Abstract: A communication unit receives a message in a network. A first anomaly detector detects an anomalous message by detecting values of a plurality of monitoring items from the message received by the communication unit and determining whether each of the detected values of the plurality of monitoring items is inside a corresponding first reference range and a corresponding second reference range. The second reference range is narrower than the first reference range. The first anomaly detector detects the message as the anomalous message, when any of the detected values is outside the first reference range, and detects the message as the anomalous message, when any of the detected values is inside the first reference range and is outside the second reference range and when a predetermined rule is satisfied.

Abstract: An electronic control unit is connected to an in-vehicle network bus in an in-vehicle network system. The electronic control unit includes a first control circuit and a second control circuit. The first control circuit is connected to the in-vehicle network bus via the second control circuit over wired communication and/or wireless communication. The first control circuit performs a first determination process on a frame to determine conformity of the frame with a first rule. The second control circuit performs a second determination process on the frame to determine conformity of the frame with a second rule, and, upon determining that the frame conforms to the second rule, transmits the frame to the in-vehicle network bus.

Abstract: An invalidity detection electronic control unit connected to a bus used by a plurality of electronic control units (ECUs) to communicate with one another in accordance with controller area network (CAN) protocol includes a receiving unit that receives a frame for which transmission is started and a transmitting unit that transmits an error frame on the bus before a tail end of the frame is transmitted if the frame received by the receiving unit meets a predetermined condition indicating invalidity and transmits a normal frame that conforms to the CAN protocol after the error frame is transmitted. Even when a reception error counter of the ECU connected to the bus is incremented due to the impact of the error frame, the reception error counter is decremented by the normal frame.

Abstract: A security device connected to a plurality of networks in a vehicle is provided. The security device determines, with regard to a frame received from a first network, whether to transmit a determination request for the frame outside the vehicle. The security device transmits the determination request outside the vehicle in a case where it is determined to transmit the determination request outside the vehicle, transmits, before obtaining a determination result from outside the vehicle in accordance with the determination request, the frame to a second network, and then obtains determination results from outside the vehicle in accordance with the determination request. The security device outputs presentation information in accordance with the determination result.

Abstract: A fraud detecting method for use in an in-vehicle network system including a plurality of electronic control units that communicate with each other via a network includes detecting whether a state of a vehicle satisfies a first condition or a second condition, and switching, upon detecting that the state of the vehicle satisfies the first condition or the second condition, an operation mode of a fraud-sensing electronic control unit connected to the network between a first mode in which a first type of detecting process for detecting a fraudulent message in the network is performed and a second mode in which the first type of detecting process is not performed.

Abstract: A gateway device for a vehicle network system, the vehicle network system including a bus, a first electronic control unit connected to the bus, and the gateway device connected to the bus. The gateway device comprising: one or more memories; and circuitry which, in operation, performs operations including: receiving a first frame transmitted to the bus by the first electronic control unit; when the first frame is received, including first control information in a second frame, the second frame including information based on content of the first frame, the first control information related to a restriction on processing, the restriction on processing being after a reception of the second frame; and transmitting the second frame to the bus.

Abstract: Provided is a network monitor for a mobility network used in a mobility entity. The mobility network is formed of a source unit, a destination unit, and one or more repeaters. Each repeater includes a network monitor that receives, from the source unit, an announcement for a bandwidth reservation. The announcement includes a value of a first bandwidth requirement for the source unit to perform first data communication. The network monitor further determines a determination result of whether to reserve the first bandwidth by comparing the value of the first bandwidth with a range of values of a second bandwidth for the first data communication specified in a white list stored in a database. The network monitor reserves the first bandwidth for performing the first data communication depending on the determination result, and transmits, to the source unit, a reservation status of the first bandwidth.

Abstract: An in-vehicle relay device prevents an anomaly of a control command exchanged over networks having different transmittable data sizes in a frame. The in-vehicle relay device relays communication between multiple control devices in a vehicle over the networks to which the control devices are connected. The in-vehicle relay device receives control data from a first control network. The control data includes, in a frame, a plurality of control commands to be executed by at least one of the control devices. The in-vehicle relay device determines, as a first determination, whether types of the control commands included in the frame form a first combination that is preset as a combination of control commands that are executable simultaneously. The in-vehicle relay device thereafter determines, as a second determination, whether the control data is anomalous by using the result of the first determination, and outputs the result of the second determination.

Abstract: A security device connected to at least one bus in a vehicle is provided. The security device determines, with regard to a frame received from the at least one bus, whether predetermined conditions are satisfied to determine whether the frame is a suspect of being an attack frame. The security device transmits, a determination request to an external device outside of the vehicle in a case where the predetermined conditions are satisfied, and obtains determination results from the external device in accordance with the determination request. The security device outputs first presentation information in the case where the predetermined conditions are satisfied, and outputs second presentation information in a case where the determination results are obtained from the external device.

Abstract: A device in an authentication system acquires a certificate revocation list along with a control command from an operating terminal to the device. The device determines the validity of the controller to which the device connects, based on the certificate revocation list acquired along with the control command.

Abstract: A fraud sensing method for use in an in-vehicle network system including a plurality of electronic control units that communicate with each other via a network includes detecting that a state of a vehicle satisfies a predetermined condition, and switching, upon detecting that the state of the vehicle satisfies the predetermined condition, an operation mode of a fraud-sensing electronic control unit connected to the network between a first mode in which a first type of sensing process for sensing a fraudulent message in the network is performed and a second mode in which the first type of sensing process is not performed.

Abstract: An anomaly detection electronic controller performs anomaly detection processing and is connected to a network, which a plurality of electronic controllers uses for communication. The anomaly detection electronic controller includes an anomaly detection processor that performs anomaly detection processing regarding a data frame. The anomaly detection controller also includes an anomaly detection processing requester that decides an anomaly detection processing timing when receiving the data frame, the anomaly detection processing timing being a reception timing of one or multiple fields in the data frame. The anomaly detection processor further performs the anomaly detection processing regarding the data frame at the anomaly detection processing timing decided by the anomaly detection processing requester.

Abstract: A communication device includes: a communication section that transmits and receives a message in a network; an acquisition unit that acquires state information on a state of an object for which the network is provided; an estimation unit that estimates the state of the object based on the state information acquired in the acquisition unit; a setting unit that sets a filtering rule based on the state estimated in the estimation unit; and a filter unit that executes filtering processing for the message in accordance with the filtering rule set in the setting unit.

Abstract: A key management method serves as an electronic control unit (ECU) in an onboard network system having a plurality of ECUs that perform communication by frames via a network. The method includes storing a shared key, acquiring a session key, and executing encryption processing using the session key. The method further includes executing inspection of a security state of the shared key stored in a case where a vehicle is in at least one of the following particular states: the vehicle is not driving and is an accessory-on state; a fuel cap of the vehicle is open, and the vehicle is not driving and is fueling; the vehicle is parked, which is indicated by the gearshift; the vehicle is in a stopped state before driving, which is indicated by the gearshift; and a charging plug is connected to the vehicle, and the vehicle is electrically charging.

Abstract: A gateway connected to a bus, a bus, and the like used by a plurality of electronic control units for communication includes a frame communication unit that receives a frame, a transfer control unit that removes verification information used to verify a frame from the content of the frame received by the frame communication unit and transfers the frame to a destination bus or that adds verification information to the content of the frame and transfers the frame to the destination bus, and the like.

Abstract: A gateway connected to a bus, a bus, and the like used by a plurality of electronic control units for communication includes a frame communication unit that receives a frame, a transfer control unit that removes verification information used to verify a frame from the content of the frame received by the frame communication unit and transfers the frame to a destination bus or that adds verification information to the content of the frame and transfers the frame to the destination bus, and the like.

Abstract: An anomaly detection electronic controller performs anomaly detection processing and is connected to a bus, which a plurality of electronic controllers use for communication to communicate following a Controller Area Network (CAN) protocol. The anomaly detection electronic controller includes an anomaly detection processor that performs anomaly detection processing regarding a data frame. The anomaly detection controller also includes an anomaly detection processing requester that decides an anomaly detection processing timing in accordance with a state of a vehicle in which the bus is installed when receiving the data frame, the anomaly detection processing timing being a reception timing of one or multiple fields in the data frame. The anomaly detection processor further performs the anomaly detection processing regarding the data frame at the anomaly detection processing timing decided by the anomaly detection processing requester.

Abstract: Provided is a key management method to secure security in an onboard network system having multiple electronic control units storing a shared key. In the key management method of the onboard network system including multiple electronic units (ECUs) that perform communication by frames via a bus, a master ECU stores a shared key to be mutually shared with one or more ECUs. Each of the ECUs acquire a session key by communication with the master ECU based on the stored shared key, and after this acquisition, executes encryption processing regarding a frame transmitted or received via the bus, using this session key. In a case where a vehicle in which the onboard network system is installed is in a particular state, the master ECU executes inspection of a security state of the shared key stored by the ECU or the like.

Abstract: A method for use in a network communication system including a plurality of electronic controllers that communicate with each other via a bus in accordance with a Controller Area Network (CAN) protocol determines whether or not content of a predetermined field in a frame which has started to be transmitted meets a predetermined condition indicating fraud. In a case where the content of the predetermined field meets the predetermined condition, an error frame is transmitted before an end of the frame is transmitted. A number of times the error frame is transmitted is recorded for each identifier (ID) represented by content of an ID field included in a plurality of frames which has been transmitted. A malicious electronic controller is determined in accordance with the number of times recorded for each ID.

Abstract: In a fraud-detection method for use in an in-vehicle network system including a plurality of electronic control units (ECUs) that exchange messages on a plurality of networks, a plurality of fraud-detection ECUs each connected to a different one of the networks, and a gateway device, a fraud-detection ECU determines whether a message transmitted on a network connected to the fraud-detection ECU is malicious by using rule information stored in a memory. The gateway device receives updated rule information transmitted to a first network among the networks, selects a second network different from the first network, and transfers the updated rule information only to the second network. A fraud-detection ECU connected to the second network acquires the updated rule information and updates the rule information stored therein by using the updated rule information.