G-IDCS: Graph-Based Intrusion Detection and Classification System for CAN protocol

The security of in-vehicle networks has become an important issue as automobiles become more connected and automated. In this paper, we propose a window-based intrusion detection and classification technology, named G-IDCS, which aims to enhance the security of the in-vehicle controller area network (CAN) protocol. Existing intrusion detection systems (IDSs) using graph theory suffer from limitations, such as requiring a large number of CAN messages for detection and being unable to classify attack types despite analyzing numerous messages. Meanwhile, machine learning or deep learning-based systems have limited sensitivity to environmental changes such as attack type change due to model overfitting, and are unable to provide explanations for classification decisions. Using various graph features, our threshold-based intrusion detection method overcomes these limitations by integrating a threshold-based IDS and a machine learning-based attack type classifier. Our threshold-based intrusion detection method of G-IDCS reduces the number of CAN messages required for detection by more than 1/30 and improves the accuracy of combined attack detection by over 9% compared to an existing intrusion detection method that uses graph theory. Furthermore, unlike existing machine learning and deep learning-based intrusion detection systems, our threshold classifier is robust to changes in attack types and can provide explanations for the features used in attack detection. In addition, our machine learning-based attack type classifier outperforms existing techniques in all performance metrics and can serve as a digital forensic tool for investigating cyber attacks on in-vehicle networks. Using the classifier to identify attack types can facilitate the design of corresponding protection methods, thereby enhancing the security of in-vehicle networks.