Current vehicular Intrusion Detection and Prevention Systems either incur high false-positive rates or fail to capture zero-day vulnerabilities, leading to safety-critical risks. In addition, prevention is limited to a few primitive options, such as dropping network packets, or to extreme ones, e.g., forcing an ECU into the Bus-off state. To fill this gap, we introduce the concept of vehicular Intrusion Resilience Systems (IRS), which ensure the resilience of critical applications despite assumed faults or zero-day attacks, as long as the threat assumptions are met. An IRS runs a vehicular application in a replicated way, i.e., as a Replicated State Machine, over several ECUs, and requires the replicated processes to reach a form of Byzantine agreement before changing their local state. Our study builds on the evolution of modern vehicular environments, which are closing the gap between simple, resource-constrained "real-time and embedded systems" and complex, powerful "information technology" ones. It shows that current vehicle (e.g., Zonal) architectures and networks are becoming plausible hosts for such modular fault- and intrusion-tolerance solutions, which were deemed too heavy in the past. Our evaluation on a simulated Automotive Ethernet network running two state-of-the-art agreement protocols (Damysus and HotStuff) shows that the achieved latency and throughput are feasible for many automotive applications.
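The replicated-state-machine idea in the abstract, as an added example that is not part of the paper or its artifacts: a toy round in which N = 3f+1 ECU replicas accept a state change only after collecting 2f+1 authenticated, matching votes. It is a simplified quorum-vote model, not Damysus or HotStuff; the per-ECU MAC keys, the `torque_limit` state field, the command encoding and the four-ECU layout are all assumptions made here for illustration.

```python
"""Toy replicated-state-machine round over N = 3f+1 ECU replicas: a replica
changes its local state only after collecting 2f+1 authenticated, matching
votes. Simplified quorum-vote model for illustration; it is not the Damysus
or HotStuff protocol, and keys, commands and ECU count are assumed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

F = 1                 # Byzantine replicas the threat model admits
N = 3 * F + 1         # four ECUs (assumed layout)
QUORUM = 2 * F + 1    # three valid, matching votes


def digest(seq: int, cmd: tuple) -> bytes:
    """Canonical bytes of a (sequence number, command) pair."""
    return hashlib.sha256(f"{seq}|{cmd[0]}|{cmd[1]}".encode()).digest()


@dataclass
class Replica:
    rid: int
    key: bytes                            # per-ECU MAC key, assumed pre-provisioned
    evil_cmd: Optional[tuple] = None      # a Byzantine replica pushes this instead
    state: dict = field(default_factory=lambda: {"seq": 0, "torque_limit": 100})

    def vote(self, seq, cmd, forge_as=None):
        """Emit (voter, seq, cmd, mac). A Byzantine replica may substitute its
        own command or stamp another replica's id on the vote."""
        voted = cmd if self.evil_cmd is None else self.evil_cmd
        voter = self.rid if forge_as is None else forge_as
        mac = hmac.new(self.key, digest(seq, voted), "sha256").digest()
        return (voter, seq, voted, mac)

    def try_apply(self, seq, votes, keys):
        """Apply the one command backed by >= QUORUM distinct verified votes.
        Any two quorums of 2f+1 out of 3f+1 overlap in an honest replica, so
        at most one command can win while at most f replicas are Byzantine."""
        if seq != self.state["seq"] + 1:
            return None
        support = {}
        for voter, vseq, vcmd, mac in votes:
            if vseq != seq or voter not in keys:
                continue
            expected = hmac.new(keys[voter], digest(seq, vcmd), "sha256").digest()
            if hmac.compare_digest(mac, expected):      # drops forged votes
                support.setdefault(vcmd, set()).add(voter)
        winners = [c for c, s in support.items() if len(s) >= QUORUM]
        if not winners:
            return None                                 # no agreement: keep state
        if len(winners) > 1:
            raise RuntimeError("quorum intersection broken: threat assumption violated")
        name, value = winners[0]
        self.state[name] = value
        self.state["seq"] = seq
        return winners[0]


def run_round(proposal, byzantine, evil_cmd, forge=False):
    """One agreement round; returns the torque_limit each honest ECU ends with.
    `byzantine` is the set of replica ids under attacker control."""
    # constructed keys for the example; a real deployment would provision them
    keys = {i: hashlib.sha256(f"constructed-key-{i}".encode()).digest() for i in range(N)}
    replicas = [Replica(i, keys[i], evil_cmd if i in byzantine else None) for i in range(N)]
    seq, votes = 1, []
    for r in replicas:
        votes.append(r.vote(seq, proposal))
        if r.evil_cmd is not None and forge:
            # impersonation attempt: votes in every other replica's name,
            # computed with the attacker's own key, so MAC checks fail
            votes += [r.vote(seq, proposal, forge_as=o) for o in range(N) if o != r.rid]
    honest = [r for r in replicas if r.evil_cmd is None]
    for r in honest:
        r.try_apply(seq, votes, keys)
    return [r.state["torque_limit"] for r in honest]


if __name__ == "__main__":
    # one compromised ECU voting to zero the torque limit and forging votes
    print(run_round(("torque_limit", 60), {3}, ("torque_limit", 0), forge=True))
    # two compromised ECUs (beyond f): no quorum forms, honest state untouched
    print(run_round(("torque_limit", 60), {2, 3}, ("torque_limit", 0)))
```

The first round shows what the abstract means by resilience rather than detection: the compromised ECU's vote and its forged votes never reach the 2f+1 threshold, so the honest replicas apply the legitimate command without ever classifying the attacker's traffic. The second round shows the "as long as threat assumptions are met" caveat: with f+1 compromised replicas the honest ones no longer reach agreement, so this toy model stops making progress rather than applying the attacker's command.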