Abstract: An anomaly detection server is provided. The anomaly detection server is a server for counteracting an anomalous frame transmitted on an on-board network of a single vehicle. The anomaly detection server acquires information about multiple frames received on one or multiple on-board networks of one or multiple vehicles, including the single vehicle. The anomaly detection server, acting as an assessment unit that, based on the information about the multiple frames and information about a frame received on the on-board network of the single vehicle after the acquisition of the information about the multiple frames, assesses an anomaly level of the frame received on the on-board network of the single vehicle.

Abstract: A key management method serves as an electronic control unit (ECU) in an onboard network system having a plurality of ECUs that perform communication by frames via a network. The method includes storing a shared key and executing encryption processing based on the shared key. The method further includes executing inspection of a security state of the shared key stored in a case where a vehicle is in at least one of the following particular states: the vehicle is not driving and is an accessory-on state; a fuel cap of the vehicle is open, and the vehicle is not driving and is fueling; the vehicle is parked, which is indicated by the gearshift; the vehicle is in a stopped state before driving, which is indicated by the gearshift; and a charging plug is connected to the vehicle, and the vehicle is electrically charging.

Abstract: A gateway connected to a bus, a bus, and the like used by a plurality of electronic control units for communication includes a frame communication unit that receives a frame, a transfer control unit that removes verification information used to verify a frame from the content of the frame received by the frame communication unit and transfers the frame to a destination bus or that adds verification information to the content of the frame and transfers the frame to the destination bus, and the like.

Abstract: An electronic control apparatus includes: an obtaining unit configured to obtain data transmitted via a network in a system; and a judging unit configured to judge presence or absence of an anomaly in the data obtained by the obtaining unit, based on a transmission state of the data. The judging unit is configured to judge that an anomaly is present in the data, when the transmission state of the data is a transmission stopped state.

Abstract: A frame transmission prevention apparatus connected to a network of a network system including a plurality of electronic control units communicating with one another via the network is provided. The apparatus includes a processor and a memory. The memory includes at least one set of instructions that causes the processor to perform processes when executed by the processor. The processes include receiving a first frame from the network and switching whether to perform a first process for preventing transmission of the first frame on the basis of management information indicating whether prevention of transmission of a frame is permitted if the first frame satisfies a first condition.

Abstract: A security apparatus includes a receiver that receives a frame front at least one network, a parameter storage that stores at least one examination parameter defining a content of an examination on a frame, and processing circuitry that performs operations. The operations include judging whether a predetermined condition is satisfied for the frame received by the receiver. When the predetermined condition is satisfied, updating the stored at least one examination parameter, and when the predetermined condition is not satisfied, not updating the stored at least one examination parameter. The operations also include executing an examination, based on the stored at least one examination parameter, as to whether the frame received by the receiver is an attack frame, and performing a process depending on a result of the execution of the examination such that an influence of an attack frame on at least one electronic control unit is suppressed.

Abstract: An electronic control unit is connected to a network in an in-vehicle network system. The electronic control unit includes a first control circuit and a second control circuit. The first control circuit is connected to the network via the second control circuit. The second control circuit performs a first determination process on a frame to determine conformity of the frame with a first rule. Upon determining that the frame conforms to the first rule, the second control circuit transmits the frame to the first control circuit. The first control circuit performs a second determination process on the frame to determine conformity of the frame with a second rule. The second rule is different from the first rule.

Abstract: An update management method is used in an onboard network system having a plurality of electronic control units (ECUs) that performs communication via a network and connects to an external tool. The method includes a master ECU storing a shared key and an expiration date of the shared key. When the master ECU receives an update message, verifying update authority information indicating authority of the external tool, and determining whether or not a transmission of the update message is within a range of an authority of the external tool. The method also includes acquiring external point-in-time information, determining whether or not the external point-in-time information is before the expiration date, and transmitting an alert message prompting an update of the shared key. The ECUs are prioritized according to a designated level of authority, including chassis-related functions, body-related functions, safety/comfort functions, and telematics/infotainment functions.

Abstract: An electronic control unit is connected to a network in an in-vehicle network system. The electronic control unit includes a first control circuit and a second control circuit. The first control circuit is connected to the network via the second control circuit. The second control circuit performs a first determination process on a frame to determine conformity of the frame with a first rule. Upon determining that the frame conforms to the first rule, the second control circuit transmits the frame to the first control circuit. The first control circuit performs a second determination process on the frame to determine conformity of the frame with a second rule. The second rule is different from the first rule.

Abstract: A master control device is communicatively coupled to a first slave control device and a second slave control device via a first network and a second network, respectively. The master control device provides output data to the first slave control device based on input data received from the second slave control device. A monitoring apparatus which monitors an operation of the master control device stores determination data indicating a correspondence relationship between the input data and the output data, obtains the input data provided to the second network by the second slave control device and the output data provided to the first slave control device via the first network, and determines a presence or an absence of an anomaly in the operation of the master control device by determining whether the input data and the output data correspond to the determination data.

Abstract: A vehicle system is a vehicle system used for a vehicle, and includes: a plurality of in-vehicle apparatuses installed in the vehicle; and at least one of (i) a controller that, in accordance with a depth of penetration of a malicious attack carried out on the plurality of in-vehicle apparatuses, changes at least one of a communication method with an outside of the vehicle, a defense method against the malicious attack, or a storage method for logs pertaining to the plurality of in-vehicle apparatuses, or (ii) a determiner that determines whether or not the malicious attack is being carried out based on anomaly detection in the plurality of in-vehicle apparatuses.

Abstract: A fraud detection electronic control unit is connected to an electronic control unit through an in-vehicle network system. The fraud detection electronic control unit includes a storage and a determination unit. The storage stores a first regulation for determining whether the frame transmitted from the electronic control unit is fraudulent. The determination unit determines whether the frame transmitted from the electronic control unit is fraudulent in pursuant to the first regulation. When a predetermined condition is satisfied, the storage acquires a second regulation retained by the electronic control unit and updates the stored first regulation.

Abstract: A gateway connected to a bus, a bus, and the like used by a plurality of electronic control units for communication includes a frame communication unit that receives a frame, a transfer control unit that removes verification information used to verify a frame from the content of the frame received by the frame communication unit and transfers the frame to a destination bus or that adds verification information to the content of the frame and transfers the frame to the destination bus, and the like.

Abstract: A security apparatus includes a receiver that receives a frame front at least one network, a parameter storage that stores at least one examination parameter defining a content of an examination on a frame, and processing circuitry that performs operations. The operations include judging whether a predetermined condition is satisfied for the frame received by the receiver. When the predetermined condition is satisfied, updating the stored at least one examination parameter, and when the predetermined condition is not satisfied, not updating the stored at least one examination parameter. The operations also include executing an examination, based on the stored at least one examination parameter, as to whether the frame received by the receiver is an attack frame, and performing a process depending on a result of the execution of the examination such that an influence of an attack frame on at least one electronic control unit is suppressed.

Abstract: An unauthorized activity detection method is provided in an onboard network system having multiple electronic units (ECU) that perform communication via a bus, such that an occurrence of an unauthorized state can be detected by monitoring frames transmitted over the bus. The unauthorized activity detection method determines, by a monitoring electronic control unit using unauthorized activity detection rule information indicating a first condition, whether or not a set of frames received from the bus satisfies the first condition. The first condition being a condition regarding a relation in content between a first frame having a first identifier and a second frame having a second identifier that differs from the first identifier. And the method further detects the occurrence of the unauthorized state in a case where the first condition is not satisfied.

Abstract: The monitoring device includes a receiver and a processor. The receiver receives a frame from a communication network. The processor performs a first determination that determines whether the frame is illegal based on a result of message authentication for the frame and a second determination that determines whether the frame is illegal based on a state of the frame and a predetermined rule. In addition, the processor executes, in accordance with a combination of a result of the first determination and a result of the second determination, at least one of processing for the frame, processing for a transmission source device of the frame, change of contents to be notified to an external device, and change of priority of notification to the external device.

Abstract: A gateway connected to a bus, a bus, and the like used by a plurality of electronic control units for communication includes a frame communication unit that receives a frame, a transfer control unit that removes verification information used to verify a frame from the content of the frame received by the frame communication unit and transfers the frame to a destination bus or that adds verification information to the content of the frame and transfers the frame to the destination bus, and the like.

Abstract: An evaluation device for evaluating security of an electronic control system in which a plurality of electronic control units are connected to a bus used for communication includes a recording medium that holds attack procedure information indicative of contents and a transmission order of a plurality of frames, a transmitter that transmits the plurality of frames to the bus in the transmission order indicated by the attack procedure information, a monitor that monitors an actuator unit controlled by any of the plurality of electronic control units, and an evaluator that makes the evaluation on basis of a monitoring result obtained by the monitor when the transmitter transmits the plurality of frames to the bus.

Abstract: A method for verifying content data to be used in a vehicle is provided. The method includes acquiring content data, acquiring, from partial data divided from the content data, a respective plurality of first hash values, acquiring a signature generated by using the first hash values and a key, acquiring state information that indicates a state of a vehicle, determining an integer N that is greater than or equal to one based on the acquired state information, generating, from N pieces of partial data included in the partial data, respective second hash values, verifying the content data by using each of (a) a subset of the plurality of first hash values respectively generated from partial data other than the N pieces of partial data, (b) the second hash values, and (c) the signature, and outputting information that indicates a result of the verifying.

Abstract: A gateway serving as a security apparatus connected to one or a plurality of buses includes a receiver that receives a frame from a bus, a parameter storage that stores an examination parameter defining a content of an examination of the frame, an updater configured to, in a case where a predetermined condition is satisfied for the frame received by the receiver, update the examination parameter stored in the parameter storage, and an examiner that performs an examination, based on the examination parameter stored in the parameter storage, in terms of judgment of whether or not the frame received by the receiver is an attack frame.