TTIDS: Transmission-Resuming Time-Based Intrusion Detection System for Controller Area Network (CAN)

Modern vehicles are becoming complex cyber-physical systems equipped with numerous electronic control units (ECUs). Over the controller area network (CAN), these ECUs communicate with each other to share information related to vehicle status as well as commands to efficiently control the vehicle. However, the increasing complexity of modern vehicles has inadvertently expanded potential attack surfaces, making them vulnerable to cyber attacks. In light of this, researchers are currently working to demonstrate remote vehicle maneuvering by compromising ECUs, and as a countermeasure to such malicious manipulation, to study automotive intrusion detection systems (IDSs) as potential remedies. In general, CAN messages are transmitted periodically, and as such, many researchers have relied on frequency-based IDSs in their solutions proposals. However, an attacker can bypass this defense by suspending the communication of the target ECU from the network and injecting malicious messages with the same frequency as the suspended messages. As a result, an attacker is able to masquerade as the original transmission frequency. In this paper, we propose a Transmission-resuming Time-based IDS (TTIDS), which is designed to detect such attacks. TTIDS detects when an ECU periodically transmitting messages is suspended, and then it estimates when the suspended ECU resumes periodic transmission. With this projection, TTIDS detects malicious messages transmitted while the ECU is suspended. We conduct the evaluation of TTIDS on two real vehicles and present the results, which show the TTIDS is able to effectively detect an enhanced attack that bypasses existing frequency-based IDSs with a false positive rate of 0.213% and a false negative rate of 0.027%.