Conventionally, the CAN communication protocol has been widely employed for communication between multiple electronic control units (ECUs) mounted in a vehicle. In a communication system employing the CAN communication protocol, multiple ECUs are connected to a common CAN bus, and messages are transmitted and received by having the ECU at the reception side obtain the signal that the ECU at the transmission side outputs to the CAN bus.
In such a communication system, technology has been studied for detecting or preventing the intrusion of invalid messages onto the common communication line.
Japanese Patent Application Laid-Open Publication No. 2013-38711 proposes a communication management device for a vehicle network which restricts the input of external data. The communication management device monitors data on a CAN bus as well as data input from the outside, and if the activity rate of the CAN bus exceeds a load reference value, or is predicted to exceed the load reference value along with the transfer of external data, it executes transmission control of the external data.
In a vehicle-mounted communication system, a malicious device may, for example, be connected to the CAN bus. Such a device may transmit invalid messages to the CAN bus to cause a normal ECU or the like connected to the CAN bus to malfunction. Because the communication management device described in Japanese Patent Application Laid-Open Publication No. 2013-38711 only determines whether or not the activity rate of the CAN bus exceeds the load reference value, it cannot carry out transmission control when the amount of message transmission by the malicious device is small.
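The limitation described above can be seen by running a load-reference check over bus traces. The following is an added example, not code from either publication; the 500 kbit/s bit rate, 100 ms window, 60% load reference value, CAN IDs and frame rates are all assumptions chosen for illustration.

```python
from collections import deque

BITRATE = 500_000        # assumed bus speed, bit/s
WINDOW_US = 100_000      # assumed measurement window, microseconds
LOAD_REFERENCE = 0.60    # assumed load reference value (fraction of capacity)

def frame_bits(dlc):
    # Standard 11-bit-ID data frame: 44 fixed bits + 3-bit interframe space
    # + 8 bits per data byte. Stuff bits are ignored (underestimates slightly).
    return 47 + 8 * dlc

def load_check(frames):
    """frames: (timestamp_us, can_id, dlc) tuples. Returns (peak_load, alert_times)."""
    recent, bits, peak, alerts = deque(), 0, 0.0, []
    for ts, _can_id, dlc in sorted(frames):
        recent.append((ts, frame_bits(dlc)))
        bits += frame_bits(dlc)
        while recent[0][0] <= ts - WINDOW_US:      # drop frames older than the window
            bits -= recent.popleft()[1]
        load = bits * 1_000_000 / (BITRATE * WINDOW_US)
        peak = max(peak, load)
        if load > LOAD_REFERENCE:
            alerts.append(ts)
    return peak, alerts

def periodic(can_id, period_us, start_us=0, end_us=1_000_000, dlc=8):
    # Helper that builds a constructed periodic message stream.
    return [(t, can_id, dlc) for t in range(start_us, end_us, period_us)]

# Constructed one-second traces (IDs and rates are illustrative, not from the source).
NORMAL = periodic(0x100, 10_000) + periodic(0x200, 20_000)
LOW_RATE = NORMAL + periodic(0x100, 200_000, start_us=5_000)  # 5 extra frames/s on a known ID
FLOOD = NORMAL + periodic(0x000, 300)                          # high-volume traffic

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("low-rate", LOW_RATE), ("flood", FLOOD)):
        peak, alerts = load_check(trace)
        print(f"{name:9s} peak load {peak:6.1%}  alerts {len(alerts)}")
```

The five extra frames per second raise the peak load by a fraction of a percentage point, so the load check raises no alert on that trace, while the high-volume trace exceeds the reference value.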