Modern vehicles are equipped with various types of electrical/electronic (E/E) systems. Electronic control units (ECUs) are used to control various E/E systems in the vehicle. For efficient information exchange between ECUs, most vehicle manufacturers use the Controller Area Network (CAN) protocol. However, CAN has security vulnerabilities because it does not have an authentication or encryption method. Since attacks on in-vehicle networks affect the safety of drivers, it is essential to develop a technology to prevent attacks. The intrusion detection system (IDS) is one of the best ways to enhance network security. Unlike the traditional IDS for network security, IDS for the in-vehicle network requires a lightweight algorithm because of the limitation of the computing power of in-vehicle ECUs. In this paper, we propose a lightweight IDS algorithm for in-vehicle CAN based on the degree of change between successive data frames. In particular, the proposed method minimizes the load on the ECU by using the CAN data frame compression algorithm based on exclusive-OR operations as a tool for calculating the degree of change.

1. Introduction

Modern vehicles are converging with advanced information and communication technology (ICT) to effectively cope with automotive emission regulations while providing users with a comfortable driving experience. This automotive-ICT convergence fusion is a new paradigm for developing next-generation automobiles [1, 2]. With the development of automobile-ICT convergence, various types of electrical/electronic (E/E) systems have begun to be installed in automobiles. The automotive E/E system consists of one or more sensors, actuators, and electronic control units (ECUs). The key element is the ECU [3]. Initially, ECU was introduced in automobiles to precisely control the engine’s core functions. However, in recent years, the ECUs have been expanded to improve vehicle performance and efficiently control various safety devices and amenities [4]. ECUs mounted inside the car have steadily increased in demand since their inception in the 1980s [5]. Various communication methods such as Controller Area Network (CAN), Local Interconnect Network (LIN), Media Oriented System Transport (MOST), and FlexRay were developed for efficient communication between ECUs as the number of ECUs mounted inside cars increased [6]. In particular, the CAN protocol was developed by BOSCH to support bus network topologies as the most representative of automotive in-vehicle network technologies [7].

The CAN protocol, established in 1993 as the “ISO 11898” standard, is an identity-based broadcast communication protocol as a serial communication technique that supports real-time communication [8, 9]. Bus-based CAN is used in many industries such as automobiles, robots, factory automation, airplanes, and medical devices with noise-resistant properties and low cost. However, CAN is vulnerable to cyberattacks because no authentication or encryption technique is applied. Because CAN operates in a multimaster manner, an attacker can read all signals sent and received on the connected bus through the approached node and can also collect and retransmit signals from other nodes [10]. Also, frequent Denial of Service attacks and Radio Frequency Jamming attacks that have often appeared in traditional IT environments can also be carried out against cars [11, 12]. In recent years, the intelligent transportation system has evolved into an Internet of Things (IoT) device where cars communicate with nearby vehicles or objects [13, 14]. As cars were recognized as IoT devices, various cyberattacks that have occurred in traditional ICT environments were transferred to the automotive environment.

In 2010, Koscher et al. [15] conducted an attack on a real car that forced the control of the ECU. In 2015, Miller and Valasek [16] published their findings on hacking connected cars at BlackHat, a global hacking conference. These findings show that cars can be targeted by cyberattacks. Automotive hacking studies conducted over the past decade point to CAN’s vulnerabilities as the biggest problem.

As CAN’s security concerns arise, various studies are being conducted to address them. There are studies that add authentication or encryption protocols [17]. Some of the proposed security techniques include the use of Identity-Based Encryption (IBE) [18]. However, applying these techniques requires modifying the CAN protocol of the ECU installed on all vehicles already on the market, which can be costly. Also, cryptographic techniques such as IBE are not suitable for applications to ECUs that own low-performance microcontroller units.

Other studies for automotive in-vehicle network security include the automotive intrusion detection system (IDS), which detects abnormal data frames in automotive in-vehicle networks. Automotive IDS analyzes the data frames sent and received from the in-vehicle network to determine whether they are in a normal or abnormal state and detects data frames that are maliciously injected due to vehicle hacking. Furthermore, automotive IDS has the advantage of not changing the system in the current automotive in-vehicle network structure.

Various types of automotive IDS techniques have been proposed. There are techniques that monitor the contents and the periodicity of the data frame. ECUs installed in the vehicle use a unique cycle to transmit data frames [19]. When attackers perform a replay or an impersonation attack, the ECU’s data frame transfer cycle changes. These characteristics allow us to detect malicious activity when an attack is carried out. However, it is not advisable to use only the data frame transfer cycle as a parameter for IDS, because if a remote frame occurs, the data frame transfer cycle may change. Several techniques utilize the properties of electric signals on the physical layer. ECUs communicate with each other via CAN transceivers. CAN transceivers of the same model have subtle differences when generating analog signals. This characteristic allows us to identify the ECUs mounted in the vehicle. That is, it can detect the data frame transmitted by the malicious module in addition to the normal ECU. These IDS techniques require hardware devices such as oscilloscopes to be installed to analyze analog signals. Adding expensive hardware devices to vehicles creates problems that increase the price of the vehicle.

This study proposes the IDS technique that can be mounted on low-performance ECUs. Our proposed IDS technique uses CAN data compression algorithms based on exclusive-OR operations to detect replay and impersonating attacks. The IDS technique we propose uses only exclusive-OR operations; therefore, it can be mounted on low-performance ECUs and does not use expensive hardware. Also, if a remote frame occurs and the data transfer cycle changes, there would be no problem performing the IDS function because it does not affect the data payload change.

The main contributions of this study are as follows:(1)Designing and developing Vehicular Multilevel Data Arrangement (V-MLDA) algorithms: we have upgraded the Multilevel Data Arrangement (MLDA) technique to use it for IDS for in-vehicle CAN.(2)V-MLDA-based IDS (V-M-IDS) design and development: we designed a V-M-IDS that uses V-MLDA to detect replay attacks and impossible attacks performed on in-vehicle CAN. A V-M-IDS algorithm design is mounted on Arduino.(3)V-M-IDS Performance Assessment: we conducted a three-step performance evaluation experiment.(i)Step 1: verify the V-M-IDS algorithm using CAN data set obtained from real vehicles(ii)Step 2: evaluate V-M-IDS performance using embedded devices(iii)Step 3: evaluate V-M-IDS performance based on automotive security living lab

This paper is organized as follows. In Section 2, we introduce the background of our work. In Section 3, we describe the related works. Section 4 presents the details of the proposed vehicular-MLDA-based IDS (V-M-IDS) technique. In Section 5, we describe the performance analysis of V-M-IDS.

2. Background

2.1. Automotive Electrical/Electronic System

The automotive electrical/electronic (E/E) system consists of one or more sensors, actuators, and ECUs. Typical automotive E/E system includes powertrain, chassis, body, and infotainment. E/E systems such as powertrains constitute subnetworks. The gateway ECU performs router functions among physically separated subnetworks. Figure 1 shows the in-vehicle subnetwork. ECUs in the E/E system use communication protocols such as CAN, LIN, FlexRay, MOST, and Ethernet to send and receive data to and from each other. Dual CAN is the most common automotive network protocol. CAN is used by powertrains and chassis subsystems that require real-time data processing.

2.2. CAN

The CAN protocol is a broadcast communication technique based on sender ID that supports bus network topology. By supporting the bus network topology, CAN dramatically reduces the complexity and length of communication lines between ECUs in the vehicle. For this reason, the automotive industry quickly introduced the CAN bus system. In 1993, it was established as the international standard of ISO (ISO11898). The CAN bus system is divided into two modes, standard CAN 2.0A (11-bit ID) and extended CAN 2.0B (29-bit ID) according to the length of the ID of the data frame.

The data frame structures of standard CAN 2.0A and extended CAN 2.0B are shown in Figure 2. Extended CAN 2.0B has an identifier of 29 bits. Unlike CAN 2.0A, CAN 2.0B has two ID fields. The IDE field separates the two ID fields. The Data Length Code (DLC) indicates the number of bytes in the data field. The data field contains data to be transmitted to other nodes and can use up to 8 bytes.

2.3. CAN Compression Algorithm

CAN data compression makes use of the fact that successive CAN data frames with the same ID do not change rapidly. ECUs use unique IDs to transmit data frames. By observing the data frame being transmitted periodically using a specific ID, it was confirmed that the CAN data field variation in the n − 1st transmitted data frame and the nth transmitted data frame was not significant. Using this characteristic, CAN compression algorithms were developed. The CAN compression algorithms developed to date have been classified into two main techniques.

The first technique is a compression technique that uses the predicted maximum measurement value (PMDV) between CAN data fields. The data compression ratio of the PMDV algorithm showed improved performance based on the accuracy of the maximum value prediction of the variation. Algorithms using PMDV had adaptive data reduction (ADR)/improved adaptive data reduction (IADR) [20, 21], enhanced data reduction (EDR) [22], and boundary of fifteen compression (BFC) algorithms [23].

The ADR/IADR algorithm transmits compressed data if the difference value of the continuous data frame is above the PMDV value, and if the PMDV value is above, the original data is transmitted. The difference between ADR and IADR algorithms is the number of IDs. ADR algorithms use two data frame IDs to distinguish between the compression data ID and the uncompressed ID. IADR algorithms represent compressed data if the first bit of the data field is one, and zero represents the original data [20, 21] to use only one data frame ID.

The EDR algorithm separates signals into two forms. Signals with a data length of five bits or more are called SDN type (signal, delta, no-change), and signals with data lengths shorter than five bits are called SN type (signal, no-change). In EDR algorithms, the first byte of a data field is used as data compression code (DCC). In DCC, zero means that the data is not compressed, and one means delta compression or it is fully compressed [22].

The BFC algorithm selects PMDV as ±15. Signals below five bits are defined as nonboundary of fifteen (NBF) signals, and signals above six bits are defined as boundary of fifteen (BF) signals. Each NBF signal is assigned a bit parameter compress (BPC) bit. The BPC is one when the NBF signal is compressed, and the BPC is zero when uncompressed. BF signals are assigned a parameter compression of two bits. It is a BF signal that is not compressed when the PC bit is 00, the BF signal is fully compressed when the PC bit is 01, the variation is positive BF signal when the PC bit is 10, and the variation is negative when the PC bit is 11 [23].

The second technique is a compression technique that uses a compression area selection (CAS) map [2427]. By using a CAS map, we avoid predicting the maximum value of the change. Also, the [2527] algorithm avoids the use of sign bits by using bitwise XOR operation when obtaining the variation between the old and current data. Section 3 describes the use of CAS maps in detail.

3.1. MLDA CAN Data Compression Algorithm

We proposed a MLDA CAN data compression algorithm to effectively reduce the amount of transmitted data [26]. In MLDA, the compression efficiency varies depending on how the CAN data is grouped and arranged in the 64-bit data field. Determination of the CAS map arrangement order to maximize the compression ratio is a necessary process in the early stage of the system, and data are transmitted/received according to the determined arrangement during system operation.

To determine the CAS map arrangement order in the MLDA algorithm, 64 bits of the CAN data field are grouped into 24-bit Sig A, Sig B, and 16-bit Sig C. When grouping CAN data, the high-order bits should consist of data with a small variation and the low-order bits should consist of data with a large variation to improve the compression ratio. When grouping three signals, it is possible to group signals in units of 8 bits, units of 4 bits, units of 2 bits, and units of 1 bit by analyzing the variation of 64 bits of the CAN data field. For example, when arranging in units of 8 bits, 64 bits of the CAN data field are expressed as B(n) (0 ≤ n ≤ 7). The XORed values of the previous and the current data frames are defined as a magnitude value (MV). The frequency value (FV) is calculated by MV. If MV is not 0, FV is 1; if MV is 0, FV is 0. Sm(n) is the sum of all the nth columns of the MV matrix, and Sf(n) is the sum of all the nth columns of the FV matrix.

Figure 3 shows a byte-level data arrangement map. Sfm(n) is a value that determines the arrangement position, and B(n) is arranged in (u0 ⟶ m0 ⟶ d0 ⟶ u1 ⟶ m1 ⟶ d1 ⟶ u2 ⟶ m2) in the order in which the value of Sfm(n) is large. The value of Sfm(n) is defined as follows:

λ is the weight factor between Sf(n) and Sm(n). Optimized λ is chosen from 0 to 3 by simulation. The 4-bit unit, 2-bit unit, and 1-bit unit arrays are extensions of the 8-bit unit array. The scope of B(n) is expanded and the process is conducted in the same way.

After dividing the CAN data into three signals, the XOR value between the previous data frame and the current data frame of each signal is calculated. If the calculated XOR value of a signal is 0, the corresponding header bit is set to 0. If the calculated XOR value of a signal is not 0, the corresponding header bit is set to 1. When composing the memory map of the CAN data field, the transmitting ECU places the 3 header bits in the least significant bit as shown in Table 1. The XOR values of the signal whose header bit is 1 are alternately arranged from the least significant. The length of the signal transmitted is the maximum value of the length of signals A, B, and C, starting at MSB, with bits having a value of 0 removed until the first 1 appears. The receiving ECU places the header bit and the received XOR value in the CAS map. The receiving ECU restores the current data by calculating the XOR value between the received XOR value and the previous data.

3.2. Automotive IDS

Automotive IDS detects normal or attack CAN data frames by analyzing various patterns and characteristics generated on the CAN bus. That is, Automotive IDS establishes a training or normal model for system behavior. The IDS then compresses the current system’s activity with previously captured normal models to detect changes in behavior and classifies deviations above a certain range as abnormal.

In [28], the authors proposed a technique for detecting an attack and identifying the ECU using clock skew (timing error) that reflects the hardware characteristics of the clock source constituting the ECU. Even ECUs that transmit data frames in the same period have different unique clock skews due to the characteristics of the hardware clock source. Therefore, when the clock skew of the CAN data frame fluctuates more than a specific value, it is detected as an attack. They also proposed VIDEN (voltage-based attacker identification) based on the characteristic that the CAN signals generated by ECUs are different due to the difference in voltage supplied to each ECU [29]. However, in the case of a technique that utilizes hardware characteristics, there is a limitation that it may be affected by the internal and external temperature of the vehicle or the driving environment. Also, there is a problem that an additional is required to analyze analog signals.

In [30], the authors proposed a technique to detect attacks by calculating the entropy of CAN data frames transmitted to the CAN bus. In an attack situation where a large number of specific CAN data frames are injected, the attack is detected based on the characteristic that the entropy value of the corresponding CAN data frames increases. The authors also showed limitations for the recognition of small-scale attacks which could be part of the normal vehicle or user behavior. In [19], the authors proposed a technique to check the period of the CAN data frame transmitted in the CAN bus. Using the characteristic that CAN data frames are transmitted at regular intervals in a normal state, data frames with a shorter or longer period than the normal period were detected as an attack. In the case of a technique that utilizes the data frame generation period, it may be greatly affected by the remote frame. When a remote frame occurs, the data frame transmission period may be changed.

4. Proposed IDS Technique

This article suggests the IDS technique that is mounted on low-performance ECUs. The IDS technique we proposed detects attacks by measuring the degree of change in the data payload in the CAN data frame that the ECUs transmitted. MLDA technique is used to quickly calculate the degree of change in data payloads, even in low-performance ECUs.

4.1. Attack Model

Figure 4 represents the attack model in this paper. The threat agent, Node B, is capable of sniffing data frames sent by other ECUs. Node A is a normal ECU. In this paper, it was assumed that the data frames transmitted by Node A were used to control the vehicle. Node B then sniffed the data frames transmitted by Node A and used them for retransmission attacks. When Node B performs the retransmission attack, it uses the same cycle as the data frame transmission cycle of Node A.

4.2. MLDA CAN Data Compression Algorithm

The MLDA method is an efficient compression algorithm that uses only exclusive-OR operations. However, the MLDA technique cannot be used in vehicle environments. The MLDA technique does not transfer data frames when the data payloads of the n-1st data frame and the nth data frame are the same; i.e., if the compression ratio is 100%, it does not transmit the data frame. However, in an automotive environment, CAN data frames must be transmitted at a fixed interval. We designed the vehicular-MLDA (V-MLDA) technique, which upgraded the basic MLDA technique to apply the MLDA technique to the vehicle environment.

The MLDA algorithm does not transmit data when the variation between the previous and current data is zero. This can reduce the busload. However, if the data do not change for a long time, the receiving ECU does not know if it is disconnected from the transmitting ECU. To solve this problem, a vehicle multilevel data arrangement algorithm is proposed. In the algorithm, when the variation between the previous and current data is zero, the transmitting ECU transmits one-byte data filled with zero bits. Since x ⊕ 0 = x, the receiving ECU restores the current data through the previous and received data. Through this, the busload increases, but the receiving ECU periodically receives the transmitting ECU data.

4.3. V-MLDA-Based IDS Technique

The ECUs that make up the automotive E/E system configure the network and transmit the information they collect to other ECUs at specific intervals. In general, the CAN protocol is used for network configuration. Therefore, ECUs periodically broadcast CAN data frames to the in-vehicle network using the data frames defined in the CAN protocol. The transmission cycle is between 10 ms and hundreds of milliseconds depending on the importance. For example, ECUs belonging to the powertrain or chassis system (the most important electronic control system in automobiles) transmit the state information they collect to surrounding ECUs every 10 ms.

Considering these characteristics of ECUs participating in the CAN network, we assume that the normal and attack states of the data frame transmitted by the ECU are as follows.

First, the degree of data change between successive data frames is small. Figure 5 illustrates the speed change of a car in seconds and milliseconds. The figure on the left shows the speed change of the car in seconds, and the figure on the right shows it in milliseconds. If an ECU transmits the vehicle’s current speed data in a 10 ms cycle, then we will have the image on the left. In the circle in the left picture, the car’s speed increases by 10 km/h for 6 seconds. During that time, the ECU divides these changes into 600 data frames and transmits them. Therefore, the difference between successive data frames is about 0.016 km/h; i.e., the data changes in the previous and current frames do not differ significantly. In other words, if the degree of change in the data frame has more variation than the normal data frame, the data frame is determined as an attack.

Second, the car’s state does not change in milliseconds, nor does it change by successive data frames. The ECU transmits the state information to the data in the CAN data frame when the car’s state changed. The changes in the vehicle’s state caused by those in the user’s behavior or surroundings are maintained for a period; i.e., a data frame that reflected the vehicle’s state change is transferred; a data frame that remained in the same state for a period is transmitted. In other words, if the car’s state is changed by successive data frames, the frame can be determined as an attack.

Third, a replay attack is done by injecting multiple data frames in succession. A replay attack is an attack that captures a normal data frame and sends it back at the time of the attack. In a normal state, the change between data frames is small. Therefore, it is common for an attacker to intensively inject large amounts of attack data to cause a catastrophic malfunction; i.e., a data frame with a large degree of change in the data frame in a normal state may appear once or twice in a row. However, if the data frame with a large degree of change in the data frame appears more than three times in a row, the data frame is determined as an attack.

The V-M-IDS technique detects intrusion into the automotive in-vehicle network by calculating the degree of change between the data that the ECU periodically transmitted based on assumptions about normal and abnormal states. In the foregoing, it was assumed that there is less change between successive data frames in the normal state. Therefore, if the degree of change is below the threshold by calculating the degree of change between the current and the previous data frames, it is considered normal. If the degree of change exceeds the threshold, an attack is assumed. Second, it is assumed that the car’s state does not change by successive data frames. Therefore, if the degree of change is below the threshold, the degree of change in the data frame sent immediately after the data frame exceeding the threshold is considered normal. However, if the degree of change in the data frame sent immediately after exceeded the threshold, an attack is assumed. Third, a replay attack is assumed to inject multiple data frames in succession. Therefore, if a data frame that exceeds the threshold in succession appears no more than three times, it was considered normal. However, if it exceeds the threshold more than three times, it is determined that an attack data frame was injected and detects that an intrusion has occurred in the network. Equation (2) shows how the degree of change in the data frame is calculated:

The algorithm of the proposed technique has been shown in Algorithm 1.

 cas_map: the data arrangement order for MLDA compression.
 threshold: maximum value of the degree of variation in normal state.
 limit_changes: maximum acceptable limit of abnormal data frames in normal state.
 prev_msg ← 0
 attack_cnt ← 0
(3)while message with ID arrives do
(4) xor_msg ← prev_msg ^ message
(5) comp_msg ← compress_with_v_mlda(xor_msg, cas_map)
(6) degree ← (bit_length(comp_msg)/bit_length(message)) ∗ 100.
(7)if degree > threshold then
(8)  attack_cnt ← attack_cnt +1
(10)  attack_cnt ← 0
(11)if attack_cnt > limit_changes then
(12)  notify_attack()
(13) prev_msg ← message

Algorithm 1 uses three parameters. The first one is the CAS map data arrangement order for MLDA compression. The second parameter is a threshold value that characterizes the degree of the calculated variation as normal or abnormal. Variations greater than the threshold are considered abnormal. The last parameter is the maximum acceptable limit of abnormal data frames. An attack is detected when the number of abnormal data frames exceeds the maximum acceptable limit, whereby the attack notification function (notify_attack()) is called, which sends an attack detection data frame (ID 0x700: Data payload FF FF FF FF FF FF FF FF).

5. Experimental Results

To analyze the performance of the proposed V-M-IDS technique, we performed a three-step performance evaluation.(i)Step 1: verify the V-M-IDS algorithm using the CAN data set obtained from a real vehicle(ii)Step 2: evaluate V-M-IDS performance using embedded devices(iii)Step 3: evaluate V-M-IDS performance based on automotive security living lab [w14]

5.1. Step 1

We used a CAN data set obtained from a real vehicle to validate the V-M-IDS algorithm. The V-M-IDS algorithm was implemented in C. The V-M-IDS algorithm was applied to the data set to detect the attack, and all data frames were determined as normal. As for V-M-IDS implementation, the entire data were scanned and the CAS map was configured; then, the MLDA compression technique was applied to calculate the degree of change. The threshold for determining whether an attack was used was 50. Table 2 shows the degree and count of changes in the 199,531 data frames of the ECU, which was the ID 0x123 of the monitoring data. Table 2 confirms that 663 data frames showed a change that exceeded the threshold of 50 but was determined to be a normal state change.

5.2. Step 2

Next, the performance evaluation of V-M-IDS was performed using embedded devices. To this end, V-M-IDS was mounted on Arduino. After implementing an ECU emulator and attack device in the lab, it was confirmed that it detected attacks in the situation of performing CAN communication.

The V-M-IDS mounted on Arduino set the threshold to 50; the same was verified by Step 1. The first 3,000 data frames were used to configure the CAS map and to perform intrusion detection from the 3,001st data frame. When an intrusion was detected, the ID 0x700 was implemented to transmit the attack detection data frame (FF FFFFFFFFFFFFFF) to the ECU. The ECU emulator and attack device were mounted on the NUCLEO board. The ECU emulator was implemented to sequentially transmit eight-byte data frames 00 FF 00 00 D0 11 11 11, 00 FF 00 00 D0 22 22 22, …, 00 FF 00 00 D0 FFFFFF in a cycle of 10 ms with ID 0x390. With a click of the black button on the board, the attack device was made to inject eight-byte attack data frames (FF FFFFFFFFFFFF FF) 10 times in a cycle of 10 ms with the same ID as the ECU emulator, 0x390. The CAN network was monitored using PCAN-Explorer. Table 3 and Figure 6 show the configuration of V-M-IDS, ECU emulator, and attack device.

Using embedded devices, Figure 7 shows the performance evaluation results of V-M-IDS. There was no detection of the normal state data frame of the ECU emulator as an attack. The attack was injected at the 101.9925 time. The attack was detected at the 102.0116 time, when there occurred data frames with a degree of change higher than 50 four times in a row. Detecting attacks could be determined using the V-M-IDS implemented on embedded devices and transmitting the attack detection data frame to the ID 0x700 ECU at the 101.0127 time.

5.3. Step 3

Finally, the automotive security living lab performed a V-M-IDS performance evaluation by connecting to the CAN communication of the actual vehicle. An automotive security living lab was established by Korea Internet & Security Agency (KISA) to create a safe use environment through security internalization by preventing and responding to security threats from the development of autonomous vehicles and autonomous driving services. Table 4 shows the main functions of the automotive security living lab.

Figure 8 shows the performance evaluation environment of the automotive security living lab.

The performance evaluation was performed as follows:(1)Connect the V-M-IDS devices built in Step 2 to the experimental ENVIRONMENT CAN network(2)Build a CAS map using 3,000 data frames in normal autonomous driving situations(3)Ensure that V-M-IDS detects normal autonomous driving data frames as attacks(4)Verify detection after conducting security threats to operate automotive security living lab handles

V-M-IDS was implemented to monitor the data frame of the handle operation ECU (ID 0x390). Embedded devices implemented by V-M-IDS were connected to the CAN network in addition to the CAN interface. Attacks on the CAN network and monitoring the CAN network were performed using the network simulator CANoe. Table 5 shows the automotive security living lab performance evaluation results. During normal autonomous driving, it did not occur to detect normal state data frames as attacks. The attack was injected at the time 705.517106. Detection of the attack occurred at the time 705.573966, the fourth consecutive time of data frames with a change of more than 50. Detecting an attack could be determined using the V-M-IDS that transmitted an attack detection data frame to the ID 0x700 ECU at the time 705.573966.

6. Conclusions

This study proposed an automotive IDS technique using CAN data frame compression algorithms. Performance evaluation of the proposed technique demonstrated that V-M-IDS could be mounted on low-spec ECUs. Three phases of experimentation were conducted for realistic performance evaluation, and final performance verification was completed on automotive security living labs to execute experiments in the same environment as real-world vehicles [31]. If the V-M-IDS technique could be integrated with the existing IDS techniques and applied to in-vehicle CAN, it would increase the detection rate of the existing IDS solutions.

Two additional future studies are needed for the V-M-IDS technique to be applied to the actual vehicle environment. First, in a vehicle environment, what is as important as the detection of cyberattacks is the postdetection response phase [32]. In the future, we plan to conduct further research to bring vehicles into a safe state based on the risk of attacks detected with V-M-IDS.

Second, if an automotive security living lab based on a digital twin [33] was developed, the initial learning process of the V-M-IDS technique would be simplified. We plan to design an automotive security living lab based on a digital twin [33] for the initial learning process of the V-M-IDS technique.

Data Availability

The data used in this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.


The present research was supported by the research fund of Dankook University in 2019.