long Term Evolution Advanced), 4G, and 5G can be used. Alternatively, DSRC (Dedicated Short Range Communication) can be used. For wired communication, standards such as a LAN (Local Area Network), the Internet, or a fixed telephone line can be used. The wireless communication network may combine wireless and wired communication. For example, the electronic control system 1 and a base station device in a cellular system may be connected via wireless communication, while the base station device and the server device 2 may be connected via a wired communication system such as a telecommunications carrier's trunk line or the Internet.

(2) Configuration of Electronic Control System 1

The configuration of the electronic control system 1 will be explained using Figure 2. The electronic control system 1 has a central gateway device (hereinafter referred to as CGW) 10, an external communication electronic control unit (hereinafter referred to as external communication ECU) 11, an electronic control unit (hereinafter referred to as ECU) 12, and a network 13 connecting these.

The CGW 10 is an electronic control device that relays communications between the external communication ECU 11 and ECU 12, or between ECUs 12, via the network 13. In each embodiment described below, it is assumed that the CGW 10 functions as a log management device (100, 200). However, any of the electronic control devices that make up the electronic control system 1 may also function as a log management device.

The external communication ECU 11 is an electronic control unit that communicates with the server device 2 using the communication network 3.

ECU 12 is an electronic control unit that realizes various vehicle functions. Any ECU can be assigned to ECU 12. Examples include drive system electronic control units that control the engine, steering, brakes, etc., body electronic control units that control meters, power windows, etc., information system electronic control units such as navigation systems, and safety control system electronic control units that perform control to prevent collisions with obstacles or pedestrians.

ECU12 is equipped with a security sensor that monitors each ECU itself and its communications. The security sensor monitors the ECU itself and its communications, detects external attacks or abnormalities, and generates a security log (hereinafter referred to as "log"). The log generated by the security sensor contains information indicating the occurrence of an external attack or abnormality. The security sensor may also generate a log indicating that no attack or abnormality has occurred and that the ECU itself and its communications are in a normal state. The log may further include information indicating the time the security sensor generated the log, and information identifying the security sensor that generated the log or the ECU in which the security sensor is installed. The log generated by the security sensor is sent to CGW10.

Although not shown in FIG. 2, each ECU 12 may be provided with a log filter that selects logs generated by the security sensor. The log filter, for example, selects logs indicating the occurrence of an attack or abnormality from the logs generated by the security sensor, and transmits only the selected logs to the CGW 10.

Network 13 is a network that connects CGW 10, external communication ECU 11, and ECU 12. In each of the embodiments described below, network 13 is an in-vehicle network, and any communication method can be used, such as CAN (Controller Area Network) or LIN (Local Interconnect Network), as well as Ethernet (registered trademark), Wi-Fi (registered trademark), Bluetooth (registered trademark), etc.

2. First Embodiment (1) Configuration of Log Management Device 100 The configuration of the log management device 100 of this embodiment will be described with reference to Fig. 3. The log management device 100 includes a log acquisition unit 101, a memory 102, a control unit 103, and a transmission unit 104. The control unit 103 also implements a transmission permission determination unit 105, a log storage area determination unit 106, and a memory control unit 107.

The log management device 100 of this embodiment, which is the CGW 10, can be configured with a general-purpose CPU (Central Processing Unit), volatile memory such as RAM, non-volatile memory such as ROM, flash memory, or a hard disk, various interfaces, and an internal bus connecting these. By executing software on this hardware, it can be configured to perform the functions of each functional block shown in Figure 3. Of course, the log management device 100 can also be implemented with dedicated hardware such as an LSI.

In this embodiment, the log management device 100 is assumed to be in the form of a semi-finished electronic control unit (ECU (Electric Control Unit), hereafter abbreviated as ECU), but is not limited to this. For example, components may take the form of semiconductor circuits or semiconductor modules, and finished products may take the form of personal computers (PCs), smartphones, mobile phones, and navigation systems.

The log acquisition unit 101 acquires logs generated by security sensors provided in each ECU 12. Although not shown in FIG. 3, the logs acquired by the log acquisition unit 101 are stored in a buffer (not shown), and may then be saved in memory 102 (described below) or transmitted from the transmission unit 104.

Memory 102 stores the logs acquired by log acquisition unit 101. The memory 102 described in the following embodiments is assumed to be non-volatile memory, but may also be configured as volatile memory.

Figure 4 is a diagram illustrating the memory 102. The memory 102 has a storage area A with a predetermined storage capacity. This storage area A is an area consisting of a first area A1 and a second area A2, and stores logs acquired by the log acquisition unit 101.

The first area A1 is allocated a first storage capacity from the storage capacity of storage area A. The first storage capacity is determined by the allocation ratio of the first area A1 to the storage capacity of storage area A. Overwriting the log stored in the first area A1 (corresponding to the "first log") is prohibited.

The second area A2 is allocated a second storage capacity from the storage capacity of storage area A. The second storage capacity is determined by the allocation ratio of the second area A2 to the storage capacity of storage area A. It is possible to overwrite the log stored in the second area A2 (corresponding to the "second log").

Here, the allocation ratio of the storage capacity of storage area A to the first area A1 and the allocation ratio of the storage capacity of storage area A to the second area A2 can be changed to any value. The allocation ratios to the first area A1 and the second area A2 are controlled by the memory control unit 107, which will be described later. Note that the memory control unit 107 may change the allocation ratio of the storage capacity of storage area A to the first area A1 and the second area A2 by changing the storage capacity [Bytes] allocated to the first area A1 and the second area A2 from the specified storage capacity.

If the allocation rate to the first area A1 is increased, the allocation rate to the second area A2 will decrease accordingly. For example, Figure 4a shows a case where the allocation rate to the first area A1 of the storage capacity of storage area A is 50%, and the allocation rate to the second area A2 is 50%. In contrast, Figure 4b shows a case where the allocation rate to the first area A1 of the storage capacity of storage area A is 70%, and the allocation rate to the second area A2 is 30%.

Note that Figure 4 illustrates an example in which memory 102 has only storage area A as an area for storing logs. However, memory 102 may naturally have areas other than storage area A in which data can be stored, and logs acquired by log acquisition unit 101 or data other than logs may be stored in these areas. In other words, the storage capacity of storage area A is not necessarily equal to the storage capacity of memory 102.

The control unit 103 controls the operation of the log acquisition unit 101, memory 102, and transmission unit 104. The control unit 103 also implements the transmission permission determination unit 105, log storage area determination unit 106, and memory control unit 107.

The transmission possibility determination unit 105 determines whether the logs acquired by the log acquisition unit 101 can be transmitted to the server device 2 located outside the vehicle. For example, the transmission possibility determination unit 105 determines whether the communication network 3 between the external communication ECU 11 and the server device 2 has been established, or whether the communication speed between the external communication ECU 11 and the server device 2 is equal to or greater than a predetermined speed, and determines that transmission is not possible if the communication network 3 has not been established or if the communication speed is equal to or less than the predetermined speed. Alternatively, even if the communication network 3 has been established, if the log acquisition unit 101 acquires a large number of logs, the transmission unit 104 (described below) will not be able to immediately transmit all of the logs to the server device 2. Therefore, the transmission possibility determination unit 105 may also determine that the logs cannot be transmitted if the log acquisition unit 101 acquires more than a predetermined number or data volume of logs.

If the transmission permission determination unit 105 determines that the log cannot be transmitted, the log storage area determination unit 106 determines the "importance" of the log.

Here, "importance" is an indicator of the importance of a log determined based on predetermined evaluation criteria, and may be expressed numerically or using multiple pre-classified levels.

If the determined importance of the log is "higher" than a "predetermined" importance, the log storage area determination unit 106 further determines the first area A1 of storage area A in memory 102 as the log storage area in which to store the log. If the determined importance of the log is "lower" than a "predetermined" importance, the log storage area determination unit 106 determines the second area A2 of storage area A as the log storage area in which to store the log.

Here, "predetermined" includes not only the case where it is always constant, but also the case where it is uniquely determined depending on conditions.
The term "than" includes both cases where the value is the same as the value of the comparison target and cases where the value is not the same as the value of the comparison target.

In the following example, the log storage area determination unit 106 determines whether the importance of a log is high or low, and if it determines that the importance of a log is high, it determines that the importance is higher than a predetermined importance, and if it determines that the importance of a log is low, it determines that the importance is lower than the predetermined importance. However, the log storage area determination unit 106 may also determine the importance of a log numerically based on various parameters, and determine whether the determined numerical value is higher or lower than a numerical value set as the predetermined importance.

For example, if a log indicates an external attack or an abnormality in the ECU or communications, the log storage area determination unit 106 determines that the importance of the log is high.

As another example, the log storage area determination unit 106 determines the importance of a log based on the security sensor that generated the log. From the perspective of safe vehicle operation, it is undesirable for an ECU that implements functions related to vehicle operation (e.g., functions related to vehicle braking or steering) to be attacked from the outside or for an abnormality to occur, and there is a high need to analyze logs generated by security sensors provided in such ECUs. Therefore, the log storage area determination unit 106 determines that logs generated by a specific ECU, for example, a security sensor provided in an ECU that implements functions related to vehicle operation, are of high importance. Note that the log storage area determination unit 106 can determine the security sensor that generated the log and the ECU that is equipped with the security sensor based on the security sensor identification information included in the log.

As yet another example, the log storage area determination unit 106 determines the importance of a log based on the time the log was created. For example, if a security sensor detects an external attack, it may be possible to analyze the attack path, details of the attack, and the impact of the attack by analyzing logs created before and after the attack was detected. Therefore, the log storage area determination unit 106 determines that logs created within a predetermined time from the time the security sensor detected the attack or abnormality are of high importance. The log storage area determination unit 106 can determine the time the log was created based on the time information included in the log.

In all of the above examples, the log storage area determination unit 106 determines the importance level based on the information contained in the log. However, the security sensor provided in each ECU 12 may itself determine the importance level of the log and assign the determined importance level to the log. In this case, the log storage area determination unit 106 can determine the importance level of the log using the importance level assigned to the log.

The memory control unit 107 stores the logs in the log storage area determined by the log storage area determination unit 106. Here, the memory control unit 107 compares the free space in the log storage area with the amount of log data acquired by the log acquisition unit 101. If the free space in the log storage area is less than the amount of log data, the memory control unit 107 secures capacity for storing logs by increasing the allocation ratio of storage capacity to the log storage area relative to the storage capacity of storage area A.

A specific example of memory control by the memory control unit 107 is described below. First, we will explain the case where the importance of the log is higher than a predetermined importance and the log storage area determination unit 106 determines the first area A1 as the log storage area.

If the free space in the first area A1 is greater than the amount of log data, the memory control unit 107 stores the log in the first area A1, which is the log storage area.

In contrast, if the free space in the first area A1 is less than the amount of log data, the log cannot be saved in the first area A1. Furthermore, because overwriting logs is prohibited in the first area A1, it is not possible to save a log by overwriting a log saved in the first area A1. Therefore, the memory control unit 107 compares the free space in the second area A2, which is not a log storage area, with the amount of log data. If the free space in the second area A2 is greater than the amount of log data, the memory control unit 107 secures free space for saving logs in the first area A1 by increasing the allocation ratio of the storage capacity of the first area A1 to the storage capacity of the storage area A. The log is then saved in the first area A1, to which the increased storage capacity has been allocated. Note that the allocation ratio of the storage capacity of the second area A2 is reduced.

Furthermore, if the free space in the second area A2 is less than the amount of log data, the memory control unit 107 cannot increase the allocation rate to the storage capacity of the first area A1. Therefore, the memory control unit 107 first deletes one or more logs stored in the second area A2. This creates free space in the second area A2. Next, the memory control unit 107 secures free space for storing logs in the first area A1 by increasing the allocation rate to the storage capacity of the first area A1 relative to the storage capacity of the storage area A. The logs are then stored in the first area A1, to which the increased storage capacity has been allocated. In this case, by deleting the logs stored in the second area A2 and increasing the allocation rate to the first storage capacity, logs of higher importance than the deleted logs are stored.

Here, it is desirable for the memory control unit 107 to delete the logs stored in the second area A2 starting from the log that was generated by the security sensor, i.e., the log that contains the oldest time information.

Note that the time information of the logs acquired by the log acquisition unit 101 may be older than the time information of the logs stored in the second area A2. As shown in FIG. 2, the log management device 100, which is the CGW 10, collects logs generated by security sensors installed in multiple ECUs via the network 13. Therefore, depending on the network congestion situation, the log acquisition unit 101 may acquire each log in an order different from the order in which the logs were generated by the security sensors. In other words, there is a possibility that logs generated after the logs acquired by the log acquisition unit 101 are already stored in the memory 102. In such cases, it is undesirable to delete logs with newer time information. Therefore, the logs to be deleted from the second area A2 are those containing time information older than the logs acquired by the log acquisition unit 101. Furthermore, if the time information of all the logs stored in the second area A2 is newer than the time information included in the logs acquired by the log acquisition unit 101, the memory control unit 107 may discard the logs acquired by the log acquisition unit 101 without saving them.

Next, we will explain the case where the importance of the log is lower than the predetermined importance and the log storage area determination unit 106 determines the second area A2 as the log storage area.

If the free space in the second area A2 is greater than the amount of log data, the memory control unit 107 stores the log in the second area A2, which is the log storage area.

In contrast, if the free space in the second area A2 is less than the amount of log data, the log cannot be stored in the second area A2. Therefore, the memory control unit 107 compares the free space in the first area A1, which is not a log storage area, with the amount of log data. Here, if the free space in the first area A1 is greater than the amount of log data, the memory control unit 107 secures free space for storing logs in the second area A2 by increasing the allocation ratio of the storage capacity of the second area A2 to the storage capacity of the storage area A. Then, the log is stored in the second area A2 to which the increased storage capacity has been allocated. Note that the allocation ratio of the storage capacity of the first area A1 will decrease.

Furthermore, if the free space in the first area A1 is less than the amount of log data, the memory control unit 107 cannot increase the allocation rate to the storage capacity of the second area A2. Therefore, the memory control unit 107 overwrites the logs stored in the second area A2 and saves the logs. Here, it is desirable that the log to be overwritten is the log stored in the second area A2 that was generated by the security sensor, i.e., the log with the oldest time information included in the log. Also, as in the example above, if the time information of all the logs stored in the second area A2 is newer than the time information included in the logs acquired by the log acquisition unit 101, the memory control unit 107 discards the logs acquired by the log acquisition unit 101 without saving them.

The transmission unit 104 transmits the log to the server device 2 located outside the vehicle via the external communication ECU 11. Here, the log transmitted by the transmission unit 104 differs depending on the timing at which the transmission possibility determination unit 105 determines that the log can be transmitted. If the transmission possibility determination unit 105 determines that the log can be transmitted at the time the log acquisition unit 101 acquires the log, the transmission unit 104 transmits the log acquired by the log acquisition unit 101 as is.

In contrast, if the transmission permission determination unit 105 determines that the log cannot be transmitted when the log acquisition unit 101 acquires the log, and then the memory control unit 107 stores the log in memory 102 and the transmission permission determination unit 105 determines that the log can be transmitted, the transmission unit 104 transmits the log stored in the first area A1 or the second area A2 of memory 102. In this case, the memory control unit 107 deletes the log transmitted from the transmission unit 104 from memory 102.

The transmission unit 104 may transmit the logs stored in the memory 102 in order of importance, i.e., logs stored in the first area A1, or may transmit the logs in order of oldest time information.

(2) Operation of the Log Management Device 100 The operation of the log management device 100 will be described with reference to FIGS.
The following operations not only indicate a log management method executed by the log management device 100 but also indicate the processing procedures of a log management program that can be executed by the log management device 100 .
These processes are not limited to the order shown in Figures 5 to 8. In other words, the order may be changed as long as there are no constraints, such as a relationship in which a step uses the result of a previous step.
Explain.

The log acquisition unit 101 acquires a log generated by a security sensor provided in each ECU 12 (S101).
The transmission permission determining unit 105 determines whether the log acquired by the log acquiring unit 101 can be transmitted (S102).
Here, if the transmission possibility determination unit 105 determines that the log can be transmitted (S102: Y), the transmission unit 104 transmits the log acquired in S101 to the server device 2 located outside the vehicle (S103).
On the other hand, if the transmission possibility determination unit 105 determines that the log cannot be transmitted (S102: N), the log storage area determination unit 106 determines the importance of the log acquired in S101 and determines whether the determined importance of the log is higher than a predetermined importance (S104).
If the importance of the log is higher than the predetermined importance (S104: Y), the first area A1 is determined as the log storage area (S105), and the process proceeds to the process shown in Fig. 6. On the other hand, if the importance of the log is lower than the predetermined importance (S104: N), the second area A2 is determined as the log storage area (S106), and the process proceeds to the process shown in Fig. 7.

Next, the process after the first area A1 is determined as the log storage area (S105) in FIG. 5 will be described with reference to FIG.
The memory control unit 107 compares the free space in the first area A1, which is a log storage area, with the amount of data in the log (S201).
If the free space in the first area A1 is greater than the amount of data in the log (S201: Y), the memory control unit 107 stores the log in the first area A1 (S202).
If the free space in the first area A1 is smaller than the amount of log data (S201: N), the memory control unit 107 compares the free space in the second area A2, which is not a log storage area, with the amount of log data (S203).
In S203, if the result of comparing the free space in the second area A2 with the amount of data in the log shows that the free space in the second area A2 is greater than the amount of data in the log (S203: Y), the memory control unit 107 increases the allocation ratio of the storage capacity of the first area A1 to the storage capacity of the storage area A (S204).
Then, the log is stored in the first area A1 (S202).

Furthermore, in S203, if the result of comparing the free space in the second area A2 with the amount of data in the log shows that the free space in the second area A2 is less than the amount of data in the log (S203: N), the memory control unit 107 further determines whether a log containing time information older than the time information contained in the log obtained in S101 is stored in the second area A2 (S205).
Here, if a log containing time information older than the time information contained in the log acquired in S101 is stored in the second area A2 (S205: Y), the memory control unit 107 deletes the log (S206).
Then, the memory control unit 107 increases the allocation ratio of the storage capacity of the first area A1 to the storage capacity of the storage area A (S204), and stores the log in the first area A1 (S202).
Furthermore, if there is no log stored in the second area A2 that contains time information older than the time information contained in the log acquired in S101 (S205: N), the memory control unit 107 discards the log acquired in S101 (S207).

Next, the process after the second area A2 is determined as the log storage area (S106) in FIG. 5 will be described with reference to FIG.
The memory control 107 compares the free space in the second area A2, which is a log storage area, with the amount of log data (S301).
If the free space in the second area A2 is greater than the amount of log data (S301: Y), the memory control unit 107 stores the log in the second area A2 (S302).
If the free space in the second area A2 is smaller than the amount of log data (S301: N), the memory control unit 107 compares the free space in the first area A1, which is not a log storage area, with the amount of log data (S303).
In S303, if the result of comparing the free space in the first area A1 with the amount of data in the log shows that the free space in the first area A1 is greater than the amount of data in the log (S303: Y), the memory control unit 107 increases the allocation ratio of the storage capacity of the second area A2 to the storage capacity of the storage area A (S304).
Then, the log is stored in the second area A2 (S302).

Furthermore, in S303, if the result of comparing the free space in the first area A1 with the amount of data in the log shows that the free space in the first area A1 is less than the amount of data in the log (S303: N), the memory control unit 107 further determines whether a log containing time information older than the time information contained in the log obtained in S101 is stored in the second area A2 (S305).
Here, if a log containing time information older than the time information contained in the log obtained in S101 is stored in the second area A2 (S305: Y), the memory control unit 107 overwrites the log and saves the log obtained in S101 (S306).
Furthermore, if no log containing time information older than the time information contained in the log acquired in S101 is stored in the second area A2 (S305: N), the memory control unit 107 discards the log acquired in S101 (S307).

In the above-described embodiment, a configuration has been described in which logs that cannot be saved in storage area A of memory 102 are immediately discarded in S207 and S307. However, if the log acquired by the log acquisition unit 101 cannot be saved in storage area A, the log may not be immediately discarded, but the log saving process may simply be interrupted. In this case, the memory control unit 107 may perform the process shown in FIG. 6 or 7 again after a predetermined time has elapsed since the log saving process was interrupted. Then, if the log cannot be saved in memory after performing the memory saving process a predetermined number of times, the log may be discarded.

Next, the operation of the log management device 100 after the log has been saved in the saving area A of the memory 102 will be described with reference to FIG.
The communication possibility determination unit 105 determines whether or not it is possible to transmit a log to a server device outside the vehicle (S401).
If it is determined that communication is possible, the transmitting unit 104 transmits the log stored in the memory 102 to the server device (S402).
Then, the memory control unit 107 deletes the transmitted log from the memory 102 (S403).

(3) Summary According to this embodiment, logs with high importance are stored in an area where overwriting is prohibited, so even if logs accumulate in memory and reach the memory capacity, it is possible to prevent logs with high importance from being overwritten. Furthermore, logs with low importance are stored by overwriting older logs, so it is possible to store the latest logs.

Furthermore, according to this embodiment, by appropriately changing the allocation ratio of storage capacity to areas where overwriting is prohibited or areas where overwriting is allowed, it is possible to use memory storage areas efficiently.

2. Second Embodiment In this embodiment, an example will be described in which an electronic control device having a virtual machine realizes the function of a log management device.

Figure 9 shows an electronic control unit 200 that functions as a log management device in this embodiment. The electronic control unit 200 includes a hypervisor (HV) 210, multiple virtual machines (220, 230) managed by the hypervisor 210, and memory 102. As in embodiment 1, the electronic control unit 200 is assumed to be the CGW 10 in Figure 2, but is not limited to this.

The hypervisor 210 is software that virtualizes the electronic control unit 200. In the example of FIG. 9, the first virtual machine 220 and the second virtual machine 230 are constructed on the hypervisor 210. This example describes a configuration in which the electronic control unit 200 has only one hypervisor 210, but the electronic control unit 200 may have multiple hypervisors and virtual machines managed by multiple hypervisors.

Each virtual machine in the electronic control device 200 has a platform (hereinafter referred to as PF). In FIG. 9, the first virtual machine 220 has a first PF 222, and the second virtual machine 230 has a second PF 232. FIG. 9 also shows the applications (221, 231) running on the PF of each virtual machine.

There are various types of PFs, and any PF can be used as the first and second PFs (222, 232). For example, the first PF 222 is a platform that optimizes static functions, known as a Classic Platform (CP) in AUTOSAR (AUTomotive Open System ARchitecture). CPs are platforms primarily suited to electronic control units for vehicle control. The second PF 232 is a platform that allows for dynamic functional expansion, known as an Adaptive Platform (AP) in AUTOSAR. APs are platforms primarily suited to electronic control units for autonomous driving. By mixing multiple virtual machines with different PFs in a single electronic control unit in this way, it becomes possible to integrate multiple functions into a single electronic control unit, thereby reducing the total number of electronic control units.

In such a configuration, the virtual machine's OS may be configured, for example, to be provided between the hypervisor and the PF, or to be integrated with the hypervisor or included in the PF.

The first application 221 running on the first virtual machine 220 includes a security sensor. This security sensor has the same functions as the security sensor mounted on the ECU 12 shown in Figure 2. In other words, each security sensor monitors the operation of each virtual machine and generates a log.

The second application 231 running on the second virtual machine 230 includes a log acquisition unit 101, a transmission unit 104, a transmission permission determination unit 105, a log storage area determination unit 106, and a memory control unit 107. The functions and operations of the log acquisition unit 101, the transmission unit 104, the transmission permission determination unit 105, the log storage area determination unit 106, and the memory control unit 107 are the same as those in embodiment 1.

In the first embodiment, the log acquisition unit 101 acquires logs generated by a security sensor mounted on an electronic control unit (ECU 12) different from the electronic control unit 100, which is the log management device. In contrast, the log acquisition unit 101 in the second embodiment acquires logs generated by a security sensor mounted on an electronic control unit 200 that functions as a log management device. Naturally, the log acquisition unit 101 may also acquire logs generated by a security sensor mounted on an ECU 12 connected to the electronic control unit 200 via the network 13, as in the first embodiment.

3. Modifications of Each Embodiment (1) Modification 1
In this modification, an electronic control device (100, 200) that functions as a log management device is described as having installed thereon an application that realizes other functions in addition to the application that realizes the log management function.

Figure 10 is a diagram explaining the memory of this first variant. Unlike Figure 4, the memory 102 has a shared area and a dedicated area. The shared area is an area shared by multiple applications installed in the electronic control units 100 and 200. The dedicated area is an area that can only be used by one specific application out of the multiple applications installed in the electronic control units 100 and 200, and access from applications other than the specific application is restricted.

When the memory 102 has a shared area and a dedicated area, as in this modified example, the storage area A in this embodiment, i.e., the first area A1 and the second area A2, are provided in the dedicated area.

Naturally, the CGW 10 may not only function as a log management device, but also have other functions. Therefore, when this modification is applied to embodiment 1, in the electronic control device 100, an area that can be accessed by both the application that executes the log management function and the application that executes other functions is a shared area, and an area that can only be used by the application that executes the log management function is a dedicated area.

Furthermore, when this modification is applied to embodiment 2, the shared area is accessible to both the first application 221 and the second application 231, and the area used in common by these applications is the shared area, while the area that can be used only by either the first application 221 or the second application 231 is the dedicated area.

The logs generated by the security sensor are necessary for the server device 2 to analyze attacks and abnormalities against the ECU, and are therefore highly necessary. Therefore, by providing a dedicated area for storing logs, sufficient memory capacity is ensured for storing logs, even when other applications are using the memory.

In this modified example, if the log acquired by the log acquisition unit 101 in the above-described embodiment cannot be saved in storage area A, the log whose saving process has been interrupted may be temporarily saved in a shared area.

(2) Modification 2
In the above-described embodiment, the allocation ratio of storage capacity to the first area A1 and the second area A2 of the storage areas of the memory 102 can be constantly changed. However, the allocation ratio of the first area A1 and the second area A2 does not have to be constantly changeable, and whether or not it can be changed can be switched.

In this modified example, the memory control unit 107 switches between a first mode, in which the storage capacity allocation rate can be changed, and a second mode, in which the allocation rate cannot be changed. For example, the memory control unit 107 switches between the first mode and the second mode based on the free space in the first area A1 and the free space in the second area A2. Specifically, in the second mode, in which the storage capacity allocation rate cannot be changed, if the difference between the free space in the first area A1 and the free space in the second area A2 is large, it may be possible that logs cannot be saved even if there is free space in one area. Therefore, when the difference between the free space in the first area A1 and the free space in the second area A2 becomes larger than a predetermined value, the memory control unit 107 switches from the first mode to the second mode. Then, when the difference between the free space in the first area A1 and the free space in the second area A2 becomes smaller than the predetermined value, the memory control unit 107 switches from the second mode to the first mode.

As another example, the memory control unit 107 may switch between the first mode and the second mode in a situation where a large number of logs are being generated. For example, if the electronic control system 1 is under attack from the outside, the security sensor may detect the attack or anomaly and generate a large number of logs. In particular, the logs generated under such circumstances are likely to be logs necessary for analyzing the attack and are therefore highly important, and there is a high possibility that a large number of logs will need to be stored in the first area A1. Therefore, the memory control unit 107 switches from the second mode to the first mode when the log acquired by the log acquisition unit 101 indicates that the security sensor has detected an anomaly.

In addition, since the allocation ratios of the first area A1 and the second area A2 cannot be changed in the second mode, if, for example, the importance of the log acquired by the log acquisition unit 101 is higher than a predetermined importance and the free space in the first area A1, which is the log storage area, is less than the amount of data for the log, the log cannot be saved in the first area A1. Therefore, if the log cannot be saved in the log storage area in the second mode, the saving process for the log acquired by the log acquisition unit 101 is interrupted.

4. Summary The features of the log management device and the like in each embodiment of the present invention have been described above.
The terms used in each embodiment are merely examples and may be replaced with synonymous terms or terms having the same functions.

The block diagrams used to explain the embodiments classify and organize the device configuration by function. The blocks representing each function can be realized by any combination of hardware or software. Furthermore, because they represent functions, these block diagrams can also be understood as disclosures of method inventions and program inventions that realize those methods.

The order of the processes, flows, and blocks that can be understood as methods described in each embodiment may be changed as long as there are no constraints, such as one step using the results of another step that precedes it.

Each embodiment is based on a vehicle log management device installed in a vehicle, but the present invention also includes dedicated or general-purpose log management devices other than those for vehicles, unless otherwise limited by the claims.

In each embodiment, the log management device disclosed in each embodiment is described as being installed in a vehicle, but it may also be carried by a pedestrian.

Furthermore, examples of the form of the log management device of the present disclosure include a semiconductor element, an electronic circuit, a module, and a microcomputer.
Examples of semi-finished products include an electronic control unit (ECU) and a system board.
Examples of finished products include mobile phones, smartphones, tablets, personal computers (PCs), workstations, and servers.
Other examples include devices with communication functions, such as car navigation systems.

In addition, the log management device disclosed herein may be equipped with necessary functions, such as an antenna or a communication interface.

In addition, the present invention can be realized not only by dedicated hardware having the configuration and functions described in each embodiment, but also by a combination of a program for implementing the present invention recorded on a recording medium such as memory or a hard disk, and general-purpose hardware having a dedicated or general-purpose CPU and memory that can execute the program.

A program for the log management device of the present invention that is stored on a non-transient physical recording medium (e.g., an external storage device (hard disk, USB memory, CD/BD, etc.) or an internal storage device (RAM, ROM, etc.)) of dedicated or general-purpose hardware can also be provided to the dedicated or general-purpose hardware via the recording medium, or via a communication line from a server without using a recording medium. This allows the latest functions to be always provided through program upgrades.

The log management device of the present invention has been described primarily as an electronic control device for vehicles mounted on automobiles, but it can also be applied to all types of moving objects, including motorcycles, motorized bicycles, and trains, as well as pedestrians, ships, and aircraft.

100 Log management device, 200 Electronic control device, 101 Log acquisition unit, 102 Memory, 104 Transmission unit, 105 Transmission permission determination unit, 106 Log storage area determination unit, 107 Memory control unit

Claims (27)

A log management device mounted on a moving object,
a log acquisition unit (101) that acquires a log generated by a security sensor mounted on the moving body;
a transmission possibility determination unit (105) that determines whether or not the log can be transmitted to the outside of the mobile body;
a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log stored in the first area is prohibited and to which a first storage capacity is allocated among the storage capacity of the storage area, and the second area being an area in which overwriting of a second log stored in the second area is permitted and to which a second storage capacity is allocated among the storage capacity;
a log storage area determination unit (106) that, when the transmission permission determination unit determines that the log cannot be transmitted, determines the importance of the log, and determines the first area as the log storage area in which to store the log if the importance is higher than a predetermined importance, or the second area if the importance is lower than the predetermined importance;
a memory control unit (107) that, when the free space in the log storage area is smaller than the amount of data in the log, increases the allocation ratio of the storage capacity to the storage capacity of the log storage area and stores the log in the log storage area;
Equipped with
When the importance is higher than the predetermined importance, and when the free space of the first area, which is the log storage area, is less than the amount of data, and the free space of the second area is greater than the amount of data, the memory control unit increases the allocation rate to the first storage capacity, and stores the log in the first area to which the increased first storage capacity is allocated.
Log management device (100, 200). A log management device mounted on a moving object,
a log acquisition unit (101) that acquires a log generated by a security sensor mounted on the moving body;
a transmission possibility determination unit (105) that determines whether or not the log can be transmitted to the outside of the mobile body;
a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log stored in the first area is prohibited and to which a first storage capacity is allocated among the storage capacity of the storage area, and the second area being an area in which overwriting of a second log stored in the second area is permitted and to which a second storage capacity is allocated among the storage capacity;
a log storage area determination unit (106) that, when the transmission permission determination unit determines that the log cannot be transmitted, determines the importance of the log, and determines the first area as the log storage area in which to store the log if the importance is higher than a predetermined importance, or the second area if the importance is lower than the predetermined importance;
a memory control unit (107) that, when the free space in the log storage area is smaller than the amount of data in the log, increases the allocation ratio of the storage capacity to the storage capacity of the log storage area and stores the log in the log storage area;
Equipped with
When the importance is higher than the predetermined importance, and when the free space of the first area, which is the log storage area, is less than the data amount, and when the free space of the second area is less than the data amount, the memory control unit deletes the second log stored in the second area, increases the allocation rate to the first storage capacity, and stores the log in the first area to which the increased first storage capacity is allocated.
Log management device (100, 200). A log management device mounted on a moving object,
a log acquisition unit (101) that acquires a log generated by a security sensor mounted on the moving body;
a transmission possibility determination unit (105) that determines whether or not the log can be transmitted to the outside of the mobile body;
a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log stored in the first area is prohibited and to which a first storage capacity is allocated among the storage capacity of the storage area, and the second area being an area in which overwriting of a second log stored in the second area is permitted and to which a second storage capacity is allocated among the storage capacity;
a log storage area determination unit (106) that, when the transmission permission determination unit determines that the log cannot be transmitted, determines the importance of the log, and determines the first area as the log storage area in which to store the log if the importance is higher than a predetermined importance, or the second area if the importance is lower than the predetermined importance;
a memory control unit (107) that, when the free space in the log storage area is smaller than the amount of data in the log, increases the allocation ratio of the storage capacity to the storage capacity of the log storage area and stores the log in the log storage area;
Equipped with
When the importance is lower than the predetermined importance, and when the free space of the second area that is the log storage area is smaller than the amount of data and the free space of the first area is larger than the amount of data, the memory control unit increases the allocation rate to the second storage capacity and stores the log in the second area to which the increased second storage capacity is allocated.
Log management device (100, 200). A log management device mounted on a moving object,
a log acquisition unit (101) that acquires a log generated by a security sensor mounted on the moving body;
a transmission possibility determination unit (105) that determines whether or not the log can be transmitted to the outside of the mobile body;
a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log stored in the first area is prohibited and to which a first storage capacity is allocated among the storage capacity of the storage area, and the second area being an area in which overwriting of a second log stored in the second area is permitted and to which a second storage capacity is allocated among the storage capacity;
a log storage area determination unit (106) that, when the transmission permission determination unit determines that the log cannot be transmitted, determines the importance of the log, and determines the first area as the log storage area in which to store the log if the importance is higher than a predetermined importance, or the second area if the importance is lower than the predetermined importance;
a memory control unit (107) that, when the free space in the log storage area is smaller than the amount of data in the log, increases the allocation ratio of the storage capacity to the storage capacity of the log storage area and stores the log in the log storage area;
Equipped with
If the importance is lower than the predetermined importance, and if the free space of the second area, which is the log storage area, is less than the amount of data, and if the free space of the first area is less than the amount of data, the memory control unit overwrites the second log stored in the second area and stores the log.
Log management device (100, 200). A log management device mounted on a moving object,
a log acquisition unit (101) that acquires a log generated by a security sensor mounted on the moving object;
a transmission possibility determination unit (105) that determines whether the log can be transmitted to the outside of the mobile body;
a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log stored in the first area is prohibited and to which a first storage capacity is allocated among the storage capacity of the storage area, and the second area being an area in which overwriting of a second log stored in the second area is permitted and to which a second storage capacity is allocated among the storage capacity;
a log storage area determination unit (106) that, when the transmission permission determination unit determines that the log cannot be transmitted, determines the importance of the log, and determines the first area as the log storage area in which to store the log if the importance is higher than a predetermined importance, or the second area if the importance is lower than the predetermined importance;
a memory control unit (107) that, when the free space in the log storage area is smaller than the amount of data in the log, increases the allocation ratio of the storage capacity to the storage capacity of the log storage area and stores the log in the log storage area;
Equipped with
the memory control unit is capable of switching between a first mode in which an allocation ratio between the first storage capacity and the second storage capacity can be changed and a second mode in which an allocation ratio between the first storage capacity and the second storage capacity cannot be changed;
Log management device (100, 200). The log management device further comprises:
a transmitting unit (104) that transmits the log acquired by the log acquiring unit to an outside of the mobile object when the transmission possibility determining unit determines that the log can be transmitted;
The log management device according to any one of claims 1 to 5 . After the memory control unit stores the log in the log storage area, if the transmission permission determination unit determines that the log can be transmitted,
the transmission unit transmits the log stored in the log storage area to an outside of the mobile object ;
the memory control unit deletes the log transmitted from the transmission unit from the log storage area.
7. The log management device according to claim 6 . the log includes time information indicating a time when the security sensor generated the log;
the memory control unit deletes, from the second logs stored in the second area, second logs that include time information older than time information included in the logs acquired by the log acquisition unit.
3. The log management device according to claim 2 . When time information included in the second log stored in the second area is newer than the time information included in the log acquired by the log acquisition unit, the memory control unit suspends saving of the log in the first area.
9. The log management device according to claim 8 . the log management device is an electronic control device,
the memory has a shared area shared by a plurality of applications installed in the electronic control device and a dedicated area used by only one of the plurality of applications,
The log storage area is provided in the dedicated area.
The log management device according to any one of claims 1 to 5 . the memory control unit switches between the first mode and the second mode based on the free space of the first area and the free space of the second area.
6. The log management device according to claim 5 . the memory control unit switches from the second mode to the first mode when the log indicates that the security sensor has detected an abnormality;
6. The log management device according to claim 5 . An electronic control device mounted on a mobile body, the electronic control device having a memory (102), a first virtual machine (220), and a second virtual machine (230),
The memory includes:
a storage area consisting of a first area and a second area, wherein the first area is an area in which overwriting of a first log that is a log stored in the first area is prohibited and a first storage capacity is allocated among the storage capacity of the storage area, and the second area is an area in which overwriting of a second log that is a log stored in the second area is possible and a second storage capacity is allocated among the storage capacity;
The first virtual machine
a security sensor that generates a log;
The second virtual machine
a log acquisition unit (101) that acquires the log generated by the security sensor;
a transmission possibility determination unit (105) that determines whether or not the log can be transmitted to the outside of the mobile body;
a storage area determination unit (106) that, when the transmission permission determination unit determines that the log cannot be transmitted, determines the importance of the log, and determines the first area as a log storage area for storing the log if the importance is higher than a predetermined importance, or the second area if the importance is lower than the predetermined importance;
a memory control unit (107) that, when the free space in the log storage area is smaller than the amount of data in the log, increases the allocation rate of the storage capacity of the log storage area to the storage capacity, and stores the log in the log storage area;
When the importance is higher than the predetermined importance, and when the free space of the first area, which is the log storage area, is less than the amount of data, and the free space of the second area is greater than the amount of data, the memory control unit increases the allocation rate to the first storage capacity, and stores the log in the first area to which the increased first storage capacity is allocated.
An electronic control unit (200). An electronic control device mounted on a mobile body, the electronic control device having a memory (102), a first virtual machine (220), and a second virtual machine (230),
The memory includes:
a storage area consisting of a first area and a second area, wherein the first area is an area in which overwriting of a first log that is a log stored in the first area is prohibited and a first storage capacity is allocated among the storage capacity of the storage area, and the second area is an area in which overwriting of a second log that is a log stored in the second area is possible and a second storage capacity is allocated among the storage capacity;
The first virtual machine
a security sensor that generates a log;
The second virtual machine
a log acquisition unit (101) that acquires the log generated by the security sensor;
a transmission possibility determination unit (105) that determines whether or not the log can be transmitted to the outside of the mobile body;
a storage area determination unit (106) that, when the transmission permission determination unit determines that the log cannot be transmitted, determines the importance of the log, and determines the first area as a log storage area for storing the log if the importance is higher than a predetermined importance, or the second area if the importance is lower than the predetermined importance;
a memory control unit (107) that, when the free space in the log storage area is smaller than the amount of data in the log, increases the allocation rate of the storage capacity of the log storage area to the storage capacity, and stores the log in the log storage area;
When the importance is higher than the predetermined importance, and when the free space of the first area, which is the log storage area, is less than the data amount, and when the free space of the second area is less than the data amount, the memory control unit deletes the second log stored in the second area, increases the allocation rate to the first storage capacity, and stores the log in the first area to which the increased first storage capacity is allocated.
An electronic control unit (200). An electronic control device mounted on a mobile body, the electronic control device having a memory (102), a first virtual machine (220), and a second virtual machine (230),
The memory includes:
a storage area consisting of a first area and a second area, wherein the first area is an area in which overwriting of a first log that is a log stored in the first area is prohibited and a first storage capacity is allocated among the storage capacity of the storage area, and the second area is an area in which overwriting of a second log that is a log stored in the second area is possible and a second storage capacity is allocated among the storage capacity;
The first virtual machine
a security sensor that generates a log;
The second virtual machine
a log acquisition unit (101) that acquires the log generated by the security sensor;
a transmission possibility determination unit (105) that determines whether or not the log can be transmitted to the outside of the mobile body;
a storage area determination unit (106) that, when the transmission permission determination unit determines that the log cannot be transmitted, determines the importance of the log, and determines the first area as a log storage area for storing the log if the importance is higher than a predetermined importance, or the second area if the importance is lower than the predetermined importance;
a memory control unit (107) that, when the free space in the log storage area is smaller than the amount of data in the log, increases the allocation rate of the storage capacity of the log storage area to the storage capacity, and stores the log in the log storage area;
When the importance is lower than the predetermined importance, and when the free space of the second area that is the log storage area is smaller than the amount of data and the free space of the first area is larger than the amount of data, the memory control unit increases the allocation rate to the second storage capacity and stores the log in the second area to which the increased second storage capacity is allocated.
An electronic control unit (200). An electronic control device mounted on a mobile body, the electronic control device having a memory (102), a first virtual machine (220), and a second virtual machine (230),
The memory includes:
a storage area consisting of a first area and a second area, wherein the first area is an area in which overwriting of a first log that is a log stored in the first area is prohibited and a first storage capacity is allocated among the storage capacity of the storage area, and the second area is an area in which overwriting of a second log that is a log stored in the second area is possible and a second storage capacity is allocated among the storage capacity;
The first virtual machine
a security sensor that generates a log;
The second virtual machine
a log acquisition unit (101) that acquires the log generated by the security sensor;
a transmission possibility determination unit (105) that determines whether or not the log can be transmitted to the outside of the mobile body;
a storage area determination unit (106) that, when the transmission permission determination unit determines that the log cannot be transmitted, determines the importance of the log, and determines the first area as a log storage area for storing the log if the importance is higher than a predetermined importance, or the second area if the importance is lower than the predetermined importance;
a memory control unit (107) that, when the free space in the log storage area is smaller than the amount of data in the log, increases the allocation rate of the storage capacity of the log storage area to the storage capacity, and stores the log in the log storage area;
If the importance is lower than the predetermined importance, and if the free space of the second area, which is the log storage area, is less than the amount of data, and if the free space of the first area is less than the amount of data, the memory control unit overwrites the second log stored in the second area and stores the log.
An electronic control unit (200). An electronic control device mounted on a mobile body, the electronic control device having a memory (102), a first virtual machine (220), and a second virtual machine (230),
The memory includes:
a storage area consisting of a first area and a second area, wherein the first area is an area in which overwriting of a first log that is a log stored in the first area is prohibited and a first storage capacity is allocated among the storage capacity of the storage area, and the second area is an area in which overwriting of a second log that is a log stored in the second area is possible and a second storage capacity is allocated among the storage capacity;
The first virtual machine
a security sensor that generates a log;
The second virtual machine
a log acquisition unit (101) that acquires the log generated by the security sensor;
a transmission possibility determination unit (105) that determines whether or not the log can be transmitted to the outside of the mobile body;
a storage area determination unit (106) that, when the transmission permission determination unit determines that the log cannot be transmitted, determines the importance of the log, and determines the first area as a log storage area for storing the log if the importance is higher than a predetermined importance, or the second area if the importance is lower than the predetermined importance;
a memory control unit (107) that, when the free space in the log storage area is smaller than the amount of data in the log, increases the allocation rate of the storage capacity of the log storage area to the storage capacity, and stores the log in the log storage area;
the memory control unit is capable of switching between a first mode in which an allocation ratio between the first storage capacity and the second storage capacity can be changed and a second mode in which an allocation ratio between the first storage capacity and the second storage capacity cannot be changed;
An electronic control unit (200). A log management method executed by a log management device mounted on a moving object, comprising:
The log management device includes a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log that is a log stored in the first area is prohibited and to which a first storage capacity is allocated out of the storage capacity of the storage area, and the second area being an area in which overwriting of a second log that is a log stored in the second area is possible and to which a second storage capacity is allocated out of the storage capacity,
A log generated by a security sensor mounted on the mobile object is acquired (S101);
It is determined whether the log can be transmitted to the outside of the mobile unit (S102);
If it is determined that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is determined as the log storage area in which the log is to be stored, or if the importance is lower than the predetermined importance, the second area is determined as the log storage area in which the log is to be stored (S104, S105, S106).
In the log management method, when the free space of the log storage area is smaller than the amount of data of the log, an allocation ratio of the storage capacity of the log storage area to the storage capacity is increased, and the log is stored in the log storage area (S202, S302, S306),
If the importance is higher than the predetermined importance, and if the free space of the first area, which is the log storage area, is less than the data amount and the free space of the second area is greater than the data amount, the allocation rate to the first storage capacity is increased, and the log is stored in the first area to which the increased first storage capacity is allocated (S204, S202).
Log management methods. A log management method executed by a log management device mounted on a moving object, comprising:
The log management device includes a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log that is a log stored in the first area is prohibited and to which a first storage capacity is allocated out of the storage capacity of the storage area, and the second area being an area in which overwriting of a second log that is a log stored in the second area is possible and to which a second storage capacity is allocated out of the storage capacity,
A log generated by a security sensor mounted on the mobile object is acquired (S101);
It is determined whether or not the log can be transmitted to the outside of the mobile unit (S102);
If it is determined that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is determined as the log storage area in which the log is to be stored, or if the importance is lower than the predetermined importance, the second area is determined as the log storage area in which the log is to be stored (S104, S105, S106).
In the log management method, when the free space of the log storage area is smaller than the amount of data of the log, an allocation ratio of the storage capacity of the log storage area to the storage capacity is increased, and the log is stored in the log storage area (S202, S302, S306),
If the importance is higher than the predetermined importance, and if the free space of the first area, which is the log storage area, is less than the data amount, and the free space of the second area is less than the data amount, the second log stored in the second area is deleted, the allocation rate to the first storage capacity is increased, and the log is stored in the first area to which the increased first storage capacity is allocated (S206, S204, S202).
Log management methods. A log management method executed by a log management device mounted on a moving object, comprising:
The log management device includes a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log that is a log stored in the first area is prohibited and to which a first storage capacity is allocated out of the storage capacity of the storage area, and the second area being an area in which overwriting of a second log that is a log stored in the second area is possible and to which a second storage capacity is allocated out of the storage capacity,
A log generated by a security sensor mounted on the mobile object is acquired (S101);
It is determined whether the log can be transmitted to the outside of the mobile unit (S102);
If it is determined that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is determined as the log storage area in which the log is to be stored, or if the importance is lower than the predetermined importance, the second area is determined as the log storage area in which the log is to be stored (S104, S105, S106).
In the log management method, when the free space of the log storage area is smaller than the amount of data of the log, an allocation ratio of the storage capacity of the log storage area to the storage capacity is increased, and the log is stored in the log storage area (S202, S302, S306),
If the importance is lower than the predetermined importance, and the free space of the second area, which is the log storage area, is less than the data amount, and the free space of the first area is greater than the data amount, the allocation rate to the second storage capacity is increased, and the log is stored in the second area to which the increased second storage capacity is allocated (S304, S302).
Log management methods. A log management method executed by a log management device mounted on a moving object, comprising:
The log management device includes a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log that is a log stored in the first area is prohibited and to which a first storage capacity is allocated out of the storage capacity of the storage area, and the second area being an area in which overwriting of a second log that is a log stored in the second area is possible and to which a second storage capacity is allocated out of the storage capacity,
A log generated by a security sensor mounted on the mobile object is acquired (S101);
It is determined whether or not the log can be transmitted to the outside of the mobile unit (S102);
If it is determined that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is determined as the log storage area in which the log is to be stored, or if the importance is lower than the predetermined importance, the second area is determined as the log storage area in which the log is to be stored (S104, S105, S106).
In the log management method, when the free space of the log storage area is smaller than the amount of data of the log, an allocation ratio of the storage capacity of the log storage area to the storage capacity is increased, and the log is stored in the log storage area (S202, S302, S306),
If the importance is lower than the predetermined importance, and if the free space of the second area, which is the log storage area, is less than the data amount, and if the free space of the first area is less than the data amount, the second log stored in the second area is overwritten and the log is stored (S306, S302).
Log management methods. A log management method executed by a log management device mounted on a moving object, comprising:
The log management device
a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log that is a log stored in the first area is prohibited and to which a first storage capacity is allocated among the storage capacity of the storage area, and the second area being an area in which overwriting of a second log that is a log stored in the second area is possible and to which a second storage capacity is allocated among the storage capacity;
a first mode in which an allocation ratio between the first storage capacity and the second storage capacity can be changed, and a second mode in which an allocation ratio between the first storage capacity and the second storage capacity cannot be changed;
A log generated by a security sensor mounted on the mobile object is acquired (S101);
It is determined whether or not the log can be transmitted to the outside of the mobile unit (S102);
If it is determined that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is determined as the log storage area in which the log is to be stored, or if the importance is lower than the predetermined importance, the second area is determined as the log storage area in which the log is to be stored (S104, S105, S106).
When the free space in the log storage area is smaller than the amount of data in the log, the allocation ratio of the storage capacity to the log storage area is increased, and the log is stored in the log storage area (S202, S302, S306).
Log management methods. A log management program executable by a log management device mounted on a mobile object,
The log management device includes a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log that is a log stored in the first area is prohibited and to which a first storage capacity is allocated out of the storage capacity of the storage area, and the second area being an area in which overwriting of a second log that is a log stored in the second area is possible and to which a second storage capacity is allocated out of the storage capacity,
A log generated by a security sensor mounted on the mobile object is acquired (S101);
It is determined whether the log can be transmitted to the outside of the mobile unit (S102);
If it is determined that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is determined as the log storage area in which the log is to be stored, or if the importance is lower than the predetermined importance, the second area is determined as the log storage area in which the log is to be stored (S104, S105, S106).
In the log management program, when the free space in the log storage area is smaller than the amount of data in the log, an allocation ratio of the storage capacity to the log storage area is increased and the log is stored in the log storage area (S202, S302, S306),
If the importance is higher than the predetermined importance, and if the free space of the first area, which is the log storage area, is less than the data amount and the free space of the second area is greater than the data amount, the allocation rate to the first storage capacity is increased, and the log is stored in the first area to which the increased first storage capacity is allocated (S204, S202).
A log management program that causes the log management device to execute processing . A log management program executable by a log management device mounted on a mobile object,
The log management device includes a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log that is a log stored in the first area is prohibited and to which a first storage capacity is allocated out of the storage capacity of the storage area, and the second area being an area in which overwriting of a second log that is a log stored in the second area is possible and to which a second storage capacity is allocated out of the storage capacity,
A log generated by a security sensor mounted on the mobile object is acquired (S101);
It is determined whether or not the log can be transmitted to the outside of the mobile unit (S102);
If it is determined that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is determined as the log storage area in which the log is to be stored, or if the importance is lower than the predetermined importance, the second area is determined as the log storage area in which the log is to be stored (S104, S105, S106).
In the log management program, when the free space in the log storage area is smaller than the amount of data in the log, an allocation ratio of the storage capacity to the log storage area is increased and the log is stored in the log storage area (S202, S302, S306),
If the importance is higher than the predetermined importance, and if the free space of the first area, which is the log storage area, is less than the data amount, and the free space of the second area is less than the data amount, the second log stored in the second area is deleted, the allocation rate to the first storage capacity is increased, and the log is stored in the first area to which the increased first storage capacity is allocated (S206, S204, S202).
A log management program that causes the log management device to execute processing. A log management program executable by a log management device mounted on a mobile object,
The log management device includes a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log that is a log stored in the first area is prohibited and to which a first storage capacity is allocated out of the storage capacity of the storage area, and the second area being an area in which overwriting of a second log that is a log stored in the second area is possible and to which a second storage capacity is allocated out of the storage capacity,
A log generated by a security sensor mounted on the mobile object is acquired (S101);
It is determined whether or not the log can be transmitted to the outside of the mobile unit (S102);
If it is determined that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is determined as the log storage area in which the log is to be stored, or if the importance is lower than the predetermined importance, the second area is determined as the log storage area in which the log is to be stored (S104, S105, S106).
In the log management program, when the free space in the log storage area is smaller than the amount of data in the log, an allocation ratio of the storage capacity to the log storage area is increased and the log is stored in the log storage area (S202, S302, S306),
If the importance is lower than the predetermined importance, and the free space of the second area, which is the log storage area, is less than the data amount, and the free space of the first area is greater than the data amount, the allocation rate to the second storage capacity is increased, and the log is stored in the second area to which the increased second storage capacity is allocated (S304, S302).
A log management program that causes the log management device to execute processing. A log management program executable by a log management device mounted on a mobile object,
The log management device includes a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log that is a log stored in the first area is prohibited and to which a first storage capacity is allocated out of the storage capacity of the storage area, and the second area being an area in which overwriting of a second log that is a log stored in the second area is possible and to which a second storage capacity is allocated out of the storage capacity,
A log generated by a security sensor mounted on the mobile object is acquired (S101);
It is determined whether or not the log can be transmitted to the outside of the mobile unit (S102);
If it is determined that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is determined as the log storage area in which the log is to be stored, or if the importance is lower than the predetermined importance, the second area is determined as the log storage area in which the log is to be stored (S104, S105, S106).
In the log management program, when the free space in the log storage area is smaller than the amount of data in the log, an allocation ratio of the storage capacity to the log storage area is increased and the log is stored in the log storage area (S202, S302, S306),
If the importance is lower than the predetermined importance, and if the free space of the second area, which is the log storage area, is less than the data amount, and if the free space of the first area is less than the data amount, the second log stored in the second area is overwritten and the log is stored (S306, S302).
A log management program that causes the log management device to execute processing. A log management program executable by a log management device mounted on a mobile object,
The log management device
a memory (102) having a storage area consisting of a first area and a second area, the first area being an area in which overwriting of a first log that is a log stored in the first area is prohibited and to which a first storage capacity is allocated among the storage capacity of the storage area, and the second area being an area in which overwriting of a second log that is a log stored in the second area is possible and to which a second storage capacity is allocated among the storage capacity;
a first mode in which an allocation ratio between the first storage capacity and the second storage capacity can be changed, and a second mode in which an allocation ratio between the first storage capacity and the second storage capacity cannot be changed;
A log generated by a security sensor mounted on the mobile object is acquired (S101);
It is determined whether or not the log can be transmitted to the outside of the mobile unit (S102);
If it is determined that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is determined as the log storage area in which the log is to be stored, or if the importance is lower than the predetermined importance, the second area is determined as the log storage area in which the log is to be stored (S104, S105, S106).
When the free space in the log storage area is smaller than the amount of data in the log, the allocation ratio of the storage capacity to the log storage area is increased, and the log is stored in the log storage area (S202, S302, S306).
A log management program that causes the log management device to execute processing.