Abstract: A monitoring device includes three or more monitors each monitoring, as a monitoring target, at least one of software and a communication log. The three or more monitors include a first monitor operating with a first execution privilege, a second monitor operating with a second execution privilege having a reliability level lower than the first execution privilege, and a third monitor operating with a third execution privilege having a reliability level that is the same as the second execution privilege or that is lower than the second execution privilege. The first monitor monitors software of the second monitor, and at least one of the first monitor or the second monitor monitors software of the third monitor.

Abstract: In an anomaly determination method for determining an anomaly in a received message, a plurality of messages which include messages that are periodic and each of which includes a first field having a fixed value and a second field having a variable value are each received as the received message, and one of a plurality of combinations to be used for determination each of which includes at least one of a plurality of anomaly determinations including an anomaly determination utilizing a reception timing based on the periodicity or the number of received messages, an anomaly determination utilizing the first field, and an anomaly determination utilizing the second field, is selected according to one or more criteria among available execution time of the anomaly determination method, a load amount, a data amount, and the number of messages.

Abstract: An ECU (Electronic Control Unit) includes a HV (HyperVisor), and a first VM (Virtual Machine) and a second VM that operate on the HV. The first VM detects an abnormality in a process in the first VM. When the first VM detects an abnormality, the first VM notifies the second VM of information related to the abnormality via the HV. The second VM executes a process responsive to the abnormality, based on the information related to the abnormality provided from the first VM.

Abstract: In an anomaly determination method for determining an anomaly in a received message, a plurality of messages which include messages that are periodic and each of which includes a first field having a fixed value and a second field having a variable value are each received as the received message, and one of a plurality of combinations to be used for determination each of which includes at least one of a plurality of anomaly determinations including an anomaly determination utilizing a reception timing based on the periodicity or the number of received messages, an anomaly determination utilizing the first field, and an anomaly determination utilizing the second field, is selected according to one or more criteria among available execution time of the anomaly determination method, a load amount, a data amount, and the number of messages.

Abstract: The monitoring system is a system that monitors a virtualization system, the system including: a VM monitor and a request monitor each of which has a different authority, monitors the virtualization system, and detects an anomaly; and a determiner that determines a state of the virtualization system based on monitoring results from the VM monitor and the request monitor.

Abstract: An information processing device includes a guest OS and a host OS that accesses a sector group in response to an access request from the guest OS. The host OS includes: an access log analyzer that generates, by reference to a sector-group database, a sector-group access log from the access request; a sector-group access determiner that determines, based on the sector-group access log, whether the access request seeks to access the sector group related to an application; and a manager that updates, based on a developer definition policy, a sector-group access rule database and the sector-group database if it is determined that the access request seeks to access the sector group and the guest OS makes a change to an application storage area.

Abstract: An information processing device includes: a guest OS; a host OS that accesses a sector group stored in an external storage device in response to an access request from the guest OS; a virtualization control system that is executed on a hardware and controls execution of the guest OS and the host OS. The host OS includes: a back-end device driver that obtains the access request from the guest OS; and a sector group access determiner that determines whether or not the access request is anomalous, based on a sector group access rule database indicating a rule for accessing the sector group stored in the external storage device.

Abstract: An information processing device includes: a storage that stores determination criterion information indicating a determination criterion for determining whether or not a behavior of an application operating on a device provided to a vehicle is normal; and a detector that obtains behavior information indicating the behavior of the application, and detects an anomaly in the behavior of the application, based on (i) state information that indicates a state of the mobility and is obtained via the mobility network and (ii) the behavior information obtained and the determination criterion information stored in the storage.

Abstract: In an anomaly determination method for determining an anomaly in a received message, a plurality of messages which include messages that are periodic and each of which includes a first field having a fixed value and a second field having a variable value are each received as the received message, and one of a plurality of combinations to be used for determination each of which includes at least one of a plurality of anomaly determinations including an anomaly determination utilizing a reception timing based on the periodicity or the number of received messages, an anomaly determination utilizing the first field, and an anomaly determination utilizing the second field, is selected according to one or more criteria among available execution time of the anomaly determination method, a load amount, a data amount, and the number of messages.

Abstract: In an anomaly determination method for determining an anomaly in a received message, a plurality of messages which include messages that are periodic and each of which includes a first field having a fixed value and a second field having a variable value are each received as the received message, and one of a plurality of combinations to be used for determination each of which includes at least one of a plurality of anomaly determinations including an anomaly determination utilizing a reception timing based on the periodicity or the number of received messages, an anomaly determination utilizing the first field, and an anomaly determination utilizing the second field, is selected according to one or more criteria among available execution time of the anomaly determination method, a load amount, a data amount, and the number of messages.

Abstract: In an ECU, virtualization software operates a first virtual machine (VM) and a second VM. A transfer unit of the second VM acknowledges communication data transmitted from the first VM and destined to the second VM. A transfer unit generates a parameter related to communication between the VMs, based on the communication data acknowledged. A detection unit of the second VM detects abnormal communication, based on the parameter generated by the transfer unit.

Abstract: An information processing device includes: a storage that stores determination criterion information indicating a determination criterion for determining whether or not a behavior of an application operating on a device provided to a vehicle is normal; and a detector that obtains behavior information indicating the behavior of the application, and detects an anomaly in the behavior of the application, based on (i) state information that indicates a state of the mobility and is obtained via the mobility network and (ii) the behavior information obtained and the determination criterion information stored in the storage.

Abstract: An information processing apparatus includes: a communication device that communicates with an external apparatus outside the information processing apparatus; a memory that includes a protected region and an unprotected region; a processor that operates in a first mode and a second mode, the first mode being a mode in which access to the protected region and access to the unprotected region are allowed, the second mode being a mode in which access to the protected region is prohibited and access to the unprotected region is allowed; a first device controller that controls the communication device by the processor operating in the first mode; a virtual machine manager that causes one or more virtual machines to operate by the processor operating in the second mode; and a second device controller that controls the communication device by the processor operating in the second mode.

Abstract: An analysis ECU acquires information related to a first flow and information related to a second flow, the first flow and the second flow organizing packets transferred in a monitored system into respective groups. The analysis ECU acquires information related to a conversion that takes the first flow as input and the second flow as output. The analysis ECU acknowledges alert information generated in the monitored system and including information capable of identifying at least one flow. The analysis ECU generates, when the second flow is identified by the alert information, route information that includes at least one of the information related to the conversion and the information related to the first flow associated with the second flow in the information related to the conversion.

Abstract: In an anomaly determination method for determining an anomaly in a received message, a plurality of messages which include messages that are periodic and each of which includes a first field having a fixed value and a second field having a variable value are each received as the received message, and one of a plurality of combinations to be used for determination each of which includes at least one of a plurality of anomaly determinations including an anomaly determination utilizing a reception timing based on the periodicity or the number of received messages, an anomaly determination utilizing the first field, and an anomaly determination utilizing the second field, is selected according to one or more criteria among available execution time of the anomaly determination method, a load amount, a data amount, and the number of messages.

Abstract: A vehicle system is a vehicle system used for a vehicle, and includes: a plurality of in-vehicle apparatuses installed in the vehicle; and at least one of (i) a controller that, in accordance with a depth of penetration of a malicious attack carried out on the plurality of in-vehicle apparatuses, changes at least one of a communication method with an outside of the vehicle, a defense method against the malicious attack, or a storage method for logs pertaining to the plurality of in-vehicle apparatuses, or (ii) a determiner that determines whether or not the malicious attack is being carried out based on anomaly detection in the plurality of in-vehicle apparatuses.

Abstract: An analysis ECU acquires information related to a first flow and information related to a second flow, the first flow and the second flow organizing packets transferred in a monitored system into respective groups. The analysis ECU acquires information related to a conversion that takes the first flow as input and the second flow as output. The analysis ECU acknowledges alert information generated in the monitored system and including information capable of identifying at least one flow. The analysis ECU generates, when the second flow is identified by the alert information, route information that includes at least one of the information related to the conversion and the information related to the first flow associated with the second flow in the information related to the conversion.

Abstract: A monitoring apparatus includes a storage unit, a reception unit, a collation information generation unit, and a response unit. The storage unit stores a criterion for determining normality of a frame transmitted from a first electronic device. The reception unit receives the frame from a bus network. The collation information generation unit generates, when the reception unit receives a frame of a first identifier (ID) transmitted from the first electronic device, collation information which is information for collation with the criterion stored in the storage unit, based on the frame. The response unit transmits, when the reception unit receives a frame of a second ID transmitted from the second electronic device, information which is based on the criterion stored in the storage unit and the collation information generated by the collation information generation unit and which enables a check whether the first electronic device is valid, to the second electronic device.

Abstract: A monitoring device is one of a plurality of monitoring devices to be attached to mobility. The monitoring device is configured to monitor an abnormal state of a first object to be monitored. The monitoring device includes a receiver and a controller. The receiver is configured to receive a result of detection of an abnormality detected by another monitoring device that monitors an abnormal state of a second object to be monitored that is different from the first object to be monitored. The controller is configured to change a process to be performed by the monitoring device, according to the result of detection of the abnormality detected by the other monitoring device.

Abstract: A monitoring apparatus includes a storage unit, a reception unit, a collation information generation unit, and a response unit. The storage unit stores a criterion for determining normality of a frame transmitted from a first electronic device. The reception unit receives the frame from a bus network. The collation information generation unit generates, when the reception unit receives a frame of a first identifier (ID) transmitted from the first electronic device, collation information which is information for collation with the criterion stored in the storage unit, based on the frame. The response unit transmits, when the reception unit receives a frame of a second ID transmitted from the second electronic device, information which is based on the criterion stored in the storage unit and the collation information generated by the collation information generation unit and which enables a check whether the first electronic device is valid, to the second electronic device.