JP6651662B2 - Fraud detection electronic control unit and fraud detection method - Google Patents

Description

  The present disclosure relates to a technology for detecting an illegal frame transmitted in a vehicle-mounted network with which an electronic control unit communicates.

  2. Description of the Related Art In recent years, a number of devices called electronic control units (ECUs) are arranged in a system in an automobile. The network connecting these ECUs is called an in-vehicle network. There are many standards for in-vehicle networks. Among them, one of the most mainstream in-vehicle networks is a standard called CAN (Controller Area Network) defined by ISO11898-1 (see “Non-Patent Document 1”).

  In CAN, a communication path is composed of two buses, and an ECU connected to the bus is called a node. Each node connected to the bus sends and receives messages called frames. A transmitting node that transmits a frame transmits a value of “1” called recessive and a value of “0” called dominant by applying a voltage to two buses and generating a potential difference between the buses. When a plurality of transmitting nodes transmit recessive and dominant at exactly the same timing, the dominant is transmitted with priority. If the format of the received frame is abnormal, the receiving node transmits a frame called an error frame. The error frame is for notifying the transmitting node and other receiving nodes of the abnormality of the frame by continuously transmitting the dominant for 6 bits.

  Also, in CAN, there is no identifier indicating the transmission destination or the transmission source, and the transmitting node transmits the frame with an ID called message ID (that is, sends a signal to the bus), and each receiving node is determined in advance. Only the message ID is received (that is, the signal is read from the bus). In addition, a CSMA / CA (Carrier Sense Multiple Access / Collision Avoidance) method is adopted, and arbitration based on a message ID is performed at the time of simultaneous transmission of a plurality of nodes, and a frame having a small value of the message ID is transmitted preferentially.

  In addition, a technique is known in which when an abnormal message is transmitted on a CAN bus, the gateway device detects the abnormal message and does not transfer the message to another bus, thereby suppressing an increase in the load on the bus. Patent Document 1 ").

JP 2007-38904 A

"CAN Specification 2.0 Part A", [online], CAN in Automation (CiA), [Search November 14, 2014], Internet (URL: http://www.can-cia.org/fileadmin/ cia / specifications / CAN20A.pdf) RFC2104 HMAC: Keyed-Hashing for Message Authentication

  By the way, in a vehicle-mounted network, an unauthorized node is connected to a bus, and an unauthorized node may illegally transmit a frame (message), thereby controlling the vehicle body illegally. It is necessary to detect such messages.

  Thus, the present disclosure provides a fraud detection electronic control unit (fraud detection ECU) for efficiently detecting a fraudulent message transmitted to a bus in an in-vehicle network system that communicates according to a CAN protocol or the like. )I will provide a. The present disclosure also provides a fraud detection method for efficiently detecting a fraudulent message, and a vehicle-mounted network system including a fraud detection ECU.

A fraud detection electronic control unit according to an aspect of the present disclosure is a fraud detection electronic control unit in a vehicle-mounted network system including a plurality of electronic control units that communicate via one or more networks, wherein the plurality of electronic control units are: , A first electronic control unit, a second electronic control unit and the fraud detection electronic control unit, wherein the one or more networks do not include a first network and an electronic control unit related to driving driving of the vehicle. 2, the first electronic control unit is connected to the first network, the second electronic control unit is connected to the second network, and the fraud detecting electronic control unit is connected to the vehicle. The status of a vehicle equipped with a network system may indicate an incorrect message on the one or more networks. A detection unit that detects that a first condition that the device is not detected for a predetermined time or a second condition that an unauthorized message is detected on the one or more networks while the vehicle is parked is satisfied, and the detection unit When it is detected that the state of the vehicle satisfies the second condition, only the second electronic control unit issues a first type of detection process to the second operation mode. A message is transmitted, and when the detection unit detects that the state of the vehicle satisfies the first condition, the first electronic control unit and the second electronic control unit transmit the first electronic control unit to the first electronic control unit. And a transmission unit that transmits a switching instruction message to the first operation mode in which the type of detection processing is not performed.

According to another embodiment of the present disclosure, there is provided a fraud detection method according to an embodiment of the present disclosure, which is used in a fraud detection electronic control unit in a vehicle-mounted network system including a plurality of electronic control units that communicate via one or more networks. The detection method, wherein the plurality of electronic control units include a first electronic control unit and a second electronic control unit, wherein the one or more networks are related to a first network and a driving of a vehicle traveling. A second network not including an electronic control unit, wherein the first electronic control unit is connected to the first network, the second electronic control unit is connected to the second network, and the fraud detection is performed. The method comprises the steps of: detecting a state of a vehicle equipped with the in-vehicle network system on the one or more networks; A detecting step of detecting that a first condition that a message is not detected for a predetermined time or a second condition that a fraudulent message is detected on the one or more networks while the vehicle is parked is satisfied; When it is detected that the state of the vehicle satisfies the second condition, only the second electronic control unit issues a first type of detection processing to the second operation mode. A message is transmitted, and when the detection unit detects that the state of the vehicle satisfies the first condition, the first electronic control unit and the second electronic control unit transmit the first electronic control unit to the first electronic control unit. Transmitting a switching instruction message to the first operation mode in which no type of detection processing is performed.

  According to the present disclosure, for example, when an unauthorized node is connected to a bus and an unauthorized message is transmitted in an in-vehicle network system that operates on the power of an in-vehicle battery or the like, it is possible to detect that an unauthorized message is transmitted, Since the detection is omitted under the condition, battery consumption can be suppressed.

FIG. 1 is a diagram illustrating an overall configuration of an in-vehicle network system according to a first embodiment. FIG. 3 is a diagram illustrating a format of a data frame defined by a CAN protocol. FIG. 2 is a diagram illustrating a format of an error frame defined by a CAN protocol. FIG. 3 is a configuration diagram of a head unit. FIG. 5 is a diagram illustrating an example of a reception ID list. It is a block diagram of a gateway. FIG. 4 is a diagram illustrating an example of a transfer rule. FIG. 2 is a configuration diagram of an ECU according to the first embodiment. FIG. 5 is a diagram illustrating an example of a reception ID list. FIG. 3 is a diagram illustrating an example of an ID and a data field in a frame transmitted from an ECU connected to an engine. It is a figure showing an example of ID and a data field in a frame transmitted from ECU connected to a brake. It is a figure showing an example of ID and a data field in a frame transmitted from ECU connected to a door opening and closing sensor. It is a figure showing an example of ID and a data field in a frame transmitted from ECU connected to a window opening / closing sensor. FIG. 2 is a configuration diagram of a fraud detection ECU according to the first embodiment. FIG. 4 is a diagram showing an example of a regular ID list held in a fraud detection ECU. FIG. 4 is a diagram showing an example of a regular ID list held in a fraud detection ECU. It is a figure showing an example of the state of the fraud detection counter for every message ID. FIG. 6 is a sequence diagram showing an operation example relating to detection and execution prevention of an illegal frame in the first embodiment. FIG. 7 is a diagram illustrating an overall configuration of an in-vehicle network system according to a second embodiment. FIG. 9 is a configuration diagram of a fraud detection ECU according to a second embodiment. FIG. 5 is a diagram illustrating an example of a data range list held in a fraud detection ECU. FIG. 24 is a sequence diagram illustrating an example of an operation relating to detection and execution prevention of an invalid frame according to the second embodiment (continued from FIG. 23). FIG. 23 is a sequence diagram showing an operation example relating to detection and execution prevention of an illegal frame in the second embodiment (continued from FIG. 22). FIG. 13 is a diagram illustrating an overall configuration of an in-vehicle network system according to a third embodiment. FIG. 9 is a configuration diagram of an ECU according to a third embodiment. FIG. 3 is a diagram illustrating an example of an ID and a data field in a data frame transmitted from an ECU connected to an engine. FIG. 4 is a diagram illustrating an example of an ID and a data field in a data frame transmitted from an ECU connected to a brake. It is a figure showing an example of ID and a data field in a data frame transmitted from ECU connected to a door opening and closing sensor. It is a figure showing an example of ID and a data field in a data frame transmitted from ECU connected to a window opening / closing sensor. FIG. 9 is a configuration diagram of a fraud detection ECU according to a third embodiment. FIG. 14 is a diagram illustrating an example of a counter value for each message ID held in a counter holding unit according to Embodiment 3. FIG. 34 is a sequence diagram illustrating an example of an operation related to detection and execution prevention of an illegal frame according to the third embodiment (continued from FIG. 33). FIG. 33 is a sequence diagram showing an operation example relating to detection and prevention of execution of an illegal frame in the third embodiment (continued from FIG. 32). FIG. 14 is a diagram showing an overall configuration of an in-vehicle network system according to a fourth embodiment. 13 is a configuration diagram of a head unit according to Embodiment 4. FIG. FIG. 13 is a configuration diagram of a fraud detection ECU according to a fourth embodiment. 129 is a diagram illustrating an example of a transition sequence to a check mode in Embodiment 4. [FIG. 129 is a diagram illustrating an example of a transition sequence to a standby mode in Embodiment 4. [FIG. 129 is a diagram illustrating an example of a transition sequence to a standby mode in Embodiment 4. [FIG. FIG. 9 is a configuration diagram of an ECU according to another embodiment. FIG. 9 is a configuration diagram of a fraud detection ECU according to another embodiment. FIG. 9 is a configuration diagram of a fraud detection ECU according to another embodiment.

  A fraud detection method according to an aspect of the present disclosure is a fraud detection method used in an in-vehicle network system including a plurality of electronic control units that communicate via one or more buses. A detecting step of detecting that a state satisfies a certain condition; and an operation of an unauthorized detection electronic control unit connected to the bus when the detecting step detects that the state of the vehicle satisfies a certain condition. A fraud detection method including a switching step of switching a mode between a first mode for performing a predetermined type of detection processing for detecting a fraudulent message on the bus and a second mode for not performing the predetermined type of detection processing. is there. Here, the fraud detection electronic control unit (fraud detection ECU) is connected to the bus and has a function of executing a predetermined type of detection processing for detecting a fraudulent message transmitted to the bus. Whether the message is an unauthorized message is determined by the detection process based on whether a predetermined condition is satisfied. For example, when the fraud detection ECU can perform only one type of detection processing, whether or not to perform the detection processing is switched according to the operation mode. According to this fraud detection method, the fraud detection ECU can omit the detection processing of a predetermined type of fraudulent message under a certain condition according to the state of the vehicle, so that battery consumption of the vehicle can be suppressed.

  Further, the plurality of electronic control units may perform communication via the bus according to a Controller Area Network (CAN) protocol. Thus, when a fraudulent ECU is connected to an in-vehicle network system that communicates according to the CAN protocol and a fraudulent frame is transmitted, the period during which the fraudulent detection ECU detects the fraud may be limited according to the state of the vehicle. , Power consumption can be reduced.

  In the detecting step, one of the plurality of electronic control units performs the detection, and in the switching step, the one electronic control unit that performs the detection in the detecting step transmits a switching instruction message. The fraud detection electronic control unit may transmit and switch the operation mode when receiving the switching instruction message. Thereby, for example, in the second mode in which the detection process for detecting an unauthorized message is not performed, the unauthorized detection ECU only needs to detect the switching instruction message (that is, the trigger frame that triggers the switching of the operation mode). Become like That is, the fraud detection ECU does not need to have a detection unit (for example, a sensor or the like) for directly detecting the state of the vehicle.

  In the detecting step, when the one electronic control unit detects an invalid message on the bus, the one electronic control unit performs the detection assuming that the state of the vehicle satisfies the certain condition, and in the switching step, The one electronic control unit transmits a switch instruction message indicating that the mode is switched to the first mode when the detection is performed in the detection step, and the fraud detection electronic control unit when the switch instruction message is received. May switch the operation mode to the first mode. Thereby, when it is detected that an unauthorized message is transmitted on a certain bus, the unauthorized detection ECU enters the first mode (check mode for detecting an unauthorized message), and the unauthorized detection ECU is connected. Illegal messages on the bus will be detected.

  Further, in the detecting step, when the one electronic control unit does not detect an invalid message on the bus for a predetermined period, the detection is performed assuming that the state of the vehicle satisfies the predetermined condition, In the switching step, when the detection is performed in the detection step, the one electronic control unit transmits a switching instruction message indicating that the mode is switched to the second mode, and when the switching instruction message is received, The fraud detection electronic control unit may switch the operation mode to the second mode. Thereby, when it is detected that an unauthorized message has not been transmitted on a certain bus for a certain period of time, the unauthorized detection ECU enters the second mode (standby mode in which an unauthorized message is not detected) to reduce power consumption. Can be done.

  Further, the certain condition is that the use of the vehicle is started, and in the switching step, when it is detected that the use of the vehicle is started in the detection step, the operation mode is changed to the second one. The mode may be switched to one mode. The use of the vehicle means, for example, that the user drives the vehicle, prepares for the vehicle to run (opens a door, gets on the vehicle, starts the engine, and the like). In addition, for example, when traveling becomes unnecessary, parking (stopping of the engine or the like), getting off, or the like ends use. In addition, during parking in a place other than a specific parking lot such as a parking lot at the user's home (parking at a gas station or other places where the user goes out), it may be handled that the use does not end even if there is parking and getting off. . Thus, when the use of the vehicle is started, the fraud detecting ECU enters the first mode (check mode for detecting a fraudulent message), and a fraudulent message on the bus to which the fraud detecting ECU is connected is detected. Become like Therefore, for example, even if an unauthorized ECU is added to the in-vehicle network system while the user is parked and away from the vehicle, the unauthorized ECU is not authorized after the user returns to the vehicle and starts using the vehicle. If you send such a message, the fraud will be detected.

  Further, the start of use of the vehicle may be detected by detecting that an engine mounted on the vehicle has started. Thus, the fraud detection ECU is in a state of detecting a fraudulent message from when the engine is started. Therefore, even if an unauthorized ECU is added to the in-vehicle network system while the user is away from the vehicle while parked, for example, the invalid ECU will send an incorrect message after the user returns to the vehicle and starts the engine. Is transmitted, the fraud is detected.

  Further, the fraud detection method further includes, after the operation mode is switched to the first mode in the switching step, when a predetermined time has elapsed since the start of use of the vehicle, the operation mode is changed to the second mode. A re-switching step for switching to the two modes may be included. As a result, when a predetermined time has elapsed since the start of use of the vehicle, the fraud detection ECU enters the second mode (standby mode in which no fraudulent message is detected) under unconditional or constant conditions, and power consumption is reduced. Can be reduced.

  Further, the certain condition is that any of the plurality of electronic control units is in a state of starting communication with a device external to the vehicle, and in the switching step, the communication is started in the detection step. When the state is detected, the operation mode may be switched to the first mode. As a result, when communication with the outside is started, the fraud detection ECU enters a state of detecting a fraudulent message. Therefore, for example, even if an external device attacks the head unit of the in-vehicle network system and an unauthorized message (frame) is injected from the outside, it can be quickly detected. It should be noted that a case where a program or the like for transmitting an unauthorized message is supplied from the outside can be dealt with similarly.

  Further, the constant condition is that one of the plurality of electronic control units communicates with a device external to the vehicle to be in a constant state after the end of the communication. The operation mode may be switched to the second mode when it is detected that a constant state has been reached after the end of communication. Thereby, when communication with the outside ends and the possibility that an unauthorized message is transmitted on the bus is reduced, battery consumption can be suppressed by omitting detection of an unauthorized message. Note that when the possibility that an unauthorized message is transmitted is reduced, specifically, for example, when communication is interrupted, a state where a fixed time (for example, several minutes) has elapsed from the end of communication is set. And so on.

  Further, in the in-vehicle network system, a plurality of buses are used for communication of the plurality of electronic control units, and the in-vehicle network system further includes a gateway device having a function of transferring a message between the plurality of buses. In the step, among the plurality of electronic control units, one electronic control unit connected to a bus different from the fraud detection electronic control unit performs the detection, and in the switching step, the detection is performed in the detection step When one electronic control unit transmits a switching instruction message and receives the switching instruction message transferred to the gateway device, the unauthorized detection electronic control unit may switch the operation mode. Thus, each of the fraud detecting ECUs connected to one or more other buses can switch the operation mode according to the state of the vehicle detected by the ECU connected to the one bus in the vehicle-mounted network system. Become.

  Further, in the detecting step, when the state of the vehicle changes, an input relating to the necessity of switching the operation mode is received by a predetermined user interface, and when the input indicates that the switching of the operation mode is required, The detection may be performed assuming that the state of the vehicle satisfies the certain condition. Thus, the switching of the operation mode of the fraud detection ECU reflects the user's judgment, so that the operation mode can be appropriately switched according to the user's circumstances and the like.

  In the second mode, a type of detection process different from the predetermined type of detection process may be performed to the extent that an unauthorized message can be detected. For example, if the fraud detection ECU can execute a first type of detection processing with a relatively large processing amount and a second type of detection processing with a relatively small processing amount in order to detect a fraudulent message, Whether to perform the type detection processing or the second type detection processing is switched according to the operation mode. This allows the fraud detection ECU to omit a predetermined type of fraudulent message detection process (for example, a first type of detection process) under certain conditions according to the state of the vehicle, thereby suppressing battery consumption of the vehicle. obtain. The large amount of detection processing by the fraud detection ECU is not necessarily proportional to the height at which fraud can be detected, but generally tends to be related to the height at which fraudulent messages can be detected. is there. For this reason, for example, it is useful to switch the operation mode so that a detection process with a high degree of fraud detection and a large amount of processing is executed only in a certain case and a detection process with a smaller amount of processing is performed in other cases. Becomes

  Further, an in-vehicle network system according to an aspect of the present disclosure is an in-vehicle network system including a plurality of electronic control units communicating via one or more buses and a fraud detection electronic control unit connected to the bus. A detection unit that detects that a state of a vehicle equipped with the in-vehicle network system satisfies a certain condition; and a connection to the bus when the detection unit detects that the state of the vehicle satisfies a certain condition. The operation mode of the detected fraud detection electronic control unit is switched between a first mode for performing a predetermined type of detection processing for detecting a fraudulent message on the bus and a second mode for not performing the predetermined type of detection processing. An in-vehicle network system including a switching unit. Thus, under a certain condition according to the state of the vehicle, the fraud detection ECU can omit the detection processing of the predetermined type of the fraudulent message, so that the battery consumption of the vehicle can be suppressed.

  Further, a fraud detection electronic control unit (fraud detection ECU) according to an aspect of the present disclosure is a fraud detection electronic control unit in which a plurality of electronic control units communicating via one or more buses are connected to a bus used for communication. A detecting unit that detects that a state of the vehicle equipped with the plurality of electronic control units satisfies a certain condition; and a detecting unit that detects that the state of the vehicle satisfies a certain condition. A switching unit that switches an operation mode of the apparatus between a first mode for performing a predetermined type of detection processing for detecting an unauthorized message on the bus and a second mode for not performing the predetermined type of detection processing. It is a fraud detection electronic control unit. Thus, under a certain condition according to the state of the vehicle, the fraud detection ECU can omit the detection processing of the predetermined type of the fraudulent message, so that the battery consumption of the vehicle can be suppressed.

  Note that these general or specific aspects may be realized by a system, a method, an integrated circuit, a computer program or a computer-readable recording medium such as a CD-ROM, and the system, the method, the integrated circuit, and the computer. It may be realized by an arbitrary combination of a program or a recording medium.

  Hereinafter, an in-vehicle network system, a fraud detection ECU, and the like according to the embodiment will be described with reference to the drawings. Each of the embodiments described here is a specific example of the present disclosure. Therefore, the numerical values, shapes, materials, constituent elements, arrangement and connection forms of the constituent elements, steps (processes) and the order of the steps, and the like shown in the following embodiments are examples and limit the present disclosure. is not. Among the components in the following embodiments, components not described in the independent claims are components that can be arbitrarily added. In addition, each drawing is a schematic diagram, and is not necessarily strictly illustrated.

(Embodiment 1)
Hereinafter, as an embodiment of the present disclosure, an in-vehicle vehicle including a fraud detection ECU that implements a fraud countermeasure method for preventing a process based on a fraudulent frame from being executed in another node (ECU) using a message ID. The network system 10 will be described with reference to the drawings.

[1.1 Overall Configuration of In-Vehicle Network System 10]
FIG. 1 is a diagram illustrating an overall configuration of an in-vehicle network system 10 according to the first embodiment. The in-vehicle network system 10 is an example of a network communication system that communicates according to a CAN protocol, and is a network communication system in a vehicle equipped with various devices such as a control device and a sensor. The in-vehicle network system 10 includes buses 500a and 500b, and fraud detecting ECUs 100a and 100b, a head unit 200, a gateway 300, and each node connected to a bus such as an ECU such as ECUs 400a to 400d connected to various devices. It consists of. Although omitted in FIG. 1, the in-vehicle network system 10 may include any number of ECUs in addition to the ECUs 400a to 400d, but the following description focuses on the ECUs 400a to 400d for convenience. The ECU is, for example, a device including a processor (microprocessor), a digital circuit such as a memory, an analog circuit, a communication circuit, and the like. The memory is a ROM, a RAM, or the like, and can store a control program (computer program) executed by the processor. For example, when the processor operates according to a control program (computer program), the ECU realizes various functions. Note that the computer program is configured by combining a plurality of instruction codes indicating instructions to the processor in order to achieve a predetermined function. Here, description will be made on the assumption that there is a possibility that a fraudulent ECU that transmits a fraudulent frame is connected to the buses 500a and 500b.

  The fraud detecting ECUs 100a and 100b are connected to the buses 500a and 500b, respectively, and determine whether or not the frames transmitted by the ECUs 400a to 400d are fraudulent. is there.

  The ECUs 400a to 400d are connected to one of the buses, and are connected to the engine 401, the brake 402, the door open / close sensor 403, and the window open / close sensor 404, respectively. Each of the ECUs 400a to 400d acquires the state of the connected device (the engine 401 and the like) and periodically transmits a frame (a data frame to be described later) or the like indicating the state to a network (that is, a bus).

  The gateway 300 is connected to a bus 500a to which the fraud detection ECUs 100a, 400a, and 400b are connected, a bus 500b to which the fraud detection ECUs 100b, 400c, and 400d are connected, and a bus 500c to which the head unit 200 is connected, and receives from each bus. It has a function to transfer a frame to another bus. It is also possible to switch whether the received frame is transferred or not for each connected bus. The gateway 300 is also a kind of ECU.

  The head unit 200 has a function of receiving frames, a function of receiving frames transmitted from the ECUs 400a to 400d, displaying various states on a display (not shown), and presenting them to the user. The head unit 200 is also a kind of ECU.

  In this in-vehicle network system 10, each ECU exchanges frames according to the CAN protocol. The frames in the CAN protocol include a data frame, a remote frame, an overload frame, and an error frame. For convenience of explanation, first, the description will focus on data frames and error frames.

[1.2 Data frame format]
Hereinafter, a data frame which is one of frames used in a network according to the CAN protocol will be described.

  FIG. 2 is a diagram showing a format of a data frame defined by the CAN protocol. FIG. 1 shows a data frame in a standard ID format defined by the CAN protocol. The data frame includes an SOF (Start Of Frame), an ID field, an RTR (Remote Transmission Request), an IDE (Identifier Extension), a reserved bit “r”, a DLC (Data Length Code), a data field, and a CRC (Cyclic Redundancy Check) sequence. , CRC delimiter “DEL”, ACK (Acknowledgement) slot, ACK delimiter “DEL”, and EOF (End Of Frame) fields.

  The SOF is composed of a 1-bit dominant. The idle state of the bus is recessive, and the start of frame transmission is notified by changing to dominant by SOF.

  The ID field is a field configured of 11 bits and storing an ID (message ID) that is a value indicating the type of data. When a plurality of nodes start transmission at the same time, in order to perform communication arbitration in this ID field, a frame having a small ID has a higher priority.

  RTR is a value for distinguishing between a data frame and a remote frame, and a data frame is composed of one dominant bit.

  IDE and “r” are both composed of one dominant bit.

  DLC is composed of 4 bits and is a value indicating the length of the data field. In addition, IDE, "r", and DLC are collectively called a control field.

  The data field is a value indicating the content of data to be transmitted, which is composed of a maximum of 64 bits. The length can be adjusted every 8 bits. The specification of the data to be transmitted is not defined by the CAN protocol, but is defined by the vehicle-mounted network system 10. Therefore, the specifications depend on the vehicle type, the manufacturer (manufacturer), and the like.

  The CRC sequence is composed of 15 bits. It is calculated from the transmission values of the SOF, ID field, control field and data field.

  The CRC delimiter is a delimiter indicating the end of a CRC sequence composed of 1-bit recessive. Note that the CRC sequence and the CRC delimiter are collectively referred to as a CRC field.

  The ACK slot is composed of one bit. The transmitting node performs transmission by making the ACK slot recessive. The receiving node transmits the ACK slot as a dominant if the reception has been normally performed up to the CRC sequence. Since dominant is given priority over recessive, if the ACK slot is dominant after transmission, the transmitting node can confirm that any of the receiving nodes has successfully received.

  The ACK delimiter is a delimiter that indicates the end of the ACK composed of 1-bit recessive.

  The EOF is composed of 7-bit recessive and indicates the end of a data frame.

[1.3 Error frame format]
FIG. 3 is a diagram showing a format of an error frame defined by the CAN protocol. The error frame includes an error flag (primary), an error flag (secondary), and an error delimiter.

  The error flag (primary) is used to notify another node that an error has occurred. The node that has detected the error continuously transmits a 6-bit dominant to notify the other nodes of the occurrence of the error. This transmission violates the bit stuffing rule in the CAN protocol (the same value is not transmitted continuously for more than 6 bits), and causes transmission of an error frame (secondary) from another node.

  The error flag (secondary) is composed of a continuous 6-bit dominant used to notify another node of the occurrence of an error. All nodes that have received the error flag (primary) and detected the violation of the bit stuffing rule transmit the error flag (secondary).

  The error delimiter “DEL” is a continuous recessive of 8 bits and indicates the end of the error frame.

[1.4 Configuration of Head Unit 200]
The head unit 200 is provided on, for example, an instrument panel (instrument panel) of a car, and a display device such as a liquid crystal display (LCD) that displays information to be visually recognized by a driver; It is a kind of ECU provided with input means and the like for receiving the information.

  FIG. 4 is a configuration diagram of the head unit 200. The head unit 200 includes a frame transmission / reception unit 270, a frame interpretation unit 260, a reception ID determination unit 240, a reception ID list holding unit 250, a frame processing unit 220, a display control unit 210, and a frame generation unit 230. It is comprised including. Each of these components is a functional component, and each function is realized by a communication circuit in the head unit 200, an LCD, a processor that executes a control program stored in a memory, a digital circuit, or the like.

  The frame transmitting / receiving unit 270 transmits / receives a frame to / from the bus 500c according to the CAN protocol. The frame is received one bit at a time from the bus 500c and transferred to the frame interpretation unit 260. Further, the content of the frame notified from the frame generation unit 230 is transmitted to the bus 500c one bit at a time.

  The frame interpretation unit 260 receives the value of the frame from the frame transmission / reception unit 270 and interprets the value so as to map it to each field in the frame format defined by the CAN protocol. The frame interpreting section 260 transfers the value determined as the ID field to the received ID determining section 240. The frame interpretation unit 260 transfers the value of the ID field and the data field appearing after the ID field to the frame processing unit 220 according to the determination result notified from the reception ID determination unit 240, or It is determined whether to stop receiving the frame after receiving the frame (that is, to stop interpreting the frame). When the frame interpreting unit 260 determines that the frame does not conform to the CAN protocol, for example, the CRC value does not match or the item fixed as dominant is recessive, it transmits an error frame. As described above. When an error frame is received, that is, when the frame interpreting unit 260 interprets that the value is an error frame from the value in the received frame, the frame interpreting unit 260 discards the frame thereafter, that is, stops interpreting the frame. I do. For example, when an error frame is interpreted in the middle of a data frame, the interpretation of the data frame is stopped, and no special processing is performed according to the data frame.

  The reception ID determination unit 240 receives the value of the ID field notified from the frame interpretation unit 260, and receives each field of the frame after the ID field according to the message ID list held by the reception ID list holding unit 250. It is determined whether or not to do. The reception ID determination unit 240 notifies the frame interpretation unit 260 of this determination result.

  The reception ID list holding unit 250 holds a reception ID list that is a list of IDs (message IDs) received by the head unit 200. FIG. 5 is a diagram illustrating an example of the reception ID list. Head unit 200 receives a frame (message) whose message ID is “1” from ECU 400a connected to engine 401, and receives a frame whose message ID is “2” from ECU 400b connected to brake 402, A frame whose message ID is “3” is received from the ECU 400 c connected to the door opening / closing sensor 403, and a frame whose message ID is “4” is received from the ECU 400 d connected to the window opening / closing sensor 404.

  The frame processing unit 220 forms, for example, an image to be displayed on the LCD based on the content of the received frame (for example, the content of the message ID and the data field), and notifies the display control unit 210 of the image. The frame processing unit 220 holds the content of the received data field, and displays an image to be displayed on the LCD (for example, an image for displaying a vehicle speed, a window open / close state display) in response to a driver's operation received through the input unit. May be selected and notified.

  The display control unit 210 displays the content notified from the frame processing unit 220 on an LCD or the like.

  The frame generation unit 230 composes an error frame according to the notification from the frame interpretation unit 260 instructing the transmission of the error frame, and notifies the frame transmission / reception unit 270 of the error frame and transmits the error frame.

[1.5 Received ID list example 1]
FIG. 5 is a diagram illustrating an example of a reception ID list held in each of the head unit 200, the gateway 300, the ECU 400c, and the ECU 400d. The reception ID list illustrated in FIG. 3 is configured to selectively receive a frame including a message ID whose ID (message ID) is one of “1”, “2”, “3”, and “4”. Used to process. For example, if the reception ID list of FIG. 5 is held in the reception ID list holding unit 250 of the head unit 200, the frame whose message ID is not one of “1”, “2”, “3”, and “4” In, the interpretation of the frame after the ID field in the frame interpretation unit 260 is stopped.

[1.6 Configuration of Gateway 300]
FIG. 6 is a configuration diagram of the gateway 300. The gateway 300 includes a frame transmission / reception unit 360, a frame interpretation unit 350, a reception ID determination unit 330, a reception ID list holding unit 340, a frame generation unit 320, a transfer processing unit 310, and a transfer rule holding unit 370. It is comprised including. Each of these components is a functional component, and each function is realized by a communication circuit in the gateway 300, a processor or a digital circuit that executes a control program stored in a memory, or the like.

  The frame transmission / reception unit 360 transmits / receives a frame according to the CAN protocol to / from each of the buses 500a, 500b, and 500c. The frame is received one bit at a time from the bus and transferred to the frame interpretation unit 350. Further, based on the bus information indicating the transfer destination bus and the frame notified from the frame generation unit 320, the contents of the frame are transmitted to the buses 500a, 500b, 500c one bit at a time.

  The frame interpretation unit 350 receives the value of the frame from the frame transmission / reception unit 360 and interprets the value of the frame so as to map it to each field in the frame format defined by the CAN protocol. The value determined as the ID field is transferred to the reception ID determination unit 330. The frame interpretation unit 350 transfers the value of the ID field and the data field (data) appearing after the ID field to the transfer processing unit 310 according to the determination result notified from the reception ID determination unit 330, After receiving the determination result, it is determined whether the reception of the frame is stopped (that is, the interpretation as the frame is stopped). If the frame interpretation unit 350 determines that the frame does not conform to the CAN protocol, it notifies the frame generation unit 320 to transmit an error frame. Further, when the frame interpreting unit 350 receives an error frame, that is, when interpreting that an error frame has occurred based on the value in the received frame, the frame interpreting unit 350 discards the frame thereafter, that is, stops interpreting the frame. I do.

  The reception ID determination unit 330 receives the value of the ID field notified from the frame interpretation unit 350, and receives each field of the frame after the ID field in accordance with the message ID list held by the reception ID list holding unit 340. It is determined whether or not to do. The reception ID determination unit 330 notifies the frame interpretation unit 350 of this determination result.

  The reception ID list holding unit 340 holds a reception ID list (see FIG. 5) which is a list of IDs (message IDs) received by the gateway 300.

  The transfer processing unit 310 determines a bus to be transferred according to the message ID of the received frame according to the transfer rule held by the transfer rule holding unit 370, and is notified by the frame information and the bus information indicating the bus to be transferred. The generated message ID and data are notified to the frame generation unit 320. Note that the gateway 300 does not transfer an error frame received from a certain bus to another bus.

  The transfer rule holding unit 370 holds a transfer rule that is information indicating a rule for transferring a frame for each bus. FIG. 7 is a diagram illustrating an example of the transfer rule.

  The frame generation unit 320 composes an error frame according to the notification instructed to transmit the error frame notified from the frame interpretation unit 350, and notifies the frame transmission / reception unit 360 of the error frame to transmit. Also, the frame generation unit 320 configures a frame using the message ID and the data notified from the transfer processing unit 310, and notifies the frame transmission / reception unit 360 of the frame and bus information.

[1.7 Transfer rule example]
FIG. 7 shows an example of a transfer rule held by the gateway 300. In this transfer rule, a transfer source bus, a transfer destination bus, and a transfer target ID (message ID) are associated with each other. “*” In FIG. 7 indicates that the frame is transferred regardless of the message ID. In addition, "-" in FIG. 7 indicates that there is no frame to be transferred. The example in the figure shows that the frame received from the bus 500a is set to be transferred to the bus 500b and the bus 500c regardless of the message ID. Further, it is set that among the frames received from the bus 500b, all the frames are transferred to the bus 500c, but only the frame whose message ID is “3” is transferred to the bus 500a. Is shown. It also indicates that the frame received from the bus 500c is set so as not to be transferred to the bus 500a or the bus 500b.

[1.8 Configuration of ECU 400a]
FIG. 8 is a configuration diagram of the ECU 400a. ECU 400a includes a frame transmission / reception unit 460, a frame interpretation unit 450, a reception ID determination unit 430, a reception ID list holding unit 440, a frame processing unit 410, a frame generation unit 420, and a data acquisition unit 470. Be composed. Each of these components is a functional component, and each function is implemented by a communication circuit in the ECU 400a, a processor or a digital circuit that executes a control program stored in a memory, or the like.

  The frame transmitting / receiving unit 460 transmits / receives a frame to / from the bus 500a according to the CAN protocol. The frame is received one bit at a time from the bus 500 a and transferred to the frame interpreter 450. Further, the contents of the frame notified from the frame generation unit 420 are transmitted to the bus 500a.

  The frame interpreting unit 450 receives the value of the frame from the frame transmitting / receiving unit 460 and interprets the value so as to map it to each field in the frame format defined by the CAN protocol. The value determined as the ID field is transferred to the reception ID determination unit 430. The frame interpretation unit 450 transfers the value of the ID field and the data field appearing after the ID field to the frame processing unit 410 according to the determination result notified from the reception ID determination unit 430, or determines the determination result. It is determined whether to stop receiving the frame after receiving the frame (that is, to stop interpreting the frame). If the frame interpretation unit 450 determines that the frame does not conform to the CAN protocol, it notifies the frame generation unit 420 to transmit an error frame. When an error frame is received, that is, when the frame interpreting unit 450 interprets that the value is an error frame based on the value in the received frame, the frame interpreting unit 450 discards the frame thereafter, that is, stops interpreting the frame. I do.

  The reception ID determination unit 430 receives the value of the ID field notified from the frame interpretation unit 450, and receives each field of the frame after the ID field according to the message ID list held by the reception ID list holding unit 440. It is determined whether or not to do. The reception ID determination unit 430 notifies the frame interpretation unit 450 of this determination result.

  The reception ID list holding unit 440 holds a reception ID list that is a list of IDs (message IDs) received by the ECU 400a. FIG. 9 is a diagram illustrating an example of the reception ID list.

  The frame processing unit 410 performs a process related to a different function for each ECU according to the received frame data. For example, the ECU 400a connected to the engine 401 has a function of sounding an alarm when the door is open at a speed exceeding 30 km / h. The ECU 400a has, for example, a speaker for generating an alarm sound. Then, the frame processing unit 410 of the ECU 400a manages data (for example, information indicating the state of the door) received from another ECU, and sounds an alarm under a certain condition based on the speed obtained from the engine 401. I do.

  The data acquisition unit 470 acquires data indicating the state of devices, sensors, and the like connected to the ECU, and notifies the frame generation unit 420 of the data.

  The frame generation unit 420 composes an error frame according to the notification instructing the transmission of the error frame notified from the frame interpretation unit 450, and notifies the frame transmission / reception unit 460 of the error frame to transmit. Further, the frame generation unit 420 attaches a predetermined message ID to the data value notified from the data acquisition unit 470 to form a frame, and notifies the frame transmission / reception unit 460 of the frame.

  The ECUs 400b to 400d have basically the same configuration as the ECU 400a described above. However, the reception ID list held in the reception ID list holding unit 440 may have different contents for each ECU. The ECU 400b holds the reception ID list illustrated in FIG. 9, and the ECU 400c and the ECU 400d hold the reception ID list illustrated in FIG. Further, the processing content of the frame processing unit 410 differs for each ECU. For example, the processing content of the frame processing unit 410 in the ECU 400c includes a processing related to a function of sounding an alarm sound when the door is opened in a state where the brake is not applied. For example, the frame processing unit 410 in the ECU 400b and the ECU 400d does not perform any special processing. Each ECU may have functions other than those exemplified here. The contents of the frame transmitted by each of ECUs 400a to 400d will be described later with reference to FIGS.

[1.9 Received ID list example 2]
FIG. 9 is a diagram illustrating an example of the reception ID list held in each of ECU 400a and ECU 400b. The reception ID list illustrated in FIG. 3 is used for selectively receiving and processing a frame including a message ID whose ID (message ID) is one of “1”, “2”, and “3”. Used. For example, if the reception ID list shown in FIG. 9 is stored in the reception ID list storage unit 440 of the ECU 400a, the frame interpretation unit 450 may determine that the message ID is not one of “1”, “2”, and “3”. , The interpretation of the frame after the ID field is stopped.

[1.10 Example of transmission frame of ECU 400a related to engine]
FIG. 10 is a diagram showing an example of an ID (message ID) and a data field (data) in a frame transmitted from the ECU 400a connected to the engine 401. The message ID of the frame transmitted by the ECU 400a is “1”. The data represents an hourly speed (km / h), and takes a value in a range from a minimum of 0 (km / h) to a maximum of 180 (km / h), and the data length is 1 byte. From the upper row to the lower row in FIG. 10, each message ID and data corresponding to each frame sequentially transmitted from the ECU 400a are illustrated, and a state in which acceleration is performed from 0 km / hour to 1 km / hour is shown.

[1.11 Example of transmission frame of ECU 400b related to brake]
FIG. 11 is a diagram showing an example of an ID (message ID) and a data field (data) in a frame transmitted from the ECU 400b connected to the brake 402. The message ID of the frame transmitted by the ECU 400b is “2”. The data represents the degree of brake application in percentage (%), and the data length is 1 byte. This ratio is 0 (%) when no brake is applied and 100 (%) when brake is applied to the maximum. From the upper row to the lower row in FIG. 11, each message ID and data corresponding to each frame sequentially transmitted from the ECU 400b are illustrated, and the brake is gradually weakened from 100%.

[1.12 Example of transmission frame of ECU 400c related to door open / close sensor]
FIG. 12 is a diagram illustrating an example of an ID (message ID) and a data field (data) in a frame transmitted from the ECU 400c connected to the door opening / closing sensor 403. The message ID of the frame transmitted by the ECU 400c is “3”. The data indicates the open / closed state of the door, and the data length is 1 byte. The value of the data is “1” when the door is open and “0” when the door is closed. FIG. 12 illustrates the message IDs and data corresponding to the respective frames sequentially transmitted from the ECU 400c from the upper row to the lower row in FIG. 12, and illustrates a state where the door gradually shifts from the open state to the closed state. ing.

[1.13 Example of Transmission Frame of ECU 400d Related to Window Open / Close Sensor]
FIG. 13 is a diagram illustrating an example of an ID (message ID) and a data field (data) in a frame transmitted from the ECU 400d connected to the window opening / closing sensor 404. The message ID of the frame transmitted by the ECU 400d is “4”. The data represents the open / closed state of the window as a percentage (%), and the data length is 1 byte. This ratio is 0 (%) when the window is completely closed, and 100 (%) when the window is fully open. 13 illustrates message IDs and data corresponding to each frame sequentially transmitted from the ECU 400d from the upper row to the lower row, and shows a state in which the window is gradually opened from a closed state.

[1.14 Configuration of Fraud Detection ECU 100a]
FIG. 14 is a configuration diagram of the fraud detection ECU 100a. The fraud detection ECU 100a includes a frame transmission / reception unit 160, a frame interpretation unit 150, a fraudulent frame detection unit 130, a regular ID list holding unit 120, a fraud detection counter holding unit 110, and a frame generation unit 140. You. These components are functional components, and each function is realized by a communication circuit in the fraud detection ECU 100a, a processor that executes a control program stored in a memory, a digital circuit, or the like. Although the fraud detection ECU 100b basically has the same configuration, the contents of the list information (regular ID list) held by the regular ID list holding unit 120 are different between the fraud detection ECU 100a and the fraud detection ECU 100b.

  The frame transmitting / receiving unit 160 transmits / receives a frame to / from the bus 500a according to the CAN protocol. That is, the frame transmission / reception unit 160 functions as a so-called reception unit that receives a frame when transmission of a frame on the bus is started, and also functions as a so-called transmission unit that transmits an error frame or the like to the bus. That is, the frame transmission / reception unit 160 receives the frame from the bus 500a one bit at a time and transfers the frame to the frame interpretation unit 150. Also, the contents of the frame notified from the frame generation unit 140 are transmitted to the bus 500a.

  The frame interpreting unit 150 receives the value of the frame from the frame transmitting / receiving unit 160, and interprets it so as to map it to each field in the frame format specified by the CAN protocol. The value determined as the ID field is transferred to the invalid frame detection unit 130. If the frame interpretation unit 150 determines that the frame does not conform to the CAN protocol, it notifies the frame generation unit 140 to transmit an error frame. When the frame interpreting unit 150 receives an error frame, that is, when it interprets that the frame is an error frame based on the value in the received frame, it discards the frame thereafter, that is, stops interpreting the frame. I do.

  The fraudulent frame detection unit 130 receives the value of the ID field notified from the frame interpretation unit 150, and determines whether the value of the ID field satisfies a predetermined condition indicating fraud. That is, the fraudulent frame detecting unit 130 functions as a so-called determining unit that determines whether or not the content of the predetermined field in the received frame satisfies a predetermined condition indicating fraud. The predetermined condition indicating this fraud is a condition that the value of the ID field is not included in the list of message IDs held by the regular ID list holding unit 120. That is, according to the list of message IDs held by the regular ID list holding unit 120, it is determined whether the value of the notified ID field (message ID) is invalid. When a message ID not included in this list (that is, a regular ID list described later) is received, the received message ID is notified to the fraud detection counter holding unit 110 in order to increment the number of times of fraud detection. When a message ID that is not included in the formal ID list is received, the frame generation unit 140 is notified to transmit an error frame. Further, when the number of fraud detections reaches a certain number or more, an error display message (frame) is received from the fraud detection counter holding unit 110 and indicates that there is a fraudulent ECU that issues the corresponding message ID. The frame generation unit 140 is notified to transmit. The message ID of the error display message is predetermined, and the head unit 200 receives the message (frame) of the message ID and performs an error display. Although the description of the error display message is omitted for convenience, the message ID of the error display message is listed in a reception ID list held by the gateway 300 and the head unit 200 and a regular ID list described later. However, in FIGS. 15 and 16, the message ID of the error display message is omitted.

  The regular ID list holding unit 120 holds a regular ID list that is a list in which message IDs included in frames to be transmitted on the bus 500a in the vehicle-mounted network system 10 are defined in advance (see FIGS. 15 and 16). .

  The fraud detection counter holding unit 110 holds a fraud detection counter for counting the number of times of detection for each message ID, and when the message ID is notified from the fraudulent frame detection unit 130, the fraud detection counter is incremented ( To increase. When the fraud detection counter has reached a certain number (predetermined number) or more, it notifies the fraud frame detecting unit 130 that the certain number has been exceeded. An example of the certain number (predetermined number) here is a value determined according to the handling rule of the transmission error counter in the CAN protocol. In the CAN protocol, the transmission error counter counts up by 8 each time the ECU blocks transmission by an error frame. As a result, when the transmission error counter of the transmission node counts up to 128, the transmission node is set to the passive state and the frame is not transmitted. Therefore, if 17 which is larger than 128/8 (= 16) is defined as the fixed number, if the existence of a transmission node (illegal ECU) ignoring the rules related to the transmission error counter in the CAN protocol is estimated, The error display message is transmitted from the detection ECU 100a. If the invalid ECU that transmits the invalid frame conforms to the rule related to the transmission error counter in the CAN protocol, the transmission of the error frame by the invalid detection ECU 100a causes the transmission error counter of the invalid ECU to become invalid. It is incremented by eight. In this case, when the transmission error counter of the unauthorized ECU is increased to 128 by repeating the transmission of the unauthorized frame, the unauthorized ECU transitions to the passive state, and the transmission of the unauthorized frame by the unauthorized ECU is stopped. .

  The frame generation unit 140 composes an error frame in accordance with the notification instructed to transmit the error frame notified from the frame interpretation unit 150, and notifies the frame transmission / reception unit 160 of the error frame to transmit. Further, the frame generation unit 140 composes an error frame according to the notification instructed to transmit the error frame notified from the invalid frame detection unit 130, and notifies the frame transmission / reception unit 160 of the error frame to transmit. Furthermore, the frame generation unit 140 notifies the frame transmission / reception unit 160 of the error display message and transmits the error display message according to the notification instructing the transmission of the error display message notified from the invalid frame detection unit 130.

[1.15 Regular ID List Example of Fraud Detection ECU 100a]
FIG. 15 is a diagram illustrating an example of the regular ID list held in the regular ID list holding unit 120 of the fraud detection ECU 100a. The formal ID list illustrated in the drawing shows that a frame including a message ID whose ID (message ID) is one of “1”, “2”, and “3” can flow on the bus 500a. .

[1.16 Example of regular ID list of fraud detection ECU 100b]
FIG. 16 is a diagram illustrating an example of the regular ID list held in the regular ID list holding unit 120 of the fraud detection ECU 100b. The regular ID list illustrated in the figure shows that a frame including a message ID whose ID (message ID) is any one of “1”, “2”, “3”, and “4” can flow on the bus 500b. Is shown.

[1.17 Fraud detection counter save list example]
FIG. 17 is a diagram illustrating an example of the state of the fraud detection counter for each message ID. The example in the figure shows that only the fraud detection counter with the message ID “4” has detected fraud once, and has not detected it once with other message IDs. That is, in this example, the fraud detection ECU 100a detects that the message (frame) having the message ID "4" which should not originally flow on the bus 500a has been transmitted once, and the fraud detection counter corresponding to the corresponding message ID "4". Is incremented by one.

[1.18 Sequence related to detection of illegal frame]
Hereinafter, when a fraudulent ECU is connected to the bus 500a of the in-vehicle network system 10 having the above-described configuration, operations of the fraud detecting ECU 100a, the ECU 400a, the ECU 400b, the gateway 300, and the like connected to the bus 500a will be described.

  FIG. 18 is a sequence diagram illustrating an operation example in which the fraud detection ECU 100a detects a fraudulent frame (message) and prevents another ECU from performing a process corresponding to the fraudulent frame. The figure shows an example in which an unauthorized ECU transmits a data frame having a message ID of “4” and a data field (data) of “255 (0xFF)” to the bus 500a. Each sequence here means each processing procedure (step) in various devices.

  First, the unauthorized ECU starts transmission of a data frame whose message ID is "4" and whose data is "255 (0xFF)" (sequence S1001). The value of each bit constituting the frame is sequentially sent out onto the bus 500a in the order of SOF, ID field (message ID) according to the data frame format described above.

  When the unauthorized ECU has finished sending up to the ID field (message ID) to the bus 500a, the unauthorized detection ECU 100a, the ECU 400a, the ECU 400b, and the gateway 300 each receive the message ID (sequence S1002).

  ECU 400a, ECU 400b, and gateway 300 each check the message ID using the held reception ID list (sequence S1003). At this time, the fraud detection ECU 100a checks the message ID using the stored regular ID list (sequence S1004). That is, the fraud detection ECU 100a determines whether or not the content of the ID field in the transmitted frame satisfies a predetermined condition indicating fraud (not listed in the regular ID list).

  In the sequence S1003, the ECUs 400a and 400b end the reception because “4” is not included in the reception ID list held by each (see FIG. 9). That is, the unauthorized ECU does not interpret the frame for which transmission is continued and does not perform the processing corresponding to the frame. In sequence S1003, gateway 300 continues reception because “4” is included in the held reception ID list (see FIG. 5). In addition, in sequence S1004, the fraud detection ECU 100a determines that the message ID is an invalid message ID because “4” is not included in the held regular ID list, and subsequently starts preparation for issuing an error frame ( Sequence S1005).

  Subsequent to the sequence S1003, the gateway 300 continues receiving the frame. For example, while the fraud detection ECU 100a is preparing to issue an error frame, the fraudulent ECU sequentially sends out the RTR and the control fields (IDE, r, DLC), which are portions after the ID field, on the bus 500a. Then, the data field is sequentially transmitted one bit at a time. Gateway 300 receives the RTR and the control fields (IDE, r, DLC), and subsequently starts receiving the data fields (sequence S1006).

  Next, preparation for issuing an error frame is completed, and the fraud detection ECU 100a transmits an error frame (sequence S1007). The transmission of the error frame is performed before the end of the incorrect frame is transmitted (for example, before the end of the CRC sequence is transmitted). In this operation example, the operation is performed in the middle of the data field. When the transmission of the error frame is started, an intermediate portion of the data field of the frame being transmitted from the unauthorized ECU is overwritten by the error frame (a dominant bit string of priority) on the bus 500a.

  Upon receiving the error frame transmitted in sequence S1007, gateway 300 stops receiving the frame transmitted by the incorrect ECU during the reception of the data field (sequence S1008). That is, since the data field from the unauthorized ECU is overwritten with the error frame and the error frame is detected, the gateway 300 does not continue to receive the frame transmitted by the unauthorized ECU.

  Fraud detection ECU 100a increments the fraud detection counter corresponding to message ID “4” of the data frame to which the error frame was transmitted (sequence S1009).

  When the fraud detection counter corresponding to the message ID “4” becomes 17 or more as a result of the increment, the fraud detection ECU 100a transmits a frame (error display message) for notifying the head unit 200 of an error display so as to be received. (Step S1010). As a result, a process for displaying an error is performed by the frame processing unit 220 of the head unit 200, and the error is notified via the LCD or the like. The notification of the error may be made by sound output, light emission, or the like in addition to the display on the LCD or the like.

[1.19 Effects of First Embodiment]
The fraud detection ECU described in the first embodiment determines whether or not the transmitted frame (data frame) is a fraudulent frame using the regular ID list for the ID field of the frame. As a result, the fraud can be determined based on the ID field in the data frame, so that the fraudulent frame is interpreted in the existing nodes (that is, ECUs other than the fraud detecting ECU and the fraudulent ECU), and the processing corresponding to the frame is executed. Can be blocked. Further, since the determination can be made only by receiving the ID field following the SOF at the head of the data frame, bus traffic can be suppressed as compared with the case where the determination is made by receiving the rear part of the data frame or the like.

  In addition, by counting the number of times the fraud detection ECU has transmitted an error frame using the fraud detection counter, if the transmission error counter at the node transmitting the fraudulent message ID upon reception of the error frame conforms to the CAN protocol, the fraud detection ECU is in a passive state. Can be detected that has reached the upper limit value at which the transition to. This makes it possible to determine whether or not the node transmitting the invalid message ID complies with the CAN protocol error counter specification.

  Further, by using only the fraud detection ECU as the node for determining a fraudulent frame, the influence on the existing network configuration can be minimized, and the processing amount and power consumption of the entire system can be reduced. .

  It should be noted that one or more fraud detection ECUs in the above-described in-vehicle network system 10 may be capable of switching whether or not to perform detection. Then, the fraud detection ECU may not detect a fraudulent message only when the state of the vehicle is constant, for example, when a certain period has elapsed from the start of use. As a result, power consumption can be reduced, and consumption of the vehicle-mounted battery, which is the power supply source of the vehicle-mounted network system 10, can be suppressed.

(Embodiment 2)
Hereinafter, as an embodiment of the present disclosure, a fraud countermeasure method for preventing another node (ECU) from executing a process based on a fraudulent frame based on a data range permitted for each message ID. The in-vehicle network system 11 including the realized fraud detection ECU will be described.

[2.1 Overall Configuration of In-Vehicle Network System 11]
FIG. 19 is a diagram illustrating an overall configuration of the vehicle-mounted network system 11 according to the second embodiment. In-vehicle network system 11 is a modification of the in-vehicle network system 10 described in the first embodiment. The in-vehicle network system 11 includes buses 500a and 500b, and fraud detection ECUs 2100a and 2100b, a head unit 200, a gateway 300, and each node connected to a bus such as an ECU such as an ECU 400a to 400d connected to various devices. It consists of. Among the components of the in-vehicle network system 11, components having functions similar to those of the first embodiment are denoted by the same reference numerals, and description thereof is omitted.

  The fraud detecting ECUs 2100a and 2100b are connected to the buses 500a and 500b, respectively, and determine whether or not the frames transmitted by the ECUs 400a to 400d are fraudulent, and have a function of transmitting an error frame if fraudulent. is there.

[2.2 Configuration of Fraud Detection ECU 2100a]
FIG. 20 is a configuration diagram of the fraud detection ECU 2100a. The fraud detection ECU 2100a includes a frame transmission / reception unit 160, a frame interpretation unit 2150, a fraudulent frame detection unit 2130, a data range list storage unit 2120, a fraud detection counter storage unit 110, and a frame generation unit 140. You. Each of these components is a functional component, and each function is realized by a communication circuit in the fraud detection ECU 2100a, a processor that executes a control program stored in a memory, a digital circuit, or the like. The fraud detection ECU 2100a is a modification of a part of the fraud detection ECU 100a described in the first embodiment, and components having the same functions as those in the first embodiment are denoted by the same reference numerals and description thereof is omitted. The fraud detection ECU 2100b has the same configuration as the fraud detection ECU 2100a.

  The frame interpretation unit 2150 is a modification of the frame interpretation unit 150 shown in the first embodiment, receives a frame value from the frame transmission / reception unit 160, and maps it to each field in a frame format defined by the CAN protocol. Interpret as follows. When it is determined that the frame is a data frame, the value (data) determined as a data field is transferred to the invalid frame detection unit 2130 together with the ID (message ID) of the ID field. If the frame interpretation unit 2150 determines that the frame does not comply with the CAN protocol, it notifies the frame generation unit 140 to transmit an error frame. When an error frame is received, that is, when the frame interpreting unit 2150 interprets that the value is an error frame based on the value in the received frame, the frame interpreting unit 2150 discards the frame thereafter, that is, stops interpreting the frame. I do.

  The unauthorized frame detection unit 2130 is a modification of the unauthorized frame detection unit 130 described in Embodiment 1, receives the message ID notified from the frame interpretation unit 2150 and the value (data) of the data field, and It is determined whether or not the value satisfies a predetermined condition indicating invalidity. That is, the fraudulent frame detecting unit 2130 functions as a so-called determining unit that determines whether or not the content of the predetermined field in the received frame satisfies a predetermined condition indicating fraud. The predetermined condition indicating the injustice is a condition that the data does not enter a data range described in association with the message ID in the data range list held by the data range list holding unit 2120. The invalid frame detection unit 2130 determines whether or not the frame is invalid according to a data range list which is a list defining a data range for each message ID held in the data range list holding unit 2120. When receiving data outside the range indicated by the data range list, the invalid frame detection unit 2130 notifies the received message ID to the fraud detection counter holding unit 110 in order to increment the number of times of fraud detection. Since the control for transmitting the error display message so as to be received by the head unit 200 when the number of times of detecting the fraud reaches a certain number or more is as described in the first embodiment, Description is omitted. Further, when data other than the range indicated by the data range list is received, the frame generation unit 140 is notified to transmit an error frame.

  The data range list holding unit 2120 holds a data range list, which is a list in which an allowable range of data (data field value) included in a data frame transmitted on a bus in the vehicle-mounted network system 11 is defined in advance ( See FIG. 21).

[2.3 Data range list example]
FIG. 21 is a diagram illustrating an example of a data range list held in the data range list holding unit 2120 of the fraud detection ECU 2100a. This data range list associates each ID (message ID) with a data range allowed as a value (data) of a data field in a data frame of the message ID. In the example of FIG. 21, the data frame with the message ID “1” has a data range “0 to 180”, the data frame with the message ID “2” or “4” has the data range “0 to 100”, For the data frame with the message ID “3”, the data ranges “0, 1” are normal.

[2.4 Sequence for Detection of Illegal Frame]
Hereinafter, when a fraudulent ECU is connected to the bus 500a of the in-vehicle network system 11 having the above-described configuration, operations of the fraud detection ECU 2100a, the ECU 400a, the ECU 400b, the gateway 300, and the like connected to the bus 500a will be described.

  FIGS. 22 and 23 are sequence diagrams illustrating an operation example in which the fraud detection ECU 2100a detects a fraudulent frame (message) and prevents another ECU from performing a process corresponding to the fraudulent frame. In FIGS. 22 and 23, similarly to the case of FIG. 18 shown in the first embodiment, the unauthorized ECU sends the message ID “4” and the data field (data) “255 (0xFF)” to the bus 500a. 2 shows an example of a case in which a data frame is transmitted. The same sequence as the sequence described in the first embodiment is denoted by the same reference numeral, and the description is simplified here.

  First, the unauthorized ECU starts transmission of an unauthorized data frame (sequence S1001). Fraud detection ECU 2100a, ECU 400a, ECU 400b, and gateway 300 each receive the message ID (sequence S1002). ECU 400a, ECU 400b, and gateway 300 each check the message ID using the held reception ID list (sequence S1003). The ECUs 400a and 400b end the reception because “4” is not included in the reception ID list held by each (see FIG. 9). Since "4" is included in the held reception ID list (see FIG. 5), gateway 300 continues reception and receives a data field (sequence S1006a). Similarly, the fraud detection ECU 2100a also receives the data field (sequence S1006a).

  Subsequent to sequence S1006a, fraud detection ECU 2100a checks data in the data field using the data range list (see FIG. 21) (sequence S2001). That is, the fraud detection ECU 2100a determines whether or not the content of the ID field in the transmitted frame satisfies a predetermined condition indicating fraud (does not fall within the range of data described in the data range list). Since the value of “255 (0xFF)” corresponding to ID “4” is not described in the data range list, the fraud detection ECU 2100 a determines that the data frame is a fraudulent data frame, and then starts preparing for issuing an error frame. Yes (sequence S1005).

  While the fraud detecting ECU 2100a is preparing to issue an error frame, the fraudulent ECU sequentially sends out CRC fields (CRC sequence and CRC delimiter), which are portions after the data field, on the bus 500a one bit at a time. . Gateway 300 starts receiving the CRC field (sequence S2002).

  Next, preparation for issuing an error frame is completed, and the fraud detection ECU 2100a transmits an error frame (sequence S1007). By starting the transmission of the error frame, in the bus 500a, the middle part of the CRC sequence of the frame being transmitted from the unauthorized ECU is overwritten by the error frame (priority dominant bit string).

  Upon receiving the error frame transmitted in sequence S1007, gateway 300 stops receiving the data frame transmitted by the incorrect ECU during the reception of the CRC field including the CRC sequence (sequence S2003). That is, since the CRC sequence from the unauthorized ECU is overwritten with the error frame and the error frame is detected, the gateway 300 does not continue receiving the data frame transmitted by the unauthorized ECU.

  Fraud detection ECU 2100a increments the fraud detection counter corresponding to ID “4” of the data frame to which the error frame was transmitted (sequence S1009). If the result of the increment indicates that the fraud detection counter corresponding to ID “4” is 17 or more, fraud detection ECU 2100a transmits an error display message (sequence S1010).

[2.5 Effect of Second Embodiment]
The fraud detection ECU described in the second embodiment determines whether or not the transmitted frame is a fraudulent frame using the data range list for the ID field and the data field of the frame (data frame). As a result, the fraud can be determined based on the combination of the ID field and the data field in the data frame. Therefore, the existing ECU (that is, the ECU other than the fraud detecting ECU and the fraudulent ECU) interprets the fraudulent frame and responds to the frame. Processing can be prevented from being performed. Further, since the determination can be made only by receiving up to the data field of the data frame, the bus traffic can be suppressed as compared with the case where the determination is made by receiving the rear part of the data frame.

  In addition, by counting the number of times the fraud detection ECU has transmitted an error frame using the fraud detection counter, if the transmission error counter at the node transmitting the fraudulent message ID upon reception of the error frame conforms to the CAN protocol, the fraud detection ECU is in a passive state. Can be detected that has reached the upper limit value at which the transition to. This makes it possible to determine whether or not the node transmitting the invalid message ID complies with the CAN protocol error counter specification.

  Further, by using only the fraud detection ECU as the node for determining a fraudulent frame, the influence on the existing network configuration can be minimized, and the processing amount and power consumption of the entire system can be reduced. .

  Note that one or more fraud detection ECUs in the above-described in-vehicle network system 11 may be capable of switching whether or not to perform detection. Then, the fraud detection ECU may not detect a fraudulent message only when the state of the vehicle is constant, for example, when a certain period has elapsed from the start of use. This makes it possible to reduce power consumption.

(Embodiment 3)
Hereinafter, as an embodiment of the present disclosure, a process based on an invalid frame is executed in another node (ECU) using a message authentication code (MAC) calculated from a message ID, data, and a counter value. An in-vehicle network system 12 including a fraud detection ECU that realizes a fraud countermeasure method for preventing the illegal operation will be described.

[3.1 Overall Configuration of In-Vehicle Network System 12]
FIG. 24 is a diagram illustrating an overall configuration of the vehicle-mounted network system 12 according to the third embodiment. In-vehicle network system 12 is a modification of a part of in-vehicle network system 10 described in the first embodiment. The in-vehicle network system 12 includes buses 500a and 500b, and nodes connected to buses such as ECUs 3100a and 3100b, head units 200, gateways 300, and ECUs 3400a to 3400d connected to various devices. It consists of. Among the components of the in-vehicle network system 12, components having the same functions as those in the first embodiment are denoted by the same reference numerals, and description thereof will be omitted.

  The fraud detecting ECUs 3100a and 3100b are connected to the bus 500a and the bus 500b, respectively, and determine whether or not the frames transmitted by the ECUs 3400a to 3400d are fraudulent. is there.

  The ECUs 3400a to 3400d are connected to one of the buses, and are connected to the engine 401, the brake 402, the door opening / closing sensor 403, and the window opening / closing sensor 404, respectively. Each of the ECUs 3400a to 3400d acquires the state of the connected device (the engine 401 and the like) and periodically transmits a data frame indicating the state to a network (that is, a bus). The data field of the transmitted data frame is provided with a message authentication code (MAC) derived by calculation from the message ID, the data value, and the counter value incremented for each transmission.

[3.2 Configuration of ECU 3400a]
FIG. 25 is a configuration diagram of the ECU 3400a. The ECU 3400a includes a frame transmission / reception unit 460, a frame interpretation unit 450, a reception ID determination unit 430, a reception ID list holding unit 440, a frame processing unit 410, a frame generation unit 3420, a data acquisition unit 470, and a MAC generation unit. It is configured to include a unit 3410, a MAC key holding unit 3430, and a counter holding unit 3440. Each of these components is a functional component, and each function is realized by a communication circuit in the ECU 3400a, a processor or a digital circuit that executes a control program stored in a memory, or the like. ECU 3400a is a modification of ECU 400a shown in the first embodiment, and components having the same functions as those in the first embodiment are denoted by the same reference numerals and description thereof is omitted.

  Frame generating section 3420 is obtained by modifying a part of frame generating section 420 shown in the first embodiment. The frame generation unit 3420 configures an error frame according to the notification instructing the transmission of the error frame notified from the frame interpretation unit 450, and notifies the frame transmission / reception unit 460 of the error frame for transmission. Further, frame generating section 3420 notifies MAC generating section 3410 of the data value notified from data obtaining section 470 and a predetermined message ID, and receives the calculated MAC. The frame generation unit 3420 configures a frame to include a predetermined message ID, the value of the data notified from the data acquisition unit 470, and the MAC received from the MAC generation unit 3410 (see FIG. 26), and transmits and receives the frame. Notify section 460.

  The MAC generation unit 3410 holds the value (combined value) obtained by combining the message ID and the data value notified from the frame generation unit 3420 with the counter value held by the counter holding unit 3440 in the MAC key holding unit 3430 The MAC is calculated (derived by calculation) using the MAC key to be performed, and the calculated MAC is notified to the frame generation unit 3420. Here, HMAC (Hash-based Message Authentication Code) (see Non-Patent Document 2) is employed as the MAC calculation method, and the MAC key is calculated using a value obtained by padding the above combined value to a predetermined block (for example, 4 bytes). , And the first 4 bytes of the calculated result appear as MAC. Here, as the combined value used to calculate the MAC, the message ID, the value of the data, and the counter value held by the counter holding unit 3440 are used, but any one of these three values is used. Alternatively, the MAC may be calculated using a combination of the two.

  The MAC key holding unit 3430 holds a MAC key required for calculating a MAC.

  The counter holding unit 3440 holds a counter value required for calculating a MAC. The counter value is incremented each time the data transmission / reception unit 460 successfully transmits a data frame.

  Each of ECUs 3400b to 3400d is a modification of each of ECUs 400b to 400d shown in the first embodiment, and has basically the same configuration as ECU 3400a described above. However, the reception ID list held in the reception ID list holding unit 440 may have different contents for each ECU. For example, the ECU 3400a and the ECU 3400b hold the reception ID list illustrated in FIG. 9, and the ECU 3400c and the ECU 3400d hold the reception ID list illustrated in FIG. Further, the processing content of the frame processing unit 410 differs for each ECU as described in the first embodiment. Hereinafter, the contents of the frame transmitted by each of ECUs 3400a to 3400d will be described with reference to FIGS.

[3.3 Example of transmission frame of ECU 3400a related to engine]
FIG. 26 is a diagram illustrating an example of an ID (message ID) and a data field (data) in a data frame transmitted from the ECU 3400a connected to the engine 401. The message ID of the frame transmitted by the ECU 3400a is “1”. In the drawing, the data is represented by a blank space for each byte, the first 1 byte represents the speed per hour (km / h), the next 1 byte represents the counter value, and the next 4 bytes represents the MAC. In the example of FIG. 26, the MAC is represented by a hexadecimal number. The speed per hour (km / h) of the first byte takes a value in a range from 0 (km / h) at the minimum to 180 (km / h) at the maximum. From the upper row to the lower row in FIG. 26, each message ID and data corresponding to each frame sequentially transmitted from the ECU 3400a are illustrated. The counter value gradually increases, and the speed is accelerated from 0 km / hour to 1 km / hour. It shows how it is.

[3.4 Transmission Frame Example of ECU 3400b Related to Brake]
FIG. 27 is a diagram illustrating an example of an ID (message ID) and a data field (data) in a data frame transmitted from the ECU 3400b connected to the brake 402. The message ID of the frame transmitted by the ECU 3400b is “2”. In the figure, the data is divided into blanks for each byte, and the first 1 byte indicates the degree of braking (%), the next 1 byte indicates the counter value, and the next 4 bytes indicates the MAC. Represent. In the example of FIG. 27, the MAC is represented by a hexadecimal number. The degree of application of the first 1-byte brake is 0 (%) when the brake is not applied at all and 100 (%) when the brake is applied to the maximum. 27 illustrates message IDs and data corresponding to each frame sequentially transmitted from the ECU 3400b from the upper row to the lower row in FIG. 27. The counter value gradually increases, and the brake is gradually weakened from 100%. It shows how you are.

[3.5 Example of Transmission Frame of ECU 3400c Related to Door Open / Close Sensor]
FIG. 28 is a diagram illustrating an example of an ID (message ID) and a data field (data) in a data frame transmitted from the ECU 3400c connected to the door opening / closing sensor 403. The message ID of the frame transmitted by the ECU 3400c is “3”. In the drawing, the data is divided into blanks for each byte, and the first 1 byte indicates the open / closed state of the door, the next 1 byte indicates the counter value, and the next 4 bytes indicates the MAC. In the example of FIG. 28, the MAC is represented by a hexadecimal number. The open / closed state of the first 1-byte door is “1” when the door is open and “0” when the door is closed. FIG. 28 illustrates the message IDs and data corresponding to the respective frames sequentially transmitted from the ECU 3400c from the upper row to the lower row in FIG. 28, in which the counter value gradually increases and the door is gradually closed from the open state. It shows the appearance of moving to.

[3.6 Example of Transmission Frame of ECU 3400d Related to Window Open / Close Sensor]
FIG. 29 is a diagram illustrating an example of an ID (message ID) and a data field (data) in a data frame transmitted from the ECU 3400d connected to the window opening / closing sensor 404. The message ID of the frame transmitted by the ECU 3400d is “4”. In the figure, the data is shown by separating each byte with a blank space, the first 1 byte represents the open / closed state of the window by percentage (%), the next 1 byte represents the counter value, and the next 4 bytes represents the MAC. Represent. In the example of FIG. 29, the MAC is represented by a hexadecimal number. The open / closed state of the first 1-byte window is 0 (%) when the window is completely closed and 100 (%) when the window is fully open. 29 illustrates message IDs and data corresponding to each frame sequentially transmitted from the ECU 3400d from the upper row to the lower row in FIG. 29. The counter value gradually increases, and the window is gradually opened from a closed state. It shows the situation.

[3.7 Configuration of Fraud Detection ECU 3100a]
FIG. 30 is a configuration diagram of the fraud detection ECU 3100a. The fraud detection ECU 3100a includes a frame transmission / reception unit 160, a frame interpretation unit 3150, a fraudulent MAC detection unit 3130, a MAC key holding unit 3180, a counter holding unit 3190, a frame generation unit 140, a MAC generation unit 3170, It comprises a detection counter holding unit 110. Each of these components is a functional component, and each function is realized by a communication circuit in the fraud detection ECU 3100a, a processor that executes a control program stored in a memory, a digital circuit, or the like. The fraud detection ECU 3100a is a modification of a part of the fraud detection ECU 100a described in the first embodiment, and components having the same functions as those in the first embodiment are denoted by the same reference numerals and description thereof is omitted. The fraud detection ECU 3100b has the same configuration.

  The frame interpretation unit 3150 is a modification of the frame interpretation unit 150 described in the first embodiment, receives a frame value from the frame transmission / reception unit 160, and maps it to each field in the frame format defined by the CAN protocol. Interpret as follows. When it is determined that the frame is a data frame, the value (data) determined as a data field is transferred to the unauthorized MAC detection unit 3130 together with the ID (message ID) of the ID field. If the frame interpretation unit 3150 determines that the frame does not conform to the CAN protocol, it notifies the frame generation unit 140 to transmit an error frame. When an error frame is received, that is, when the frame interpreting unit 3150 interprets that the value of the received frame is an error frame, the frame interpreting unit 3150 discards the frame thereafter, that is, stops interpreting the frame. I do.

  The unauthorized MAC detection unit 3130 has a function of receiving the message ID notified from the frame interpretation unit 3150 and the value (data) of the data field and verifying the MAC in the data field. The unauthorized MAC detection unit 3130 notifies the notified message ID and the value of the data field to the MAC generation unit 3170, and acquires the MAC generated by the MAC generation unit 3170. The unauthorized MAC detection unit 3130 determines whether or not the data in the data field satisfies a predetermined condition indicating unauthorized. That is, the unauthorized MAC detection unit 3130 functions as a determination unit that determines whether or not the content of the predetermined field in the received frame satisfies the predetermined condition indicating the invalidity. The predetermined condition indicating the injustice is that the verification in a predetermined verification processing procedure (a procedure including MAC generation, MAC comparison, and the like) fails, that is, the MAC included in the data is transmitted to the MAC generation unit 3170. Is different from the MAC generated by the MAC. The unauthorized MAC detection unit 3130 determines whether or not the MAC is invalid (i.e., verifies the MAC) by comparing the MAC acquired from the MAC generation unit 3170 with the MAC in the data field. As a result of the comparison between the two MAC values, if they do not match, the received message ID is notified to the fraud detection counter holding unit 110 in order to increment the fraud detection frequency. Since the control for transmitting the error display message so as to be received by the head unit 200 when the number of times of detecting the fraud reaches a certain number or more is as described in the first embodiment, Description is omitted. If the two MAC values do not match as a result of the comparison, the frame generation unit 140 is notified to transmit an error frame. As a result of the comparison of the MAC values, when they match, the MAC generation unit 3170 is notified to increment the counter value corresponding to the message ID held by the counter holding unit 3190.

  Using the message ID notified from the unauthorized MAC detection unit 3130, the MAC generation unit 3170 obtains the corresponding MAC key from the MAC key storage unit 3180, and obtains the corresponding counter from the counter storage unit 3190. The MAC generation unit 3170 compares the value of the data field (the value of the first byte) notified from the unauthorized MAC detection unit 3130 and the counter value obtained from the counter storage unit 3190 with the MAC key obtained from the MAC key storage unit 3180. Is used to calculate the MAC (derived by calculation), and the calculated MAC is notified to the unauthorized MAC detection unit 3130. Note that the same algorithm for calculating the MAC using the MAC key is used in each of the fraud detection ECUs 3100a and 3100b and the ECUs 3400a to 3400d.

  The MAC key holding unit 3180 holds a MAC key required for calculating a MAC in association with each message ID. The MAC key held by the MAC key holding unit 3180 has a different value for each associated message ID. Note that the MAC key used in the ECU and the fraud detection ECU may be different for each transmission node, assuming that one transmission node transmits each frame of a plurality of message IDs. As the MAC key, for example, the same value may be used for frames transmitted on the same bus, the same key (value) may be used even on different buses, The same key may be used per vehicle, the same key for the same vehicle type, the same key for the same manufacturer, or the same key for different manufacturers.

  The counter holding unit 3190 holds a counter value required for calculating the MAC value for each message ID. This counter value is incremented when a frame is normally received (that is, when both MACs compared by the unauthorized MAC detection unit 3130 match).

[3.8 Example of counter value]
FIG. 31 is a diagram illustrating an example of a counter value for each message ID held in the counter holding unit 3190. In the figure, the counter with the message ID “1” is once, the counter with the message ID “2” is 10 times, the counter with the message ID “3” is 15 times, and the counter with the message ID “4” is 100. The times are shown respectively. The counter value corresponding to each message ID indicates the number of times that the frame including the message ID has been normally received.

[3.9 Sequence for Detection of Illegal Frame]
Hereinafter, when a fraudulent ECU is connected to the bus 500a of the in-vehicle network system 12 having the above-described configuration, operations of the fraud detecting ECU 3100a, the ECU 3400a, the ECU 3400b, the gateway 300, and the like connected to the bus 500a will be described.

  32 and 33 are sequence diagrams showing an operation example in which the fraud detection ECU 3100a detects a fraudulent frame (message) and prevents another ECU from performing a process corresponding to the fraudulent frame. FIGS. 32 and 33 show an example in which an unauthorized ECU is connected to the bus 500a as in the case of FIG. 18 shown in the first embodiment and FIGS. 22 and 23 shown in the second embodiment. I have. The unauthorized ECU transmits a data frame whose message ID is "4" and whose data field (data) is "0xFF FF FFFFFFFF" (6 bytes). The same sequence as the sequence described in the first or second embodiment is denoted by the same reference numeral, and the description is simplified here.

  First, the unauthorized ECU starts transmitting the above-described unauthorized data frame (sequence S1001a). Fraud detection ECU 3100a, ECU 3400a, ECU 3400b, and gateway 300 each receive the message ID (sequence S1002). ECU 3400a, ECU 3400b and gateway 300 each check the message ID using the received reception ID list (sequence S1003). The ECU 3400a and the ECU 3400b end the reception because “4” is not included in the reception ID list held by each (see FIG. 9). Since "4" is included in the held reception ID list (see FIG. 5), gateway 300 continues reception and receives a data field (sequence S1006a). Similarly, the fraud detection ECU 3100a also receives the data field (sequence S1006a).

  Subsequent to sequence S1006a, the fraud detection ECU 3100a verifies (checks) the MAC included in the data in the data field (sequence S3001). That is, the fraud detection ECU 3100a determines whether or not the content of the ID field in the transmitted frame satisfies a predetermined condition indicating fraud (failure of MAC verification). The fraud detection ECU 3100a calculates the MAC calculated using the MAC of the second half 4 bytes and the MAC key and counter corresponding to the message ID “4” for the data “0xFFFFFFFF” of 6 bytes in the data field in the data frame transmitted by the fraudulent ECU. The MAC is verified by comparing. Since the result of this comparison is inconsistent and the verification fails, the fraud detection ECU 3100a determines that the data frame is a fraudulent data frame, and then starts preparing for issuing an error frame (sequence S1005).

  While the fraud detection ECU 3100a is preparing to issue an error frame, the gateway 300 starts receiving a CRC field (sequence S2002).

  Next, preparation for issuing an error frame is completed, and the fraud detection ECU 3100a transmits an error frame (sequence S1007). By starting transmission of the error frame, an error frame overwrites a part of the CRC sequence of the frame being transmitted from the unauthorized ECU on the bus 500a.

  Upon receiving the error frame transmitted in sequence S1007, gateway 300 stops receiving the data frame transmitted by the incorrect ECU during the reception of the CRC field including the CRC sequence (sequence S2003).

  Fraud detection ECU 3100a increments the fraud detection counter corresponding to ID “4” of the data frame to which the error frame was transmitted (sequence S1009). When the result of the increment indicates that the fraud detection counter corresponding to ID “4” is 17 or more, fraud detection ECU 3100a transmits an error display message (sequence S1010).

[3.10 Effect of Third Embodiment]
The fraud detecting ECU described in the third embodiment determines whether the transmitted frame is a fraudulent frame by verifying the MAC included in the data field of the frame (data frame). As a result, it is possible to prevent the existing ECU (that is, the ECU other than the fraud detecting ECU and the fraudulent ECU) from interpreting the fraudulent frame and executing the processing corresponding to the fraudulent frame. Further, since the determination can be made only by receiving up to the data field of the data frame, the bus traffic can be suppressed as compared with the case where the determination is made by receiving the rear part of the data frame.

  In addition, by counting the number of times the fraud detection ECU has transmitted an error frame using the fraud detection counter, if the transmission error counter at the node transmitting the fraudulent message ID upon reception of the error frame conforms to the CAN protocol, the fraud detection ECU is in a passive state. Can be detected that has reached the upper limit value at which the transition to. This makes it possible to determine whether or not the node transmitting the invalid message ID complies with the CAN protocol error counter specification.

  Further, since the node for verifying the MAC is only the fraud detecting ECU, it is not necessary to perform verification by an ECU other than the fraud detecting ECU, so that the processing amount and the power consumption of the entire system can be suppressed.

  It should be noted that one or more fraud detection ECUs in the above-described in-vehicle network system 12 may be capable of switching whether or not to perform detection. Then, the fraud detection ECU may not detect a fraudulent message only when the state of the vehicle is constant, for example, when a certain period has elapsed from the start of use. This makes it possible to reduce power consumption.

(Embodiment 4)
Hereinafter, as an embodiment of the present disclosure, a fraud detection method for switching an operation mode of a fraud detection ECU according to whether or not to execute a specific detection process for detecting a fraudulent message (frame) according to a state of a vehicle. Will be described.

[4.1 Overall Configuration of In-Vehicle Network System 13]
FIG. 34 is a diagram illustrating an overall configuration of the vehicle-mounted network system 13 according to the fourth embodiment. In-vehicle network system 13 is a modification of a part of in-vehicle network system 10 described in the first embodiment. The in-vehicle network system 13 includes buses 500a to 500c and nodes connected to buses such as ECUs 4100a and 4100b, a head unit 4200, a gateway 300, and ECUs such as ECUs 400a to 400d connected to various devices. It consists of. Among the components of the in-vehicle network system 13, components having the same functions as those in the first embodiment are denoted by the same reference numerals, and description thereof will be omitted.

  The fraud detecting ECUs 4100a and 4100b are connected to the buses 500a and 500b, respectively, and determine whether the frames (messages) transmitted by the ECUs 400a to 400d are fraudulent, and transmit an error frame if fraudulent. ECU. Each of the fraud detecting ECUs 4100a and 4100b is a modification of a part of each of the fraud detecting ECUs 100a and 100b described in the first embodiment. The fraud detecting ECUs 4100a and 4100b operate as an operation mode in which a check mode (detection mode) for determining whether a frame (message) transmitted by the ECUs 400a to 400d is fraudulent, and a frame (message) transmitted by the ECUs 400a to 400d is fraudulent. There is a standby mode in which it is not determined whether or not there is. The fraud detection ECUs 4100a and 4100b have a function of switching the operation mode in response to an instruction (trigger frame) from the head unit 4200. The trigger frame is a switching instruction message serving as a trigger for switching the operation mode. When the operation mode is set to the standby mode, certain processing related to detection of an invalid message is omitted, so that the processing amount can be reduced and the power consumption can be suppressed as compared with the case of the check mode.

  The head unit 4200 has a function of transmitting and receiving frames, has a function of receiving frames transmitted from the ECUs 400a to 400d, displaying various states on a display (not shown), and presenting them to the user. Head unit 4200 is a modification of head unit 200 shown in the first embodiment. The head unit 4200 has a function of determining, for example, whether the frames transmitted by the ECUs 400a to 400d are unauthorized, and instructing the unauthorized detection ECUs 4100a and 4100b to switch to the check mode when the unauthorized frames are transmitted. That is, when the state of the vehicle satisfies a certain condition, the head unit 4200 has a function of transmitting a trigger frame to the injustice detection ECUs 4100a and 4100b to instruct to change the operation mode. The certain condition is a condition for judging occurrence of an event which affects the necessity of detecting a fraudulent message by the fraud detection ECU. Certain conditions for switching the operation mode to the check mode include, for example, in an in-vehicle network system mounted on the vehicle, when it is detected that an unauthorized message is transmitted, when the use of the vehicle is started, and when the vehicle is started. And a case where communication with an external device is started. In addition, as a certain condition when the operation mode is switched to the standby mode, for example, when an invalid message is not detected for a certain period, when a certain period of time has elapsed since the start of use of the vehicle, an external Each of the cases where the communication with the device is terminated and the state becomes a constant state, or a combination of a plurality of the cases, and the like are exemplified.

  In the present embodiment, it is assumed that the gateway 300 transfers a trigger frame between the buses 500a to 500c.

[4.2 Configuration of Head Unit 4200]
FIG. 35 is a configuration diagram of the head unit 4200. The head unit 4200 includes a frame transmission / reception unit 270, a frame interpretation unit 4260, a reception ID determination unit 240, a reception ID list holding unit 250, a frame processing unit 220, a display control unit 210, a frame generation unit 4230, It is configured to include an invalid frame detection unit 4280, a mode change instruction unit 4281, a vehicle use start detection unit 4282, and a communication start / end detection unit 4283. Each of these components is a functional component, and each function is realized by a communication circuit in the head unit 4200, an LCD, a processor that executes a control program stored in a memory, a digital circuit, or the like. Note that components having functions similar to those of the first embodiment are denoted by the same reference numerals, and description thereof is omitted.

  Frame interpreting section 4260 is obtained by modifying a part of frame interpreting section 260 shown in the first embodiment. The frame interpretation unit 4260 receives the value of the frame from the frame transmission / reception unit 270, and interprets it so as to map it to each field in the frame format defined by the CAN protocol. The frame interpretation unit 4260 transfers the value determined as the ID field to the reception ID determination unit 240. The frame interpretation unit 4260 transfers the value of the ID field and the data field appearing after the ID field to the frame processing unit 220 and the invalid frame detection unit 4280 according to the determination result notified from the reception ID determination unit 240. Or whether reception of the frame is stopped after receiving the determination result (that is, interpretation of the frame is stopped). If the frame interpretation unit 4260 determines that the frame does not conform to the CAN protocol, it notifies the frame generation unit 4230 to transmit an error frame. When an error frame is received, that is, when the frame interpreting unit 4260 interprets that the error frame is an error frame based on the value in the received frame, the frame interpreting unit 4260 discards the frame thereafter, that is, stops interpreting the frame. I do. For example, when an error frame is interpreted in the middle of a data frame, the interpretation of the data frame is stopped, and no special processing is performed according to the data frame.

  The frame transmitting / receiving unit 270 transmits / receives a frame to / from the bus 500c according to the CAN protocol. The frame is received one bit at a time from the bus 500c and transferred to the frame interpretation unit 4260. Further, it transmits the content of the frame notified from the frame generation unit 4230 to the bus 500c one bit at a time.

  The reception ID determination unit 240 receives the value of the ID field notified from the frame interpretation unit 4260, and receives each field of the frame after the ID field according to the message ID list held by the reception ID list holding unit 250. It is determined whether or not to do. The reception ID determination unit 240 notifies the frame interpretation unit 4260 of this determination result.

  Similar to frame generating section 230 of the first embodiment, frame generating section 4230 composes an error frame according to the notification from frame interpreting section 4260 instructing the transmission of the error frame, and notifies error transmitting / receiving section 270 of the frame. And send it. Further, the frame generation unit 4230 composes a trigger frame according to the request for transmission of the trigger frame from the mode change instruction unit 4281, and notifies the frame transmission / reception unit 270 of the trigger frame to transmit.

  The invalid frame detection unit 4280 receives the value of the ID field and the value of the data field notified from the frame interpretation unit 4260, and detects when an invalid frame is transmitted on the bus 500c. When detecting an invalid frame, the invalid frame detection unit 4280 requests the mode change instruction unit 4281 to notify the mode change instruction unit 4281 of an instruction to shift to the check mode of the invalid detection ECUs 4100a and 4100b. If a fraudulent frame detection unit 4280 does not detect a fraudulent frame for a certain period of time after requesting a notification of a shift instruction to the check mode, the fraudulent detection ECU 4100a, 4100b switches the mode change instructing unit 4281 to the standby mode. A notification of a transfer instruction may be requested. The method of detecting an invalid frame in the invalid frame detection unit 4280 is, for example, the same as that of the invalid frame detection unit 130 in the first embodiment. The method of detecting an invalid frame in the invalid frame detection unit 4280 is, for example, the same method as the invalid frame detection unit 2130 of the second embodiment, the same method as the invalid MAC detection unit 3130 of the third embodiment, or another method. There may be.

  The mode change instruction unit 4281 has a function of requesting the frame generation unit 4230 to transmit a trigger frame for instructing a change in the operation mode of the fraud detection ECUs 4100a and 4100b to the fraud detection ECUs 4100a and 4100b. When the state of the vehicle satisfies a certain condition, the mode change instruction unit 4281 receives a request from the illegal frame detection unit 4280, the vehicle use start detection unit 4282, or the communication start / end detection unit 4283, and sends the request to the frame generation unit 4230. Request transmission of a trigger frame. The trigger frame is a switching instruction message that triggers switching of the operation mode of the fraud detection ECU. Trigger frames include those that instruct transition from the standby mode to the check mode and those that instruct transition from the check mode to the standby mode, both of which are provided in the message ID and data fields of the ID field, for example. It is distinguished by an identifier or the like. When the trigger frame is transmitted, the gateway 300 transfers the trigger frame between the buses, and each fraud detecting ECU receives the trigger frame.

  Vehicle use start detection section 4282 detects that the use of the vehicle has been started, and requests mode change instruction section 4281 to notify the mode change instruction section 4281 of an instruction to shift to the check mode of fraud detection ECUs 4100a and 4100b. The vehicle use start detection unit 4282 detects that the use of the vehicle has been started by detecting, for example, a door lock release, a door open, an engine start, or the like by a message or the like from each ECU. . As a result, for example, even when a fraudulent ECU is attached to a vehicle parked in a parking lot, when the vehicle is subsequently started to be used, the fraud detection ECUs 4100a and 4100b enter the check mode and can detect the fraudulent ECU. Become like Note that even before the vehicle is started to be used, the vehicle-mounted network system can operate if power is supplied from a battery or the like. In addition, vehicle use start detection unit 4282 detects that a predetermined time has elapsed after detecting that use of the vehicle has been started, and provides mode change instructing unit 4281 to instruct fraud detection ECUs 4100a and 4100b to enter the standby mode. Request notification of migration instructions. This period of time is assumed to be necessary for the unauthorized ECU to send an unauthorized message after the vehicle starts to be used if the unauthorized ECU is connected to the bus of the in-vehicle network system before the vehicle is started to be used. This is a longer time (eg, several minutes).

  The communication start / end detection unit 4283 detects that the head unit 4200 has started communication with the outside, and requests the mode change instruction unit 4281 to notify the fraud detection ECUs 4100a and 4100b of an instruction to shift to the check mode. As a result, for example, when an illegal frame is illegally transmitted on the bus of the in-vehicle network system via the head unit 4200 by communication from the outside, the illegality can be detected by the illegality detection ECUs 4100a and 4100b in the check mode. It is assumed that the control program of the head unit 4200 is illegally rewritten by external communication, and the illegal frame detection unit 4280, the mode change instruction unit 4281, and the like do not function. However, by instructing the fraud detection ECUs 4100a and 4100b to shift to the check mode before communicating with the outside, even if the fraudulent frame detection unit 4280, the mode change instructing unit 4281, and the like do not function, the fraudulent detection will be performed. Frames can be detected. In addition, communication start / end detection section 4283 detects that head unit 4200 has reached a constant state after the end of communication with the outside, and instructs mode change instructing section 4281 to enter the standby mode of fraud detection ECUs 4100a and 4100b. Request notification of the migration instruction. The certain state after the end of the communication with the outside is, for example, a state where the communication with the outside is finished. Further, the certain state after the end of the communication with the outside may be a state where a certain time has elapsed after the end of the communication with the outside. Accordingly, it is possible to cope with a case where a control program that is illegally rewritten by communication with the outside transmits an illegal frame after the communication with the outside ends. In this case, the certain time is longer than the time that is assumed to be required for executing the program and transmitting the invalid message after the communication is completed in the case where an invalid program or the like is supplied from the outside in the communication with the outside. (For example, for several minutes).

  The mode change instructing unit 4281 cooperates with the illegal frame detecting unit 4280, the car use start detecting unit 4282, and the communication start / end detecting unit 4283, in a situation where no invalid message is detected for a certain period of time, and An instruction to shift to the standby mode is issued only when a certain period of time has elapsed since the start of use of the vehicle, and when communication with an external device of the vehicle has ended and the vehicle is in a certain state. The frame generation unit 4230 may be requested to transmit a trigger frame. The mode change instructing unit 4281 can hold a predetermined rule as a criterion on what condition is satisfied according to the state of the vehicle to request transmission of the trigger frame. This rule may be single or plural. The rules may be set at the time of shipment of the head unit 4200, at the time of shipment, or at the time of sale of a vehicle equipped with the onboard network system. Further, the head unit 4200 may acquire and update the rule by communication from outside. Further, the head unit 4200 may be configured such that a recording medium that holds the rule is detachable. Note that a rule may be defined on the assumption that the state of the vehicle is detected during parking, stopping, refueling, charging, communicating with the outside, and the like. By changing the content of the trigger frame (for example, in the data field) to include, for example, information for individually identifying the fraud detecting ECU, the change of the operation mode may be instructed only to a specific fraud detecting ECU. For example, when an unauthorized frame is detected during communication with the outside while the vehicle is parked, and a notification of an instruction to shift to the check mode of the unauthorized detection ECUs 4100a and 4100b is requested from the unauthorized frame detection unit 4280, only the unauthorized detection ECU 4100b performs the check mode. A rule may be set to determine that a trigger frame for instructing the transition to the state is transmitted. This is because, if the vehicle is parked, an invalid frame that affects the operation of the engine 401 and the brake 402 is not transmitted, or if an invalid frame is transmitted, there is no problem if the vehicle is parked. This is an example of the rule. When the trigger frame is configured to instruct a specific fraud detecting ECU to change the operation mode, the gateway 300 triggers only a bus necessary for transmitting the trigger frame to the specific fraud detecting ECU. Frame transfer may be performed.

[4.3 Configuration of Fraud Detection ECU 4100a]
FIG. 36 is a configuration diagram of the fraud detection ECU 4100a. The fraud detection ECU 4100a includes a frame transmission / reception unit 160, a frame interpretation unit 4150, a fraudulent frame detection unit 130, a regular ID list storage unit 120, a fraud detection counter storage unit 110, a frame generation unit 140, a trigger frame detection unit 4170 and a mode holding unit 4180. Each of these components is a functional component, and each function is realized by a communication circuit in the fraud detection ECU 4100a, a processor that executes a control program stored in a memory, a digital circuit, or the like. Components having functions similar to those of the first embodiment are denoted by the same reference numerals, and description thereof is omitted. The fraud detection ECU 4100b basically has the same configuration.

  The frame interpreting unit 4150 receives the value of the frame from the frame transmitting / receiving unit 160 and interprets it so as to map it to each field in the frame format defined by the CAN protocol, similarly to the frame interpreting unit 150 of the first embodiment. Also, the frame interpreting unit 4150 acquires the operation mode of the fraud detection ECU 4100a from the mode holding unit 4180, and determines the transfer destination of the received frame value according to the operation mode. For example, when the fraud detecting ECU 4100a is in the check mode, the value of the ID field is transferred to the fraudulent frame detecting unit 130 and the trigger frame detecting unit 4170, and the value of the data field after the ID field is transferred to the trigger frame detecting unit 4170. Transfer to When the fraud detection ECU 4100a is in the standby mode, the value of the ID field and the value of the subsequent data field are transferred only to the trigger frame detection unit 4170. As a result, only when the operation mode is the check mode, the fraud detection by the fraudulent frame detecting unit 130 is performed. That is, when the operation mode is the standby mode, the processing related to the detection of the fraud by the fraudulent frame detecting unit 130 is not performed.

  Trigger frame detection section 4170 determines whether or not the frame received by fraud detection ECU 4100a is a trigger frame transmitted by head unit 4200. When the frame received by the fraud detection ECU 4100a is a trigger frame, the trigger frame detection unit 4170 records a check mode or a standby mode as an operation mode in the mode holding unit 4180. That is, if the received frame is a trigger frame indicating transition from the standby mode to the check mode, the trigger frame detecting unit 4170 records that the mode is the check mode. If the received frame is a trigger frame instructing a transition from the check mode to the standby mode, the trigger frame detecting unit 4170 records that the mode is the standby mode.

  The mode holding unit 4180 has a function of holding, in a storage medium such as a memory, whether the operation mode of the own device (the fraud detection ECU 4100a) is the standby mode or the check mode.

[4.4 Sequence for Shifting to Check Mode]
Hereinafter, operations of the head unit 4200 and the fraud detection ECU 4100a when a fraudulent frame (message) is transmitted to the bus 500c of the vehicle-mounted network system 13 having the above-described configuration will be described.

  FIG. 37 is a sequence diagram showing an operation example in which the head unit 4200 detects an invalid message, instructs the fraud detection ECU 4100a to shift to the check mode, and the fraud detection ECU 4100a shifts to the check mode.

  At the start stage of this operation example, the fraud detection ECU 4100a is in the standby mode (sequence S4001). For example, the state is the standby mode as a result of the fraud detection ECU 4100a receiving a trigger frame instructing the shift to the standby mode before this stage. At this time, the fraud detection ECU 4100a has not detected the fraudulent message by the fraudulent frame detection unit 130.

  Head unit 4200 receives the frame (message) transmitted to bus 500c (sequence S4002).

  Head unit 4200 confirms whether or not the message received by invalid frame detecting section 4280 is an invalid message (sequence S4003). If the message is not an invalid message, the process returns to the message receiving procedure (sequence S4002).

  When the head unit 4200 detects that the received message is an unauthorized message, the head unit 4200 determines whether or not the operation mode of the unauthorized detection ECU 4100a is already in the check mode from the previous instruction history to the unauthorized detection ECU 4100a ( Sequence S4004). The unauthorized message may be transmitted, for example, when an unauthorized ECU is connected to the bus. The head unit 4200 grasps the operation mode of each fraud detecting ECU by, for example, retaining the instruction history when the fraud detecting ECU 4100a or the like is instructed by the trigger frame to shift to the check mode or to shift to the standby mode. .

  If the head unit 4200 determines that the operation mode of the fraud detection ECU 4100a is not the check mode (it is the standby mode), it instructs the shift to the check mode (sequence S4005). Specifically, head unit 4200 transmits a trigger frame instructing a transition to the check mode. If it is determined in the sequence S4004 that the operation mode of the fraud detection ECU 4100a is already in the check mode, the head unit 4200 skips the processing procedure of the instruction to shift to the check mode and ends the operation.

  The trigger frame transmitted from the head unit 4200 to the bus 500c and instructing the transition to the check mode is transferred by the gateway 300 to the buses 500a and 500b.

  Receiving the trigger frame transmitted to bus 500a, fraud detection ECU 4100a shifts the operation mode to the check mode (sequence S4006). From this time, the fraud detection ECU 4100a causes the fraudulent frame detection unit 130 to detect a fraudulent message. That is, in the check mode, the fraud detection ECU 4100a is in a state of realizing a fraud countermeasure method for preventing another node (ECU) from executing a process based on a fraudulent frame. Therefore, as described in the first embodiment, even if an unauthorized message is transmitted on the bus to which the unauthorized detection ECU 4100a is connected, it is possible to prevent processing in response to the unauthorized message. (See FIG. 18).

  Here, the description has been given focusing on the fraud detecting ECU 4100a among the fraud detecting ECUs. However, for example, the fraud detecting ECU 4100b may similarly set the operation mode to the check mode in accordance with the trigger frame transmitted in the sequence S4005. Also, the head unit 4200 may omit the determination in the sequence S4004 and issue an instruction to shift to the check mode in the sequence S4005. When the determination in the sequence S4004 is omitted, it is not necessary to know the operation mode of each fraud detection ECU, and the holding of the instruction history can be omitted. However, the sequence S4004 is useful for preventing unnecessary trigger frames from flowing to the bus.

  Except for the sequence S4003 shown here, the transition to the check mode is performed, for example, when the communication start / end detection unit 4283 detects the start of communication with the outside, or when the vehicle use start detection unit 4282 starts using the vehicle. Is performed when is detected.

[4.5 Sequence Related to Transition to Standby Mode (End of Communication with External Device)]
Hereinafter, operations of head unit 4200 and fraud detection ECU 4100a when head unit 4200 terminates communication with the outside will be described.

  FIG. 38 is a sequence diagram showing an operation example in which head unit 4200 detects the end of communication with the outside, instructs fraud detection ECU 4100a to shift to the standby mode, and fraud detection ECU 4100a shifts to the standby mode.

  At the start stage of this operation example, the fraud detection ECU 4100a is in the check mode (sequence S4101). For example, before this stage, the head unit 4200 is in the check mode as a result of receiving the trigger frame for instructing the shift to the check mode when starting communication with the outside by the fraud detection ECU 4100a. At this time, the fraud detection ECU 4100a is in a state where the fraudulent frame detection unit 130 detects a fraudulent message.

  When the end of communication with the outside is detected by communication start / end detection section 4283 (sequence S4102), head unit 4200 determines whether or not a fixed time has elapsed from the start of use of the vehicle (sequence S4103). If the fixed time has not elapsed since the start of use of the vehicle, the mode must not be shifted to the standby mode, so that a trigger frame for instructing the shift to the standby mode is not transmitted (that is, the sequences S4104 and S4105 are skipped).

  If a certain period of time has elapsed from the start of use of the vehicle, head unit 4200 determines whether an incorrect message has been detected (sequence S4104). If an invalid message is detected after the transmission of the trigger frame instructing the transition to the check mode, the transition to the standby mode is not allowed, and the trigger frame for instructing the transition to the standby mode is not transmitted (that is, Sequence S4105 is skipped).

  If it is determined in the sequence S4104 that an invalid message has not been detected, the head unit 4200 instructs a transition to a standby mode (step S4105). Specifically, head unit 4200 transmits a trigger frame instructing a transition to the standby mode.

  The trigger frame transmitted from the head unit 4200 to the bus 500c and instructing transition to the standby mode is transferred by the gateway 300 to the buses 500a and 500b.

  Receiving the trigger frame transmitted to bus 500a, fraud detection ECU 4100a shifts the operation mode to the standby mode (sequence S4106). From this time, the fraud detection ECU 4100a stops detecting the fraudulent message by the fraudulent frame detection unit 130.

  Although the description has been given focusing on the fraud detection ECU 4100a among the fraud detection ECUs, the operation mode of the fraud detection ECU 4100b may be set to the standby mode in the same manner in response to the trigger frame transmitted in the sequence S4105.

[4.6 Sequence for Transition to Standby Mode (when a certain period of time has passed since the start of vehicle use)]
Hereinafter, operations of the head unit 4200 and the fraud detection ECU 4100a when a certain period of time has elapsed since the start of use of the vehicle will be described.

  FIG. 39 is a sequence showing an operation example in which head unit 4200 detects that a predetermined time has elapsed from the start of use of the vehicle, instructs fraud detection ECU 4100a to shift to the standby mode, and fraud detection ECU 4100a shifts to the standby mode. FIG.

  At the start stage of this operation example, the fraud detection ECU 4100a is in the check mode (sequence S4201). For example, before the stage, the head unit 4200 is in the check mode as a result of receiving the trigger frame for instructing the shift to the check mode when the fraud detection ECU 4100a detects the start of use of the vehicle. At this time, the fraud detection ECU 4100a is in a state where the fraudulent frame detection unit 130 detects a fraudulent message.

  When head use 4200 detects that a certain period of time has elapsed since the start of use of the vehicle by vehicle use start detection unit 4282 (sequence S4202), it determines whether communication with the outside is in progress (step S4202). Sequence S4203). In the case of communication with the outside, a transition to the standby mode is not allowed, so that a trigger frame for instructing a transition to the standby mode is not transmitted (that is, the sequences S4204 and S4205 are skipped).

  If it is not communicating with the outside, head unit 4200 determines whether or not an invalid message has been detected (sequence S4204). If an invalid message is detected after the transmission of the trigger frame instructing the transition to the check mode, the transition to the standby mode is not allowed, and the trigger frame for instructing the transition to the standby mode is not transmitted (that is, Sequence S4205 is skipped).

  If it is determined in the sequence S4204 that no invalid message has been detected, the head unit 4200 instructs a transition to the standby mode (sequence S4205). Specifically, head unit 4200 transmits a trigger frame instructing a transition to the standby mode.

  The trigger frame transmitted from the head unit 4200 to the bus 500c and instructing transition to the standby mode is transferred by the gateway 300 to the buses 500a and 500b.

  Receiving the trigger frame transmitted to bus 500a, fraud detection ECU 4100a shifts the operation mode to the standby mode (sequence S4206). From this time, the fraud detection ECU 4100a stops detecting the fraudulent message by the fraudulent frame detection unit 130.

  Here, the description has been given by focusing on the fraud detection ECU 4100a among the fraud detection ECUs. However, for example, the fraud detection ECU 4100b may similarly set the operation mode to the standby mode corresponding to the trigger frame transmitted in the sequence S4205.

[4.7 Effect of Fourth Embodiment]
In the in-vehicle network system 13, the fraud detection ECUs 4100a and 4100b switch the operation mode between a check mode in which a fraudulent message is detected and a standby mode in which no fraudulent message is detected, according to the state of the vehicle. Thus, the power consumption can be suppressed by detecting an unauthorized message only when necessary according to the state of the vehicle. Further, the fraud detection ECUs 4100a and 4100b can obtain the timing of switching the operation mode by the trigger frame from the head unit 4200 without having a mechanism for directly detecting the state of the vehicle.

(Other embodiments, etc.)
As described above, Embodiments 1 to 4 have been described as examples of the technology according to the present disclosure. However, the technology according to the present disclosure is not limited to this, and can be applied to embodiments in which changes, replacements, additions, omissions, and the like are made as appropriate. For example, the following modifications are also included in an embodiment of the present disclosure.

  (1) In the above embodiment, an example has been described in which frames are periodically transmitted by the ECUs 400a to 400d or the ECUs 3400a to 3400d. However, a frame may be transmitted as an event for notifying a state change. For example, the ECU may transmit the frame only when the open / closed state of the door changes, instead of periodically transmitting the open / closed state of the door. Further, the ECU may transmit the frame periodically and when a state change occurs.

  (2) In the third embodiment, the example has been described in which the MAC is calculated from the data value and the counter value. However, the MAC may be calculated only from the data value. Alternatively, the MAC may be calculated only from the counter value. Also, the size of the MAC included in the frame is not limited to 4 bytes, and may be different for each transmission. Similarly, the size of a data value such as an hourly speed and the size of a counter value are not limited to 1 byte. Also, the frame does not necessarily need to include the counter value.

  (3) In the third embodiment, an example has been described in which the counter value is incremented every transmission. However, the counter value may be a value that is automatically incremented according to time. Further, the value of the time itself may be used instead of the counter. That is, if the MAC is generated based on a variable (counter, time, etc.) that changes each time a data frame is transmitted, it becomes difficult to illegally decode the MAC. In the third embodiment, the MAC generation unit 3170 in the fraud detection ECU calculates the MAC value from the message ID, the first byte of the data field, and the counter value of the counter holding unit 3190. Instead, the MAC value may be calculated from the message ID, the first byte of the data field, and the counter value that is the next 1 byte of the data field. Further, the counter value of the counter holding unit 3190 may be updated so as to match the counter value in the data field determined to be not invalid.

  (4) In the above embodiment, the data frame in the CAN protocol is described in the standard ID format, but may be in the extended ID format. In the case of the extended ID format, since the base ID of the ID position in the standard ID format and the extended ID together represent an ID (message ID) in 29 bits, the 29-bit ID is used as the ID in the above-described embodiment. (Message ID).

  (5) In the above embodiment, the MAC calculation algorithm is HMAC, but may be CBC-MAC (Cipher Block Chaining Message Authentication Code) or CMAC (Cipher-based MAC). The padding used for (1) is zero padding, ISO10126, PKCS # 1, PKCS # 5, PKCS # 7, or any other padding method that requires the data size of the block to be calculated, and blocks such as 4 bytes. Regarding the method of changing the size to, padding may be performed at any of the head, tail, and middle portions, and the data used for MAC calculation is continuous data (for example, continuous data for 4 bytes). Alternatively, the data may be collected and combined one by one according to a specific rule.

  (6) The CAN protocol described in the above embodiment has a broad meaning including derivative protocols such as TTCAN (Time-Triggered CAN) and CANFD (CAN with Flexible Data Rate). good.

  (7) In the above embodiment, an example is shown in which an unauthorized ECU is connected to a bus. However, an existing ECU such as the ECUs 400a to 400d or the ECUs 3400a to 3400d may act as an unauthorized ECU for some reason. . Even in such a case, as shown in the above embodiment, the fraud detection ECU properly detects the fraudulent frame and transmits the error frame, so that the other ECU processes the fraudulent frame. Can be blocked.

  (8) In the second embodiment, using a data range list in which a message ID and an allowed data range are associated with each other, the data of the received data frame is stored in a data range that is allowed for each message ID. Is determined based on whether or not the message ID is included in the message range. However, the message range is not included in the data range list, and the data range (for example, “ 0 to 180 ”), and it may be determined whether the message is illegal regardless of the message ID. Further, the data range list held by the fraud detecting ECU may be a list in which a message ID and a data range that can be transmitted on a bus to which the fraud detecting ECU is connected are associated. As a result, the data range list can be used also as the regular ID list described in the first embodiment. By utilizing this, the fraud detection ECU shown in the second embodiment may also check the message ID shown in the first embodiment (sequence S1004).

  (9) Instead of the data range list in which the message ID and the permitted data range are associated with each other as described in the second embodiment, the fraud detection ECU associates the message ID with the permitted data length. The attached data length list may be used. In this case, the fraud detection ECU determines whether or not the value of the control field of the received data frame satisfies a predetermined condition indicating fraud. The predetermined condition indicating this illegality is a condition that the data length (DLC) in the control field is not the data length associated with the message ID in the data length list. The fraud detecting ECU determines whether or not the received DCL is fraudulent based on whether or not the received DCL has a data length permitted for each message ID in the data length list.

  (10) In the above embodiment, the description has been made with particular attention to the data frame. However, the fraud detection ECU can detect a certain fraud also in the remote frame. For example, the fraud detection ECU may determine whether or not the message ID in the received remote frame is fraudulent using the regular ID list described in the first embodiment. Further, whether the data length (DLC) in the control field of the remote frame received by the fraud detection ECU using the above-described data length list is fraudulent or not depends on whether or not the data length is allowed for each message ID. May be determined. Further, the error frame transmitted when the fraud detection ECU shown in the above embodiment detects a fraud by receiving a fraudulent frame may be transmitted promptly after the fraud is detected. It is useful for the fraud detection ECU to transmit the error frame after the fraud is detected and before the end of the CRC sequence of the fraudulent frame is transmitted. As a result, the other ECU stops the processing of the incorrect frame due to the detection of the error frame or the error detection in the CRC check. Note that the remote frame also includes a message ID, a control field, and a CRC sequence, like the data frame.

  (11) In the above embodiment, the fraud detection ECU has been described to transmit an error display message under certain conditions. However, the ECU may not transmit the error display message. In this case, it is not necessary for the ECUs such as the gateway and the head unit to hold a configuration (such as a reception ID list for receiving an error display message) particularly corresponding to the fraud detection ECU. It should be noted that the fraud detection ECU may report the error by itself when a speaker or a display is provided instead of transmitting the error display message, or may record an error log on a storage medium or the like.

  (12) In the in-vehicle network system 13 described in the fourth embodiment, a fraud detection ECU that can switch operation modes and a fraud detection ECU that does not switch operation modes (that is, a fraud detection ECU that is the same as the normal check mode) coexist. You may. In addition to the function of detecting a fraudulent message transmitted on the bus, the fraud detection ECU has a function of executing a predetermined process according to a non-fraud message, similarly to other ECUs, or a vehicle. May have a function of detecting the state of the vehicle or executing processing such as control of the vehicle. In the case where the operation mode is the standby mode in which the specific fraud detection is not performed, in addition to the reduction in power consumption, effects such as a reduction in the processing load of the fraud detection ECU and a reduction in traffic on the bus can also occur.

  (13) In the fourth embodiment, the head unit 4200 has a function of transmitting a trigger frame when the state of the vehicle satisfies a certain condition. However, this function may be provided by another ECU. . The function of transmitting a trigger frame when the state of the vehicle satisfies a certain state may be provided by one ECU in the in-vehicle network system 13, or may be provided by a plurality of ECUs (even some ECUs). It may be an ECU.) That is, another ECU (such as ECU 400a) includes the unauthorized frame detection unit 4280, the mode change instruction unit 4281, the vehicle use start detection unit 4282, and the communication start / end detection unit 4283 of the head unit 4200 described in the fourth embodiment. It is also good to let. FIG. 40 is a configuration diagram of an ECU 4400 obtained by partially modifying the ECU 400a and including an unauthorized frame detection unit 4280, a mode change instruction unit 4281, a vehicle use start detection unit 4282, and a communication start / end detection unit 4283. The frame interpretation unit 4450 in the ECU 4400 shown in FIG. 40 is obtained by partially modifying the frame interpretation unit 450 shown in the first embodiment. The frame interpretation unit 4450 includes an illegal frame detection unit 4280, a vehicle use start detection unit 4282, and a communication start / end detection unit 4283 in addition to the data transfer to the frame processing unit 410, the frame generation unit 4420, and the reception ID determination unit 430. To transfer the received frame. This transfer may be the transfer of all received frames, or may be the transfer of only frames related to each detection unit. The invalid frame detection unit 4280 performs the same operation as the invalid frame detection unit 4280 of the fourth embodiment. The vehicle use start detection unit 4282 and the communication start / end detection unit 4283 detect, from the frame received by the ECU 4400, that the use of the vehicle body has been started, that communication has started, that communication has ended, and the like. For example, the head unit 4200 or an ECU having a function of communicating with the outside transmits a frame indicating the start or end of communication, and the communication start / end detection unit 4283 responds to the reception of the frame to start or end communication. May be detected. Mode change instructing section 4281 has the same function as that of the fourth embodiment. Frame generation section 4420 has the function of frame generation section 420 of the first embodiment. The frame generation unit 4420 further has a function of forming a trigger frame in accordance with a request for transmission of a trigger frame for mode change from the mode change instruction unit 4281, notifying the frame transmission / reception unit 270 of the trigger frame, and transmitting the frame. This ECU 4400 executes the same processing procedure as the processing procedure shown in sequence S4002 to S4005 in FIG. 37, the processing procedure shown in sequence S4102 to S4105 in FIG. 38, and the processing procedure shown in sequence S4202 to S4205 in FIG. . The function of transmitting a trigger frame when the state of the vehicle satisfies a certain state may be included in the fraud detection ECU.

  (14) The determination (see FIGS. 38 and 39) of whether or not to instruct the transition to the standby mode by the head unit 4200 described in the fourth embodiment is merely an example of a useful determination, and other determinations Is also possible. For example, an instruction to shift to the standby mode may be issued simply when the communication end is detected, or an instruction to shift to the standby mode may be issued when a predetermined time has elapsed from the start of use of the vehicle. The predetermined time may be, for example, a fixed time such as a few minutes, or a time required until a certain number of messages are transmitted on the bus after the use of the vehicle is started, and a certain processing after the start of use. It may be the time required until the procedure is executed. Alternatively, an instruction to shift to the standby mode may be given only when an invalid message is not detected on the bus for a predetermined period. That is, in order to change the operation mode of the fraud detection ECU to the check mode or the standby mode in accordance with the state of the vehicle, an arbitrary judgment method (judgment algorithm) based on any judgment material if it is useful based on experiments, theory, or the like. Etc.). For example, the head unit 4200 may not necessarily include both the vehicle use start detection unit 4282 and the communication start / end detection unit 4283, may include only one of them, or may detect the state of another vehicle. A detection unit may be included. As the detection unit, for example, a detection unit for whether or not the vehicle is parked, a detection unit for whether the vehicle is stopped, a detection unit for opening and closing a door, a detection unit for opening and closing a fuel filler, a detection unit for detecting whether or not charging, A detection unit for detecting whether or not the vehicle is seated on the seat, a detection unit for when the vehicle is getting on, a detection unit for detecting that the vehicle has been completed, a detection unit for when the vehicle is getting off, and the like. When it is detected that the state of the vehicle satisfies a certain condition, the in-vehicle network system changes the operation mode of the fraud detection ECU to a first mode for performing a predetermined type of detection processing for detecting a fraudulent message on the bus. What is necessary is just to be configured to switch between a check mode) and a second mode (standby mode or the like) in which the detection process is not performed. Further, in addition to the method of not performing any unauthorized message detection processing in the second mode, the second mode does not perform the predetermined type of detection processing, but has a smaller processing amount than the predetermined type of detection processing. A method of executing a certain kind of illegal message detection processing may be adopted. Also, the head unit 4200 may include a button for changing the operation mode of the fraud detecting ECU and other user interfaces, and instruct the fraud detecting ECU to change the operation mode according to an operation, input, or the like by the user on the user interface. . The user interface may be physical buttons, buttons displayed on a touch panel or the like, or a voice input mechanism. When a change in the state of the vehicle is detected by a detection unit such as the vehicle use start detection unit 4282 and the communication start / end detection unit 4283, whether the user needs to change the operation mode by screen display, voice output, or the like. It may be inquired whether or not. Head unit 4200, upon receiving an input relating to the necessity of changing the operation mode as a response from the user, instructs fraud detection ECU to change the operation mode if the input indicates that the operation mode needs to be changed. obtain. For example, the head unit 4200 may ask the user whether or not to shift to the standby mode when a certain time has elapsed from the start of use of the vehicle, and the user may select to continue the check mode. Also, the head unit 4200 notifies the fraud detection ECU 4100a or the like of only information on events such as the start of use of the vehicle, the start of communication, and the end of communication so that the fraud detection ECU 4100a or the like determines which operation mode should be shifted to. May be.

  (15) Although the fraud detection ECU 4100a described in the fourth embodiment includes the function of the fraud detection ECU 100a in the first embodiment, the specific implementation of the fraud detection method in the fraud detection ECU is described in the embodiment. Those shown in 2 and 3 may be used. That is, each fraud detection ECU (the fraud detection ECU 4100a and the like) in the in-vehicle network system 13 may be, for example, a fraud detection ECU 5100 including the function of the fraud detection ECU 2100a of the second embodiment as shown in FIG. Further, the fraud detection ECU 4100a and the like may be a fraud detection ECU 6100 including the function of the fraud detection ECU 3100a of the third embodiment as shown in FIG. Each of the fraud detection ECU 5100 shown in FIG. 41 and the fraud detection ECU 6100 shown in FIG. 42 includes a frame interpretation unit 4150, a trigger frame detection unit 4170, and a mode holding unit 4180, like the fraud detection ECU 4100a. Further, the fraud detection ECU 4100a may be configured to switch and execute two or more of the fraud detection processing procedures shown in each of the first to third embodiments. For example, the fraud detection ECU uses the processing procedure of the fraud detection described in the second or third embodiment in which the processing amount is relatively large in order to detect a fraudulent message and the first embodiment in which the processing amount is relatively small. The processing procedure for fraud detection may be switched depending on the operation mode. In this case, the operation mode includes, for example, a first mode in which a detection process with a relatively large processing amount is performed and a second mode in which a detection process with a relatively small processing amount is not performed without performing the detection process with a relatively large processing amount. Will be switched between.

  (16) The unauthorized frame detection unit and the unauthorized MAC detection unit described in the above embodiment may be implemented in hardware called a CAN controller or firmware that operates on a processor that operates in connection with the CAN controller. The MAC key holding unit, the counter holding unit, the regular ID list holding unit, and the data range list holding unit are provided in a hardware register called a CAN controller or firmware operating on a processor operating in connection with the CAN controller. It may be stored.

  (17) Each ECU (including the gateway and the head unit) in the above embodiment is, for example, a device including a digital circuit such as a processor and a memory, an analog circuit, a communication circuit, and the like. And other hardware components such as a keyboard and a mouse. Instead of the control program stored in the memory being executed by the processor to realize the function in software, the function may be realized by dedicated hardware (digital circuit or the like).

  (18) A part or all of the components constituting each device in the above embodiment may be constituted by one system LSI (Large Scale Integration: large scale integrated circuit). The system LSI is a super-multifunctional LSI manufactured by integrating a plurality of components on one chip, and specifically, is a computer system including a microprocessor, a ROM, a RAM, and the like. . The RAM stores a computer program. When the microprocessor operates according to the computer program, the system LSI achieves its function. In addition, each unit of the constituent elements constituting each of the above devices may be individually formed into one chip, or may be formed into one chip so as to include a part or all of the components. Although the system LSI is used here, it may be called an IC, an LSI, a super LSI, or an ultra LSI depending on the degree of integration. Further, the method of circuit integration is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor. After the LSI is manufactured, an FPGA (Field Programmable Gate Array) that can be programmed or a reconfigurable processor that can reconfigure the connection and setting of circuit cells inside the LSI may be used. Furthermore, if an integrated circuit technology that replaces the LSI appears due to the progress of the semiconductor technology or another derivative technology, the functional blocks may be integrated using the technology. Application of biotechnology and the like are possible.

  (19) A part or all of the components constituting each of the above devices may be constituted by an IC card or a single module that can be attached to and detached from each device. The IC card or the module is a computer system including a microprocessor, a ROM, a RAM, and the like. The IC card or the module may include the above super multifunctional LSI. When the microprocessor operates according to the computer program, the IC card or the module achieves its function. The IC card or the module may have tamper resistance.

  (20) One embodiment of the present disclosure may be a method such as the fraud detection method and the fraud countermeasure method described above. Further, these methods may be a computer program that is realized by a computer, or may be a digital signal formed by the computer program. Further, as one aspect of the present disclosure, a computer-readable recording medium that can read the computer program or the digital signal, for example, a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, a BD ( It may be recorded on a Blu-ray (registered trademark) Disc, a semiconductor memory, or the like. Further, the digital signal may be recorded on these recording media. Further, as one aspect of the present disclosure, the computer program or the digital signal may be transmitted via an electric communication line, a wireless or wired communication line, a network represented by the Internet, a data broadcast, or the like. According to another embodiment of the present disclosure, there is provided a computer system including a microprocessor and a memory, wherein the memory records the computer program, and the microprocessor operates according to the computer program. . Further, the program or the digital signal is recorded on the recording medium and transferred, or the program or the digital signal is transferred via the network or the like, so that it is implemented by another independent computer system. It is good.

  (21) A mode realized by arbitrarily combining the components and the functions described in the embodiment and the modified examples is also included in the scope of the present disclosure.

  INDUSTRIAL APPLICABILITY The present disclosure can be used in an in-vehicle network system to efficiently suppress the influence of an unauthorized ECU.

10, 11, 12, 13 In-vehicle network system 100a, 100b, 2100a, 2100b, 3100a, 3100b, 4100a, 4100b, 5100, 6100 Fraud detection electronic control unit (fraud detection ECU)
110 Fraud detection counter holding unit 120 Regular ID list holding unit 130, 2130 Fraud frame detecting unit 140, 230, 320, 420, 3420, 4230, 4420 Frame generating unit 150, 260, 350, 450, 2150, 3150, 4150, 4260 , 4450 Frame interpreter 160, 270, 360, 460 Frame transmitter / receiver 200, 4200 Head unit 210 Display controller 220, 410 Frame processor 240, 330, 430 Receive ID determiner 250, 340, 440 Receive ID list holder 300 Gateway 310 Transfer processing unit 370 Transfer rule holding unit 400a, 400b, 400c, 400d, 3400a, 3400b, 3400c, 3400d, 4400 Electronic control unit (ECU)
401 Engine 402 Brake 403 Door open / close sensor 404 Window open / close sensor 470 Data acquisition unit 500a, 500b, 500c Bus 2120 Data range list storage unit 3130 Unauthorized MAC detection unit 3410, 3170 MAC generation unit 3430, 3180 MAC key storage unit 3440, 3190 Counter Holding unit 4170 Trigger frame detecting unit 4180 Mode holding unit 4280 Illegal frame detecting unit 4281 Mode change instructing unit 4282 Car use start detecting unit 4283 Communication start / end detecting unit

Claims (5)

A fraud detection electronic control unit that you only in-vehicle network system comprising a plurality of electronic control units that communicate via one or more networks,
The plurality of electronic control units include a first electronic control unit, a second electronic control unit, and the fraud detection electronic control unit,
The one or more networks include a first network and a second network that does not include an electronic control unit for driving the travel of the vehicle;
The first electronic control unit is connected to the first network;
The second electronic control unit is connected to the second network;
The fraud detection electronic control unit,
The condition of the vehicle equipped with the on-vehicle network system is a first condition in which an unauthorized message is not detected on the one or more networks for a predetermined time , or an unauthorized message on the one or more networks while the vehicle is parked. a detecting unit for detecting that satisfies a second condition to be detected,
When the detecting unit detects that the state of the vehicle satisfies the second condition, only the second electronic control unit enters a second operation mode in which a first type of detection process is performed. Send a switch instruction message
If the state of the vehicle satisfies the first condition is detected by the front Symbol detection unit, to the first electronic control unit and the second electronic control unit, the detection of the first type fraud detection electronic control unit comprising a transmitter, a for transmitting sWITCHING instruction message to the first operation mode that does not perform processing. The second condition, moreover, that the fraud detection electronic control unit is ready to start communication with an external device of the vehicle,
The fraud detection electronic control unit according to claim 1. In the first operation mode, the degree of detection known process, perform different, second kind of detection processing and the first kind of detection processing,
The fraud detection electronic control unit according to claim 1.   The plurality of electronic control units communicate over the one or more networks according to a Controller Area Network (CAN) protocol;
  The fraud detection electronic control unit according to claim 1.   A fraud detection method used in a fraud detection electronic control unit in an in-vehicle network system including a plurality of electronic control units communicating via one or more networks,
  The plurality of electronic control units include a first electronic control unit and a second electronic control unit,
  The one or more networks include a first network and a second network that does not include an electronic control unit for driving the travel of the vehicle;
  The first electronic control unit is connected to the first network;
  The second electronic control unit is connected to the second network;
  The fraud detection method includes:
  The condition of the vehicle equipped with the on-vehicle network system is a first condition in which an unauthorized message is not detected on the one or more networks for a predetermined time, or an unauthorized message on the one or more networks while the vehicle is parked. A detecting step of detecting that a second condition to be detected is satisfied;
  When it is detected in the detection step that the state of the vehicle satisfies the second condition, only the second electronic control unit enters a second operation mode in which a first type of detection process is performed. Send a switch instruction message
  When it is detected in the detection step that the state of the vehicle satisfies the first condition, the first electronic control unit and the second electronic control unit perform the first type of detection processing. Transmitting a switching instruction message to the first operation mode in which the first operation mode is not performed.
  Fraud detection method.

Images