Abstract: An electronic control unit is connected to a network in an in-vehicle network system. The electronic control unit includes a first control circuit that operates on a first operating system and a second control circuit that operates on a second operating system. The first control circuit is connected to the network via the second control circuit. The second control circuit performs a first determination process on frames to determine conformity of the frames with a first rule. Upon determining that the frames conform to the first rule, the second control circuit transmits contents of the frames to the first control circuit. The first control circuit performs a second determination process on the contents of the frames to determine conformity with a second rule. The second rule is different from the first rule.

Abstract: A vehicle security apparatus includes a primary dynamic authenticator and a connection manager that are provided in an ECU included in a vehicle, wherein when an access request from an access source in the vehicle to an access destination in the vehicle is received, the primary dynamic authenticator determines, based on reliability of an application installed in the access source determined based on at least one of a state of the application of the access source or a state of the vehicle, whether to cause a secondary dynamic authenticator included in a zone ECU connected to the access destination of the access request to execute authorization determination for the access request, and when it is determined to cause the secondary dynamic authenticator that corresponds to the access destination to execute the authorization determination, the connection manager outputs the access request to the zone ECU connected to the access destination.

Abstract: A monitoring device provided in an in-vehicle system included in a vehicle includes: a monitoring unit that detects a security anomaly in the in-vehicle system; an emergency system control device (emergency system control unit 58) that switches from a first operating mode to a second operating mode different from the first operating mode when the monitoring unit detects the security anomaly; and a normal system control device (normal system control unit) that switches from the second operating mode to the first operating mode in response to, after switching to the second operating mode, completion of an update of software for resolving the security anomaly in the in-vehicle system.

Abstract: An anomaly detection server is provided. The anomaly detection server is a server for counteracting an anomalous frame transmitted on an on-board network of a single vehicle. The anomaly detection server acquires information about multiple frames received on one or multiple on-board networks of one or multiple vehicles, including the single vehicle. The anomaly detection server, acting as an assessment unit that, based on the information about the multiple frames and information about a frame received on the on-board network of the single vehicle after the acquisition of the information about the multiple frames, assesses an anomaly level of the frame received on the on-board network of the single vehicle.

Abstract: A gateway device is connected to a plurality of electronic controllers on-board a vehicle. The gateway device acquires firmware update information, which includes at least a part of updated firmware to be applied to a first electronic controller, patch data, and information indicating where to apply the patch data. When the gateway device determines that the first electronic controller does not include a firmware cache for performing a pre-update firmware cache operation, the gateway device executes a proxy process. In this regard, the gateway device requests the first electronic controller to transmit boot ROM data to the gateway device, merges the patch data and existing firmware to create updated boot ROM data with updated firmware, and transmits the updated boot ROM data to the first electronic controller that updates the boot ROM data and resets the first electronic controller with the updated firmware.

Abstract: A vehicle security system includes: a primary dynamic authenticator disposed in an integrated electronic control unit (ECU) in the vehicle; and one or more connection managers. In the vehicle security system, when an access request for access to an access destination in the vehicle is made by an access source in the vehicle, the primary dynamic authenticator dynamically performs authentication of the access request based on a state of the vehicle, and causes a connection manager located on a communication path between the access source and the access destination, among the one or more connection managers, to control a connection between the access source and the access destination, based on a result of the authentication of the access request.

Abstract: A vehicle system is a vehicle system used for a vehicle, and includes: a plurality of in-vehicle apparatuses installed in the vehicle; and at least one of (i) a controller that, in accordance with a depth of penetration of a malicious attack carried out on the plurality of in-vehicle apparatuses, changes at least one of a communication method with an outside of the vehicle, a defense method against the malicious attack, or a storage method for logs pertaining to the plurality of in-vehicle apparatuses, or (ii) a determiner that determines whether or not the malicious attack is being carried out based on anomaly detection in the plurality of in-vehicle apparatuses.

Abstract: An anomaly detection server is provided. The anomaly detection server is a server for counteracting an anomalous frame transmitted on an on-board network of a single vehicle. The anomaly detection server acquires information about multiple frames received on one or multiple on-board networks of one or multiple vehicles, including the single vehicle. The anomaly detection server, acting as an assessment unit that, based on the information about the multiple frames and information about a frame received on the on-board network of the single vehicle after the acquisition of the information about the multiple frames, assesses an anomaly level of the frame received on the on-board network of the single vehicle.

Abstract: An electronic control unit is connected to a network in an in-vehicle network system. The electronic control unit includes a first control circuit that operates on a first operating system and a second control circuit that operates on a second operating system. The first control circuit is connected to the network via the second control circuit. The second control circuit performs a first determination process on frames to determine conformity of the frames with a first rule. Upon determining that the frames conform to the first rule, the second control circuit transmits contents of the frames to the first control circuit. The first control circuit performs a second determination process on the contents of the frames to determine conformity with a second rule. The second rule is different from the first rule.

Abstract: An anomaly detection server is provided. The anomaly detection server is a server for counteracting an anomalous frame transmitted on an on-board network of a single vehicle. The anomaly detection server acquires information about multiple frames received on one or multiple on-board networks of one or multiple vehicles, including the single vehicle. The anomaly detection server, acting as an assessment unit that, based on the information about the multiple frames and information about a frame received on the on-board network of the single vehicle after the acquisition of the information about the multiple frames, assesses an anomaly level of the frame received on the on-board network of the single vehicle.

Abstract: An electronic control unit is connected to a network in an in-vehicle network system. The electronic control unit includes a first control circuit and a second control circuit. The first control circuit is connected to the network via the second control circuit. The second control circuit performs a first determination process on a frame to determine conformity of the frame with a first rule. Upon determining that the frame conforms to the first rule, the second control circuit transmits the frame to the first control circuit. The first control circuit performs a second determination process on the frame to determine conformity of the frame with a second rule. The second rule is different from the first rule.

Abstract: A monitoring device includes three or more monitors each monitoring, as a monitoring target, at least one of software and a communication log. The three or more monitors include a first monitor operating with a first execution privilege, a second monitor operating with a second execution privilege having a reliability level lower than the first execution privilege, and a third monitor operating with a third execution privilege having a reliability level that is the same as the second execution privilege or that is lower than the second execution privilege. The first monitor monitors software of the second monitor, and at least one of the first monitor or the second monitor monitors software of the third monitor.

Abstract: A gateway device is connected to a plurality of electronic controllers on-board a vehicle. The gateway device acquires firmware update information, which includes at least a part of updated firmware to be applied to a first electronic controller, patch data, and information indicating where to apply the patch data. When the gateway device determines that the first electronic controller does not include a firmware cache for performing a pre-update firmware cache operation, the gateway device executes a proxy process. In this regard, the gateway device requests the first electronic controller to transmit boot ROM data to the gateway device, merges the patch data and existing firmware to create updated boot ROM data with updated firmware, and transmits the updated boot ROM data to the first electronic controller that updates the boot ROM data and resets the first electronic controller with the updated firmware.

Abstract: An ECU (Electronic Control Unit) includes a HV (HyperVisor), and a first VM (Virtual Machine) and a second VM that operate on the HV. The first VM detects an abnormality in a process in the first VM. When the first VM detects an abnormality, the first VM notifies the second VM of information related to the abnormality via the HV. The second VM executes a process responsive to the abnormality, based on the information related to the abnormality provided from the first VM.

Abstract: A gateway device is connected via network(s) to electronic controllers on-board a vehicle, where at least one of the electronic controllers is implemented in a virtual machine. The gateway device includes one or more memories, and circuitry that acquires firmware update information. The circuitry determines whether a first electronic controller satisfies a second condition based on second information, which is whether the first electronic controller includes a firmware cache for performing a pre-update firmware cache operation. The circuitry also causes, when the second condition is not satisfied, the gateway device to execute a proxy process, where the gateway device requests the first electronic controller to transmit boot ROM data to the gateway device, creates updated boot ROM data with the updated firmware, and transmits the updated boot ROM data to the first electronic controller that updates the boot ROM and resets the first electronic controller with the updated firmware.

Abstract: The monitoring system is a system that monitors a virtualization system, the system including: a VM monitor and a request monitor each of which has a different authority, monitors the virtualization system, and detects an anomaly; and a determiner that determines a state of the virtualization system based on monitoring results from the VM monitor and the request monitor.

Abstract: A log generation method for generating a log of communication on an in-vehicle network includes: performing a plurality of determination processes for determining, by using different methods, whether or not a message sent to the in-vehicle network is anomalous; generating a log in accordance with results of the plurality of determination processes; and transmitting the generated log. In the generating, information items to be included in the log are determined in accordance with a combination of the results of the plurality of determination processes so that the log does not include identical information items.

Abstract: An integrated ECU is a vehicle control system provided in a vehicle, and includes: an application executor that executes an application program; an environment state determiner that determines whether the application executor is anomalous; a first resource provider that provides a resource to be used for controlling the vehicle; and a first access controller that, upon acceptance of a request for the resource from the application program, (a) prohibits provision of the resource from the resource provider to the application program, when the environment state determiner determines that the application executor is anomalous, and (b) permits the provision of the resource from the resource provider to the application program, when the environment state determiner determines that the application executor is not anomalous.

Abstract: A vehicle control system includes: a detector that detects an attack on an application; a vehicle state verifier that verifies a state of a vehicle when the detector detects the attack; an influence verifier that verifies, based on a verification result of the vehicle state verifier, an influence on the vehicle assuming operation of the application subjected to the attack is stopped; a determiner that determines, based on a verification result of the influence verifier, at least one of a response method for responding to the attack or a recovery method for recovering the application subjected to the attack; and a controller that executes at least one of the response method or the recovery method determined.

Abstract: A key management method serves as an electronic control unit (ECU) in an onboard network system having a plurality of ECUs that perform communication by frames via a network. The method includes storing, in a first-type ECU, a shared key to be mutually shared with second-type ECUs, and executing encryption processing regarding a framed transmitted or received via the network, based on the shared key. The method further includes executing, by the first-type ECU, inspection of a security state of the shared key stored by the second type ECUs in a case where a vehicle is in at least one of the following particular states, including immediately after the vehicle is not driving and is entering the accessory-on state, immediately after the vehicle is not driving and the vehicle is entering the accessory-off state, and immediately after the vehicle engine is started.