Abstract: A vehicle network system employing a controller area network protocol includes a bus, a first electronic control unit, and a second electronic control unit. The first electronic control unit transmits, via the bus, at least one data frame including an identifier relating to data used for a calculation for obtaining a message authentication code indicating authenticity of transmission content. The second electronic control unit receives the at least one data frame transmitted vis the bus and verifies the message authentication code in accordance with the identifier included in the at least one data frame.

Abstract: An anomaly detection device (IDS ECU) includes a detection rule generator that monitors a communication establishment frame flowing over Ethernet in a communication establishment phase of service-oriented communication and that generates, for each communication ID, a detection rule including the communication ID written in the communication establishment frame and a server (or client) address written in the communication establishment frame; an anomaly detector that monitors a communication frame flowing over the Ethernet in a communication phase of the service-oriented communication and that, by referring to a detection rule that includes a communication ID written in the communication frame, detects the communication frame as an anomalous frame when a server (or client) address written in the communication frame differs from a server (or client) address included in the detection rule; and an anomaly notifier that provides a notification of an anomaly in response to the anomalous frame being detected.

Abstract: An anomaly detection server is provided. The anomaly detection server is a server for counteracting an anomalous frame transmitted on an on-board network of a single vehicle. The anomaly detection server acquires information about multiple frames received on one or multiple on-board networks of one or multiple vehicles, including the single vehicle. The anomaly detection server, acting as an assessment unit that, based on the information about the multiple frames and information about a frame received on the on-board network of the single vehicle after the acquisition of the information about the multiple frames, assesses an anomaly level of the frame received on the on-board network of the single vehicle.

Abstract: In an anomaly detection method that determines whether each frame in observation data constituted by a collection of frames sent and received over a communication network system is anomalous, a difference between a data distribution of a feature amount extracted from the frame in the observation data and a data distribution for a collection of frames sent and received over the communication network system, obtained at a different timing from the observation data, is calculated. A frame having a feature amount for which the difference is predetermined value or higher is determined to be an anomalous frame. An anomaly contribution level of feature amounts extracted from the frame determined to be an anomalous frame is calculated, and an anomalous payload part, which is at least one part of the payload corresponding to the feature amount for which the anomaly contribution level is at least the predetermined value, is output.

Abstract: An electronic control unit is connected to a network in an in-vehicle network system. The electronic control unit includes a first control circuit and a second control circuit. The first control circuit is connected to the network via the second control circuit. The second control circuit performs a first determination process on a frame to determine conformity of the frame with a first rule. Upon determining that the frame conforms to the first rule, the second control circuit transmits the frame to the first control circuit. The first control circuit performs a second determination process on the frame to determine conformity of the frame with a second rule. The second rule is different from the first rule.

Abstract: An integrity verification device, in which software is executed by one of one or more electronic control units connected to an in-vehicle network system, includes: a verification schedule determiner that determines a verification timing at which to verify the integrity of the software; an integrity verifier that, for the software, determines, at the verification timing determined for the software, whether first integrity information, that is information for verifying the integrity of the software and that corresponds to at least part of the software corresponding to a verification scope, matches second integrity information, that is information calculated from at least part of the software at the verification timing, and determines that the integrity of the software is ensured when the first integrity information and the second integrity information match; and a verification priority determiner that determines a verification priority that affects determining of the verification timing or the verification scop

Abstract: A monitoring system is for monitoring a vehicle or a monitoring target that operates inside the vehicle, and the monitoring system includes: a reliability manager that manages reliability indicating a security protection state of the monitoring target, according to a vehicle event of the vehicle; and a function restrictor that places a restriction on at least a part of functions of the monitoring target, according to the reliability.

Abstract: A monitoring device includes three or more monitors each monitoring, as a monitoring target, at least one of software and a communication log. The three or more monitors include a first monitor operating with a first execution privilege, a second monitor operating with a second execution privilege having a reliability level lower than the first execution privilege, and a third monitor operating with a third execution privilege having a reliability level that is the same as the second execution privilege or that is lower than the second execution privilege. The first monitor monitors software of the second monitor, and at least one of the first monitor or the second monitor monitors software of the third monitor.

Abstract: A communication log aggregation device includes: a communicator that obtains flow information including one or more flow records and first statistical information for each flow from each of collection devices, the one or more flow records each including flow identification information included in a message received by at least one observer that is disposed in a control network system, the flow being classified based on the flow identification information, the collection devices each collecting the one or more flow records and the first statistical information for each flow from the message received by the observer; and a flow aggregator that generates aggregated flow information by performing at least one of the following: (i) selecting at least one of the one or more flow records, (ii) adding second statistical information, and (iii) deleting at least one of the one or more flow records, and outputs the aggregated flow information.

Abstract: An unauthorized frame detection device that can keep an unauthorized ECU from spoofing as a legitimate server or client while suppressing an overhead during communication is provided. The unauthorized frame detection device includes a plurality of communication ports corresponding to the respective of networks, a communication controller, and an unauthorized frame detector. The plurality of communication ports are each connected to a corresponding predetermined network among the plurality of networks and each transmit or receive a frame via the predetermined network. The unauthorized frame detector determines whether an identifier of a service, a type of the service, and port information that are each included in the frame match a permission rule set in advance and outputs a result of the determination.

Abstract: A gateway that notifies a fraud detection server located outside a vehicle of information about an in-vehicle network system including an in-vehicle network includes: a priority determiner that determines a priority using at least one of: a state of the vehicle including the in-vehicle network system; an identifier of a message communicated on the in-vehicle network; and a result of fraud detection performed on the message; a frame transmitter-receiver that transmits and receives the message communicated on the in-vehicle network; a frame interpreter that extracts information about the in-vehicle network based on the message received by the frame transmitter-receiver; and a frame uploader that notifies the fraud detection server of notification information including the priority and the information about the in-vehicle network.

Abstract: In an anti-fraud control system, a first error monitoring device includes a first frame transmitting and receiving unit that receives a frame flowing on the on-board network; and a first error detector that causes transmission of an error notification frame for notifying of an occurrence of an error in the frame when detecting the occurrence of the error in the frame received by the first frame transmitting and receiving unit. Each of second error monitoring devices includes: a second frame transmitting and receiving unit that receives the error notification frame; and a second error detector that regards, as a frame to be invalidated, the frame subjected to the error and included in the received error notification frame, and shifts the second error monitoring device to an invalidation mode for invalidating reception of subsequent frames, if no error is detected in an own branch with respect to the frame.

Abstract: A gateway device is connected to a plurality of electronic controllers on-board a vehicle. The gateway device acquires firmware update information, which includes at least a part of updated firmware to be applied to a first electronic controller, patch data, and information indicating where to apply the patch data. When the gateway device determines that the first electronic controller does not include a firmware cache for performing a pre-update firmware cache operation, the gateway device executes a proxy process. In this regard, the gateway device requests the first electronic controller to transmit boot ROM data to the gateway device, merges the patch data and existing firmware to create updated boot ROM data with updated firmware, and transmits the updated boot ROM data to the first electronic controller that updates the boot ROM data and resets the first electronic controller with the updated firmware.

Abstract: An intrusion point identification device includes: a threat information collector that collects and stores threat information including identification information identifying a moving body, route information indicating a route through which the threat has intruded into the moving body, and discovery information indicating a discovery date of an attack; a vehicle log collector that collects logs, extracts, from the logs, histories of points that indicate locations of one or more moving bodies within a predetermined period, and stores the histories of the points as history information, the logs indicating points that indicate locations of the one or more moving bodies, the predetermined period being set based on the discovery information; an intrusion point identification unit that identifies an intrusion point of the threat from a first attack source through a first route among the points indicated in the history information; and an intrusion point notifier that outputs the intrusion point.

Abstract: A fraud detecting method for use in an in-vehicle network system including a plurality of electronic control units that communicate with each other via a network includes detecting whether a state of a vehicle satisfies a first condition or a second condition, and switching, upon detecting that the state of the vehicle satisfies the first condition or the second condition, an operation mode of a second electronic control unit connected to the network. A first mode in which a first type of detecting process for detecting a fraudulent message in the network is performed is switched to a second mode in which the first type of detecting process is not performed upon detecting that the state of the vehicle satisfies the first condition. Moreover, the second mode is switched to the first mode upon detecting that the state of the vehicle satisfies the second condition.

Abstract: A vehicle monitoring apparatus includes: a first communicator that receives specifying information for specifying a target vehicle from a server; and an acquirer that acquires driving information from the target vehicle, the driving information being information regarding driving of the target vehicle specified by the specifying information received by the first communicator. The first communicator transmits the driving information acquired by the acquirer to the server. For example, the acquirer may acquire the driving information obtained from the target vehicle through communication.

Abstract: A gateway device is connected via network(s) to electronic controllers on-board a vehicle, where at least one of the electronic controllers is implemented in a virtual machine. The gateway device includes one or more memories, and circuitry that acquires firmware update information. The circuitry determines whether a first electronic controller satisfies a second condition based on second information, which is whether the first electronic controller includes a firmware cache for performing a pre-update firmware cache operation. The circuitry also causes, when the second condition is not satisfied, the gateway device to execute a proxy process, where the gateway device requests the first electronic controller to transmit boot ROM data to the gateway device, creates updated boot ROM data with the updated firmware, and transmits the updated boot ROM data to the first electronic controller that updates the boot ROM and resets the first electronic controller with the updated firmware.

Abstract: A log generation method for generating a log of communication on an in-vehicle network includes: performing a plurality of determination processes for determining, by using different methods, whether or not a message sent to the in-vehicle network is anomalous; generating a log in accordance with results of the plurality of determination processes; and transmitting the generated log. In the generating, information items to be included in the log are determined in accordance with a combination of the results of the plurality of determination processes so that the log does not include identical information items.

Abstract: A gateway that notifies a fraud detection server located outside a vehicle of information about an in-vehicle network system including an in-vehicle network includes: a priority determiner that determines a priority using at least one of: a state of the vehicle including the in-vehicle network system; an identifier of a message communicated on the in-vehicle network; and a result of fraud detection performed on the message; a frame transmitter-receiver that transmits and receives the message communicated on the in-vehicle network; a frame interpreter that extracts information about the in-vehicle network based on the message received by the frame transmitter-receiver; and a frame uploader that notifies the fraud detection server of notification information including the priority and the information about the in-vehicle network.

Abstract: An anomalous vehicle detection server includes an anomaly score calculator that detects a suspicious behavior different from a predetermined driving behavior based on pieces of vehicle information that are received from a plurality of vehicles, respectively, and are each based on a vehicle log including the content of an event that has occurred in a vehicle system provided in the vehicle, and acquires an anomaly score of each of the plurality of vehicles that indicates a likelihood that reverse engineering is performed on the vehicle; and an anomalous vehicle determiner that determines whether one vehicle of the plurality of vehicles is an anomalous vehicle based on the anomaly score of the one vehicle and a statistical value of the anomaly scores of two or more vehicles of the plurality of vehicles.