Controller Area Network (CAN) is an essential networking protocol that connects multiple electronic control units (ECUs) in a vehicle. However, CAN-based in-vehicle networks (IVNs) face security risks owing to the CAN mechanisms. An adversary can sabotage a vehicle by leveraging the security risks if they can access the CAN bus. Thus, recent actions and cybersecurity regulations (e.g., UNR 155) require carmakers to implement intrusion detection systems (IDSs) in their vehicles. The IDS should detect cyberattacks and provide additional information to analyze conducted attacks. Although many IDSs have been proposed, considerations regarding their feasibility and explainability remain lacking. This study proposes X-CANIDS, which is a novel IDS for CAN-based IVNs. X-CANIDS dissects the payloads in CAN messages into human-understandable signals using a CAN database. The signals improve the intrusion detection performance compared with the use of bit representations of raw payloads. These signals also enable an understanding of which signal or ECU is under attack. X-CANIDS can detect zero-day attacks because it does not require any labeled dataset in the training phase. We confirmed the feasibility of the proposed method through a benchmark test on an automotive-grade embedded device with a GPU. The results of this work will be valuable to carmakers and researchers considering the installation of in-vehicle IDSs for their vehicles.

翻译：控制器局域网络（CAN）是连接车辆中多个电子控制单元（ECU）的核心网络协议。然而，基于CAN的车载网络（IVN）因其机制存在安全风险。若攻击者能够访问CAN总线，便可利用这些安全漏洞破坏车辆。因此，近期行动与网络安全法规（如UNR 155）要求汽车制造商在车辆中部署入侵检测系统（IDS）。该IDS需能检测网络攻击，并提供附加信息以分析已发生的攻击行为。尽管已有众多IDS方案被提出，但在其可行性及可解释性方面仍存在不足。本研究提出X-CANIDS——一种面向CAN-IVN的新型入侵检测系统。X-CANIDS通过CAN数据库将CAN消息中的有效载荷解析为人类可理解的信号，相较于原始有效载荷的比特表示法，这些信号显著提升了入侵检测性能。同时，这些信号可揭示受攻击的具体信号或ECU。由于X-CANIDS在训练阶段无需标注数据集，因而具备检测零日攻击的能力。我们通过在搭载GPU的车规级嵌入式设备上进行基准测试，验证了该方法的可行性。本研究结果将为考虑在车辆中部署车载IDS的汽车制造商及研究人员提供重要参考价值。