A network technology called Controller Area Network (CAN) may be used for transmitting/receiving data or control information between devices that are used in an in-vehicle network of automobiles and in factory automation etc. A system that uses CAN is multiple Electronic Control Units (ECUs). Such ECUs communicate with each other by transmitting/receiving data frames. The data frames that are used for communications in CAN-bus include identification information (ID) that is used to identify each of the data frames. The ID of data frames to be received is stored in advance in each ECU. Because data frames are broadcast in CAN-bus, plural data frames reach an ECU that is connected to CAN-bus at the same time. When the transmission timing is the same between plural data frames, priorities of the data frames are determined on the basis of the value of the ID included in each of the data frames, and a higher-priority data frame is transmitted first. A lower-priority data frame is broadcast after a higher-priority data frame is transmitted. When data frames are broadcast, each ECU receives data frames with the ID set to be received by the ECU, but data frames with an ID that is not set as a reception target of the ECU are discarded.
However, an ECU, when the network is attacked by using a data frame with an ID that is set to cause the ECU to receive, would receive the frame used for the attack. Due to the reception of the frame, the ECU that received the frame used for the attack may possibly perform false operations that are not performed normally. In the meantime, when data frames are transmitted periodically, an attacking frame is transmitted at a transmission timing that deviates from the transmission timings of normal data frames. By taking this point into consideration, the method that has been attempted is a method of detecting an attack by determining whether the received frames were transmitted at the predetermined transmission timings of data frames. However, a transmission timing of a data frame may be changed in relation with transmission timings of other data frames. In view of this problem, an ECU on the receiving side prevents false detection by using a margin at the time of determining the deviation, but when the margin is too narrow, false detections may occur frequently.
FIG. 1 is a diagram explaining an example of such an attack detection method. In the case C1, for example, data frames (periodic messages) are transmitted with a period of 100 milliseconds (ms) and a margin is set to be 10 milliseconds. Assume that one of the ECUs received the first periodic message M1 at 0 ms. When the same ECU receives a periodic message M2 within a period of time (Z1) between 90 ms and 110 ms after the reception of the periodic message M1, the ECU determines, using the margin, that the periodic message M2 is not an attacking message. Assume that this ECU received the second periodic message M2 at 101 ms. The difference between the reception time of the periodic message M1 and the reception time of the periodic message M2 is 101 ms, which is within a range of the period calculated in consideration of the margin, and therefore the ECU determines that the periodic message M2 is not an attacking message. The ECU predicts that the period in which the third periodic message is to be received is from 191 ms to 211 ms after the reception of the periodic message M1, as indicated as Z2 in FIG. 1.
Next, assume that the same ECU received the third periodic message M3 at 240 ms. In this case, the difference between the reception time of the periodic message M2 and the reception time of the periodic message M3 is 139 ms, which is not within the acceptable range of the period (Z2) calculated in consideration of the margin. Therefore, the ECU would make a false detection such that the periodic message M3 is an attacking message. Furthermore, the ECU calculates the reception interval on the basis of the reception time of the periodic message M3. As illustrated in FIG. 1, when the fourth periodic message is received at 301 ms, the difference between the reception time of the periodic message M3 and the reception time of the periodic message M4 is 61 ms, and the ECU determines that the difference is not within the acceptable range of the period calculated in consideration of the margin. Consequently, the ECU makes another false detection that the periodic message M4 is an attacking message.
The case C2 is an example of setting the margin to be 40 ms when the periodic messages M1 to M4 are evaluated. In this case, when the period between reception of a periodic message and reception of the next periodic message is within 60 ms to 140 ms, it is determined that an attack has not been conducted. Then, because the difference between the reception time of the periodic message M2 and the reception time of the periodic message M3 is 139 ms, it is determined that the periodic message M3 is not an attacking message. In a similar manner, the difference between the reception time of the periodic message M3 and the reception time of the periodic message M4 is 61 ms, and it is therefore determined that the periodic message M4 is not an attacking message either. Note that in order to make a comparison with the case C1, the period of time during which it is possible for the periodic message M2 to be received is indicated as Z3 and the period of time during which it is not possible for the periodic message M3 to be received is indicated Z4 in the case C2.
As a related technology, a technology has been proposed such that when a data frame that does not follow a predetermined rule of a transmission period is received, a specific identifier in the data frame is verified, and whether the data frame is being used for an attack is determined (e.g., Patent Document 1). A system has also been proposed such that when the first data having the same identifier as that of the reference reception data and a reception interval shorter than a predetermined period is received, the system waits for data having the same identifier as that of the first data until a predetermined period elapses after the reception time of the reference reception data. When the second data having the same identifier as that of the first data is received during the period of waiting for the data having the same identifier as that of the first data, this system determines that fraud has occurred (e.g., Patent Document 2). A method that has been proposed is such that an ECU transmits messages at defined communication intervals and an ECU that receives the messages determines whether the received messages are invalid on the basis of a comparison between the communication interval of the received messages and the defined communication interval (e.g., Patent Document 3). In addition, a system has been known such that in a terminal that transmits a connection request to a management control device when a timer expires, the cycle of the timer value can be changed (e.g., Patent Document 4).