Evaluating lightweight unsupervised online IDS for masquerade attacks in CAN

TL;DR

This paper compares four lightweight, non-deep learning unsupervised online intrusion detection systems for detecting masquerade attacks in vehicular CAN networks, emphasizing real-time streaming conditions and practical applicability.

Contribution

It provides a comparative evaluation of four different non-DL-based IDS methods under realistic streaming conditions using the ROAD dataset.

Findings

The hierarchical clustering change detection method performs best.

None of the evaluated IDS detect all attack types.

The best method has higher computational overhead.

Abstract

Vehicular controller area networks (CANs) are susceptible to masquerade attacks by malicious adversaries. In masquerade attacks, adversaries silence a targeted ID and then send malicious frames with forged content at the expected timing of benign frames. As masquerade attacks could seriously harm vehicle functionality and are the stealthiest attacks to detect in CAN, recent work has devoted attention to compare frameworks for detecting masquerade attacks in CAN. However, most existing works report offline evaluations using CAN logs already collected using simulations that do not comply with the domain's real-time constraints. Here we contribute to advance the state of the art by presenting a comparative evaluation of four different non-deep learning (DL)-based unsupervised online intrusion detection systems (IDS) for masquerade attacks in CAN. Our approach differs from existing comparative evaluations in that we analyze the effect of controlling streaming data conditions in a sliding window setting. In doing so, we use realistic masquerade attacks being replayed from the ROAD dataset. We show that although evaluated IDS are not effective at detecting every attack type, the method that relies on detecting changes in the hierarchical structure of clusters of time series produces the best results at the expense of higher computational overhead. We discuss limitations, open challenges, and how the evaluated methods can be used for practical unsupervised online CAN IDS for masquerade attacks.