Abstract

The evolution of modern automobiles to higher levels of connectivity and automation has also increased the need to focus on the mitigation of potential cybersecurity risks. Researchers have shown in recent years that attacks on in-vehicle networks are possible, and the research community has investigated various cybersecurity mitigation techniques and intrusion detection systems which can be adopted in the automotive sector. In comparison to conventional intrusion detection systems in large fixed networks and ICT infrastructures in general, in-vehicle systems have limited computing capabilities and other constraints related to data transfer and the management of cryptographic systems. In addition, it is important that attacks are detected in a short time-frame, as cybersecurity attacks in vehicles can lead to safety hazards. This paper proposes an approach for intrusion detection of cybersecurity attacks in in-vehicle networks, which takes into consideration the constraints listed above. The approach applies an information entropy-based method over a sliding window, which is time-efficient, does not require the implementation of complex cryptographic systems, and still provides a very high detection accuracy. Different entropy measures are used in the evaluation: Shannon Entropy, Renyi Entropy, Sample Entropy, Approximate Entropy, Permutation Entropy, Dispersion and Fuzzy Entropy. This paper evaluates the impact of the different hyperparameters present in the definition of entropy measures on a very large public data set of CAN-bus traffic with millions of CAN-bus messages with four different types of attacks: Denial of Service, Fuzzy Attack and two spoofing attacks related to RPM and Gear information.
The sliding window approach in combination with entropy measures can detect attacks in a time-efficient way and with great accuracy for specific choices of the hyperparameters and entropy measures.

Highlights

  • With the evolution of the automotive industry to increased levels of connectivity and automation, the potential for cybersecurity attacks is growing as the vehicle is more exposed to digital attacks. A modern vehicle today is built with various electronic components including sensors, actuators, Electronic Control Units (ECUs) and communication devices, which are connected to different types of in-vehicle networks

  • This paper proposes an approach that applies an information entropy-based method over a sliding window, which is time-efficient, can flexibly adapt to changes in the operational context of the vehicle, and provides a very high detection accuracy, as demonstrated by the results presented in this paper

  • The approach is based on the calculation of the entropy of the Controller Area Network bus (CAN-bus) messages transmitted on the CAN-bus network, and on the hypothesis that attacks modify the entropy of the CAN-bus traffic, so that variation of the calculated entropy may indicate a cybersecurity threat

Summary

Introduction

With the evolution of the automotive industry to increased levels of connectivity and automation, the potential for cybersecurity attacks is growing as the vehicle is more exposed to digital attacks. A modern vehicle today is built with various electronic components including sensors, actuators, Electronic Control Units (ECUs) and communication devices, which are connected to different types of in-vehicle networks. The approach is based on the calculation of the entropy of the CAN-bus messages transmitted on the CAN-bus network, and on the hypothesis that attacks modify the entropy of the CAN-bus traffic, so that variation of the calculated entropy may indicate a cybersecurity threat. This idea is not new in the literature, and recent studies have demonstrated its potential in comparison to other IDS techniques based on machine learning and deep learning (mostly from a time efficiency point of view), but in some cases the entropy-based approach has provided a low detection accuracy or the analysis of the attacks was limited to one or two cases.
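The following added example, which is not the paper's code, applies the hypothesis above with Shannon entropy of CAN identifiers over a sliding window and flags windows whose entropy departs from a clean-traffic baseline. The CAN IDs, message periods, flood pattern, window size, step and threshold rule are constructed assumptions, since this page does not give the paper's features or hyperparameters.

```python
import math
from collections import Counter, deque
from statistics import mean, pstdev

def shannon_entropy(counts, n):
    """Shannon entropy (bits) of the CAN-ID distribution in one window."""
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def window_entropies(ids, size, step):
    """Return [(window_start, entropy)], updating the ID counts incrementally."""
    window, counts, out = deque(), Counter(), []
    for i, can_id in enumerate(ids):
        window.append(can_id)
        counts[can_id] += 1
        if len(window) > size:          # slide: drop the oldest frame
            old = window.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        start = i + 1 - size
        if start >= 0 and start % step == 0:
            out.append((start, shannon_entropy(counts, size)))
    return out

def fit_baseline(clean_ids, size, step):
    """Mean and standard deviation of window entropy on attack-free traffic."""
    h = [e for _, e in window_entropies(clean_ids, size, step)]
    return mean(h), pstdev(h)

def detect(ids, baseline, size, step, k=3.0, min_delta=0.1):
    """Window starts whose entropy is more than max(k*sigma, min_delta) off baseline."""
    mu, sigma = baseline
    tol = max(k * sigma, min_delta)     # floor avoids a zero-width band (assumed rule)
    return [s for s, e in window_entropies(ids, size, step) if abs(e - mu) > tol]

# Constructed traffic: hypothetical CAN IDs, each sent every `period` ticks.
PERIODS = {0x100: 1, 0x200: 1, 0x300: 2, 0x400: 2, 0x500: 4, 0x600: 4}

def normal_traffic(ticks):
    return [cid for t in range(ticks) for cid, p in PERIODS.items() if t % p == 0]

def with_dos(ids, start, end, flood_id=0x000, per_frame=3):
    """Constructed DoS trace: per_frame flood frames after each frame in [start, end)."""
    out = []
    for i, cid in enumerate(ids):
        out.append(cid)
        if start <= i < end:
            out.extend([flood_id] * per_frame)
    return out
```

Entropy can rise or fall as a flood enters the window, so the check is two-sided; a window that is only partly covered by the flood can sit near the baseline and go unflagged, which is one reason the window length matters as a hyperparameter.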
