1. Technical Field
The present disclosure relates to a technique for detecting a malicious frame transmitted within an in-vehicle network over which electronic control units perform communication.
2. Description of the Related Art
Systems in recent automobiles accommodate multiple devices called electronic control units (ECUs). A network connecting these ECUs is called an in-vehicle network. There exist multiple standards for the in-vehicle network. Among these standards, a standard called CAN (Controller Area Network) specified in ISO 11898-1 is one of the most mainstream in-vehicle network standards (see “CAN Specification 2.0 Part A”, [online], CAN in Automation (CiA), [searched Nov. 14, 2014], the Internet (URL: http://www.can-cia.org/fileadmin/cia/specifications/CAN20A.pdf)).
In CAN, each communication path (bus) is constituted by two cables (lines), and ECUs connected to the bus are referred to as nodes. Each node connected to a bus transmits and receives a message called a frame. A transmitting node that is to transmit a frame applies a voltage to the two cables to generate a potential difference between the cables, thereby transmitting the value “1” called recessive and the value “0” called dominant. When a plurality of transmitting nodes transmit recessive and dominant values at exactly the same time, the dominant value is prioritized and transmitted. A receiving node transmits a frame called an error frame if the format of a received frame is anomalous. In an error frame, 6 consecutive dominant bits are transmitted to notify the transmitting node and any other receiving node of the frame anomaly.
In CAN, furthermore, there is no identifier that designates a transmission destination or a transmission source. A transmitting node transmits frames each assigned an ID called a message ID (that is, sends signals to a bus), and each receiving node receives only frames having a predetermined message ID (that is, reads a signal from the bus). In addition, the CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) scheme is adopted, and when a plurality of nodes transmit simultaneously, arbitration based on message IDs is performed so that a frame having a message ID whose value is small is preferentially transmitted.
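The dominant-over-recessive rule and the ID-based arbitration described above, simulated as an added example that is not part of the original disclosure. It assumes 11-bit standard-format identifiers and nodes that start transmitting on the same bit; `can_arbitrate` and `MAX_NODES` are names chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CAN_ID_BITS 11  /* identifier length of a standard-format frame */
#define MAX_NODES   8   /* limit chosen for this example */

/*
 * Bitwise arbitration among n nodes that start transmitting together.
 * ids[i] is the message ID node i sends; on return still_tx[i] is 1 for
 * each node that never lost arbitration. Returns the ID seen on the bus,
 * or -1 on invalid input.
 */
int can_arbitrate(const uint16_t *ids, size_t n, int *still_tx)
{
    uint16_t seen = 0;

    if (n == 0 || n > MAX_NODES)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (ids[i] > 0x7FF)
            return -1;
        still_tx[i] = 1;
    }
    for (int bit = CAN_ID_BITS - 1; bit >= 0; bit--) { /* MSB first */
        int level = 1; /* recessive unless some node drives dominant */
        for (size_t i = 0; i < n; i++)
            if (still_tx[i] && ((ids[i] >> bit) & 1) == 0)
                level = 0; /* dominant "0" overrides recessive "1" */
        /* A node that sent recessive but reads dominant backs off. */
        for (size_t i = 0; i < n; i++)
            if (still_tx[i] && ((ids[i] >> bit) & 1) == 1 && level == 0)
                still_tx[i] = 0;
        seen = (uint16_t)((seen << 1) | level);
    }
    return seen;
}

int main(void)
{
    /* Constructed sample IDs; nodes 1 and 3 send the same ID. */
    const uint16_t ids[] = { 0x2A0, 0x123, 0x7FF, 0x123 };
    int still_tx[4];
    int winner = can_arbitrate(ids, 4, still_tx);

    printf("bus ID: 0x%03X\n", winner);
    for (size_t i = 0; i < 4; i++)
        printf("node %zu: %s\n", i, still_tx[i] ? "transmitting" : "backed off");
    return 0;
}
```

The smallest ID (0x123) appears on the bus, and both nodes that sent it remain transmitting after arbitration: because the frame carries no source identifier, the ID field alone does not tell a receiver which node sent it.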
Conventionally, there is also known a technique in which, in a case where an anomalous message is transmitted on a CAN bus, a gateway device detects the anomalous message and does not transfer it to any other bus, thereby suppressing an increase in the load on buses (see Japanese Unexamined Patent Application Publication No. 2007-38904).
A connection of a malicious node to a bus in an in-vehicle network and a malicious transmission of a frame (message) from the malicious node can possibly cause malicious control of the vehicle body. To suppress such a possibility, there is a need for detection of a malicious message.