Abstract: A control apparatus is provided in a vehicle system logically divided into a plurality of partitions. The control apparatus includes: a semantic kernel (SK) that controls, based on a static policy, communication access between two partitions 64 among a plurality of partitions; a policy decision point (PDP) that controls the communication access between the two partitions based on a dynamic policy, and a policy enforcement point (PEP) that controls the communication access between the two partitions based on the control result of the PDP. When a predetermined condition is satisfied, the PEP forces the SK to use the dynamic policy instead of a part of the static policy.

Abstract: A management device includes: an obtainer that obtains, from a processing device, a log of operation performed by the processing device and verification data for certifying that the log is valid information; a verifier that performs verification of whether the log is valid information, based on the verification data obtained by the obtainer; and a controller that performs storage control for storing the log as an analysis log for analyzing an anomaly into a storage device, in accordance with a result of the verification performed by the verifier.

Abstract: An integrated ECU is a vehicle control system provided in a vehicle, and includes: an application executor that executes an application program; an environment state determiner that determines whether the application executor is anomalous; a first resource provider that provides a resource to be used for controlling the vehicle; and a first access controller that, upon acceptance of a request for the resource from the application program, (a) prohibits provision of the resource from the resource provider to the application program, when the environment state determiner determines that the application executor is anomalous, and (b) permits the provision of the resource from the resource provider to the application program, when the environment state determiner determines that the application executor is not anomalous.

Abstract: The monitoring system is a system that monitors a virtualization system, the system including: a VM monitor and a request monitor each of which has a different authority, monitors the virtualization system, and detects an anomaly; and a determiner that determines a state of the virtualization system based on monitoring results from the VM monitor and the request monitor.

Abstract: A communication protection system includes a receiver, a transfer destination determiner, an identifier, a determiner, an encryptor/decoder (encryptor), and a data transferer. The receiver receives communication data. The transfer destination determiner determines a transfer destination of the communication data. The identifier identifies an affiliation of the sending source of the communication data and that of a transfer destination of the communication data. The determiner determines whether to encode the communication data based on the affiliation of the sending source and that of the transfer destination which are identified. The encryptor/decoder outputs the communication data encoded when the determiner has determined to encode the communication data. The data transferer transfers the communication data to the transfer destination.

Abstract: An evaluation support system includes a threat concatenator that performs first association processing for concatenating at least part of threat analysis information with first evaluation specification information, the threat analysis information indicating a result of analysis of a threat to information security of an evaluation target device, the first evaluation specification information indicating one or more evaluation specifications of the evaluation target device; a vulnerability concatenator that performs second association processing for concatenating at least part of vulnerability analysis information with the first evaluation specification information, the vulnerability analysis information indicating a result of analysis of the vulnerability of the information security of the evaluation target device; and a re-definer that generates and outputs second evaluation specification information by re-defining, based on the first association processing and the second association processing, the one or mor

Abstract: A vehicle control system includes: a detector that detects an attack on an application; a vehicle state verifier that verifies a state of a vehicle when the detector detects the attack; an influence verifier that verifies, based on a verification result of the vehicle state verifier, an influence on the vehicle assuming operation of the application subjected to the attack is stopped; a determiner that determines, based on a verification result of the influence verifier, at least one of a response method for responding to the attack or a recovery method for recovering the application subjected to the attack; and a controller that executes at least one of the response method or the recovery method determined.

Abstract: Vehicle access control system is provided in a vehicle, and includes first access controller, second access controller, and third access controller. First access controller controls communication in a first area of a segment including a plurality of areas. Second access controller controls communication in a second area of the segment. Third access controller controls communication in a third area different from the first area and the second area and has a function to convert a communication protocol. First access controller causes the third area to relay a message transmitted from the first area to the second area.

Abstract: A method for verifying content data to be used in a vehicle is provided. The method includes acquiring content data, acquiring, from partial data divided from the content data, a respective plurality of first hash values, acquiring a signature generated by using the first hash values and a key, acquiring state information that indicates a state of a vehicle, determining an integer N that is greater than or equal to one based on the acquired state information, generating, from N pieces of partial data included in the partial data, respective second hash values, verifying the content data by using each of (a) a subset of the plurality of first hash values respectively generated from partial data other than the N pieces of partial data, (b) the second hash values, and (c) the signature, and outputting information that indicates a result of the verifying.

Abstract: An electronic control unit is connected to an in-vehicle network in an in-vehicle network system. The electronic control unit includes a first control circuit that operates on a first operating system and a second control circuit that operates on a second operating system. The first control circuit is connected to the network via the second control circuit. The first control circuit performs a first determination process on a frame that is transmitted to the in-vehicle network, and determines conformity of the frame with a first rule. The second control circuit performs a second determination process on the frame, that is received from the first control circuit, and determines conformity of the frame with a second rule. Upon determining that the frame conforms to the second rule, the second control circuit transmits the frame to the in-vehicle network.

Abstract: An electronic control unit is connected to a network in an in-vehicle network system. The electronic control unit includes a first control circuit that operates on a first operating system and a second control circuit that operates on a second operating system. The first control circuit is connected to the network via the second control circuit. The second control circuit performs a first determination process on frames to determine conformity of the frames with a first rule. Upon determining that the frames conform to the first rule, the second control circuit transmits contents of the frames to the first control circuit. The first control circuit performs a second determination process on the contents of the frames to determine conformity with a second rule. The second rule is different from the first rule.

Abstract: A vehicle security apparatus includes a primary dynamic authenticator and a connection manager that are provided in an ECU included in a vehicle, wherein when an access request from an access source in the vehicle to an access destination in the vehicle is received, the primary dynamic authenticator determines, based on reliability of an application installed in the access source determined based on at least one of a state of the application of the access source or a state of the vehicle, whether to cause a secondary dynamic authenticator included in a zone ECU connected to the access destination of the access request to execute authorization determination for the access request, and when it is determined to cause the secondary dynamic authenticator that corresponds to the access destination to execute the authorization determination, the connection manager outputs the access request to the zone ECU connected to the access destination.

Abstract: A monitoring device provided in an in-vehicle system included in a vehicle includes: a monitoring unit that detects a security anomaly in the in-vehicle system; an emergency system control device (emergency system control unit 58) that switches from a first operating mode to a second operating mode different from the first operating mode when the monitoring unit detects the security anomaly; and a normal system control device (normal system control unit) that switches from the second operating mode to the first operating mode in response to, after switching to the second operating mode, completion of an update of software for resolving the security anomaly in the in-vehicle system.

Abstract: An anomaly detection server is provided. The anomaly detection server is a server for counteracting an anomalous frame transmitted on an on-board network of a single vehicle. The anomaly detection server acquires information about multiple frames received on one or multiple on-board networks of one or multiple vehicles, including the single vehicle. The anomaly detection server, acting as an assessment unit that, based on the information about the multiple frames and information about a frame received on the on-board network of the single vehicle after the acquisition of the information about the multiple frames, assesses an anomaly level of the frame received on the on-board network of the single vehicle.

Abstract: A gateway device is connected to a plurality of electronic controllers on-board a vehicle. The gateway device acquires firmware update information, which includes at least a part of updated firmware to be applied to a first electronic controller, patch data, and information indicating where to apply the patch data. When the gateway device determines that the first electronic controller does not include a firmware cache for performing a pre-update firmware cache operation, the gateway device executes a proxy process. In this regard, the gateway device requests the first electronic controller to transmit boot ROM data to the gateway device, merges the patch data and existing firmware to create updated boot ROM data with updated firmware, and transmits the updated boot ROM data to the first electronic controller that updates the boot ROM data and resets the first electronic controller with the updated firmware.

Abstract: A vehicle security system includes: a primary dynamic authenticator disposed in an integrated electronic control unit (ECU) in the vehicle; and one or more connection managers. In the vehicle security system, when an access request for access to an access destination in the vehicle is made by an access source in the vehicle, the primary dynamic authenticator dynamically performs authentication of the access request based on a state of the vehicle, and causes a connection manager located on a communication path between the access source and the access destination, among the one or more connection managers, to control a connection between the access source and the access destination, based on a result of the authentication of the access request.

Abstract: A vehicle system is a vehicle system used for a vehicle, and includes: a plurality of in-vehicle apparatuses installed in the vehicle; and at least one of (i) a controller that, in accordance with a depth of penetration of a malicious attack carried out on the plurality of in-vehicle apparatuses, changes at least one of a communication method with an outside of the vehicle, a defense method against the malicious attack, or a storage method for logs pertaining to the plurality of in-vehicle apparatuses, or (ii) a determiner that determines whether or not the malicious attack is being carried out based on anomaly detection in the plurality of in-vehicle apparatuses.

Abstract: An anomaly detection server is provided. The anomaly detection server is a server for counteracting an anomalous frame transmitted on an on-board network of a single vehicle. The anomaly detection server acquires information about multiple frames received on one or multiple on-board networks of one or multiple vehicles, including the single vehicle. The anomaly detection server, acting as an assessment unit that, based on the information about the multiple frames and information about a frame received on the on-board network of the single vehicle after the acquisition of the information about the multiple frames, assesses an anomaly level of the frame received on the on-board network of the single vehicle.

Abstract: An electronic control unit is connected to a network in an in-vehicle network system. The electronic control unit includes a first control circuit that operates on a first operating system and a second control circuit that operates on a second operating system. The first control circuit is connected to the network via the second control circuit. The second control circuit performs a first determination process on frames to determine conformity of the frames with a first rule. Upon determining that the frames conform to the first rule, the second control circuit transmits contents of the frames to the first control circuit. The first control circuit performs a second determination process on the contents of the frames to determine conformity with a second rule. The second rule is different from the first rule.

Abstract: An anomaly detection server is provided. The anomaly detection server is a server for counteracting an anomalous frame transmitted on an on-board network of a single vehicle. The anomaly detection server acquires information about multiple frames received on one or multiple on-board networks of one or multiple vehicles, including the single vehicle. The anomaly detection server, acting as an assessment unit that, based on the information about the multiple frames and information about a frame received on the on-board network of the single vehicle after the acquisition of the information about the multiple frames, assesses an anomaly level of the frame received on the on-board network of the single vehicle.