| As a new industry, the intelligent connected vehicle (ICV) integrates many technologies such as automobile, communication, big data and artificial intelligence, and has attracted extensive attention from governments and enterprises all over the world. Especially in recent years, the development of 5G technology and deep learning has promoted the informatization and intelligence of ICVs. The automated driving level of ICVs has continuously improved, and their infotainment systems keep passengers from being bored during the drive. Although ICVs can better assist drivers and improve their driving experience, they have serious network security problems and are frequently attacked. This is because providing better services usually requires interaction with the cloud and clients, so a large number of ports have to be opened to the outside world. This leads to a direct or indirect connection between the originally closed vehicle network and the Internet, which expands the attack surface of the ICV and gives attackers more attack methods. At the same time, due to vulnerabilities in the internal systems and protocols of ICVs, the in-vehicle network is not secure, especially the controller area network (CAN). This paper designs a new fingerprint-based vehicle intrusion detection system (IDS) to protect the CAN, called ClockIDS. It establishes a unique fingerprint for each electronic control unit (ECU) based on clock skew, and so builds a fingerprint database containing all ECUs on the CAN bus. On this basis, ClockIDS performs intrusion detection and attack source identification by using the empirical rule and dynamic time warping. It neither occupies CAN bus bandwidth nor requires modifying the CAN protocol. It can be used as a monitoring unit that accesses the CAN bus directly from the open physical port of the ICV, and can be simply and conveniently deployed on the ICV. It can also be deployed in the central gateway through a remote system upgrade. Our experiments on two real vehicles show that ClockIDS can establish a unique fingerprint for each ECU without being affected by the size of the message period, which means that no matter what period of attack messages the attacker sends, ClockIDS can extract the correct fingerprint from the messages. In addition, ClockIDS can detect many types of attacks, including not only spoofing attacks and bus-off attacks, but also more advanced masquerade attacks. This includes almost all the current attacks against the CAN bus, and the detection accuracy reaches 98.63%. Moreover, the system can identify the attack source, and the average recognition accuracy is 96.77%. This is a key step for the overall automobile defense system, because it helps to isolate or slow down an attack promptly once it has occurred. Finally, this paper also tests the real-time performance of ClockIDS. The results show that the average time cost of each detection by ClockIDS is only 1.99 ms, which indicates high real-time performance. Therefore, it can quickly notify the system or driver to take measures to deal with the attack, and record the intrusion data for subsequent detection and repair. |
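
The three ideas named in the abstract (a clock-skew fingerprint per ECU, the empirical rule for detection, dynamic time warping for source identification) can be sketched as follows. This is an added illustration, not the ClockIDS implementation: the abstract gives no algorithmic detail, so the skew estimator, window size, 3-sigma threshold, ECU names, skew values and timestamps are all assumptions or constructed data.

```python
import random
from statistics import mean, stdev
PERIOD = 0.01  # nominal frame period in seconds (assumed value)

def arrivals(ppm, n=400, jitter=2e-6, seed=0):
    """Constructed arrival times of a periodic frame sent by a clock drifting by `ppm`."""
    rng = random.Random(seed)
    return [i * PERIOD * (1 + ppm * 1e-6) + rng.gauss(0, jitter) for i in range(n)]

def offsets(ts):
    """Accumulated clock offset of each arrival against the nominal schedule."""
    return [t - ts[0] - i * PERIOD for i, t in enumerate(ts)]

def skew_ppm(ts):
    """Clock skew as the least-squares slope of the accumulated offset, in ppm."""
    y = offsets(ts)
    xm, ym = (len(y) - 1) / 2, mean(y)
    num = sum((i - xm) * (v - ym) for i, v in enumerate(y))
    den = sum((i - xm) ** 2 for i in range(len(y)))
    return num / den / PERIOD * 1e6

def window_skews(ts, w=50):
    return [skew_ppm(ts[i:i + w]) for i in range(0, len(ts) - w + 1, w)]

def outlier_fraction(baseline_ts, observed_ts, k=3.0):
    """Empirical rule: share of observed windows with skew outside mean +/- k*sigma."""
    base = window_skews(baseline_ts)
    mu, sd = mean(base), stdev(base)
    obs = window_skews(observed_ts)
    return sum(abs(s - mu) > k * sd for s in obs) / len(obs)

def dtw(a, b):
    """Dynamic time warping distance with absolute-difference cost."""
    inf = float("inf")
    prev = [0.0] + [inf] * len(b)
    for x in a:
        cur = [inf]
        for j, y in enumerate(b, 1):
            cur.append(abs(x - y) + min(prev[j], prev[j - 1], cur[j - 1]))
        prev = cur
    return prev[-1]

def identify_source(fingerprints, observed_ts):
    """Return the ECU whose stored offset curve is closest (by DTW) to the observed one."""
    return min(fingerprints, key=lambda e: dtw(fingerprints[e], offsets(observed_ts)))

# Constructed fingerprint database: three hypothetical ECUs with distinct skews.
TRACES = {"ECU_A": arrivals(100, seed=1), "ECU_B": arrivals(250, seed=2), "ECU_C": arrivals(-150, seed=3)}
FINGERPRINTS = {ecu: offsets(ts) for ecu, ts in TRACES.items()}
```

A frame ID normally sent by `ECU_A` but timed by `ECU_B`'s clock puts every window outside the 3-sigma band, and the DTW lookup then attributes it to `ECU_B`.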