ErrIDS: An Enhanced Cumulative Timing Error-Based Automotive Intrusion Detection System

Abstract

Contemporary vehicles have undergone numerous transformations to become fully computerized machines. This computerizing process is intended to provide safety and convenience for drivers; however, there have been many studies demonstrating how to remotely maneuver a vehicle by compromising its in-vehicle electronic control units (ECU). As a countermeasure, automotive intrusion detection systems (IDSs) have also been extensively explored as potential remedies. The clock-based IDS was one of the most promising methods for an automotive IDS, but researchers have recently determined it to be insufficient, as adversaries can emulate the clock skew. In this paper, we propose a novel automotive IDS that leverages the residuals-which have traditionally been considered an error that should be removed from analysis-of average and actual timestamp intervals of two consecutive controller area network (CAN) messages. Thus, we present a rationale as to why large residuals occur in a real in-vehicle CAN network. Our method analyzes transmission periodicity so closely that any minuscule change can be detected in the event of an intrusion. We show that our method detects a vehicle intrusion with a low false-alarm rate, and that it can detect a new sophisticated attack which emulates the clock skew of an original transmission. To the best of our knowledge, this is the first approach analyzing transmission time to detect the frequency masquerading attack with clock skew emulation. Finally, our method enables the sharing of parameters determined in a vehicle with other like models, which is meaningful for manufacturers in terms of scalability.