JP7006295B2 - Attack detection device and attack detection method - Google Patents

Description

The present invention relates to an attack detection device and an attack detection method.

A network technology called CAN (Controller Area Network) may be used in an in-vehicle network of an automobile. In a network using CAN, an ECU (electronic control unit) is mounted on each node.

Identification information (ID) is added to the message transmitted from the ECU. This message is broadcast to the ECU in the network. Here, each ECU recognizes the ID of the message to be acquired by itself. Then, each ECU acquires a necessary message by checking the ID of the received message.

In the CAN system having the above configuration, an attack may be performed in which an ECU is hijacked by a malicious third party and a malicious message is output from the ECU. For example, the ID used in the CAN system is given to the malicious message. Then, the ECU that receives the message may execute an unintended process.

By the way, in many CAN systems, the ECU outputs a message at a predetermined cycle. Therefore, in the case where the cycle in which the message is output is known, each ECU can detect a malicious message by comparing the estimated arrival time of the message with the actual arrival time.

Of the plurality of information processing means that are connected to the network and periodically output data to the network, and the data that each information processing means periodically outputs to the network, the data that each information processing means outputs in the shortest cycle. (For example, an in-vehicle communication system including a monitoring means for detecting a communication abnormality of an in-vehicle communication system by monitoring whether or not the data to be output in the shortest cycle is output to the network has been proposed (for example). Patent Document 1). Further, Patent Documents 2 to 4 describe related techniques.

Japanese Unexamined Patent Publication No. 2013-236184 Japanese Unexamined Patent Publication No. 2014-69742 Japanese Unexamined Patent Publication No. 2017-85663 Japanese Unexamined Patent Publication No. 2010-221771

In the above-mentioned CAN system, a message may be output from a plurality of ECUs at the same time. Here, the message is broadcast. Therefore, in order to avoid conflicts between messages, each message has a priority. This priority is represented by the ID given to each message. When the messages are output from the plurality of ECUs at the same time, the transmission of the low-priority message is executed after the communication of the high-priority message is completed. Therefore, the transmission timing of the low priority message may be delayed.

As described above, message delay may occur in the CAN system. Therefore, in the method of comparing the estimated arrival time of the message with the actual arrival time, the legitimate message may be determined to be a malicious message. Alternatively, the malicious message may not be detected.

This problem can be solved, for example, by providing a predetermined margin with respect to the estimated time of arrival of the message. However, in this method, if the transmission timing of a legitimate message is significantly delayed, the message may be determined to be a malicious message. For example, if a delay greater than the message transmission cycle occurs, the delayed message may be determined to be a malicious message. That is, in an environment where the message transmission timing is significantly delayed, the accuracy of detecting an attack may decrease.

An object of one aspect of the present invention is to improve the accuracy of detecting an attack on a network.

The attack detection device according to one aspect of the present invention includes a receiving unit that receives a message including identification information transmitted in a network, and the receiving unit within a plurality of time windows of the same length set at different timings from each other. When a plurality of counters that count the number of messages received by the network and a state in which the value of the corresponding counter exceeds a predetermined threshold is continuously detected for a predetermined number of time windows, the network attacks. It is provided with a detection unit for determining that it has been received.

According to the above aspect, the accuracy of detecting an attack on the network is improved.

It is a figure which shows an example of the network in which an attack detection device is mounted. It is a figure which shows the example of the format of the frame which transmits a message. It is a figure which shows an example of an attack detection method. It is a figure which shows an example of an attack detection device. It is a figure which shows an example of the hardware composition of the ECU in which an attack detection device is mounted. It is a figure (the 1) which shows an example of the attack detection method in 1st Embodiment. It is a figure (the 2) which shows an example of the attack detection method in 1st Embodiment. It is a figure which shows an example of the case where the attack to the network is detected in the 1st Embodiment. It is a figure which shows an example of the case where a plurality of attack messages are input to a network in 1st Embodiment. It is a figure which shows an example of the case where detection omission occurs in 1st Embodiment. It is a figure which shows an example of the attack detection method in 2nd Embodiment. It is a figure explaining the timing shift of a time window. It is a figure which shows an example of the attack detection method in 3rd Embodiment. It is a flowchart which shows an example of the attack detection method of 3rd Embodiment. It is a flowchart which shows an example of the detection process executed by each determination unit. It is a figure which shows an example of the flag array used by the determination part.

FIG. 1 shows an example of a network in which an attack detection device according to an embodiment of the present invention is mounted. The network 100 shown in FIG. 1 includes a plurality of ECUs (ECUs 0 to ECUk). The plurality of ECUs are connected to each other via a bus. Then, in this embodiment, the plurality of ECUs form a CAN (Controller Area Network) system.

Each ECU can send a message via the bus. This message is broadcast to all ECUs in the network 100. At this time, the message also arrives at the source node. In addition, identification information (ID) is attached to each message. Here, each ECU recognizes the ID of the message to be acquired by itself. Then, each ECU acquires a necessary message by checking the ID of the received message. Each ECU is an example of a "communication device".

In the network 100, an attack detection device is mounted on one of a plurality of ECUs. In the example shown in FIG. 1, it is assumed that the attack detection device is mounted on the ECU 0. The attack detection device detects an attack on the network 100. That is, the attack detection device detects a malicious message in the network 100.

Further, at least one of the ECUs 1 to ECUk has a function of transmitting a message at a predetermined cycle. In the example shown in FIG. 1, the ECU 1 transmits a message including ID_A in a predetermined cycle, the ECU 2 transmits a message including ID_B in a predetermined cycle, and the ECU 3 transmits a message including ID_C in a predetermined cycle. do. Here, the message transmission cycle is predetermined for each ID. For example, a message to which ID = 0x123 is assigned is transmitted at intervals of 10 ms, and a message to which ID = 0x456 is assigned is transmitted at intervals of 20 ms.

In the in-vehicle network, a plurality of ECUs are used to control the vehicle. For example, a message to which ID = 0x123 is given transmits data indicating an accelerator opening degree, and a message to which ID = 0x456 is given transmits data indicating a brake depression angle.

Each message transmitted on the network 100 is broadcast as described above. Therefore, all the messages arrive at each ECU. The timing chart of FIG. 1 shows a situation in which messages transmitted from ECUs 1 to 3 arrive at ECU0.

FIG. 2 shows an example of the format of a frame for transmitting a message. In addition, F1 shows the format example of the frame of the general specification, and F2 shows the format example of the frame used in the extended specification.

The general specification frame F1 includes an SOF (Start of Frame), an arbitration field, a control field, a data field, a CRC field, an ACK field, and an EOF (End of Frame). The arbitration field includes ID and RTR (Remote Transmission Request). The ID represents identification information for identifying the message. The control field includes an IDE (Identifier Extension), a reserved bit, and a DLC (Data Length Code). The CRC field contains a CRC sequence and a CRC delimiter. The ACK field contains an ACK slot and an ACK delimiter. The value shown for each information element in FIG. 2 represents the bit length. For example, the length of the ID is 11 bits and the length of the data field is variable from 0 to 64 bits.

Similar to the general specification frame F1, the frame F2 used in the extended specification also includes a SOF, an arbitration field, a control field, a data field, a CRC field, an ACK field, and an EOF. However, in the extended specification, the identification information is represented by a larger number of bits.

In the following description, it is assumed that the message is transmitted using a frame of general specifications. However, the attack detection method according to the embodiment of the present invention is also applied to the case where a message is transmitted using a frame of extended specifications. Further, the attack detection method according to the embodiment of the present invention can be applied to other specifications or standards (for example, CAN-FD).

FIG. 3 shows an example of an attack detection method. In this example, it is assumed that the message having the ID to be detected is transmitted in a predetermined period T. Then, the attack detection device determines whether or not there is an attack on the network based on the reception frequency of the message. Specifically, when the number of messages detected within a predetermined monitoring period exceeds the threshold value, it is determined that there is an attack on the network. As an example, the length of the monitoring period is 5T and the threshold is 5. In this case, if the attack detection device receives more than five messages within the monitoring period, it determines that there has been an attack on the network. In FIG. 3, a Δ mark represents a regular message and a ▲ mark represents an attack message.

In the example shown in FIG. 3A, five messages arrive at the attack detection device during the first monitoring period. In this case, the attack detection device determines that there is no attack. In the next monitoring period, one attack message is transmitted in addition to five legitimate messages. That is, during this monitoring period, six messages arrive at the attack detection device. In this case, since the number of received messages exceeds the threshold value, the attack detection device determines that there has been an attack. In this way, attacks on the network are detected based on the frequency of receiving messages.

In the example shown in FIG. 3B, the attack message does not exist, but the transmission timing of the regular message is delayed. As a result, in the second monitoring period, seven messages arrive at the attack detection device. That is, the number of messages exceeding the threshold value arrives at the attack detection device. In this case, the attack detection device determines that there was an attack even though the attack message does not actually exist. That is, if the transmission of a legitimate message is significantly delayed, the accuracy of detecting an attack may decrease.

The attack detection device according to the embodiment of the present invention has a function of solving or suppressing the above-mentioned problems. That is, the attack detection device according to the embodiment of the present invention suppresses the influence caused by the delay in the transmission timing of the message that is predetermined to be transmitted in a predetermined cycle, and improves the accuracy of detecting the attack. It has a function to make it. The attack detection according to the embodiment can handle not only a delay within one cycle time but also a delay exceeding one cycle time.

FIG. 4 shows an example of an attack detection device according to an embodiment of the present invention. As shown in FIG. 4, the attack detection device 1 includes a receiving unit 2, a plurality of determination units 3 (3A, 3B), and a secondary determination unit 4. A message transmitted from the ECU mounted on the network 100 arrives at the receiving unit 2. Then, the receiving unit 2 receives a message including the ID to be detected. The attack detection device 1 can detect the reception time for each ID assigned to each message. The message reception time is detected by using, for example, a timer (not shown) mounted on the attack detection device 1. Alternatively, the attack detection device 1 may detect the reception time from the time stamp information attached to the message.

The configurations and operations of the plurality of determination units 3 (3A, 3B) are substantially the same as each other. Then, as shown in FIG. 4, each determination unit 3 includes a plurality of counters 11-1 to 11-n and a detection unit 12.

The determination unit 3 sets a plurality of time windows for monitoring the reception frequency of messages. The lengths of multiple time windows are the same for each other. Here, the length of each time window is longer than the transmission cycle of the message to be detected. As an example, the length of each time window is an integral multiple of the transmission cycle of the message to be detected. Also, the plurality of time windows are set at different timings from each other. Specifically, the plurality of time windows are set with a phase (or timing) shifted by a predetermined time. For example, when the length of the time window is L and the number of time windows set by the determination unit 3 is n, the plurality of time windows are set in a phase (or timing) shifted by L / n. The window.

Each time window of the determination unit 3B is set by shifting by a predetermined time with respect to the corresponding time window of the determination unit 3A. As an example, each time window of the determination unit 3B is set by shifting the transmission cycle of the message to be detected by half with respect to the corresponding time window of the determination unit 3A.

Each of the counters 11-1 to 11-n counts the number of messages received by the receiving unit 2 in the corresponding time window. The detection unit 12 detects an attack on the network 100 based on the values of the counters 11-1 to 11-n. Then, the determination unit 3 outputs a determination result indicating whether or not an attack has been detected by the detection unit 12.

The secondary determination unit 4 determines whether or not the network 100 has been attacked based on the determination result by the determination unit 3A and the determination result by the determination unit 3B. As an example, the secondary determination unit 4 determines that the network 100 has been attacked when an attack on the network 100 is detected by both the determination unit 3A and the determination unit 3B within a predetermined time.

In the example shown in FIG. 4, the attack detection device 1 determines whether or not the network 100 has been attacked by using a plurality of determination units 3, but the present invention is not limited to this configuration. For example, the attack detection device 1 may determine whether or not the network 100 has been attacked by using one determination unit 3. In this case, the attack detection device 1 includes a receiving unit 2 and one determination unit 3. Then, the attack detection device 1 outputs the determination result by the determination unit 3.

FIG. 5 shows an example of the hardware configuration of the ECU in which the attack detection device 1 is mounted. In this example, the ECU 20 includes a CAN transceiver 21, a CAN controller 22, and a processing circuit 23. The processing circuit 23 includes a processor 24 and a memory 25.

The CAN transceiver 21 has a function of transmitting and receiving the frame shown in FIG. The CAN controller 22 extracts data from the received frame. At this time, the CAN controller 22 may execute a CRC check on the received frame. Further, the CAN controller 22 can measure the time when each receiving frame arrives at the ECU 20. Further, the CAN controller 22 stores data in the transmission frame. The receiving unit 2 shown in FIG. 4 is realized by, for example, a CAN transceiver 21 and a CAN controller 22.

The processor 24 realizes attack detection by executing a program stored in the memory 25. In this case, the memory 25 stores a program that describes the functions of the determination unit 3 (3A, 3B) and the secondary determination unit 4 shown in FIG. Then, the processor 24 provides the functions of the determination unit 3 (3A, 3B) and the secondary determination unit 4 by executing this program. A part of the functions of the determination unit 3 (3A, 3B) may be realized by a hardware circuit. For example, the counters 11-1 to 11-n may be realized by a hardware circuit.

<First Embodiment>
The attack detection device of the first embodiment is mounted on the ECU 0 shown in FIG. 1 and detects a malicious message (attack message) that attacks the network 100. In this example, it is assumed that the message to which the detection target ID is assigned is designed to be transmitted in a predetermined period T. Further, it is assumed that the following communication is performed in the network 100.
(1) The message may be transmitted with a delay with respect to the scheduled transmission time, but it will not be omitted. The delay may exceed the period T.
(2) When a delay occurs, the corresponding message is sent later, so the total number of messages is restored.
(3) The message is not sent before the scheduled transmission time (however, the message may be sent slightly earlier than the scheduled transmission time).

6 to 7 show an example of the attack detection method according to the first embodiment. In the following description, the "message" shall represent a message to which an ID to be detected is assigned, unless otherwise specified. Further, the Δ mark indicates the timing at which the regular message is received by the receiving unit 2.

In this embodiment, the determination unit 3 sets five time windows W1 to W5. Each time window W1 to W5 is used to monitor the frequency of receiving messages. Therefore, the determination unit 3 includes five counters 11-1 to 11-5 for counting the number of received messages in the time windows W1 to W5, respectively. That is, the counters 11-1 to 11-5 count the number of received messages in the time windows W1 to W5, respectively.

The lengths of the time windows W1 to W5 are the same as each other, and are longer than the transmission cycle T of the message to be detected. As an example, the length of each time window W1 to W5 is 5T as shown in FIGS. 6 to 7. Further, the time windows W1 to W5 are set at different timings from each other. Specifically, the time windows W1 to W5 are set with a phase (that is, timing) shifted by a predetermined time. In this example, the time windows W1 to W5 are set with a phase (that is, timing) shifted by the time T. Specifically, the time window W2 is set delayed by the time T with respect to the time window W1. Similarly, the time window W3 is set delayed by the time T with respect to the time window W2. The time window W4 is set delayed by the time T with respect to the time window W3. The time window W5 is set delayed by the time T with respect to the time window W4.

The time windows W1 to W5 are set repeatedly. Therefore, the next time window W1 is set delayed by the time T with respect to the immediately preceding time window W5. That is, the time windows W1 to W5 are cyclically set with a phase shifted by the time T.

In the situation where the time windows W1 to W5 are set as described above, the message arrives at the attack detection device 1. The numbers shown in each time window in FIG. 6 and the like represent the values of the corresponding counters.

Message M1 arrives at the attack detection device 1. At this point, only the time window W1 is set. Therefore, the counter 11-1 is incremented from zero to one. Subsequently, the message M2 arrives at the attack detection device 1. At this time, the time windows W1 and W2 are set. Therefore, the counter 11-1 is incremented from 1 to 2, and the counter 11-2 is incremented from zero to 1. Further, the message M3 arrives at the attack detection device 1. At this time, the time windows W1 to W3 are set. Therefore, the counter 11-1 is incremented from 2 to 3, the counter 11-2 is incremented from 1 to 2, and the counter 11-3 is incremented from zero to 1.

After that, similarly, each time a message arrives at the attack detection device 1, the counters 11-1 to 11-5 corresponding to the time windows W1 to W5 are incremented by 1. However, the counters 11-1 to 11-5 are reset when the corresponding time window ends and a received message is detected in the next time window. For example, the time window W1 is switched to the next window at time 5. In this case, the counter 11-1 corresponding to the time window W1 is reset at the reception timing of the message (message M4 in FIG. 6) that first arrives at the attack detection device 1 after the time 5.

The detection unit 12 monitors whether or not the values of the counters 11-1 to 11-5 each exceed the threshold value. Here, in this embodiment, when the number of time windows to be set is n (n is an integer of 2 or more), the length of each time window is n times the transmission cycle T, and the threshold value is set. Is n. In the example shown in FIGS. 6 to 7, since five time windows W1 to W5 are set, the length of each time window W1 to W5 is 5T, and the threshold value is 5. Then, after the value of the counter corresponding to the oldest time window exceeds the threshold value at a certain point in time, the detection unit 12 continuously generates a state in which the value of the counter corresponding to the oldest time window exceeds the threshold value a predetermined number of times. Occasionally, it is determined that the network 100 has been attacked. In this embodiment, the detection unit 12 determines that the network 100 has been attacked when the counter value exceeds the threshold value five or more times in succession.

Here, it is assumed that the messages M4 to M8 are transmitted with a delay with respect to the scheduled transmission time. In this case, the messages M4 to M9 arrive at the attack detection device 1 at shorter intervals than usual. As a result, the values of some counters exceed the threshold.

Specifically, when the message M9 arrives at the attack detection device 1, the oldest time window among the time windows W1 to W5 is W5. At this time, the value of the counter corresponding to the time window W5 is 6, which exceeds the threshold value. In FIG. 7, when the counter corresponding to the oldest time window exceeds the threshold value, a circle is added to the count value. When the message M10 arrives at the attack detection device 1, the old time window is W1. At this time, the value of the counter corresponding to the time window W1 is 7, which exceeds the threshold value. When the message M11 arrives at the attack detection device 1, the old time window is W2. At this time, the value of the counter corresponding to the time window W2 is 7, which exceeds the threshold value. When the message M12 arrives at the attack detector 1, the old time window is W3. At this time, the value of the counter corresponding to the time window W3 is 6, which exceeds the threshold value.

When the message M13 arrives at the attack detection device 1, the old time window is W4. However, at this time, the value of the counter corresponding to the time window W1 is 5, and the threshold value is not exceeded.

As described above, in the cases shown in FIGS. 6 to 7, since the message arrives at the attack detection device 1 temporarily at shorter intervals than usual due to the transmission delay, the values of some counters exceed the threshold value. There is. However, since the state in which the value of the counter exceeds the threshold value ends when it occurs four times in a row, the detection unit 12 does not determine that the network 100 has been attacked. That is, in the cases shown in FIGS. 6 to 7, even if the normal message temporarily arrives at the attack detection device 1 at a shorter interval than usual, no erroneous detection occurs.

It is considered that the detection unit 12 can correctly determine whether or not there is an attack on the network 100 when the message transmission delay is equal to or less than the length of the time window. In other words, if the number of time windows to be set is increased and the length of the time windows is increased, the attack detection device 1 correctly determines the presence or absence of an attack for a larger transmission delay. For example, if 10 time windows are set by shifting by time T and the length of each time window is 10T, the allowable transmission delay is 10T (10 times the transmission cycle of the message to be detected). Is.

FIG. 8 shows an example of a case where an attack on the network is detected in the first embodiment. In this example, the regular messages M1 to M13 are transmitted without delay and arrive at the attack detection device 1. However, in the fifth cycle, the attack message MX arrives at the attack detection device 1 following the regular message M5. The ▲ mark indicates the timing at which the attack message is received by the receiving unit 2.

In this case, when the attack message MX arrives at the attack detection device 1, the oldest time window is W1. At this time, the value of the counter corresponding to the time window W1 is 6, which exceeds the threshold value. After that, when the messages M6, M7, M8, and M9 arrive at the attack detection device 1, the values of the counters corresponding to the time windows W2, W3, W4, and W5 are 6, respectively, and all of them exceed the threshold value. There is. That is, the state in which the value of the counter corresponding to the oldest time window exceeds the threshold value has occurred five times in a row. Therefore, the detection unit 12 determines that the network 100 has been attacked.

FIG. 9 shows an example of a case where a plurality of attack messages are input to the network in the first embodiment. In this example, an attack message is input to the network 100 in the 6th cycle and the 9th cycle.

Due to the input of the attack message to the network 100 in the sixth cycle, the value of the counter corresponding to the oldest time window W2 exceeds the threshold value (that is, 5). Subsequently, the values of the counters corresponding to the oldest time windows W3, W4, and W5 in the 7th cycle, the 8th cycle, and the 9th cycle exceed the threshold values, respectively. At this point, the state in which the value of the counter corresponding to the oldest time window exceeds the threshold value has occurred four times in a row.

Further, in the tenth cycle, the value of the counter corresponding to the oldest time window W1 exceeds the threshold value. At this point, the state in which the value of the counter corresponding to the oldest time window exceeds the threshold value has occurred five times in a row. Therefore, the detection unit 12 determines that the network 100 has been attacked.

After that, the values of the counters corresponding to the oldest time windows W2 to W5 in the 11th to 14th cycles each exceed the threshold value. Then, the detection unit 12 detects an attack in the 11th to 14th cycles, respectively.

As described above, in the case shown in FIG. 9, the number of times that the network 100 is determined to have been attacked is larger than the actual number of attack messages. However, the presence or absence of an attack is correctly determined.

FIG. 10 shows an example of a case where a detection omission occurs in the first embodiment. In this example, after the attack message is input to the network 100 in the 6th cycle and the 7th cycle, a large delay occurs.

In this example, due to the attack messages in the 6th cycle and the 7th cycle, the value of the counter corresponding to the oldest time windows W2 to W4 in the 6th to 8th cycles exceeds the threshold value, respectively. However, after this, the transmission of the regular message is greatly delayed, and the message does not arrive at the attack detection device 1 in the 8th to 11th cycles. Therefore, in the ninth cycle, the value of the counter corresponding to the oldest time window W5 does not exceed the threshold value. That is, the state in which the value of the counter corresponding to the oldest time window exceeds the threshold value does not exceed the threshold value five times in a row, and the detection unit 12 does not determine that the network 100 has been attacked.

In the twelfth cycle, the delayed messages collectively arrive at the attack detection device 1. Therefore, the value of the counter corresponding to some time windows exceeds the threshold value, but the value of the counter corresponding to the oldest time window exceeds the threshold value only four times in a row. Therefore, even after the 12th cycle, the detection unit 12 does not determine that the network 100 has been attacked.

As described above, in the first embodiment, the detection unit 12 may not be able to detect the attack message. For example, if the legitimate message is delayed after the attack message arrives at the attack detection device 1, the attack message may not be detected. Therefore, in order to suppress detection omission, the detection unit 12 will be described as a second embodiment in addition to the algorithms shown in FIGS. 6 to 10 or instead of the algorithms shown in FIGS. 6 to 10. Monitor attack messages with the algorithm of.

<Second embodiment>
In the second embodiment, the detection unit 12 monitors the value of the counter corresponding to each time window each time a message arrives at the attack detection device 1. Then, the detection unit 12 determines that the network 100 has been attacked when the value of each counter exceeds the threshold value set for the corresponding time window.

When the attack detection device 1 monitors an attack message using five time windows (W1 to W5), the threshold values set for each time window are different from each other, and are as follows, for example.
(1) Oldest time window: n (= 5)
(2) Second oldest time window: n-1 (= 4)
(3) Third oldest time window: n-2 (= 3)
(4) Fourth oldest time window: n-3 (= 2)
(5) Newest time window: n-4 (= 1)

FIG. 11 shows an example of the attack detection method according to the second embodiment. The message arriving at the attack detection device 1 is the same in FIGS. 10 and 11. Therefore, the values of the counters corresponding to the time windows W1 to W5 are the same in FIGS. 10 and 11. Moreover, in order to make the drawing easier to see, the notation of the delimiter of each time window is omitted.

In the sixth cycle, it is assumed that the regular message M5, the attack message MX, and the regular message M6 arrive at the attack detection device 1 in order. Then, when the regular message M5 arrives at the attack detection device 1, the values of the counters corresponding to the time windows W1, W2, W3, W4, and W5 are 1, 4, 3, respectively, as shown in FIG. It is assumed that it was 2 or 1. In the following description, the value of the counter corresponding to each time window will be expressed by the following notation.
Counter: [1,4,3,2,1]

Further, in the sixth cycle, the oldest time window is W2, the second, third, and fourth oldest time windows are W3, W4, and W5, respectively, and the newest time window is W1. In this case, the threshold values corresponding to the time windows W1, W2, W3, W4, and W5 are 1, 5, 4, 3, and 2, respectively. In the following description, the threshold value corresponding to each time window will be expressed by the following notation.
Threshold: [1,5,4,3,2]

The detection unit 12 compares the value of each counter with the threshold value set for the corresponding time window. In this example, the value of each counter is less than or equal to the corresponding threshold. Therefore, the detection unit 12 does not determine that the network 100 has been attacked.

Subsequently, when the attack message MX arrives at the attack detection device 1, each counter is incremented and the following states are obtained.
Counter: [2,5,4,3,2]
At this time, the value of the counter corresponding to the time window W1 is 2, which exceeds the corresponding threshold value “1”. However, the values of the counters corresponding to the other time windows are all below the corresponding thresholds. Therefore, the detection unit 12 does not determine that the network 100 has been attacked.

Further, when the regular message M6 arrives at the attack detection device 1, each counter is incremented and the following states are obtained.
Counter: [3,6,5,4,3]
At this time, the value of each counter exceeds the corresponding threshold value. In this case, the detection unit 12 determines that the network 100 has been attacked.

After that, in the seventh cycle, the attack message MY and the regular message M7 are assumed to arrive at the attack detection device 1 in order. In the 7th period, the oldest time window is W3, the second, third, and fourth oldest time windows are W4, W5, and W1, respectively, and the newest time window is W2. In this case, the threshold values corresponding to the time windows W1, W2, W3, W4, and W5 are as follows.
Threshold: [2,1,5,4,3]

Then, when the attack message MY arrives at the attack detection device 1, each counter is incremented and the following states are obtained.
Counter: [4,1,6,5,4]
When shifting from the 6th cycle to the 7th cycle, the counter corresponding to the oldest time window W2 in the 6th cycle is reset. Therefore, when the attack message MY arrives at the attack detection device 1, the value of the counter corresponding to the time window W2 is incremented from zero to one.

Here, the detection unit 12 compares the value of each counter with the threshold value set for the corresponding time window. In this case, the value of the counter corresponding to the time window W1, W3, W4, W5 exceeds the corresponding threshold value, but the value of the counter corresponding to the time window W2 is 1, and exceeds the threshold value "1". Not. Therefore, the detection unit 12 does not determine that the network 100 has been attacked.

Subsequently, when the regular message M7 arrives at the attack detection device 1, each counter is incremented and the following states are obtained.
Counter: [5,2,7,6,5]
At this time, the value of each counter exceeds the corresponding threshold value. Therefore, in this case, the detection unit 12 determines that the network 100 has been attacked.

As described above, if the algorithm of the second embodiment is used, it may be possible to detect an attack that could not be detected by the algorithm of the first embodiment. That is, if the two algorithms are used in parallel, the accuracy of attack detection is improved. Therefore, it is preferable that the attack detection device 1 monitors the attack message by using both the algorithm of the first embodiment and the algorithm of the second embodiment.

<Third embodiment>
As described above, the length of the time window is an integral multiple of the transmission cycle T of the normal message. Information on the transmission cycle T can be obtained, for example, by deriving from the cycle assumed from the design of the automobile, or by measuring and deriving the contents of the CAN. In the embodiments shown in FIGS. 6 to 11, the length of the time window is 5T. Therefore, the attack detection device 1 executes a process of monitoring an attack message in synchronization with the transmission cycle T. Then, as shown in FIG. 12A, the time window is set so that the end timing of the time window does not match the scheduled reception time of the regular message. The Δ mark indicates the timing at which the legitimate message transmitted without delay arrives at the attack detection device 1.

However, the transmission cycle T includes an error at the source of the message. Further, a measurement error of the transmission cycle T may occur in the attack detection device 1. Here, when these errors are accumulated, the end timing of the time window may coincide with the scheduled reception time of the regular message, as shown in FIG. 12 (b). If the end timing of the time window coincides with the reception time of the message, the number of messages arriving in the time window may not be counted correctly. For example, in FIG. 12B, when both the messages M6 and M11 are counted in the time window Wx, the number of received messages detected is 7. When one of the messages M6 and M11 is counted in the time window Wx, the number of received messages detected is 6. When the messages M6 and M11 are not counted in the time window Wx, the number of received messages detected is 5. If the number of received messages is not counted correctly, the attack detection device 1 cannot accurately detect an attack on the network 100. Therefore, the attack detection device 1 of the third embodiment has a function of solving or alleviating this problem.

The attack detection device 1 of the third embodiment monitors an attack on the network 100 by using the determination unit 3A, the determination unit 3B, and the secondary determination unit 4 shown in FIG. Here, the configurations and operations of the determination units 3A and 3B are substantially the same as each other. Then, each of the determination units 3A and 3B monitors an attack on the network 100 by using the algorithm of the first embodiment and / or the algorithm of the second embodiment, respectively. However, each time window of the determination unit 3B is set by shifting the corresponding time window of the determination unit 3A by a predetermined time. As an example, each time window of the determination unit 3B is set by shifting the transmission cycle of the message to be detected by half with respect to the corresponding time window of the determination unit 3A.

However, the shift amount of the time window between the determination unit 3A and the determination unit 3B is not limited to one half of the transmission cycle. Further, the attack detection device 1 may monitor an attack on the network 100 by using three or more determination units 3. For example, in a configuration in which the attack detection device 1 includes four determination units 3, the timing of the time window of each determination unit 3 may be sequentially shifted by a quarter of the transmission cycle.

The secondary determination unit 4 determines whether or not the network 100 has been attacked based on the determination result by the determination unit 3A and the determination result by the determination unit 3B. As an example, the secondary determination unit 4 determines that the network 100 has been attacked when an attack on the network 100 is detected by both the determination unit 3A and the determination unit 3B within a predetermined time. This "predetermined time" is preferably a transmission cycle T or less, and is, for example, T / 2.

FIG. 13 shows an example of the attack detection method according to the third embodiment. In this example, each time window of the determination unit 3B is set by shifting the transmission cycle T of the message to be detected by half with respect to the corresponding time window of the determination unit 3A. For example, the time window W1 of the determination unit 3B is set to be delayed by T / 2 with respect to the time window W1 of the determination unit 3A. The same applies to the other time windows W2 to W5.

In FIG. 13, the Δ mark and the ▲ mark represent the timing at which the regular message and the attack message arrive at the attack detection device 1, respectively. Further, the numbers given to the Δ and ▲ marks indicate the order in which each message arrives at the attack detection device 1 with respect to the time when the monitor is started. In FIG. 13, the first to fourth messages are omitted.

Each of the determination units 3A and 3B monitors an attack by using both the algorithm of the first embodiment and the algorithm of the second embodiment, respectively. Then, the secondary determination unit 4 determines that the network 100 has been attacked when an attack on the network 100 is detected by both the determination units 3A and 3B within a predetermined time. The detection process shown in FIG. 13 will be described in detail later.

FIG. 14 is a flowchart showing an example of the attack detection method of the third embodiment. The processing of this flowchart is executed for each message ID to be detected.

In S1, the attack detection device 1 receives the message. At this time, the receiving unit 2 records the reception time of this message. In S2 to S3, the determination unit 3A and the determination unit 3B execute the detection process for determining the presence or absence of an attack on the network 100. The attack detection device 1 may execute S2 and S3 in order or in parallel.

In S4, the secondary determination unit 4 determines whether an attack has been detected by both the determination unit 3A and the determination unit 3B within a predetermined time. Then, when an attack is detected by both the determination unit 3A and the determination unit 3B within a predetermined time, the secondary determination unit 4 determines in S5 that the network 100 has been attacked. In this case, the attack detection device 1 outputs a warning signal indicating that the network 100 has been attacked. On the other hand, if an attack is not detected by both the determination unit 3A and the determination unit 3B within the predetermined time, S5 is skipped and the processing of the attack detection device 1 returns to S1.

As described above, in the third embodiment, the phases of the time windows set in the two determination units 3 (3A, 3B) are shifted from each other. Therefore, for example, even if the number of received messages is not correctly counted by one of the determination units 3 due to the state shown in FIG. 12B, the number of received messages is correctly counted by the other determination unit 3. , The accuracy of attack detection is improved. Further, when an attack on the network 100 actually occurs, it is considered that both determination units 3 detect the attack at a timing close to each other. Therefore, erroneous detection is suppressed by determining that the secondary determination unit 4 has attacked the network 100 only when an attack is detected by both determination units 3 within a predetermined time.

When the network 100 is an in-vehicle CAN system that controls the running of the vehicle, the ECUs 1 to ECUk may stop or decelerate the vehicle in response to a warning signal output from the attack detection device 1 (ECU0), for example. You may do it. Alternatively, the connection between the network 100 and another network may be disconnected according to the warning signal output from the attack detection device 1.

FIG. 15 is a flowchart showing an example of the detection process executed by each determination unit 3 (3A, 3B). The processing of this flowchart corresponds to S2 or S3 shown in FIG. Therefore, the processing of this flowchart is executed by each determination unit 3 when a new message arrives at the attack detection device 1.

In S11, the determination unit 3 determines whether or not the reception time of the new message (that is, the time when the message arrives at the attack detection device 1) exceeds the end of the time window. At this time, the determination unit 3 extracts a time window in which the end time of the time window appears between the reception time of the immediately preceding message and the reception time of the new message. For example, in the case shown in FIG. 13, the end time of the time window W1 is located between the reception time of the fifth message and the reception time of the sixth message. In this case, when the sixth message arrives at the attack detection device 1, it is determined that "the reception time of the new message has exceeded the end of the time window W1".

If the reception time of the message exceeds the end of the time window, in S12, the determination unit 3 resets the counter corresponding to the time window extracted in S11 to zero. Further, in S13, the determination unit 3 updates the flag corresponding to the time window extracted in S11 to zero. This flag will be described later.

In S14, the determination unit 3 increments the counter corresponding to each time window. The value of the counter represents the number of messages arriving at the attack detection device 1 in the time window.

In S15, the determination unit 3 determines whether the value of the counter corresponding to the oldest time window is larger than the threshold value. When the length of the time window is n times the transmission cycle T, the threshold value is preferably n. Then, when the value of the counter corresponding to the oldest time window is larger than the threshold value, the determination unit 3 sets the flag corresponding to the oldest time window in S16. That is, the flag indicates whether or not the value of the counter in the corresponding time window exceeds the threshold value.

FIG. 16 shows an example of a flag array used by the determination unit 3. In this example, since the determination unit 3 monitors the attack using the five time windows W1 to W5, the length of the flag array is 10 bits. The first and sixth bits are assigned to the time window W1, the second and seventh bits are assigned to the time window W2, the third and eighth bits are assigned to the time window W3, and the fourth and ninth bits are time. It is assigned to the window W4, and the fifth and tenth bits are assigned to the time window W5. The example shown in FIG. 16 shows a case where the oldest time window is W4 when a message arrives at the attack detection device 1, and the value of the counter corresponding to the time window W4 is larger than the threshold value.

In S17, the determination unit 3 determines whether or not a predetermined number or more of flags are continuously set in the flag array. In this example, the determination unit 3 determines whether or not the flags equal to or more than the number of time windows are continuously set. That is, it is determined whether or not five or more flags are continuously set. Here, the state in which m flags are continuously set in the flag array represents a state in which the value of the counter continuously exceeds a predetermined threshold value for the m time windows. Therefore, the determination unit 3 can detect how many time windows the counter value continuously exceeds the threshold value based on the state of the flag array. In addition, S16 to S17 realize the algorithm of the first embodiment.

If a predetermined number or more of the flags are continuously set (S17: Yes), the determination unit 3 determines in S19 that the network 100 has been attacked. If not (S17: No), the process of the determination unit 3 proceeds to S18.

In S18, the determination unit 3 determines whether the value of the counter in each time window is larger than the corresponding threshold value. The thresholds corresponding to each counter are different from each other. For example, when the number of time windows is n, the threshold values corresponding to each time window are n, n-1, n-2. .. .. And the threshold corresponding to the newest time window is 1. In addition, S18 realizes the algorithm of the second embodiment.

When the value of the counter in each time window is larger than the corresponding threshold value (S18: Yes), the determination unit 3 determines in S19 that the network 100 has been attacked. If not (S18: No), the determination unit 3 determines in S20 that the network 100 has not been attacked.

When the value of the counter corresponding to the oldest time window is equal to or less than the threshold value (S15: No), the determination unit 3 may determine that the network 100 has not been attacked without executing S18. good. Alternatively, the determination unit 3 may execute S18 before S15 to S17.

The processing of the flowchart shown in FIG. 15 is executed by the determination unit 3A and the determination unit 3B, respectively. Then, the secondary determination unit 4 determines whether or not the network 100 has been attacked according to the determination results.

In the above example, the number of bits in the flag array is twice the number of windows, but the present invention is not limited to this configuration. For example, the number of bits in the flag array may be the same as the number of windows.

Next, an embodiment of the third embodiment will be described with reference to the case shown in FIG. In this embodiment, it is assumed that attack detection is performed under the following conditions.
(1) The transmission cycle T of the regular message is 10 msec. (2) Each determination unit 3 includes five time windows W1 to W5. (3) The length of each time window is five times the transmission cycle T (that is, that is). 50msec)
(4) The time windows W1 to W5 are set by shifting by T (that is, by 10 ms). (5) The shift of the time window between the determination units 3A and 3B is one half of the transmission cycle T (that is, that is). 5msec)
(6) Based on the detection start time, the regular message is 9.5 msec, 19.5 msec, 29.5 msec, 39.5 msec, 49.5 msec, 59.5 msec, 69.5 msec, 112. Attack detection at 0msec, 114.0msec, 114.8msec, 117.5msec, 119.9msec, 129.5msec, 139.5msec, 149.5msec, 159.5msec, 169.5msec Arrives at device 1 (note that the first four messages are omitted in FIG. 13).
(7) That is, a transmission delay occurs in 70 to 110 msec, and the delayed message arrives at the attack detection device 1 in 110 to 120 msec. (8) The attack message reaches 72.5 msec and 84.5 msec. Arriving at the attack detection device 1 (9) The threshold value of the algorithm of the first embodiment (hereinafter, algorithm 1) is 5.
(10) The threshold values of the algorithm of the second embodiment (hereinafter, algorithm 2) are 5, 4, 3, 2, 1 in order from the oldest time window.

According to the above (2) to (5), in the determination unit 3A, the time window W1 has 0 to 50 msec, 50 to 100 msec, and 100 to 150 msec. .. .. The time window W2 is set to 10 to 60 msec, 60 to 110 msec, 110 to 160 msec. .. .. The time window W3 is set to 20 to 70 msec, 70 to 120 msec, 120 to 170 msec. .. .. The time window W4 is set to 30 to 80 msec, 80 to 130 msec, 130 to 180 msec. .. .. The time window W5 is set to 40 to 90 msec, 90 to 140 msec, 140 to 190 msec. .. .. Is set to. Further, in the determination unit 3b, the time window W1 has 5 to 55 msec, 55 to 105 msec, and 105 to 155 msec. .. .. The time window W2 is set to 15 to 65 msec, 65 to 115 msec, 115 to 165 msec. .. .. The time window W3 is set to 25 to 75 msec, 75 to 125 msec, 125 to 175 msec. .. .. The time window W4 is set to 35 to 85 msec, 85 to 135 msec, 135 to 185 msec. .. .. The time window W5 is set to 45 to 95 msec, 95 to 145 msec, and 145 to 195 msec. .. .. Is set to.

In the initial setting, all the counters are initialized to zero in the determination units 3A and 3B. Further, in the determination units 3A and 3B, each bit of the flag array shown in FIG. 16 is also initialized to zero. In the following description, the counter corresponding to the time window Wi (i = 1 to 5) may be referred to as "counter i".

(1) Reception of the first message (time 9.5 ms)
In the determination unit 3A, the time window W1 is started at time zero (the end time is 50 msec). In the determination unit 3B, the time window W1 is started at a time of 5 msec (the end time is 55 msec).

When the first message arrives at the attack detection device 1 at the time of 9.5 msec, the counter 1 of the determination unit 3A is incremented from zero to 1, and the counter 1 of the determination unit 3B is also incremented from zero to 1. When a message arrives at the attack detection device 1 exactly at the boundary time of the time window (that is, the end time of the time window), the counter corresponding to the previous time window may be incremented, or the counter corresponding to the previous time window may be incremented. The counter corresponding to may be incremented, but it is assumed that which counter is incremented is predetermined.

Upon receiving the above message, each counter is updated as follows.
Counter of determination unit 3A: [1,0,0,0,0]
Counter of determination unit 3B: [1,0,0,0,0]

The determination units 3A and 3B execute the determination shown in FIG. 15 based on the value of the counter. At this time, since none of the counters exceeds the threshold value of the algorithm 1, the determination units 3A and 3B output "not detected", respectively. The flag array is as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,0,0,0]
Flag array of determination unit 3B: [0,0,0,0,0,0,0,0,0,0]

(2) Receiving the second message (time 19.5 ms)
Before the receiving unit 2 receives the second message, the time window W2 is started at the time 10 msec in the determination unit 3A (the end time is 60 msec). In the determination unit 3B, the time window W2 is started at a time of 15 msec (the end time is 65 msec).

When the second message arrives at the attack detection device 1 at the time of 19.5 msec, the counters 1 and 2 of the determination unit 3A are incremented, and the counters 1 and 2 of the determination unit 3B are also incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [2,1,0,0,0]
Counter of determination unit 3B: [2,1,0,0,0]

The determination units 3A and 3B execute the determination process based on the value of the counter. At this time, since neither of the counters exceeds the threshold values of algorithms 1 and 2, the determination units 3A and 3B output "not detected", respectively. The flag array is as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,0,0,0]
Flag array of determination unit 3B: [0,0,0,0,0,0,0,0,0,0]

(3) Receiving the third message (time 29.5 ms)
Before the receiving unit 2 receives the third message, the time window W3 is started at the time 20 msec in the determination unit 3A (the end time is 70 msec). In the determination unit 3B, the time window W3 is started at a time of 25 msec (the end time is 75 msec).

When the third message arrives at the attack detection device 1 at the time of 29.5 msec, the counters 1 to 3 of the determination unit 3A are incremented, and the counters 1 to 3 of the determination unit 3B are also incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [3,2,1,0,0]
Counter of determination unit 3B: [3,2,1,0,0]

The determination units 3A and 3B execute the determination process based on the value of the counter. At this time, since neither of the counters exceeds the threshold values of algorithms 1 and 2, the determination units 3A and 3B output "not detected", respectively. The flag array is as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,0,0,0]
Flag array of determination unit 3B: [0,0,0,0,0,0,0,0,0,0]

(4) Receiving the fourth message (time 39.5 ms)
Before the receiving unit 2 receives the fourth message, the time window W4 is started at the time 30 msec in the determination unit 3A (the end time is 80 msec). In the determination unit 3B, the time window W4 is started at a time of 35 msec (the end time is 85 msec).

When the fourth message arrives at the attack detection device 1 at the time of 39.5 msec, the counters 1 to 4 of the determination unit 3A are incremented, and the counters 1 to 4 of the determination unit 3B are also incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [4,3,2,1,0]
Counter of determination unit 3B: [4,3,2,1,0]

The determination units 3A and 3B execute the determination process based on the value of the counter. At this time, since neither of the counters exceeds the threshold values of algorithms 1 and 2, the determination units 3A and 3B output "not detected", respectively. The flag array is as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,0,0,0]
Flag array of determination unit 3B: [0,0,0,0,0,0,0,0,0,0]

(5) Receiving the fifth message (time 49.5 ms)
Before the receiving unit 2 receives the fifth message, the time window W5 is started at the time 40 msec in the determination unit 3A (the end time is 90 msec). In the determination unit 3B, the time window W5 is started at a time of 45 msec (the end time is 95 msec).

When the fifth message arrives at the attack detection device 1 at the time of 49.5 msec, the counters 1 to 5 of the determination unit 3A are incremented, and the counters 1 to 5 of the determination unit 3B are also incremented. As a result, each counter is updated as follows.
Counter of determination unit 3A: [5,4,3,2,1]
Counter of judgment unit 3B: [5,4,3,2,1]

The determination units 3A and 3B execute the determination process based on the value of the counter. At this time, since neither of the counters exceeds the threshold values of algorithms 1 and 2, the determination units 3A and 3B output "not detected", respectively. The flag array is as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,0,0,0]
Flag array of determination unit 3B: [0,0,0,0,0,0,0,0,0,0]

(6) Receiving the sixth message (time 59.5 ms)
Before the receiving unit 2 receives the sixth message, the time window W1 is restarted at the time 50 msec in the determination unit 3A (the end time is 100 msec). Further, in the determination unit 3B, the time window W1 is restarted at the time 55 msec (the end time is 105 msec). Therefore, the counters 1 are reset in the determination units 3A and 3B, respectively. Further, in the determination units 3A and 3B, the sixth bit of the flag array is reset.

When the receiving unit 2 receives the sixth message, the oldest time window in the determination units 3A and 3B is W2. Therefore, the threshold value of the algorithm 2 is as follows.
Judgment unit 3A threshold: [1,5,4,3,2]
Threshold of determination unit 3B: [1,5,4,3,2]

When the sixth message arrives at the attack detection device 1 at the time of 59.5 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [1,5,4,3,2]
Counter of judgment unit 3B: [1,5,4,3,2]

At this point, the oldest time windows in the determination units 3A and 3B are W2, respectively, as described above. Then, in the determination units 3A and 3B, the value of the counter 2 does not exceed the threshold value of the algorithm 1. Further, the values of the counters 1 to 5 do not exceed the corresponding threshold value of the algorithm 2. Therefore, the determination units 3A and 3B output "not detected", respectively. The flag array is as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,0,0,0]
Flag array of determination unit 3B: [0,0,0,0,0,0,0,0,0,0]

(7) Receiving the 7th message (time 69.5 ms)
Before the receiving unit 2 receives the seventh message, the time window W2 is restarted at the time 60 msec in the determination unit 3A (the end time is 110 msec). Further, in the determination unit 3B, the time window W2 is restarted at the time of 65 msec (the end time is 115 msec). Therefore, the counters 2 are reset in the determination units 3A and 3B, respectively. Further, in the determination units 3A and 3B, the 7th bit of the flag array is reset.

When the receiving unit 2 receives the seventh message, the oldest time window in the determination units 3A and 3B is W3. Therefore, the threshold value of the algorithm 2 is as follows.
Judgment unit 3A threshold: [2,1,5,4,3]
Threshold of determination unit 3B: [2,1,5,4,3]

When the seventh message arrives at the attack detection device 1 at the time of 69.5 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [2,1,5,4,3]
Counter of judgment unit 3B: [2,1,5,4,3]

At this point, the oldest time windows in the determination units 3A and 3B are W3, respectively, as described above. Then, in the determination units 3A and 3B, the value of the counter 3 does not exceed the threshold value of the algorithm 1. Further, the values of the counters 1 to 5 do not exceed the corresponding threshold value of the algorithm 2. Therefore, the determination units 3A and 3B output "not detected", respectively. The flag array is as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,0,0,0]
Flag array of determination unit 3B: [0,0,0,0,0,0,0,0,0,0]

(8) Receiving the 8th message (time 72.5msec)
Before the receiving unit 2 receives the eighth message, the time window W3 is restarted at the time 70 msec in the determination unit 3A (the end time is 120 msec). Therefore, in the determination unit 3A, the counter 3 is reset and the eighth bit of the flag array is reset. On the other hand, in the determination unit 3B, when the reception unit 2 receives the eighth message, the time window W3 set to the time 25 to 75 msec has not yet ended. Therefore, in the determination unit 3B, the counter and the flag array are not reset.

When the receiving unit 2 receives the eighth message, the oldest time window in the determination unit 3A is W4, and the oldest time window in the determination unit 3B is W3. Therefore, the threshold value of the algorithm 2 is as follows.
Judgment unit 3A threshold: [3,2,1,5,4]
Threshold of determination unit 3B: [2,1,5,4,3]

When the eighth message arrives at the attack detection device 1 at a time of 72.5 msec, the determination units 3A and 3B counters 1 to 5 are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [3,2,1,5,4]
Counter of judgment unit 3B: [3,2,6,5,4]

At this point, the oldest time window in the determination unit 3A is W4, as described above. The value of the counter 4 in the determination unit 3A is 5, and the value does not exceed the threshold value of the algorithm 1. Further, the values of the counters 1 to 5 do not exceed the corresponding threshold values of the algorithm 2, respectively. Therefore, the determination unit 3A outputs "not detected".

On the other hand, at this point, the oldest time window in the determination unit 3B is W3. The value of the counter 3 of the determination unit 3B is 6, which exceeds the threshold value of the algorithm 1. Therefore, the bits corresponding to the time window W3 are set in the flag array shown in FIG. Here, it is assumed that the third bit of the flag array is set. In this case, the flag array is updated as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,0,0,0]
Flag array of determination unit 3B: [0,0,1,0,0,0,0,0,0,0]

Here, in the flag array of the determination unit 3B, the flags are not continuously set. Therefore, the determination result of the algorithm 1 is "not detected". However, in the determination unit 3B, the values of the counters 1 to 5 are larger than the corresponding threshold values of the algorithm 2, respectively. Therefore, the determination result of the algorithm 2 is "detection". Therefore, the determination unit 3B outputs "detection (time: 72.5 ms)".

Then, the secondary determination unit 4 sets the period between the time 5 msec back from the reception time of the 8th message and the reception time of the 8th message (that is, the time 67.5 to 72.5 msec). It is determined whether or not "detection" is output from the determination unit 3A in the period). In this example, since "detection" is not output from the determination unit 3A within this period, the secondary determination unit 4 does not determine that the network 100 has been attacked.

(9) Reception of the 9th message (time 84.5msec)
Before the receiving unit 2 receives the ninth message, the time window W4 is restarted at the time 80 msec in the determination unit 3A (the end time is 130 msec). Therefore, in the determination unit 3A, the counter 4 is reset and the ninth bit of the flag array is reset. Further, in the determination unit 3B, the time window W3 is restarted at a time of 75 msec before the receiving unit 2 receives the ninth message (the end time is 125 msec). However, when the receiving unit 2 receives the ninth message, the time window W4 set to the time 35 to 85 msec has not been closed yet. Therefore, in the determination unit 3B, the counter 3 is reset, but the counter 4 is not reset. Further, the 8th bit of the flag array is reset, but the 9th bit of the flag array is not reset.

When the receiving unit 2 receives the ninth message, the oldest time window in the determination unit 3A is W5, and the oldest time window in the determination unit 3B is W4. Therefore, the threshold value of the algorithm 2 is as follows.
Judgment unit 3A threshold: [4,3,2,1,5]
Judgment unit 3B threshold: [3,2,1,5,4]

When the ninth message arrives at the attack detection device 1 at the time of 84.5 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [4,3,2,1,5]
Counter of judgment unit 3B: [4,3,1,6,5]

At this point, the oldest time window in the determination unit 3A is W5, as described above. The value of the counter 5 in the determination unit 3A is 5, and the value does not exceed the threshold value of the algorithm 1. Further, none of the counters exceeds the threshold value of Algorithm 2. Therefore, the determination unit 3A outputs "not detected".

On the other hand, at this point, the oldest time window in the determination unit 3B is W4, as described above. The value of the counter 4 of the determination unit 3B is 6, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W4 is set in the flag array. Here, it is assumed that the fourth bit of the flag array is set. In this case, the flag array is updated as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,0,0,0]
Flag array of determination unit 3B: [0,0,1,1,0,0,0,0,0,0]

Here, in the flag array of the determination unit 3B, the flags continuously set are less than 5 bits. Therefore, the determination result of the algorithm 1 is "not detected". Further, in the determination unit 3B, the value of the counter 3 does not exceed the corresponding threshold value of the algorithm 2. Therefore, the determination result of the algorithm 2 is also "not detected". As a result, the determination unit 3B outputs "not detected".

(10) Reception of the 10th message (time 112.0msec)
The 10th to 14th messages arrive at the attack detection device 1 with a large delay. Therefore, before the receiving unit 2 receives the tenth message, the time window W5 is restarted at the time 90 msec (the end time is 140 msec) in the determination unit 3A, and the time window W1 is restarted at the time 100 msec. Is restarted (the end time is 150 msec), and the time window W2 is restarted at the time 110 msec (the end time is 160 msec). Therefore, in the determination unit 3A, the counters 5, 1 and 2, respectively, are reset, and the 10th bit, the 1st bit, and the 2nd bit of the flag array are reset, respectively.

Further, in the determination unit 3B, the time window W4 is restarted at the time 85 msec (the end time is 135 msec) and the time window W5 is restarted at the time 95 msec before the receiving unit 2 receives the tenth message. Is restarted (the end time is 145 msec), and the time window W1 is restarted at the time 105 msec (the end time is 155 msec). Therefore, in the determination unit 3B, the counters 4, 5, and 1 are reset, and the 9th bit, the 10th bit, and the 1st bit of the flag array are reset, respectively.

When the receiving unit 2 receives the tenth message, the oldest time window in the determination unit 3A is W3, and the oldest time window in the determination unit 3B is W2. Therefore, the threshold value of the algorithm 2 is as follows.
Judgment unit 3A threshold: [2,1,5,4,3]
Threshold of determination unit 3B: [1,5,4,3,2]

When the tenth message arrives at the attack detection device 1 at the time of 112.0 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [1,1,3,2,1]
Counter of determination unit 3B: [1,4,2,1,1]

At this point, the oldest time window in the determination unit 3A is W3 as described above. The value of the counter 3 in the determination unit 3A is 3, and the value does not exceed the threshold value of the algorithm 1. Further, the values of the counters 1 to 5 do not exceed the corresponding threshold value of the algorithm 2. Therefore, the determination unit 3A outputs "not detected".

Further, the oldest time window in the determination unit 3B is W2 as described above. The value of the counter 2 in the determination unit 3B is 4, and the value does not exceed the threshold value of the algorithm 1. Further, the values of the counters 1 to 5 do not exceed the corresponding threshold value of the algorithm 2. Therefore, the determination unit 3B also outputs "not detected". The flag array is as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,0,0,0]
Flag array of determination unit 3B: [0,0,1,1,0,0,0,0,0,0]

(11) Reception of the 11th message (time 114.0 msec)
When the receiving unit 2 receives the eleventh message, the oldest time window in the determination unit 3A is W3, and the oldest time window in the determination unit 3B is W2. Therefore, the threshold value of the algorithm 2 is as follows, like the value at the time when the receiving unit 2 receives the tenth message.
Judgment unit 3A threshold: [2,1,5,4,3]
Threshold of determination unit 3B: [1,5,4,3,2]

When the eleventh message arrives at the attack detection device 1 at the time of 114.0 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [2,2,4,3,2]
Counter of determination unit 3B: [2,5,3,2,2]

At this point, the oldest time window in the determination unit 3A is W3 as described above. The value of the counter 3 in the determination unit 3A is 4, and the value does not exceed the threshold value of the algorithm 1. Further, the values of the counters 1 to 5 do not exceed the corresponding threshold value of the algorithm 2. Therefore, the determination unit 3A outputs "not detected".

Further, the oldest time window in the determination unit 3B is W2 as described above. The value of the counter 2 in the determination unit 3B is 5, which does not exceed the threshold value of the algorithm 1. Further, the values of the counters 1 to 5 do not exceed the corresponding threshold value of the algorithm 2. Therefore, the determination unit 3B also outputs "not detected". The flag array is as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,0,0,0]
Flag array of determination unit 3B: [0,0,1,1,0,0,0,0,0,0]

(12) Reception of the 12th message (time 114.8 msec)
When the receiving unit 2 receives the twelfth message, the oldest time window in the determination unit 3A is W3, and the oldest time window in the determination unit 3B is W2. Therefore, the threshold value of the algorithm 2 is as follows, like the value at the time when the receiving unit 2 receives the tenth message.
Judgment unit 3A threshold: [2,1,5,4,3]
Threshold of determination unit 3B: [1,5,4,3,2]

When the twelfth message arrives at the attack detection device 1 at the time of 114.8 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [3,3,5,4,3]
Counter of judgment unit 3B: [3,6,4,3,3]

At this point, the oldest time window in the determination unit 3A is W3 as described above. The value of the counter 3 in the determination unit 3A is 5, and the value does not exceed the threshold value of the algorithm 1. Further, the values of the counters 3 to 5 do not exceed the corresponding threshold value of the algorithm 2. Therefore, the determination unit 3A outputs "not detected".

On the other hand, the oldest time window in the determination unit 3B is W2 as described above. Here, the value of the counter 2 in the determination unit 3B is 6, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W2 is set in the flag array of the determination unit 3B. Here, it is assumed that the 7th bit of the flag array is set. In this case, the flag array is updated as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,0,0,0]
Flag array of determination unit 3B: [0,0,1,1,0,0,1,0,0,0]

However, in the flag array of the determination unit 3B, the flags continuously set are less than 5 bits. Therefore, the determination result of the algorithm 1 is "not detected". Further, since the values of the counters 3 and 4 do not exceed the corresponding threshold value of the algorithm 2, the determination result of the algorithm 2 is also "not detected". Therefore, the determination unit 3B outputs "not detected".

(13) Reception of the 13th message (time 117.5 msec)
Before the receiving unit 2 receives the thirteenth message, the time window W2 is restarted at the time 115 msec in the determination unit 3B (the end time is 165 msec). Therefore, in the determination unit 3B, the counter 2 is reset and the second bit of the flag array is reset.

When the receiving unit 2 receives the thirteenth message, the oldest time window in the determination units 3A and 3B is W3. Therefore, the threshold value of the algorithm 2 is as follows.
Judgment unit 3A threshold: [2,1,5,4,3]
Threshold of determination unit 3B: [2,1,5,4,3]

When the thirteenth message arrives at the attack detection device 1 at the time of 117.5 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [4,4,6,5,4]
Counter of judgment unit 3B: [4,1,5,4,4]

The operation of the determination unit 3A is as follows. That is, the oldest time window is W3 as described above. The value of the counter 3 is 6, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W3 is set in the flag array. Here, it is assumed that the eighth bit of the flag array is set. In this case, the flag array is updated as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,1,0,0]

Here, in this flag array, the flags are not set consecutively. Therefore, the determination result of the algorithm 1 is "not detected". However, the values of the counters 1 to 5 are larger than the corresponding thresholds of the algorithm 2, respectively. Therefore, the determination result of the algorithm 2 is "detection". As a result, the determination unit 3A outputs "detection (time: 117.5 msec)".

The operation of the determination unit 3B is as follows. That is, the oldest time window is W3 as described above. However, the value of the counter 3 is 5, which does not exceed the threshold value of the algorithm 1. Therefore, the determination result of the algorithm 1 is "not detected", and the flag array is as follows.
Flag array of determination unit 3B: [0,0,0,1,0,0,1,0,0,0]

Further, since the values of the counters 2 to 4 do not exceed the corresponding threshold value of the algorithm 2, the determination result of the algorithm 2 is also “not detected”. As a result, the determination unit 3B outputs "not detected".

In this way, when the thirteenth message arrives at the attack detection device 1, "detection (time: 117.5 msec)" is output from the determination unit 3A. Therefore, the secondary determination unit 4 determines whether or not "detection" is output from the determination unit 3B within the period of time 112.5 to 117.5 msec. In this example, since "detection" is not output from the determination unit 3B within this period, the secondary determination unit 4 does not determine that the network 100 has been attacked.

(14) Receiving the 14th message (time 119.9 ms)
When the receiving unit 2 receives the 14th message, the oldest time window in the determination units 3A and 3B is W3. Therefore, the threshold value of the algorithm 2 is as follows, like the value at the time when the receiving unit 2 receives the thirteenth message.
Judgment unit 3A threshold: [2,1,5,4,3]
Threshold of determination unit 3B: [2,1,5,4,3]

When the 14th message arrives at the attack detection device 1 at the time of 119.9 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [5,5,7,6,5]
Counter of judgment unit 3B: [5,2,6,5,5]

The operation of the determination unit 3A is as follows. That is, the oldest time window is W3 as described above. The value of the counter 3 is 7, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W3 is set in the flag array. However, this bit has already been set due to the reception of the thirteenth message. Therefore, the flag array is as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,1,0,0]

Here, in this flag array, the flags that are continuously set are less than 5 bits. Therefore, the determination result of the algorithm 1 is "not detected". However, the values of the counters 1 to 5 are larger than the corresponding thresholds of the algorithm 2, respectively. Therefore, the determination result of the algorithm 2 is "detection". As a result, the determination unit 3A outputs "detection (time: 119.9 ms)".

The operation of the determination unit 3B is as follows. That is, the oldest time window is W3 as described above. The value of the counter 3 is 6, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W3 is set in the flag array. Here, it is assumed that the eighth bit of the flag array is set. In this case, the flag array is updated as follows.
Flag array of determination unit 3B: [0,0,0,0,0,0,1,1,0,0]

Here, in this flag array, the flags that are continuously set are less than 5 bits. Therefore, the determination result of the algorithm 1 is "not detected". However, the values of the counters 1 to 5 are larger than the corresponding thresholds of the algorithm 2, respectively. Therefore, the determination result of the algorithm 2 is "detection". As a result, the determination unit 3B also outputs "detection (time: 119.9 ms)".

In this way, when the 14th message arrives at the attack detection device 1, "detection (time: 119.9 msec)" is output from both the determination units 3A and 3B. That is, "detection" is output from both the determination units 3A and 3B within a predetermined time (5 ms in this example). Therefore, the secondary determination unit 4 determines that the network 100 has been attacked.

The time indicated by "detection" output from the determination unit 3A due to the 13th message (that is, 117.5 ms) and the time output from the determination unit 3B due to the 14th message. The difference from the time indicated by "detection" (that is, 119.9 msec) is 5 msec or less. Therefore, the secondary determination unit 4 may determine that the network 100 has been attacked based on these determination results.

(15) Receiving the 15th message (time 129.5 ms)
Before the receiving unit 2 receives the 15th message, the time window W3 is restarted at the time 120 msec in the determination unit 3A (the end time is 170 msec). Further, in the determination unit 3B, the time window W3 is restarted at the time of 125 msec (the end time is 175 msec). Therefore, the counters 3 are reset in the determination units 3A and 3B, respectively. Further, in the determination units 3A and 3B, the third bit of the flag array is reset.

When the receiving unit 2 receives the fifteenth message, the oldest time window in the determination units 3A and 3B is W4. Therefore, the threshold value of the algorithm 2 is as follows.
Judgment unit 3A threshold: [3,2,1,5,4]
Judgment unit 3B threshold: [3,2,1,5,4]

When the fifteenth message arrives at the attack detection device 1 at the time of 129.5 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [6,6,1,7,6]
Counter of determination unit 3B: [6,3,1,6,6]

The operation of the determination unit 3A is as follows. That is, the oldest time window is W4 as described above. The value of the counter 4 is 7, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W4 is set in the flag array. In this example, the 9th bit is set and the flag array is updated as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,1,1,0]

Here, in this flag array, the flags that are continuously set are less than 5 bits. Therefore, the determination result of the algorithm 1 is "not detected". Further, the value of the counter 3 is equal to or less than the corresponding threshold value of the algorithm 2. Therefore, the determination result of the algorithm 2 is also "not detected". As a result, the determination unit 3A outputs "not detected".

The operation of the determination unit 3B is as follows. That is, the oldest time window is W4 as described above. The value of the counter 4 is 6, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W4 is set in the flag array. In this example, the 9th bit is set and the flag array is updated as follows.
Flag array of determination unit 3B: [0,0,0,0,0,0,1,1,1,0]

Here, in this flag array, the flags that are continuously set are less than 5 bits. Therefore, the determination result of the algorithm 1 is "not detected". Further, the value of the counter 3 is equal to or less than the corresponding threshold value of the algorithm 2. Therefore, the determination result of the algorithm 2 is also "not detected". As a result, the determination unit 3A outputs "not detected".

(16) Receiving the 16th message (time 139.5 ms)
Before the receiving unit 2 receives the 16th message, the time window W4 is restarted at the time 130 msec in the determination unit 3A (the end time is 180 msec). Further, in the determination unit 3B, the time window W4 is restarted at the time of 135 msec (the end time is 185 msec). Therefore, the counters 4 are reset in the determination units 3A and 3B, respectively. Further, in the determination units 3A and 3B, the fourth bit of the flag array is reset.

When the receiving unit 2 receives the 16th message, the oldest time window in the determination units 3A and 3B is W5. Therefore, the threshold value of the algorithm 2 is as follows.
Judgment unit 3A threshold: [4,3,2,1,5]
Threshold of determination unit 3B: [4,3,2,1,5]

When the 16th message arrives at the attack detection device 1 at the time of 139.5 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [7,7,2,1,7]
Counter of judgment unit 3B: [7,4,2,1,7]

The operation of the determination unit 3A is as follows. That is, the oldest time window is W5 as described above. The value of the counter 5 is 7, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W5 is set in the flag array. In this example, the 10th bit is set and the flag array is updated as follows.
Flag array of determination unit 3A: [0,0,0,0,0,0,0,1,1,1]

Here, in this flag array, the flags that are continuously set are less than 5 bits. Therefore, the determination result of the algorithm 1 is "not detected". Further, the values of the counters 3 and 4 are each equal to or less than the corresponding threshold value of the algorithm 2. Therefore, the determination result of the algorithm 2 is also "not detected". As a result, the determination unit 3A outputs "not detected".

The operation of the determination unit 3B is as follows. That is, the oldest time window is W5 as described above. The value of the counter 5 is 7, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W5 is set in the flag array. In this example, the 10th bit is set and the flag array is updated as follows.
Flag array of determination unit 3B: [0,0,0,0,0,0,1,1,1,1]

Here, in this flag array, the flags that are continuously set are less than 5 bits. Therefore, the determination result of the algorithm 1 is "not detected". Further, the values of the counters 3 and 4 are each equal to or less than the corresponding threshold value of the algorithm 2. Therefore, the determination result of the algorithm 2 is also "not detected". As a result, the determination unit 3B also outputs "not detected".

(17) Reception of the 17th message (time 149.5 ms)
Before the receiving unit 2 receives the 17th message, the time window W5 is restarted at the time 140 msec in the determination unit 3A (the end time is 190 msec). Further, in the determination unit 3B, the time window W5 is restarted at the time of 145 msec (the end time is 195 msec). Therefore, the counters 5 are reset in the determination units 3A and 3B, respectively. Further, in the determination units 3A and 3B, the fifth bit of the flag array is reset.

When the receiving unit 2 receives the 17th message, the oldest time window in the determination units 3A and 3B is W1. Therefore, the threshold value of the algorithm 2 is as follows.
Judgment unit 3A threshold: [5,4,3,2,1]
Judgment unit 3B threshold: [5,4,3,2,1]

When the 17th message arrives at the attack detection device 1 at the time of 149.5 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [8,8,3,2,1]
Counter of judgment unit 3B: [8,5,3,2,1]

The operation of the determination unit 3A is as follows. That is, the oldest time window is nW1 as described above. The value of the counter 1 is 8, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W1 is set in the flag array. In this example, the first bit is set and the flag array is updated as follows.
Flag array of determination unit 3A: [1,0,0,0,0,0,0,1,1,1]

Here, in this flag array, the flags that are continuously set are less than 5 bits. Therefore, the determination result of the algorithm 1 is "not detected". Further, the values of the counters 3 to 5 are each equal to or less than the corresponding threshold value of the algorithm 2. Therefore, the determination result of the algorithm 2 is also "not detected". As a result, the determination unit 3A outputs "not detected".

The operation of the determination unit 3B is as follows. That is, the oldest time window is W1 as described above. The value of the counter 1 is 8, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W1 is set in the flag array. In this example, the first bit is set and the flag array is updated as follows.
Flag array of determination unit 3B: [1,0,0,0,0,0,1,1,1,1]

At this time, five flags are set consecutively. Therefore, the determination result of the algorithm 1 is "detection", and the determination unit 3B outputs "detection (time: 149.5 msec)".

The secondary determination unit 4 determines whether or not "detection" is output from the determination unit 3A within the period of time 144.5 to 149.5 ms. In this example, "detection" is not output from the determination unit 3A within this period. Therefore, the secondary determination unit 4 does not determine that the network 100 has been attacked.

(18) Receiving the 18th message (time 159.5 ms)
Before the receiving unit 2 receives the 18th message, the time window W1 is restarted at the time 150 msec in the determination unit 3A (the end time is 200 msec). Further, in the determination unit 3B, the time window W1 is restarted at the time of 155 msec (the end time is 205 msec). Therefore, in the determination units 3A and 3B, the counter 1 is reset, and the sixth bit of the flag array is reset, respectively.

When the receiving unit 2 receives the 18th message, the oldest time window in the determination units 3A and 3B is W2. Therefore, the threshold value of the algorithm 2 is as follows.
Judgment unit 3A threshold: [1,5,4,3,2]
Threshold of determination unit 3B: [1,5,4,3,2]

When the 18th message arrives at the attack detection device 1 at the time of 159.5 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [1,9,4,3,2]
Counter of judgment unit 3B: [1,6,4,3,2]

The operation of the determination unit 3A is as follows. That is, the oldest time window is W2 as described above. The value of the counter 2 is 9, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W1 is set in the flag array. In this example, the second bit is set and the flag array is updated as follows.
Flag array of determination unit 3A: [1,1,0,0,0,0,0,1,1,1]

At this time, five flags are set consecutively. Therefore, the determination result of the algorithm 1 is "detection", and the determination unit 3A outputs "detection (time: 159.5 msec)".

The operation of the determination unit 3B is as follows. That is, the oldest time window is W2 as described above. The value of the counter 2 is 6, which exceeds the threshold value of the algorithm 1. Therefore, the bit corresponding to the time window W2 is set in the flag array. In this example, the second bit is set and the flag array is updated as follows.
Flag array of determination unit 3B: [1,1,0,0,0,0,0,1,1,1]

At this time, six flags are set consecutively. Therefore, the determination result of the algorithm 1 is "detection", and the determination unit 3B also outputs "detection (time: 159.5 msec)".

In this way, when the 18th message arrives at the attack detection device 1, "detection (time: 159.5 msec)" is output from both the determination units 3A and 3B. That is, "detection" is output from both the determination units 3A and 3B within a predetermined time (5 ms in this example). Therefore, the secondary determination unit 4 determines that the network 100 has been attacked.

(19) Reception of the 19th message (time 169.5 ms)
Before the receiving unit 2 receives the 19th message, the time window W2 is restarted at the time 160 msec in the determination unit 3A (the end time is 210 msec). Further, in the determination unit 3B, the time window W2 is restarted at the time of 165 msec (the end time is 215 msec). Therefore, in the determination units 3A and 3B, the counter 2 is reset, and the seventh bit of the flag array is reset, respectively.

When the receiving unit 2 receives the 19th message, the oldest time window in the determination units 3A and 3B is W3. Therefore, the threshold value of the algorithm 2 is as follows.
Judgment unit 3A threshold: [2,1,5,4,3]
Threshold of determination unit 3B: [2,1,5,4,3]

When the 19th message arrives at the attack detection device 1 at the time of 169.5 msec, the counters 1 to 5 of the determination units 3A and 3B are incremented, respectively. As a result, each counter is updated as follows.
Counter of determination unit 3A: [2,1,5,4,3]
Counter of judgment unit 3B: [2,1,5,4,2]

The operation of the determination unit 3A is as follows. That is, the oldest time window is W3 as described above. Here, the value of the counter 3 is 5, which is equal to or less than the threshold value of the algorithm 1. Further, the values of the counters 1 to 5 are each equal to or less than the corresponding threshold value of the algorithm 2. Therefore, the determination unit 3A outputs "not detected".

The operation of the determination unit 3B is as follows. That is, the oldest time window is W3 as described above. The value of the counter 3 is 5, which is equal to or less than the threshold value of the algorithm 1. Further, the values of the counters 1 to 5 are each equal to or less than the corresponding threshold value of the algorithm 2. Therefore, the determination unit 3B also outputs "not detected". In this way, since "not detected" is output from the determination units 3A and 3B, the secondary determination unit 4 does not determine that the network 100 has been attacked.

The start / end time of each time window may be set based on the reception time of the first message. For example, when the first message arrives at the attack detection device 1 at a time of 9.5 msec, the determination unit 3A sets the start / end time of each time window based on 12 msec (= 9.5 + 2.5). The determination unit 3B may set the start / end time of each time window based on 17 ms (= 9.5 + 2.5 + 5).

1 Attack detection device 2 Receiver 3 (3A, 3B) Judgment unit 4 Secondary judgment unit 11a to 11n Counter 12 Detection unit 21 CAN transceiver 22 CAN controller 24 Processor 25 Memory 100 Network

Claims (9)

A receiver that receives messages containing identification information transmitted within the network, and
A plurality of counters that count the number of messages received by the receiver in a plurality of time windows of the same length set at different timings, and
A detector that determines that the network has been attacked when a state in which the value of the corresponding counter exceeds a predetermined threshold value is continuously detected for a predetermined number of time windows is provided .
When the number of time windows to be set is n (n is an integer of 2 or more), the length of each time window is n of the cycle in which the message set corresponding to the identification information is transmitted. It is doubled and the threshold value is n.
The plurality of time windows are set by shifting in order by the same time as the cycle.
When a state in which the value of the corresponding counter exceeds a predetermined threshold value is continuously detected for n time windows, the detector determines that the network has been attacked.
An attack detection device characterized by this . A receiver that receives messages containing identification information transmitted within the network, and
A plurality of counters that count the number of messages received by the receiver in a plurality of time windows of the same length set at different timings, and
A detector that determines that the network has been attacked when the value of each counter exceeds different thresholds set for the corresponding time window.
For the plurality of time windows, a smaller threshold value is set for the new time window.
An attack detection device characterized by this . When the number of time windows to be set is n (n is an integer of 2 or more), the length of each time window is n of the cycle in which the message set corresponding to the identification information is transmitted. Double,
The plurality of time windows are set by shifting in order by the same time as the cycle.
The threshold value set for the oldest time window among the plurality of time windows is n, and for the other time windows, a smaller threshold value is set by 1 with respect to n in chronological order. The attack detection device according to claim 2 . A receiver that receives messages containing identification information transmitted within the network, and
A first determination unit and a second determination unit that determine the presence or absence of an attack on the network based on the frequency of messages received by the reception unit, respectively.
A secondary determination unit for determining whether or not the network has been attacked based on the determination results by the first determination unit and the second determination unit is provided.
The first determination unit and the second determination unit are, respectively.
A plurality of counters that count the number of messages received by the receiver in a plurality of time windows of the same length set at different timings, and
Includes a detector that detects an attack on the network based on the values of the plurality of counters.
Each time window of the second determination unit is set by shifting by a predetermined time with respect to the corresponding time window of the first determination unit .
The secondary determination unit determines that the network has been attacked when an attack on the network is detected by both the first determination unit and the second determination unit within a predetermined time.
An attack detection device characterized by this. Each time window of the second determination unit is only one half of the cycle in which the message set corresponding to the identification information is transmitted to the corresponding time window of the first determination unit. The attack detection device according to claim 4 , wherein the attack detection device is set by shifting. The number of received messages containing identification information is counted for each of multiple time windows of the same length set at different timings.
When the number of time windows to be set is n (n is an integer of 2 or more), the length of each time window is n of the cycle in which the message set corresponding to the identification information is transmitted. It is doubled and the threshold value is n.
The plurality of time windows are set by shifting in order by the same time as the cycle.
It is characterized in that when a state in which the corresponding count value exceeds a predetermined threshold value is continuously detected for n time windows, it is determined that the network transmitting the message containing the identification information has been attacked. Attack detection method. The number of received messages containing identification information is counted for each of multiple time windows of the same length set at different timings.
For the multiple time windows, a smaller threshold is set for the new time window.
When a state in which the corresponding count value exceeds a predetermined threshold value is continuously detected for a predetermined number of time windows among the plurality of time windows, the network transmitting the message including the identification information attacks. An attack detection method characterized by determining that it has been received . The number of received messages containing identification information is counted for each of multiple time windows of the same length set at different timings.
When the number of time windows to be set is n (n is an integer of 2 or more), the length of each time window is n of the cycle in which the message set corresponding to the identification information is transmitted. It is doubled and the threshold value is n.
The plurality of time windows are set by shifting in order by the same time as the cycle.
When the corresponding count value exceeds a predetermined threshold value is continuously detected for n time windows, the processor determines that the network transmitting the message containing the identification information has been attacked. Attack detection program to be executed. The number of received messages containing identification information is counted for each of multiple time windows of the same length set at different timings.
For the multiple time windows, a smaller threshold is set for the new time window.
When a state in which the corresponding count value exceeds a predetermined threshold is continuously detected for a predetermined number of time windows among the plurality of time windows, the network transmitting the message including the identification information attacks. An attack detection program that causes the processor to execute the process of determining that it has been received .

Images