Introduction of Vehicle-Mounted Intrusion Detection and Prevention System

In this article, we will launch a detailed introduction to the countermeasure strategy for automotive cyber security risks, especially the in-vehicle intrusion detection and prevention system.

Vehicle Cyber Attack Response Strategy

With the development of automotive intelligent network connection and autonomous driving technology, the in-vehicle network provides more connection ports to meet the requirements of different applications and services, which, together with the inherent vulnerability of the in-vehicle network, makes intelligent network-connected vehicles have more potential cyber security vulnerabilities. These cyber-attacks are generally injected into the in-vehicle network through potential entry points such as telematics units, infotainment units, driver assistance units, direct interfaces and sensors, triggering different information security issues.

To effectively address these security risks, security strategies such as message authentication, data encryption, firewalls, and intrusion detection and prevention are typically used to detect and prevent physical and remote attacks and protect the in-vehicle network and systems from cyberattacks. Among them, active information security defence techniques such as authentication, access control, and encryption technologies are used to effectively protect the information transmission of the in-vehicle network by introducing fixed security mechanisms to ensure the confidentiality, integrity, and authentication of data frames and prevent attackers from gaining access to the system. These active countermeasures can protect the system from external network attacks but have limited effectiveness in protecting against internal attacks. In addition, the application of encryption and authentication mechanisms can lead to unexpected delays in security-critical real-time systems or messages in the in-vehicle network, so their deployment is largely limited by factors such as bandwidth and computing power. It can even easily compromise the security of vehicle mobility-related functions. In addition, firewall policies can separate potential attack interfaces from the in-vehicle network, but it is difficult to completely isolate threats and various sources of attacks.

In this context, the vehicle intrusion detection and prevention system (IDPS, Intrusion Detection & Prevention System) provides a new solution for in-vehicle network information security. The system can effectively collect and detect potential attacks on the in-vehicle network and misbehaviour of the out-of-vehicle connection network and perform dynamic defence and response based on the security detection results of the vehicle's current state. Among them, the Intrusion Detection System (IDS, Intrusion Detection System) can detect different types of attacks that may occur in the network, such as Denial of Service (DoS, Denial of Service)/Distributed Denial of Service (DDoS, Distributed Denial of Service), port scanning, malware or ransomware, etc. The Intrusion Prevention System (IPS) is designed to help mitigate or avoid the attacks mentioned above and prevent them from causing damage to in-vehicle systems. Compared with the above two single systems, both the detection and defence function of IDPs can make the security protection double, on the one hand, monitor the system and protect the network from intruders, on the other hand, provide reports to the administrator on the event of an attack in the network environment to help further feedback response measures. Compared with the previously mentioned active security defence mechanisms, the intrusion detection and prevention system IDPS has the characteristics of small bandwidth resources and easy deployment, which makes it more suitable for vehicle networks with limited resources and costs.

In-vehicle Intrusion Detection and Prevention System (IDPS)

Principle of IDPs

The core function of the Intrusion Detection and Prevention System IDPS is an intrusion detection and response blocking. The complete vehicle IDPS system is a dynamic defence system that combines vehicle-side and cloud-side, which can realize effective collection, detection and response of vehicle network security attacks and abnormal events.

When the vehicle is hacked, the data collection module collects message data and security status information from each component at the vehicle end or in the vehicle bus network (such as CAN/CANFD, Ethernet, etc.) in real time. It sends them to the intrusion detection module for detecting abnormal traffic in the vehicle network and abnormal behaviour in the vehicle operating system. In addition, the rules in the detection rule base can effectively support intrusion anomaly detection. When anomalies are detected, intrusion events must be reported to the IDPS event management module. The event management module performs certain processing filters on the security events and generates corresponding alarm logs and response measures. The alarm logs will be uploaded to the cloud security operation and maintenance centre (VSOC) to manage and present all vehicle-related events and statuses. At the same time, it will update the security protection policy on the vehicle side through OTA and other means to improve the vehicle's security level.

Classification of IDPs

According to the different detection objects, the vehicle intrusion detection and defence system IDPS can be classified into host-based, network-based and hybrid types, as described below.

H-IDPS, Host-based IDPs

H-IDPS mainly monitors and protects key ECUs that are vulnerable to attacks and achieves detection of abnormal system behaviour by monitoring host systems with operating systems or external interfaces such as T-BOX, central gateway, IVI, etc., and collecting and analyzing their file integrity, network connection activity, process behaviour, resource usage, log string matching, and other event characteristics.

N-IDPS, Network-based IDPs

N-IDPS mainly detects intrusion events in the internal network of vehicles and carries out activities such as traffic data monitoring, data load parsing and field matching of specific network segments or devices by collecting message data on the vehicle network bus to identify abnormal traffic and potential attack behaviours that occur in the network.

Hybrid IDPs

Hybrid IDPS is a combination of network-based IDPS and host-based IDPS. For smart connected vehicles, Hybrid IDPS is the most widely used and is more conducive to detecting and responding to suspicious threats to the vehicle in a comprehensive manner. In addition, IDPs can be further subdivided into feature-based, information-theoretic and statistical analysis-based, and machine learning-based detection mechanisms based on the differences in detection techniques, as described below.

Feature-based Detection Methods

The feature-based detection method is one of the common intrusion detection techniques and is widely used in the study of intrusion detection in-vehicle networks. This method identifies intrusions or abnormal behaviours by monitoring a vehicle's internal network and extracting different features from it. By analyzing the vehicle network architecture and network protocols, it is found that the network features that can be used for intrusion detection observation include device fingerprinting (extracted by time and frequency domain information), clock offset, frequency observation, and remote frames. Feature-based detection methods usually achieve high accuracy for specific attack models and feature short response time and low network bandwidth overhead.

Yilin Zhao et al. designed a new fingerprint-based Clock-IDS for vehicle intrusion detection and protection. The system establishes a unique fingerprint for each ECU based on clock deviation and implements intrusion detection and attack source identification functions using empirical rules and dynamic time warping. The final experiment yielded an accuracy of 98.63% for detecting three types of attacks, an average accuracy of 96.77% for identifying attack sources, and an average time cost of only 1.99ms per detection. Song et al. proposed a lightweight intrusion detection system based on a statistical analysis of message time intervals. They found that analyzing the time interval of messages is an important feature for detecting packets and that message frequency analysis can effectively detect traffic anomalies and message injection attacks.

Detection Method-based on Information Theory and Statistical Analysis

When a vehicle is subjected to malicious attacks (e.g., DOS, replay, etc.), the information entropy of the CAN bus will be significantly reduced, which is widely used in the study of intrusion in resource-limited vehicle networks, and many studies gradually focus on entropy-based anomaly detection systems. Muter and Asaj et al. first proposed using information entropy in vehicle detection networks and used it to detect message injection (MI) attacks and DoS attacks. The rationality and applicability of the approach are discussed. Mirco Marchetti et al. then introduce an entropy-based intrusion detection system and evaluate its effectiveness when applied to modern vehicular networks. Experimental results show that entropy-based anomaly detection can only detect forgery attacks if applied to all CAN messages. The method is completely independent of message content and can therefore be applied directly to the CAN bus of any vehicle, but requires the parallel execution of multiple anomaly detectors.

Machine Learning-based Detection Methods

Machine learning, neural networks and other theories are popular for studying intrusion detection techniques for vehicle networks. These detection methods introduce mechanisms such as machine learning to complete the identification of normal samples, and the technology is more universal. It does not require custom development of the adapted vehicle, but there are problems with collecting many anomaly samples and high training difficulty. Kang and Kang propose a deep neural network (DNN) based intrusion detection system. The system trains the detection model on a high-dimensional feature-extracting bitstream of in-vehicle network packets exchanged between ECUs.

For a given packet, the DNN provides the probability of each class distinguishing between normal and attack packets so that the sensor can identify any malicious attack on the vehicle. Experimental results show that this technique provides a real-time response to attacks and significantly improves the detection rate in the CAN bus. Taylor et al. propose an anomaly detector based on a long and short-term memory neural network to detect five network attacks: interleaved, dropped, discontinuous, anomalous, and reverse. The experimental results show that the method can detect anomalous messages with a high detection rate and a low false alarm rate.

Conclusion

In-vehicle network intrusion detection and prevention techniques can effectively compensate for the computational and communication overheads caused by encryption and authentication mechanisms and are more suitable for the network environment of intelligent networked vehicles with critical functions and limited resources. In the future, in-vehicle network intrusion detection and prevention technology will be an important development direction for the research of information security enhancement of intelligent network-connected vehicles.

Previous: Future Development Trends of Autonomous Driving Technology

Next: Automatic Driving L1-L5 Technology Difference