In-Vehicle Network Intrusion Detection System Using CAN Frame-Aware Features

With the advancement of connected and automated vehicles (CAVs), drivers now have access to convenient features such as lane-keeping, cruise control, and more. The electronic control units (ECUs) equipped within vehicles communicate with each other through the controller area network (CAN). However, since the CAN does not possess any security mechanisms, it becomes a target for adversaries to attack. In light of this, a significant amount of research regarding intrusion detection systems (IDSs) has focused on detecting such maliciously injected CAN packets. Nevertheless, most existing machine learning-based IDSs neither calculate the exact time intervals of the CAN packets nor utilize the counter information. Precise timing intervals are a crucial feature for detecting spoofing, fuzzing, and replay attacks, and counter information is also a significant feature that can detect fuzzing and replay attacks. Therefore, in this paper, we propose a methodology for extracting two detection features that are aware of CAN frame characteristics: the interframe space (IFS) between two consecutive CAN packets, and the counter information of a CAN data payload (i.e., data field). Using these features, we introduce decision tree-based IDS. We evaluate the proposed features with popular decision tree-based models such as random forest and extreme gradient boosting (XGBoost). The results show that our proposed IDS can detect maliciously injected CAN packets with an F1 score of 99.54% in binary classification and 97.99% in multi-class classification, which are higher scores than what existing machine/deep learning-based IDSs achieve. Additionally, we measure the detection time of our proposed IDS in both online and offline testing environments.