Connected vehicles are threatened by cyber-attacks as in-vehicle networks technologically approach (mobile) LANs with several wireless interconnects to the outside world. Malware that infiltrates a car today finds potential victims in constrained, barely shielded Electronic Control Units (ECUs). Many ECUs perform critical driving functions, which stresses the need for hardening the security and resilience of in-vehicle networks in a multifaceted way. Future vehicles will comprise Ethernet backbones that differentiate services via Time-Sensitive Networking (TSN). The well-known vehicular control flows will follow predefined schedules and TSN traffic classifications. In this paper, we exploit this traffic classification to build a network anomaly detection system. We show how filters and policies of TSN can identify misbehaving traffic and thereby serve as distributed guards on the data link layer. On this lowest possible layer, our approach derives a highly efficient network protection directly from TSN. We classify link layer anomalies and micro-benchmark the detection accuracy in each class. Based on a topology derived from a real-world car and its traffic definitions, we evaluate the detection system in realistic macro-benchmarks based on recorded attack traces. Our results show that the detection accuracy depends on how exactly the specifications of in-vehicle communication are configured. Most notably, for a fully specified communication matrix, our anomaly detection remains free of false-positive alarms, which is a significant benefit for implementing automated countermeasures in future vehicles.
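The following added example, which is not code from the paper, sketches how a link-layer guard of this kind can be modelled. It assumes the TSN mechanism is per-stream filtering and policing (IEEE 802.1Qci style) with a token-bucket flow meter, that streams are identified by destination MAC, VLAN and priority, and that the three anomaly class names, the communication matrix and the trace are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StreamSpec:
    """One row of a communication matrix (all values here are constructed)."""
    max_frame_bytes: int
    rate_bps: int      # committed rate of the flow meter
    burst_bytes: int   # token bucket depth

class IngressGuard:
    """Stream filter plus token-bucket meter for one switch port (simplified model)."""
    def __init__(self, matrix):
        self.matrix = matrix
        self.tokens = {k: s.burst_bytes for k, s in matrix.items()}
        self.last_us = dict.fromkeys(matrix, 0)

    def check(self, t_us, dst_mac, vlan, pcp, size):
        """Return None for a conforming frame, else the (hypothetical) anomaly class."""
        key = (dst_mac, vlan, pcp)
        spec = self.matrix.get(key)
        if spec is None:
            return "unknown_stream"      # no matching entry in the matrix
        if size > spec.max_frame_bytes:
            return "oversized_frame"
        # Integer microsecond arithmetic keeps the meter deterministic.
        refill = (t_us - self.last_us[key]) * spec.rate_bps // 8_000_000
        self.tokens[key] = min(spec.burst_bytes, self.tokens[key] + refill)
        self.last_us[key] = t_us
        if self.tokens[key] < size:
            return "rate_exceeded"       # flagged frames consume no tokens
        self.tokens[key] -= size
        return None

def scan(matrix, trace):
    """Run a trace through one guard and return (time_us, anomaly) pairs."""
    guard = IngressGuard(matrix)
    return [(f[0], v) for f in trace if (v := guard.check(*f))]

# Constructed matrix: one control stream, 100-byte frames every 10 ms.
CONTROL = ("01:00:5e:00:00:10", 10, 6)
MATRIX = {CONTROL: StreamSpec(max_frame_bytes=100, rate_bps=80_000, burst_bytes=100)}
# Constructed trace: (time_us, dst_mac, vlan, pcp, frame_bytes)
TRACE = [
    (0, *CONTROL, 100),
    (10_000, *CONTROL, 100),
    (12_000, *CONTROL, 100),                 # extra frame inside the period
    (20_000, *CONTROL, 100),
    (21_000, "02:00:00:00:00:99", 10, 6, 64),  # stream not in the matrix
    (30_000, *CONTROL, 1500),                # larger than specified
]
```

Frames that match the matrix in identity, size and timing pass without an alarm, which mirrors the abstract's point that a fully specified communication matrix leaves no room for false positives.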