1. Technical Field
The present disclosure relates to a technology for detecting a fraudulent frame sent over an in-vehicle network in which electronic control units perform communication.
2. Description of the Related Art
In recent years, a plurality of devices called Electronic Control Units (ECUs) have been disposed in the system of a motor vehicle. A network that connects the ECUs with one another is called an in-vehicle network. A plurality of standards exist for in-vehicle networks. One of the mainstream standards is Controller Area Network (CAN), defined by ISO 11898-1 (refer to “CAN Specification 2.0 Part A”, [online], CAN in Automation (CiA), [searched on Nov. 14, 2014], the Internet (URL: http://www.can-cia.org/fileadmin/cia/specifications/CAN20A.pdf)).
In CAN, the communication channel is formed from 2 buses. An ECU connected to the bus is referred to as a “node”. Each of the nodes connected to the bus receives and sends a message called a frame. A sender node that sends a frame applies voltages to the 2 buses so as to generate a potential difference between the buses. In this way, the sender node sends a value of “1”, called “recessive”, and a value of “0”, called “dominant”. If a plurality of sender nodes send recessive and dominant at exactly the same time, dominant has higher priority and is sent. If the format of a received frame is abnormal, the receiver node sends a frame called an error frame. An error frame is formed from 6 consecutively sent dominant bits. By sending the error frame, the receiver node notifies the sender node or another receiver node of the abnormality of the frame.
In addition, CAN has no identifiers indicating the destination address or the sender address. The sender node attaches an ID called a message ID to each frame and sends the frame (i.e., delivers a signal to the bus). Each of the receiver nodes receives only frames having a predetermined ID (i.e., reads the signal from the bus). Furthermore, CAN employs the CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) technique. When a plurality of nodes simultaneously send frames, arbitration using the message IDs is performed, and a frame having a smaller message ID is sent first.
If a fraudulent node is connected to the bus of an in-vehicle network and sends a data frame without authorization, the receiver node cannot detect that a fraudulent data frame has been sent, since CAN frames carry no identifier of the sender.
Accordingly, a technology has been developed that uses the characteristic that an ECU sends a data frame periodically and detects a data frame sent at a period other than the normal period as a fraudulent data frame (refer to Satoshi OTSUKA, Tasuku ISHIOKA, “Intrusion Detection for In-Vehicle Networks without Modifying Legacy ECUs”, IPSJ SIG Technical Report, Special Interest Group on Embedded Systems, 2013-EMB-28 (6), pp. 1-5, hereinafter referred to as “NPL 1”). In addition, to indicate that a data frame has been sent from an authorized ECU, a fraud detection method using Message Authentication Code (MAC) has been developed (refer to D. K. Nilsson, U. E. Larson, E. Jonsson, “Efficient In-Vehicle Delayed Data Authentication Based on Compound Message Authentication Codes”, Vehicular Technology Conference, 2008-Fall, pp. 1-5).
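The period-based check described above can be sketched as follows. This is an added example, not code from the present disclosure or from NPL 1; the message IDs, periods, tolerances, the trace, and the names `period_rule`, `can_rx`, `check_frame` and `demo_trace_hits` are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One rule per monitored message ID. IDs, periods and tolerances are assumptions. */
typedef struct {
    uint16_t id;        /* CAN message ID */
    uint32_t period_us; /* normal transmission period */
    uint32_t tol_us;    /* accepted jitter around the period */
    uint64_t last_us;   /* receive time of the last frame used as reference */
    int      seen;      /* 0 until the first frame sets the reference */
} period_rule;

typedef struct { uint64_t t_us; uint16_t id; } can_rx; /* receive time, message ID */
enum { FRAME_OK, FRAME_OFF_PERIOD, FRAME_UNKNOWN_ID };

/* Classify one received frame; timestamps must be monotonically increasing. */
int check_frame(period_rule *rules, size_t n_rules, can_rx f)
{
    for (size_t i = 0; i < n_rules; i++) {
        period_rule *r = &rules[i];
        if (r->id != f.id) continue;
        if (!r->seen) { r->seen = 1; r->last_us = f.t_us; return FRAME_OK; }
        uint64_t dt = f.t_us - r->last_us;
        if (dt + r->tol_us < r->period_us)
            return FRAME_OFF_PERIOD; /* early: keep reference so the next regular frame passes */
        r->last_us = f.t_us;         /* on time or late: resynchronise */
        return dt > (uint64_t)r->period_us + r->tol_us ? FRAME_OFF_PERIOD : FRAME_OK;
    }
    return FRAME_UNKNOWN_ID;
}

/* Constructed trace: two periodic IDs plus one extra 0x100 frame at t = 24000 us. */
size_t demo_trace_hits(void)
{
    period_rule rules[] = { {0x100, 10000, 1000, 0, 0}, {0x200, 20000, 2000, 0, 0} };
    const can_rx trace[] = {
        {0, 0x100}, {500, 0x200}, {10000, 0x100}, {20050, 0x100}, {20400, 0x200},
        {24000, 0x100}, {30020, 0x100}, {40000, 0x100}, {40600, 0x200} };
    size_t hits = 0;
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        if (check_frame(rules, 2, trace[i]) == FRAME_OFF_PERIOD) hits++;
    return hits;
}

int main(void)
{
    printf("off-period frames: %zu\n", demo_trace_hits());
    return 0;
}
```

Because the reference time is not advanced on an early frame, only the extra frame is reported and the regular frame that follows it is still accepted.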