Network Anomaly Detection in Cars: A Case for Time-Sensitive Stream Filtering and Policing

TL;DR

This paper proposes a network anomaly detection system for in-vehicle Ethernet networks using Time-Sensitive Networking (TSN) filters and policies, enhancing security by identifying misbehavior at the link layer with high accuracy.

Contribution

It introduces a TSN-based anomaly detection approach that leverages traffic classification to detect misbehavior in vehicle networks at the link layer, with evaluation on real-world data.

Findings

Detection accuracy improves with precise communication specifications.

The system achieves false-positive free detection with fully specified communication matrices.

Evaluation on real attack traces demonstrates practical effectiveness.

Abstract

Connected vehicles are threatened by cyber-attacks as in-vehicle networks technologically approach (mobile) LANs with several wireless interconnects to the outside world. Malware that infiltrates a car today faces potential victims of constrained, barely shielded Electronic Control Units (ECUs). Many ECUs perform critical driving functions, which stresses the need for hardening security and resilience of in-vehicle networks in a multifaceted way. Future vehicles will comprise Ethernet backbones that differentiate services via Time-Sensitive Networking (TSN). The well-known vehicular control flows will follow predefined schedules and TSN traffic classifications. In this paper, we exploit this traffic classification to build a network anomaly detection system. We show how filters and policies of TSN can identify misbehaving traffic and thereby serve as distributed guards on the data link layer. On this lowest possible layer, our approach derives a highly efficient network protection directly from TSN. We classify link layer anomalies and micro-benchmark the detection accuracy in each class. Based on a topology derived from a real-world car and its traffic definitions we evaluate the detection system in realistic macro-benchmarks based on recorded attack traces. Our results show that the detection accuracy depends on how exact the specifications of in-vehicle communication are configured. Most notably for a fully specified communication matrix, our anomaly detection remains free of false-positive alarms, which is a significant benefit for implementing automated countermeasures in future vehicles.