Abstract: An information processing device includes: a plurality of HIDS; a plurality of individual monitors each of which monitors an associated one of the plurality of HIDS; an integrated monitor that monitors each of the plurality of individual monitors; and a root monitor that monitors the integrated monitor. When the integrated monitor is compromised, the root monitor changes a monitoring target thereof from the integrated monitor to any of the plurality of individual monitors based on total monitoring information. When the integrated monitor is compromised, each of the plurality of individual monitors adds, to a monitoring target thereof, another individual monitor than the individual monitor based on the total monitoring information.

Abstract: A vehicle security device installed in a vehicle is provided. The vehicle includes: a first ECU including the vehicle security device; and a second ECU connected to the first ECU, which controls a device provided in the vehicle. The vehicle security device includes: a dynamic authorizer that performs, when an access request for access to an access destination in the vehicle is issued from an access source in the vehicle, an authorization determination; and a connection manager that outputs, when the access request is authorized, a log corresponding to the access request to a resource of the access destination. The connection manager includes: an obtainer that obtains the access request from the second ECU; a calculator that calculates a degree of risk in the second ECU based on the log; and a controller that controls an access volume to the dynamic authorizer according to the degree of risk.

Abstract: An anomaly detection device includes a processor and a non-transitory memory that stores a program. The processor executes the program to operate an anomaly detection device as an obtainer that obtains a first object detection result generated by a first object detection device that is included in a first apparatus which is a vehicle and detects an object in the vicinity of the first apparatus and a second object detection result generated by a second object detection device that is included in a second apparatus in the vicinity of the first apparatus and detects an object in the vicinity of the second apparatus; a determiner that determines whether at least one of the first apparatus or the second apparatus is being attacked, by comparing the first object detection result and the second object detection result; and an outputter that outputs a result of determination by the determiner.

Abstract: A server includes: an obtainer that obtains items of information including an item of frame information regarding a communication frame transmitted on an in-vehicle network of each of a plurality of vehicles; and a generator that generates an integrated rule that is suitable for the items of information obtained by the obtainer and is for anomaly detection processing in the in-vehicle network of one of the vehicles; and a provider that outputs the integrated rule generated by the generator. For example, the obtainer obtains condition information indicating a condition pertaining to each of the plurality of vehicles at a time when the communication frame is transmitted on the in-vehicle network, and the generator generates the integrated rule using the items of frame information associated with the condition information.

Abstract: An analysis support method is performed by an analysis support device that supports an analysis of an attack scenario in an event that has occurred in a monitored object, and the analysis is performed based on raw data related to the event. The analysis support method includes: obtaining the raw data by communicating with the monitored object or communicating with a database that stores the raw data obtained from the monitored object; and outputting a previous analysis result for previously obtained raw data that is similar to the raw data obtained.

Abstract: An information processing device includes: a log transmitter that transmits a monitoring log generated in the information processing device to an SOC (28); an HIDS monitor that verifies an integrity of the log transmitter; and a monitoring RoT that verifies an integrity of the HIDS monitor, and repeatedly outputs a heartbeat signal to the log transmitter. Each time the heartbeat signal is output from the monitoring RoT, the log transmitter transmits the heartbeat signal to the SOC. When the integrity of the log transmitter is anomalous, the HIDS monitor outputs, to the monitoring RoT, an output stop request signal for requesting the monitoring RoT to stop outputting the heartbeat signal. The monitoring RoT stops outputting the heartbeat signal based on the output stop request signal.

Abstract: An information processing system includes a pre-processor that obtains input data; a model processor that obtains output data by inputting the input data to part of a machine learning model, and outputs the output data; and a post-processor which obtains the output data from the model processor, and executes post-processing using the output data. The model processor obtains data indicating a feature as the output data, the data being data output from the part of the machine learning model for the input data and being obtained in the middle of the prediction performed by the data. The post-processor identifies the result of the prediction performed by the machine learning model by inputting the output data to a remaining part of the machine learning model, and executes post-processing on the result of the prediction.

Abstract: An information processing device includes: a log transmitter that transmits a monitoring log generated in the information processing device to an SOC (28); an HIDS monitor that verifies an integrity of the log transmitter; and a monitoring ROT that verifies an integrity of the HIDS monitor, and repeatedly outputs a heartbeat signal to the log transmitter. Each time the heartbeat signal is output from the monitoring ROT, the log transmitter transmits the heartbeat signal to the SOC. When the integrity of the log transmitter is anomalous, the HIDS monitor outputs, to the monitoring RoT, an output stop request signal for requesting the monitoring ROT to stop outputting the heartbeat signal. The monitoring RoT stops outputting the heartbeat signal based on the output stop request signal.

Abstract: In a security method according to one aspect of the present disclosure, when a fraudulent command is detected in an in-vehicle communication network, an electronic control unit (ECU) which can transmit a fraudulent command is specified, the specified ECU is caused to execute update of the software used by the specified ECU, and execution of update of the software by the specified ECU is prohibited after the update of the software is executed.

Abstract: An anomaly detection device is a device for detecting an anomaly in a mobile body and includes: a type determiner that determines a type of an anomaly detected; a type change determiner that determines whether or not a change has occurred between a type of an anomaly detected last time and a type of an anomaly detected this time; and an anomaly detection log transmitter that transmits an anomaly detection log related to the anomaly detected this time when the change has occurred, and does not transmit the anomaly detection log related to the anomaly detected this time when the change has not occurred.

Abstract: An attack path generation method according to the present disclosure is an attack path generation method executed by acquiring logs in devices connected to a network including at least one of a branch and a merge where each device has an attack detection function. The method includes: generating a primary-attack path without the branch and merge based on the acquired logs; generating a secondary-attack path branching from the primary-attack path or merging with the primary-attack path based on the logs; and outputting the generated primary-attack path and secondary-attack path to a device that performs attack-determination. The secondary-attack path is an attack path including an upstream or downstream device in which an event assumed to be an attack occurs within a certain period of time from an event assumed to be an attack on a device included in the primary-attack path and connected to the network merging/branching point.

Abstract: An information processing device includes: an obtainer that obtains, from an anomaly detection sensor that detects an anomaly in a network, a detection log related to the anomaly in the network and the detection time of the anomaly indicated in the detection log; an occurrence time determiner that determines the occurrence time of an attack on the network based on the obtained detection time, and records the determined occurrence time; and an end time determiner that determines the expected end time of the attack on the network based on the obtained detection log, and records the determined expected end time.

Abstract: An integrated monitoring apparatus is mounted on a vehicle. An evidence log collection unit that of the integrated monitoring apparatus starts collecting a log from an ECU mounted on the vehicle when a predetermined log collection start condition is met. A determination unit of the integrated monitoring apparatus determines whether the ECU is operating normally based on the log of the ECU collected. When the ECU is determined to be operating normally, the log collection unit of the integrated monitoring apparatus stops collecting the log from the ECU.

Abstract: An information processing device includes: an obtainer that obtains, from an anomaly detection sensor that detects an anomaly in a network, a detection log related to the anomaly in the network and the detection time of the anomaly indicated in the detection log; an occurrence time determiner that determines the occurrence time of an attack on the network based on the obtained detection time, and records the determined occurrence time; and an end time determiner that determines the expected end time of the attack on the network based on the obtained detection log, and records the determined expected end time.

Abstract: A log management module includes: an anomaly detection information receiver that receives anomaly detection information; a detection history information storage that stores detection history information; an attack route information storage that stores attack route information indicating a candidate for an attack route in the CAN bus; an attack route estimator that estimates an attack route including the specific device, based on the attack route information; and a collection target determiner that, upon receipt of the anomaly detection information by the anomaly detection information receiver, determines, as collection targets whose log information for analysis which is for analyzing presence or absence of an undetected anomaly in the CAN bus is to be collected, one or more candidate devices which have been narrowed down from the devices, are present on the attack route estimated by the attack route estimator, and have no history of anomaly detection.

Abstract: An anomaly detection device is a device for detecting an anomaly in a mobile body and includes: a type determiner that determines a type of an anomaly detected; a type change determiner that determines whether or not a change has occurred between a type of an anomaly detected last time and a type of an anomaly detected this time; and an anomaly detection log transmitter that transmits an anomaly detection log related to the anomaly detected this time when the change has occurred, and does not transmit the anomaly detection log related to the anomaly detected this time when the change has not occurred.

Abstract: An information processing device that detects an anomaly in an in-vehicle network provided in a vehicle includes: a local rule storage in which at least an individual rule which is a rule generated for the vehicle is stored; a global rule storage in which an integrated rule which is a rule generated for a plurality of vehicles including the vehicle is stored; and a processing unit that performs, using a rule stored in at least one of the local rule storage or the global rule storage, an anomaly detection process on a frame transmitted on the in-vehicle network.

Abstract: An electronic control device includes: an acquisition unit that acquires state information indicating at least one of a state of a movable body and a state of an external environment in which the movable body is moving, and a control instruction indicating at least one of a steering control instruction for steering the movable body and an acceleration control instruction for adjusting acceleration of the movable body; and a determining unit that determines whether the control instruction is a false control instruction based on the at least one state indicated by the state information acquired and control indicated by the control instruction acquired.

Abstract: An information processing device that detects an anomaly in an in-vehicle network provided in a vehicle includes: a local rule storage in which at least an individual rule which is a rule generated for the vehicle is stored; a global rule storage in which an integrated rule which is a rule generated for a plurality of vehicles including the vehicle is stored; and a processing unit that performs, using a rule stored in at least one of the local rule storage or the global rule storage, an anomaly detection process on a frame transmitted on the in-vehicle network.

Abstract: An electronic control apparatus includes: an obtaining unit configured to obtain data transmitted via a network in a system; and a judging unit configured to judge presence or absence of an anomaly in the data obtained by the obtaining unit, based on a transmission state of the data. The judging unit is configured to judge that an anomaly is present in the data, when the transmission state of the data is a transmission stopped state.