1. Technical Field
The present disclosure relates to a technique for sensing fraudulent frames transmitted within an in-vehicle network over which electronic control units perform communication.
2. Description of the Related Art
Systems in recent automobiles accommodate multiple devices called electronic control units (ECUs). A network connecting these ECUs is called an in-vehicle network. There exist multiple in-vehicle network standards. Among all these standards, a standard called CAN (Controller Area Network) specified in ISO 11898-1 is one of the most mainstream in-vehicle network standards (see “CAN Specification 2.0 Part A”, [online], CAN in Automation (CiA), [searched Nov. 14, 2014], the Internet (URL:http://www.can-cia.org/fileadmin/cia/specifications/CAN20A.pdf)).
In CAN, each communication path is constituted by two buses, and ECUs connected to the buses are referred to as nodes. Each node connected to a bus transmits and receives a message called a frame. A transmitting node that is to transmit a frame applies a voltage to two buses to generate a potential difference between the buses, thereby transmitting the value “1” called recessive and the value “0” called dominant. When a plurality of transmitting nodes transmit recessive and dominant values at completely the same timing, the dominant value is prioritized and transmitted. A receiving node transmits a frame called an error frame if the format of a received frame is anomalous. In an error frame, 6 consecutive dominant bits are transmitted to notify the transmitting nodes or any other receiving node of frame anomaly.
In CAN, furthermore, there is no identifier that designates a transmission destination or a transmission source. A transmitting node transmits frames each assigned an ID called a message ID (that is, sends signals to a bus), and each receiving node receives only a predetermined message ID (that is, reads a signal from the bus). In addition, the CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) scheme is adopted, and arbitration based on message IDs is performed for simultaneous transmission of a plurality of nodes so that a frame with the value of message ID being small is preferentially transmitted.
There is also known a technique in which, in a case where a message that is anomalous is transmitted to a CAN bus, a gateway device detects the anomalous message and prevents the anomalous message from being transferred to any other bus to suppress an increase in the load on buses (see Japanese Unexamined Patent Application Publication No. 2007-38904).
Incidentally, a connection of a fraudulent node to a bus in an in-vehicle network and a fraudulent transmission of a frame (message) from the fraudulent node can possibly cause fraudulent control of the vehicle body. To suppress such a possibility, there is a need for sensing of a fraudulent message.