Evaluation of the Architecture Alternatives for Real-time Intrusion Detection Systems for Connected Vehicles

TL;DR

This paper evaluates four real-time IDS architectures for connected vehicles, demonstrating that a dual-process design effectively detects cyber-attacks without message loss, enhancing vehicle cybersecurity.

Contribution

It introduces and assesses four architecture designs for real-time IDS in connected vehicles, highlighting a reliable dual-process approach for attack detection.

Findings

Dual-process architecture ensures no message loss during detection

Real-time IDS effectively detects message injection attacks

Evaluation based on CAN datasets from moving vehicles

Abstract

Attackers demonstrated the use of remote access to the in-vehicle network of connected vehicles to launch cyber-attacks and remotely take control of these vehicles. Machine-learning-based Intrusion Detection Systems (IDSs) techniques have been proposed for the detection of such attacks. The evaluation of some of these IDS demonstrated their efficacy in terms of accuracy in detecting message injections but was performed offline, which limits the confidence in their use for real-time protection scenarios. This paper evaluates four architecture designs for real-time IDS for connected vehicles using Controller Area Network (CAN) datasets collected from a moving vehicle under malicious speed reading message injections. The evaluation shows that a real-time IDS for a connected vehicle designed as two processes, a process for CAN Bus monitoring and another one for anomaly detection engine is reliable (no loss of messages) and could be used for real-time resilience mechanisms as a response to cyber-attacks.