Vehicular controller area networks (CANs) are susceptible to masquerade attacks by malicious adversaries. In a masquerade attack, the adversary silences a targeted ID and then sends malicious frames with forged content at the expected timing of the benign frames. Because masquerade attacks can seriously harm vehicle functionality and are the stealthiest attacks to detect in CAN, recent work has devoted attention to comparing frameworks for detecting masquerade attacks in CAN. However, most existing works report offline evaluations on previously collected CAN logs, using simulations that do not comply with the domain's real-time constraints. Here we advance the state of the art by introducing a benchmark study of four different non-deep learning (DL)-based unsupervised online intrusion detection systems (IDS) for masquerade attacks in CAN. Our approach differs from existing benchmarks in that we analyze the effect of controlling streaming data conditions in a sliding window setting. In doing so, we use realistic masquerade attacks replayed from the ROAD dataset. We show that although the benchmarked IDS are not effective at detecting every attack type, the method that relies on detecting changes in the hierarchical structure of clusters of time series produces the best results, at the expense of higher computational overhead. We discuss limitations, open challenges, and how the benchmarked methods can be used for practical unsupervised online CAN IDS for masquerade attacks.
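The best-performing approach in the abstract, detecting changes in the hierarchical cluster structure of per-ID time series within a sliding window, can be illustrated with the following added example; it is not the paper's code. It builds a single-linkage hierarchy from correlation distances between signals, compares each window's cophenetic distances to a baseline window, and flags windows whose structure shifts. The CAN IDs, the signal shapes, the constant forged payload and the threshold are all constructed assumptions.

```python
import math
import random
from itertools import combinations

def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (sa * sb) if sa and sb else 0.0  # constant series (e.g. fixed forged payload) -> 0

def cophenetic(window):
    """Single-linkage hierarchy over per-ID series: {(i, j): height at which i and j merge}."""
    ids = sorted(window)
    dist = {(i, j): 1.0 - abs(pearson(window[i], window[j])) for i, j in combinations(ids, 2)}
    members, root = {i: {i} for i in ids}, {i: i for i in ids}
    coph = {}
    for (i, j), d in sorted(dist.items(), key=lambda kv: kv[1]):
        ri, rj = root[i], root[j]
        if ri == rj:
            continue  # already joined lower in the tree
        for a in members[ri]:
            for b in members[rj]:
                coph[(min(a, b), max(a, b))] = d
        root.update({m: ri for m in members[rj]})
        members[ri] |= members.pop(rj)
    return coph

def score_windows(signals, size, step, threshold):
    """Slide over aligned per-ID series; baseline = first window. Score = largest change in
    cophenetic distance versus baseline; a window is flagged when score > threshold."""
    n = len(next(iter(signals.values())))
    base, out = None, []
    for start in range(0, n - size + 1, step):
        coph = cophenetic({k: v[start:start + size] for k, v in signals.items()})
        base = base or coph
        s = max(abs(coph[p] - base[p]) for p in base)
        out.append((start, round(s, 3), s > threshold))
    return out

def constructed_signals(n=600, attack_at=300):
    """Constructed sample: a wheel-speed ID tracks the speed ID, a temperature ID is unrelated.
    From attack_at on, a masquerading node sends the wheel ID with a fixed forged payload."""
    rng = random.Random(7)
    speed = [math.sin(0.05 * t) for t in range(n)]
    wheel = [2.0 * v + 0.3 if t < attack_at else 0.5 for t, v in enumerate(speed)]
    temp = [rng.gauss(0, 1) for _ in range(n)]
    return {"0x0F0": speed, "0x1A5": wheel, "0x2C0": temp}
```

Running `score_windows(constructed_signals(), 100, 50, 0.5)` keeps the benign windows below threshold and flags every window after the forged payload starts, because the speed and wheel series no longer merge near height 0.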