Controller Area Network (CAN) is an essential networking protocol that connects multiple electronic control units (ECUs) in a vehicle. However, CAN-based in-vehicle networks (IVNs) face security risks owing to the CAN mechanisms. An adversary can sabotage a vehicle by leveraging the security risks if they can access the CAN bus. Thus, recent actions and cybersecurity regulations (e.g., UNR 155) require carmakers to implement intrusion detection systems (IDSs) in their vehicles. The IDS should detect cyberattacks and provide additional information to analyze conducted attacks. Although many IDSs have been proposed, considerations regarding their feasibility and explainability remain lacking. This study proposes X-CANIDS, which is a novel IDS for CAN-based IVNs. X-CANIDS dissects the payloads in CAN messages into human-understandable signals using a CAN database. The signals improve the intrusion detection performance compared with the use of bit representations of raw payloads. These signals also enable an understanding of which signal or ECU is under attack. X-CANIDS can detect zero-day attacks because it does not require any labeled dataset in the training phase. We confirmed the feasibility of the proposed method through a benchmark test on an automotive-grade embedded device with a GPU. The results of this work will be valuable to carmakers and researchers considering the installation of in-vehicle IDSs for their vehicles.

翻译：控制器局域网（CAN）是连接车辆中多个电子控制单元（ECU）的核心网络协议。然而，由于CAN机制固有的安全缺陷，基于CAN的车内网络（IVN）面临严峻安全风险。攻击者一旦能够接入CAN总线，便可能利用这些安全漏洞破坏车辆。为此，近期行动及网络安全法规（如UNR 155）要求汽车制造商在车辆中部署入侵检测系统（IDS）。该IDS需具备网络攻击检测能力，并能提供攻击分析的附加信息。尽管已有众多IDS方案被提出，但其工程可行性与可解释性方面的考量仍存在不足。本文提出X-CANIDS——一种针对CAN-IVN的新型入侵检测系统。该系统通过CAN数据库将CAN消息中的有效载荷解析为人类可理解的信号，相较于原始有效载荷的比特表示，这些信号显著提升了入侵检测性能。同时，信号机制还能明确标识受攻击的具体信号或ECU。由于无需在训练阶段使用任何标注数据集，X-CANIDS具备检测零日攻击的能力。我们通过在集成GPU的汽车级嵌入式设备上进行基准测试，验证了该方法的实际可行性。本研究结果将为考虑在车辆中部署车载IDS的汽车制造商及研究人员提供重要参考价值。