| CPC H04L 63/1425 (2013.01) [H04L 63/20 (2013.01); H04L 67/12 (2013.01)] | 11 Claims |
|
1. An anomaly detection device in an in-vehicle network system performing service-oriented communication via Ethernet (registered trade mark), the anomaly detection device comprising:
a detection rule generator circuit
that monitors a communication establishment frame flowing over the Ethernet in a communication establishment phase of the service-oriented communication, the communication establishment frame including a communication ID, and
that dynamically generates, for the communication ID, a detection rule including the communication ID written in the communication establishment frame, and a server address or a client address written in the communication establishment frame;
an anomaly detector circuit
that monitors a communication frame flowing over the Ethernet in a communication phase of the service-oriented communication,
that determines that the communication frame includes the communication ID corresponding to the dynamically generated detection rule,
that, by referring to the dynamically generated detection rule corresponding to the communication ID written in the communication frame, detects the communication frame as an anomalous frame when a server address or a client address written in the communication frame differs from the server address or the client address specified in the dynamically generated detection rule; and
an anomaly notifier circuit that provides a notification of an anomaly in response to the anomalous frame being detected, wherein
the detection rule generator circuit generates, for each of one or more communication IDs, a plurality of detection rules that include an identical communication ID and server addresses different from each other or client addresses different from each other.
|