Intrusion Prevention System Against Spoofed Data Frames at the Electronic Control Unit Level

Zhengyuan Liu1, Weidong Yang2,3, Shuguang Wang4,5,*, Hongwei Fan1

Corresponding Author:

Shuguang Wang

Affiliation(s):

1College of Information Science and Engineering, Henan University of Technology, Zhengzhou, Henan, 450000, China

2School of Artificial Intelligence and Big Data, Henan University of Technology, Zhengzhou, Henan, 450000, China

3Hangzhou Institute of Technology, Xidian University, Hangzhou, Zhejiang, 310000, China

4School of Computer Science and Technology, Xidian University, Xi’an, Shanxi, 710126, China

5Shandong Institute of Standardization, Jinan, Shandong, 250014, China

*Corresponding author

Abstract:

The Controller Area Network (CAN) serves as the backbone of modern vehicle networks, connecting multiple Electronic Control Units (ECUs) and providing an efficient data transmission environment for the entire vehicle control system. With the advancement of automotive intelligence, the methods for intruding upon in-vehicle CAN networks are becoming increasingly diverse, posing significant threats to driving safety. However, existing Intrusion Detection Systems (IDSs) often require considerable time to detect anomalies, potentially allowing malicious data frames to escape under current security mechanisms. Therefore, there is an urgent need for an efficient anomaly detection and defense mechanism to enhance the security of CAN networks. This paper proposes an ECU-level Intrusion Prevention System (IPS) based on statistical methods that does not require modifications to the existing ECU architecture. By analyzing matrix area features generated from CAN data frame payloads, the system can determine normal ranges for these feature parameters in an unsupervised manner. When detected data frame characteristics exceed predefined thresholds, the system identifies them as anomalies, thereby achieving effective detection and defense against potential attacks. Experimental results demonstrate that, under real attack scenarios and tampering attack scenarios, the system achieves detection rates of 99.76% and 96.5%, respectively, while maintaining a false positive rate of 0%. Additionally, the system is deployed on a low-cost STM32F407MINI development board simulating ECU functionality, with a detection process lasting only 64 µs.

Keywords:

Controller Area Network, Electronic Control Unit, Intrusion Prevention System, Unsupervised, Payloads

Cite This Paper:

Zhengyuan Liu, Weidong Yang, Shuguang Wang, Hongwei Fan (2025). Intrusion Prevention System Against Spoofed Data Frames at the Electronic Control Unit Level. Journal of Networking and Network Applications, Volume 5, Issue 1, pp. 1–12. https://doi.org/10.33969/J-NaNA.2025.050101.
