Controller Area Network (CAN) is an essential networking protocol that connects multiple electronic control units (ECUs) in a vehicle. However, CAN-based in-vehicle networks (IVNs) face security risks owing to the CAN mechanisms. An adversary can sabotage a vehicle by leveraging the security risks if they can access the CAN bus. Thus, recent actions and cybersecurity regulations (e.g., UNR 155) require carmakers to implement intrusion detection systems (IDSs) in their vehicles. An IDS should detect cyberattacks and provide a forensic capability to analyze attacks. Although many IDSs have been proposed, considerations regarding their feasibility and explainability remain lacking. This study proposes X-CANIDS, which is a novel IDS for CAN-based IVNs. X-CANIDS dissects the payloads in CAN messages into human-understandable signals using a CAN database. The signals improve the intrusion detection performance compared with the use of bit representations of raw payloads. These signals also enable an understanding of which signal or ECU is under attack. X-CANIDS can detect zero-day attacks because it does not require any labeled dataset in the training phase. We confirmed the feasibility of the proposed method through a benchmark test on an automotive-grade embedded device with a GPU. The results of this work will be valuable to carmakers and researchers considering the installation of in-vehicle IDSs for their vehicles.

翻译：控制器局域网络（CAN）是连接车辆多个电子控制单元（ECU）的重要网络协议。然而，由于CAN机制的内在缺陷，基于CAN的车载网络面临安全风险。攻击者一旦接入CAN总线，便可利用这些安全漏洞破坏车辆。因此，近期行动与网络安全法规（如UNR 155）要求汽车制造商在车辆中部署入侵检测系统。入侵检测系统需同时具备网络攻击检测能力与攻击分析取证功能。尽管已有多种入侵检测方案被提出，但其可行性及可解释性仍缺乏充分考量。本研究提出X-CANIDS——一种面向CAN车载网络的新型入侵检测系统。X-CANIDS通过CAN数据库将CAN报文中的有效载荷解析为人类可理解的信号。相较于直接使用原始载荷的位向量表示，这些信号能显著提升入侵检测性能，同时可明确识别受攻击的具体信号或ECU。由于训练阶段无需标注数据集，X-CANIDS可检测零日攻击。我们在搭载GPU的车规级嵌入式设备上通过基准测试验证了该方法的可行性。研究成果将为考虑部署车载入侵检测系统的汽车制造商及研究人员提供重要参考价值。