1. Technical Field
The present disclosure relates to a technique for detecting and handling malicious frames transmitted within an in-vehicle network or the like over which electronic control units perform communication.
2. Description of the Related Art
Systems in recent automobiles accommodate multiple devices called electronic control units (ECUs). A network connecting these ECUs is called an in-vehicle network. There exist multiple standards for the in-vehicle network. Among these standards, a standard called CAN (Controller Area Network) specified in ISO 11898-1 is one of the most mainstream in-vehicle network standards (see CAN Specification 2.0 Part A, [online], CAN in Automation (CiA), searched Nov. 14, 2014, the Internet (URL: http://www.can-cia.org/fileadmin/cia/specifications/CAN20A.pdf)).
In CAN, each communication path (bus) consists of two cables (lines), and the ECUs connected to the bus are referred to as nodes. Each node connected to a bus transmits and receives messages called frames. A transmitting node that is to transmit a frame applies a voltage to the two cables to generate a potential difference between them, thereby transmitting the value “1”, called recessive, and the value “0”, called dominant. When a plurality of transmitting nodes transmit recessive and dominant values at exactly the same time, the dominant value takes priority and is the one transmitted. A receiving node transmits a frame called an error frame if the format of a received frame is anomalous. In an error frame, 6 consecutive dominant bits are transmitted to notify the transmitting nodes or any other receiving node of the frame anomaly.
In CAN, furthermore, there is no identifier that designates a transmission destination or a transmission source. A transmitting node transmits frames, each assigned an ID called a message ID (that is, sends signals to a bus), and each receiving node receives only frames with predetermined message IDs (that is, reads signals from the bus). In addition, the Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) scheme is adopted: when a plurality of nodes transmit simultaneously, arbitration based on message IDs is performed so that the frame with the smaller message ID value is transmitted preferentially.
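The arbitration rule described above can be sketched as a small simulation; this is an added example, not part of the original disclosure. The function name can_arbitrate, the 16-node limit and the sample IDs are assumptions made for illustration, and only the 11-bit ID field of a standard-format frame is modelled.

```c
#include <stdio.h>
#include <stdint.h>

#define ID_BITS   11   /* standard-format message ID length */
#define DOMINANT  0
#define RECESSIVE 1
#define MAX_NODES 16   /* illustrative limit, an assumption of this sketch */

/* Bus level for one bit time: dominant (0) wins if any active node drives it. */
static int bus_level(const uint16_t *ids, const int *active, int n, int bit)
{
    int level = RECESSIVE;
    for (int i = 0; i < n; i++)
        if (active[i] && ((ids[i] >> bit) & 1) == DOMINANT)
            level = DOMINANT;
    return level;
}

/* Bitwise arbitration over the ID field, most significant bit first.
 * Returns the index of the winning node, or -1 if n is out of range or
 * several nodes are still transmitting after the ID field (identical IDs:
 * the frame carries no source identifier, so arbitration cannot separate them). */
int can_arbitrate(const uint16_t *ids, int n)
{
    int active[MAX_NODES];
    if (n <= 0 || n > MAX_NODES) return -1;
    for (int i = 0; i < n; i++) active[i] = 1;

    for (int bit = ID_BITS - 1; bit >= 0; bit--) {
        int level = bus_level(ids, active, n, bit);
        /* A node that sent recessive but reads dominant has lost and stops. */
        for (int i = 0; i < n; i++)
            if (active[i] && ((ids[i] >> bit) & 1) != level)
                active[i] = 0;
    }
    int winner = -1, count = 0;
    for (int i = 0; i < n; i++)
        if (active[i]) { winner = i; count++; }
    return count == 1 ? winner : -1;
}

int main(void)
{
    /* Constructed sample IDs, not taken from any real vehicle. */
    uint16_t ids[] = { 0x2A0, 0x120, 0x123 };
    int w = can_arbitrate(ids, 3);
    if (w >= 0) printf("winner: node %d (ID 0x%03X)\n", w, ids[w]);
    return 0;
}
```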
If a malicious node is connected to a bus in an in-vehicle network and maliciously transmits a frame, this can possibly cause malicious control of the vehicle body.