As modern vehicles become increasingly connected and software-driven, securing their in-vehicle networks (IVNs)—especially the ubiquitous, vulnerable Controller Area Network (CAN)—has become paramount. However, contemporary automotive intrusion detection systems (IDSs) suffer from elevated false positive rates that significantly impact their practical effectiveness. This work aims to address these limitations by developing an enhanced rule-based IDS that incorporates adaptive pattern recognition mechanisms. We propose two novel detection rules that leverage attack-free traffic analysis to establish baseline behavioral patterns for the CAN bus. More specifically, Rule #1 analyzes message data field lengths against “normal” patterns derived from attack-free network traffic, and Rule #2 employs field classification to categorize message types for each arbitration ID, distinguishing between constant values, counters, multi-values, and sensor data. Our experimental evaluation demonstrates that the proposed detection rules achieve superior accuracy metrics while significantly reducing false positive rates compared to conventional approaches.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Towards Practical Automotive Intrusion Detection Systems: An Adaptive Rule-Based Approach

  • Lucien Kiven Tamo,
  • Brooke Kidmose,
  • Weizhi Meng,
  • Thanassis Giannetsos

摘要

As modern vehicles become increasingly connected and software-driven, securing their in-vehicle networks (IVNs)—especially the ubiquitous, vulnerable Controller Area Network (CAN)—has become paramount. However, contemporary automotive intrusion detection systems (IDSs) suffer from elevated false positive rates that significantly impact their practical effectiveness. This work aims to address these limitations by developing an enhanced rule-based IDS that incorporates adaptive pattern recognition mechanisms. We propose two novel detection rules that leverage attack-free traffic analysis to establish baseline behavioral patterns for the CAN bus. More specifically, Rule #1 analyzes message data field lengths against “normal” patterns derived from attack-free network traffic, and Rule #2 employs field classification to categorize message types for each arbitration ID, distinguishing between constant values, counters, multi-values, and sensor data. Our experimental evaluation demonstrates that the proposed detection rules achieve superior accuracy metrics while significantly reducing false positive rates compared to conventional approaches.