DGIDS: Dynamic graph-based intrusion detection system for CAN

The Controller Area Network (CAN) is widely used in automobiles to interconnect safety-critical electronic control units (ECUs). Unfortunately, CAN does not have inherent security mechanisms as originally designed, which has drawn significant attention from the research community. Currently, the mainstream CAN protection strategy is the Intrusion Detection System (IDS). However, many statistics-based IDSs are unable to identify the identifier (ID) of the attacked message; they can only identify anomalies within a specific time window. Moreover, these systems are often tested solely on public datasets, lacking theoretical validation of their effectiveness. To address these shortcomings, we propose a real-time intrusion detection system based on a dynamic graph. The graph is dynamically constructed based on the arrival of messages, and features are extracted concurrently. By utilizing the distribution of features extracted during the offline phase, our system achieves real-time detection of incoming messages and identifies the ID of the attacked message. Additionally, we introduce a method to theoretically validate the detection system through permutation and probabilistic statistical analysis. Experiments and theoretical analysis demonstrate that our proposed IDS can effectively detect a wide range of attacks with reduced detection time and memory usage.