Abstract: An anomaly detection server is provided. The anomaly detection server is a server for counteracting an anomalous frame transmitted on an on-board network of a single vehicle. The anomaly detection server acquires information about multiple frames received on one or multiple on-board networks of one or multiple vehicles, including the single vehicle. The anomaly detection server, acting as an assessment unit that, based on the information about the multiple frames and information about a frame received on the on-board network of the single vehicle after the acquisition of the information about the multiple frames, assesses an anomaly level of the frame received on the on-board network of the single vehicle.

Abstract: A method used in an on-board network system, having electronic controllers that exchange messages and a fraud-detecting electronic controller. The method includes receiving an inquiry for a vehicle status indicating whether a vehicle in which the fraud-detecting electronic controller is installed is running from an external device, transmitting the vehicle status to the external device, and determining whether a message transmitted conforms to fraud detection rules. The method also includes receiving from the external device the delivery data, including updated fraud detection rules and network type information indicating a network type that the updated fraud detection rules are to be applied The method further includes determining whether the vehicle is running, and whether the network type information indicates a drive network that is connected to an electronic controller related to travel of the vehicle.

Abstract: An anomaly detection electronic controller performs anomaly detection processing and is connected to a network, which a plurality of electronic controllers uses for communication. The anomaly detection electronic controller includes an anomaly detection processor that performs anomaly detection processing regarding a data frame. The anomaly detection controller also includes an anomaly detection processing requester that decides an anomaly detection processing timing when receiving the data frame, the anomaly detection processing timing being a reception timing of one or multiple fields in the data frame. The anomaly detection processor further performs the anomaly detection processing regarding the data frame at the anomaly detection processing timing decided by the anomaly detection processing requester.

Abstract: An anomaly monitoring apparatus in a remote operation system for remotely operating a mobility entity includes: a log collector that collects an operation log from an operation apparatus which remotely operates the mobility entity and a control log from a control apparatus installed in the mobility entity; an anomaly detector that detects whether an anomaly is present in the mobility entity based on at least one of the operation log or the control log; an attack origin identifier that, when the anomaly detector detects an anomaly, identifies an attack origin that caused the anomaly in the mobility entity from among a plurality of attack origins based on a result of comparing the operation log with the control log; and an anomaly notifier that makes a notification for taking a countermeasure for the attack origin identified by the attack origin identifier.

Abstract: A control mode switching apparatus switches a control mode of a robot. The control mode includes at least two of a remote control mode, a manual control mode, and an autonomous control mode. The control mode switching apparatus includes: an anomaly detector that, based on a communication message on a control network in the robot and the control mode, obtains a detection result of at least one anomaly among a user anomaly caused by user control, a robot anomaly caused by the control network, an operating environment anomaly caused by an operating environment of the robot, and an application anomaly caused by an application; and a switcher that calculates, for each type of anomaly detected, a score indicating a likelihood that the type is a cause of the anomaly in the robot, and switches the control mode based on the score calculated.

Abstract: A gateway device is connected via network(s) to electronic controllers on-board a vehicle, where at least one of the electronic controllers is implemented in a virtual machine. The gateway device includes one or more memories, and circuitry that acquires firmware update information. The circuitry determines whether a first electronic controller satisfies a second condition based on second information, which is whether the first electronic controller includes a firmware cache for performing a pre-update firmware cache operation. The circuitry also causes, when the second condition is not satisfied, the gateway device to execute a proxy process, where the gateway device requests the first electronic controller to transmit boot ROM data to the gateway device, creates updated boot ROM data with the updated firmware, and transmits the updated boot ROM data to the first electronic controller that updates the boot ROM and resets the first electronic controller with the updated firmware.

Abstract: A key management method serves as an electronic control unit (ECU) in an onboard network system having a plurality of ECUs that perform communication by frames via a network. The method includes storing, in a first-type ECU, a shared key to be mutually shared with second-type ECUs, and executing encryption processing regarding a framed transmitted or received via the network, based on the shared key. The method further includes executing, by the first-type ECU, inspection of a security state of the shared key stored by the second type ECUs in a case where a vehicle is in at least one of the following particular states, including immediately after the vehicle is not driving and is entering the accessory-on state, immediately after the vehicle is not driving and the vehicle is entering the accessory-off state, and immediately after the vehicle engine is started.

Abstract: A misuse detection method used in an electronic control unit in a vehicle network system including multiple electronic control units that communicate with one another through networks. The misuse detection method includes receiving a target data frame at one time point, and receiving a reference data frame at another time point different than the one time point. The misuse detection method further includes performing, as misuse detection for the target data frame based on a certain rule specifying a reception interval between the one time point at which the target data frame is received and the other time point at which the reference data frame is received, and determining the target data frame received is for misuse based on a length of the reception interval.

Abstract: A method used in an on-board network system, having electronic controllers that exchange messages and a fraud detecting electronic controller. The method includes determining whether a message transmitted conforms to fraud detection rules, and querying an external device whether there is delivery data for updating the fraud detection rules. When there is the delivery data for updating the fraud detection rules, receiving from an external device the delivery data, including updated fraud detection rules and network type information indicating a network type that the updated fraud detection rules are to be applied. The method also includes determining whether a vehicle in which the on-board network system is installed is running, and whether the network type information indicates a drive network that is connected to an electronic controller related to travel of the vehicle. When the network type information does not indicate the drive network, updating the fraud detection rules.

Abstract: An anomaly handling method using a device installed outside of a vehicle is disclosed. The method includes receiving, from the vehicle, an anomaly detection notification, which includes level information indicating a level affecting safety, and a location of the vehicle. The method also includes obtaining a location of another vehicle and determining whether a distance between the location of the vehicle and the location of the other vehicle is within a predetermined range. When the distance is within the predetermined range and is shorter than a first predetermined distance, not changing the level information and transmitting the received anomaly detection information to the other vehicle. When the distance is within the predetermined range and is longer than or equal to the first predetermined distance, changing to decrement a level indicated by the level information, and transmitting changed anomaly detection information to the other vehicle.

Abstract: A gateway device is connected via one or more networks to electronic controllers on-board a vehicle. The gateway device includes one or more memories, and circuitry that acquires firmware update information. The circuitry determines whether or not a first electronic controller satisfies a second condition based on second information about the first electronic controller, where the second information is whether the first electronic controller includes a firmware cache for performing a pre-update firmware cache operation. The circuitry also causes, when the second condition is not satisfied, the gateway device to execute a proxy process, where the gateway device requests the first electronic controller to transmit boot ROM data to the gateway device, creates updated boot ROM data with the updated firmware, and transmits the updated boot ROM data to the first electronic controller that updates the boot ROM and resets the first electronic controller with the updated firmware.

Abstract: A method for use in a network communication system including a plurality of electronic controllers that communicate with each other via a bus in accordance with a Controller Area Network (CAN) protocol determines whether or not content of a predetermined field in a frame which has started to be transmitted meets a predetermined condition indicating fraud. In a case where the content of the predetermined field meets the predetermined condition, a frame including predetermined consecutive dominant bits for notifying an anomaly is transmitted before an end of the frame is transmitted. A number of times the frame including the predetermined consecutive dominant bits is transmitted is recorded for each identifier (ID) represented by content of an ID field included in a plurality of frames which has been transmitted. A malicious electronic controller is determined in accordance with the number of times recorded for each ID.

Abstract: An anomaly detection server is provided. The anomaly detection server is a server for counteracting an anomalous frame transmitted on an on-board network of a single vehicle. The anomaly detection server acquires information about multiple frames received on one or multiple on-board networks of one or multiple vehicles, including the single vehicle. The anomaly detection server, acting as an assessment unit that, based on the information about the multiple frames and information about a frame received on the on-board network of the single vehicle after the acquisition of the information about the multiple frames, assesses an anomaly level of the frame received on the on-board network of the single vehicle.

Abstract: A key management method serves as an electronic control unit (ECU) in an onboard network system having a plurality of ECUs that perform communication by frames via a network. The method includes storing a shared key and executing encryption processing based on the shared key. The method further includes executing inspection of a security state of the shared key stored in a case where a vehicle is in at least one of the following particular states: the vehicle is not driving and is an accessory-on state; a fuel cap of the vehicle is open, and the vehicle is not driving and is fueling; the vehicle is parked, which is indicated by the gearshift; the vehicle is in a stopped state before driving, which is indicated by the gearshift; and a charging plug is connected to the vehicle, and the vehicle is electrically charging.

Abstract: In a fraud-detection method for use in an in-vehicle network system including a plurality of electronic control units (ECUs) that exchange messages on a plurality of networks, a plurality of fraud-detection ECUs each connected to a different one of the networks, and a gateway device, a fraud-detection ECU determines whether a message transmitted on a network connected to the fraud-detection ECU is malicious by using rule information stored in a memory. The gateway device receives updated rule information transmitted to a first network among the networks, selects a second network different from the first network, and transfers the updated rule information only to the second network. A fraud-detection ECU connected to the second network acquires the updated rule information and updates the rule information stored therein by using the updated rule information.

Abstract: A fraud detecting method for use in an in-vehicle network system including a plurality of electronic control units that communicate with each other via a network includes detecting whether a state of a vehicle satisfies a first condition or a second condition, and switching, upon detecting that the state of the vehicle satisfies the first condition or the second condition, an operation mode of a fraud-sensing electronic control unit connected to the network between a first mode in which a first type of detecting process for detecting a fraudulent message in the network is performed and a second mode in which the first type of detecting process is not performed. Moreover, in the second mode, a second type of detecting process having a different degree to which a fraudulent message is detectible than the first type of detecting process is performed.

Abstract: A communication device is a communication device connected to a mobility network which is a network mounted in a mobility and which is used by a plurality of electronic control devices for communication. The communication device includes: a holding unit which holds range information indicating a transferable path range determined for a message on the mobility network; a receiving unit which receives the message on the mobility network; and a determining unit which determines validity of the received message by using the range information.

Abstract: An anomaly handling method using a roadside device is disclosed. The method includes receiving, from a vehicle, an anomaly detection notification, which includes level information indicating a level affecting safety, and a location of the vehicle. The method also includes obtaining a location of the roadside device and determining whether a distance between the location of the vehicle and the location of the roadside device is within a predetermined range. When the distance is within the predetermined range and is shorter than a first predetermined distance, not changing the level information and transmitting the received anomaly detection notification externally from the one vehicle. When the distance is within the predetermined range and is longer than or equal to the first predetermined distance, changing to decrement a level indicated by the level information, and transmitting changed anomaly detection notification externally from the one vehicle.

Abstract: A gateway connected to a bus, a bus, and the like used by a plurality of electronic control units for communication includes a frame communication unit that receives a frame, a transfer control unit that removes verification information used to verify a frame from the content of the frame received by the frame communication unit and transfers the frame to a destination bus or that adds verification information to the content of the frame and transfers the frame to the destination bus, and the like.

Abstract: A gateway device for a vehicle network system installed in a vehicle is provided. The vehicle network system includes a network, an electronic control unit connected to the network, and the gateway device connected to the first network and configured to communicate outside the vehicle. The gateway device receives a first frame from outside the vehicle; determines whether or not the first frame is appropriate; generates a second frame when the first frame is not determined to be appropriate; and transmits the second frame to the network. The second frame includes control information and additional information based on content of the first frame. The control information restricts processing of the additional information included in the second frame by the electronic control unit, after the second frame is received by the electronic control unit.