Abstract: A vehicle network system employing a controller area network protocol includes a bus, a first electronic control unit, and a second electronic control unit. The first electronic control unit transmits, via the bus, at least one data frame including an identifier relating to data used for a calculation for obtaining a message authentication code indicating authenticity of transmission content. The second electronic control unit receives the at least one data frame transmitted vis the bus and verifies the message authentication code in accordance with the identifier included in the at least one data frame.

Abstract: An authentication method is used by an automated driving system that includes a vehicle and an external device, the external device communicating with the vehicle to cause the vehicle to implement automated driving. The vehicle holds a first certificate that certifies validity of the vehicle. The external device holds a second certificate that certifies validity of the external device. The authentication method includes: validating a third certificate that certifies validity of a combination of the vehicle and the external device, in accordance with a result of device authentication performed between the vehicle and the external device by reference to the first certificate and the second certificate.

Abstract: An anomaly detection device (IDS ECU) includes a detection rule generator that monitors a communication establishment frame flowing over Ethernet in a communication establishment phase of service-oriented communication and that generates, for each communication ID, a detection rule including the communication ID written in the communication establishment frame and a server (or client) address written in the communication establishment frame; an anomaly detector that monitors a communication frame flowing over the Ethernet in a communication phase of the service-oriented communication and that, by referring to a detection rule that includes a communication ID written in the communication frame, detects the communication frame as an anomalous frame when a server (or client) address written in the communication frame differs from a server (or client) address included in the detection rule; and an anomaly notifier that provides a notification of an anomaly in response to the anomalous frame being detected.

Abstract: An anomaly detection server is provided. The anomaly detection server is a server for counteracting an anomalous frame transmitted on an on-board network of a single vehicle. The anomaly detection server acquires information about multiple frames received on one or multiple on-board networks of one or multiple vehicles, including the single vehicle. The anomaly detection server, acting as an assessment unit that, based on the information about the multiple frames and information about a frame received on the on-board network of the single vehicle after the acquisition of the information about the multiple frames, assesses an anomaly level of the frame received on the on-board network of the single vehicle.

Abstract: An electronic control unit is connected to a network in an in-vehicle network system. The electronic control unit includes a first control circuit and a second control circuit. The first control circuit is connected to the network via the second control circuit. The second control circuit performs a first determination process on a frame to determine conformity of the frame with a first rule. Upon determining that the frame conforms to the first rule, the second control circuit transmits the frame to the first control circuit. The first control circuit performs a second determination process on the frame to determine conformity of the frame with a second rule. The second rule is different from the first rule.

Abstract: A monitoring system is for monitoring a vehicle or a monitoring target that operates inside the vehicle, and the monitoring system includes: a reliability manager that manages reliability indicating a security protection state of the monitoring target, according to a vehicle event of the vehicle; and a function restrictor that places a restriction on at least a part of functions of the monitoring target, according to the reliability.

Abstract: A monitoring device includes three or more monitors each monitoring, as a monitoring target, at least one of software and a communication log. The three or more monitors include a first monitor operating with a first execution privilege, a second monitor operating with a second execution privilege having a reliability level lower than the first execution privilege, and a third monitor operating with a third execution privilege having a reliability level that is the same as the second execution privilege or that is lower than the second execution privilege. The first monitor monitors software of the second monitor, and at least one of the first monitor or the second monitor monitors software of the third monitor.

Abstract: An integrity verification device, in which software is executed by one of one or more electronic control units connected to an in-vehicle network system, includes: a verification schedule determiner that determines a verification timing at which to verify the integrity of the software; an integrity verifier that, for the software, determines, at the verification timing determined for the software, whether first integrity information, that is information for verifying the integrity of the software and that corresponds to at least part of the software corresponding to a verification scope, matches second integrity information, that is information calculated from at least part of the software at the verification timing, and determines that the integrity of the software is ensured when the first integrity information and the second integrity information match; and a verification priority determiner that determines a verification priority that affects determining of the verification timing or the verification scop

Abstract: A communication log aggregation device includes: a communicator that obtains flow information including one or more flow records and first statistical information for each flow from each of collection devices, the one or more flow records each including flow identification information included in a message received by at least one observer that is disposed in a control network system, the flow being classified based on the flow identification information, the collection devices each collecting the one or more flow records and the first statistical information for each flow from the message received by the observer; and a flow aggregator that generates aggregated flow information by performing at least one of the following: (i) selecting at least one of the one or more flow records, (ii) adding second statistical information, and (iii) deleting at least one of the one or more flow records, and outputs the aggregated flow information.

Abstract: An unauthorized frame detection device that can keep an unauthorized ECU from spoofing as a legitimate server or client while suppressing an overhead during communication is provided. The unauthorized frame detection device includes a plurality of communication ports corresponding to the respective of networks, a communication controller, and an unauthorized frame detector. The plurality of communication ports are each connected to a corresponding predetermined network among the plurality of networks and each transmit or receive a frame via the predetermined network. The unauthorized frame detector determines whether an identifier of a service, a type of the service, and port information that are each included in the frame match a permission rule set in advance and outputs a result of the determination.

Abstract: In an anti-fraud control system, a first error monitoring device includes a first frame transmitting and receiving unit that receives a frame flowing on the on-board network; and a first error detector that causes transmission of an error notification frame for notifying of an occurrence of an error in the frame when detecting the occurrence of the error in the frame received by the first frame transmitting and receiving unit. Each of second error monitoring devices includes: a second frame transmitting and receiving unit that receives the error notification frame; and a second error detector that regards, as a frame to be invalidated, the frame subjected to the error and included in the received error notification frame, and shifts the second error monitoring device to an invalidation mode for invalidating reception of subsequent frames, if no error is detected in an own branch with respect to the frame.

Abstract: A gateway device is connected to a plurality of electronic controllers on-board a vehicle. The gateway device acquires firmware update information, which includes at least a part of updated firmware to be applied to a first electronic controller, patch data, and information indicating where to apply the patch data. When the gateway device determines that the first electronic controller does not include a firmware cache for performing a pre-update firmware cache operation, the gateway device executes a proxy process. In this regard, the gateway device requests the first electronic controller to transmit boot ROM data to the gateway device, merges the patch data and existing firmware to create updated boot ROM data with updated firmware, and transmits the updated boot ROM data to the first electronic controller that updates the boot ROM data and resets the first electronic controller with the updated firmware.

Abstract: A fraud detecting method for use in an in-vehicle network system including a plurality of electronic control units that communicate with each other via a network includes detecting whether a state of a vehicle satisfies a first condition or a second condition, and switching, upon detecting that the state of the vehicle satisfies the first condition or the second condition, an operation mode of a second electronic control unit connected to the network. A first mode in which a first type of detecting process for detecting a fraudulent message in the network is performed is switched to a second mode in which the first type of detecting process is not performed upon detecting that the state of the vehicle satisfies the first condition. Moreover, the second mode is switched to the first mode upon detecting that the state of the vehicle satisfies the second condition.

Abstract: A gateway device is connected via network(s) to electronic controllers on-board a vehicle, where at least one of the electronic controllers is implemented in a virtual machine. The gateway device includes one or more memories, and circuitry that acquires firmware update information. The circuitry determines whether a first electronic controller satisfies a second condition based on second information, which is whether the first electronic controller includes a firmware cache for performing a pre-update firmware cache operation. The circuitry also causes, when the second condition is not satisfied, the gateway device to execute a proxy process, where the gateway device requests the first electronic controller to transmit boot ROM data to the gateway device, creates updated boot ROM data with the updated firmware, and transmits the updated boot ROM data to the first electronic controller that updates the boot ROM and resets the first electronic controller with the updated firmware.

Abstract: An anomaly handling method using a device installed outside of a vehicle is disclosed. The method includes receiving, from the vehicle, an anomaly detection notification, which includes level information indicating a level affecting safety, and a location of the vehicle. The method also includes obtaining a location of another vehicle and determining whether a distance between the location of the vehicle and the location of the other vehicle is within a predetermined range. When the distance is within the predetermined range and is shorter than a first predetermined distance, not changing the level information and transmitting the received anomaly detection information to the other vehicle. When the distance is within the predetermined range and is longer than or equal to the first predetermined distance, changing to decrement a level indicated by the level information, and transmitting changed anomaly detection information to the other vehicle.

Abstract: An anomalous vehicle detection server includes an anomaly score calculator that detects a suspicious behavior different from a predetermined driving behavior based on pieces of vehicle information that are received from a plurality of vehicles, respectively, and are each based on a vehicle log including the content of an event that has occurred in a vehicle system provided in the vehicle, and acquires an anomaly score of each of the plurality of vehicles that indicates a likelihood that reverse engineering is performed on the vehicle; and an anomalous vehicle determiner that determines whether one vehicle of the plurality of vehicles is an anomalous vehicle based on the anomaly score of the one vehicle and a statistical value of the anomaly scores of two or more vehicles of the plurality of vehicles.

Abstract: A fraud detecting method for use in an in-vehicle network system including a plurality of electronic control units that communicate with each other via a network includes detecting whether a state of a vehicle satisfies a first condition or a second condition, and switching, upon detecting that the state of the vehicle satisfies the first condition or the second condition, an operation mode of a fraud-sensing electronic control unit connected to the network between a first mode in which a first type of detecting process for detecting a fraudulent message in the network is performed and a second mode in which the first type of detecting process is not performed. Moreover, in the second mode, a second type of detecting process having a different degree to which a fraudulent message is detectible than the first type of detecting process is performed.

Abstract: A service broker that is connected to each of a server unit and a client unit in a service offer system for offering a service from the server unit to the client unit by way of a service oriented communication includes: a communication controller that receives a frame for use in offer of the service, from the server unit or the client unit; and a service manager that determines whether a combination of a service identifier included in the frame received by the communication controller, an identifier indicating one of a transmission source and a destination of the frame, and a type of the frame is appropriate, and provides output of a result of the determination.

Abstract: A key management method serves as an electronic control unit (ECU) in an onboard network system having a plurality of ECUs that perform communication by frames via a network. The method includes storing, in a first-type ECU, a shared key to be mutually shared with second-type ECUs, and executing encryption processing regarding a framed transmitted or received via the network, based on the shared key. The method further includes executing, by the first-type ECU, inspection of a security state of the shared key stored by the second type ECUs in a case where a vehicle is in at least one of the following particular states, including immediately after the vehicle is not driving and is entering the accessory-on state, immediately after the vehicle is not driving and the vehicle is entering the accessory-off state, and immediately after the vehicle engine is started.

Abstract: An anomaly detecting device includes a flow collector that collects an amount of flow communication traffic in each of two or more networks in an in-vehicle network system that including the two or more networks, the amount of flow communication traffic being information obtained by tallying an amount of communication traffic of one or more frames classified according to a predetermined rule that is based on header information of a network protocol; and an anomaly detector that calculates, based on the amount of flow communication traffic, an observed ratio indicating a ratio of respective amounts of communication traffic in the two or more networks and determines whether the two or more networks are anomalous based on the observed ratio calculated and a normal ratio indicating a ratio of respective amounts of communication traffic in the two or more networks in a normal state.