Next Article in Journal
Total Ionizing Dose Effects in Advanced 28 nm Charge Trapping 3D NAND Flash Memory
Previous Article in Journal
A Methodology for Online Situational Awareness Provision in a Business Entity
Previous Article in Special Issue
Detection of Domain Name Server Amplification Distributed Reflection Denial of Service Attacks Using Convolutional Neural Network-Based Image Deep Learning
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Electronics
Volume 14
Issue 3
10.3390/electronics14030471
electronics-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Review

Cybersecurity of Automotive Wired Networking Systems: Evolution, Challenges, and Countermeasures

by
Nicasio Canino
1,†,
Pierpaolo Dini
1,*,†,
Stefano Mazzetti
2,†,
Daniele Rossi
1,†,
Sergio Saponara
1,† and
Ettore Soldaini
1,†
1
Department of Information Engineering, University of Pisa, Via G. Caruso n.16, 56122 Pisa, Italy
2
Embedded Software Systems (ESWS) S.r.l., Via R. Volpi n.77, 41058 Vignola, Italy
*
Author to whom correspondence should be addressed.
Authors are listed in alphabetic order.
Electronics 2025, 14(3), 471; https://doi.org/10.3390/electronics14030471
Submission received: 13 December 2024 / Revised: 15 January 2025 / Accepted: 20 January 2025 / Published: 24 January 2025
(This article belongs to the Special Issue Machine Learning and Cybersecurity—Trends and Future Challenges)
Browse Figures
Versions Notes

Abstract

:
The evolution of Electrical and Electronic (E/E) architectures in the automotive industry has been a significant factor in the transformation of vehicles from traditional mechanical systems to sophisticated, software-defined machines. With increasing vehicle connectivity and the growing threats from cyberattacks that could compromise safety and violate user privacy, the incorporation of cybersecurity into the automotive development process is becoming imperative. As vehicles evolve into sophisticated interconnected systems, understanding their vulnerabilities becomes essential to improve cybersecurity. This paper also discusses the role of evolving standards and regulations, such as ISO 26262 and ISO/SAE 21434, in ensuring both the safety and cybersecurity of modern vehicles. This paper offers a comprehensive review of the current challenges in automotive cybersecurity, with a focus on the vulnerabilities of the Controller Area Network (CAN) protocol. Additionally, we explore state-of-the-art countermeasures, focusing on Intrusion Detection Systems (IDSs), which are increasingly leveraging artificial intelligence and machine learning techniques to detect anomalies and prevent attacks in real time. Through an analysis of publicly available CAN datasets, we evaluate the effectiveness of IDS frameworks in mitigating these threats.

Graphical Abstract

1. Introduction

The automotive industry is undergoing an evolution driven by advancements in Electrical and Electronic (E/E) architectures, which have significantly enhanced vehicle functionality and user experience. This evolution is characterized by the integration of numerous Electronic Control Units (ECUs) that communicate through various vehicular communication protocols. Although the Controller Area Network (CAN) is one of the most common, the Local Interconnect Network (LIN), FlexRay, Media-Oriented System Transport (MOST), and Automotive Ethernet are also implemented depending on the specific needs [1,2,3,4]. As vehicles become increasingly interconnected, the complexity of their E/E architectures grows, leading to a broader attack surface for potential cyber threats. Reliance on these communication protocols, while facilitating enhanced vehicle performance and features, simultaneously introduces vulnerabilities that can be exploited by malicious actors.
This paper aims to provide a comprehensive overview of the current challenges in automotive cybersecurity, with a focus on the vulnerabilities of the Controller Area Network (CAN) protocol. The main objectives of this review are as follows:
  • To describe the evolution of Electrical and Electronic (E/E) architectures in vehicles, highlighting the vulnerabilities introduced in in-vehicle networks (IVNs) due to the ever-increasing attack surfaces.
  • To explore the role of evolving automotive safety and cybersecurity standards, such as ISO 26262 and ISO/SAE 21434, in securing modern vehicles.
  • To present a novel dual taxonomy for the classification of attack surfaces based on the proximity of the attacker before and during the attack.
  • To provide an overview of the security vulnerabilities of the CAN protocol and all known cyberattacks targeting it.
  • To summarize relevant CAN-based public datasets, with additional structured insights on their characteristics and their use in developing effective Intrusion Detection Systems (IDSs).
  • To discuss state-of-the-art IDS taxonomy and approaches, such as anomaly-based, rule-based, and hybrid systems, in the context of mitigating cyber threats, alongside a review of AI and machine learning techniques for real-time anomaly detection in IDSs.

1.1. Vehicular E/E Architecture

The shift from mechanical to complex electronic systems has redefined E/E architectures in vehicles, heavily incorporating software and network components. This shift has paved the way for the integration of advanced driver-assistance systems (ADASs) and autonomous driving, both of which depend on the real-time data exchange between the electronic devices. However, this connectivity raises cybersecurity concerns because conventional in-vehicle networks were not designed with security considerations. For example, the CAN protocol supports real-time communication but lacks inherent security features, exposing it to risks such as message injection, replay attacks, and unauthorized access [5,6,7]. As vehicles incorporate more V2X connectivity, the risk of cyberattacks increases, necessitating a comprehensive understanding of the vulnerability of the protocol. These attacks could have significant consequences, such as financial losses for manufacturers, legal liabilities, and diminished consumer trust. Thus, mitigating these vulnerabilities is crucial for maintaining the safety and security of contemporary vehicles.

1.2. Cybersecurity Concerns and Solutions

With a specific focus on the vulnerabilities of the CAN protocol, they have been extensively documented and demonstrated, highlighting the potential consequences of successful cyberattacks on vehicle safety and security [8,9,10]. Attackers can exploit these vulnerabilities to manipulate vehicle behavior, leading to catastrophic outcomes such as loss of control, unauthorized access to sensitive data, and even physical damage to occupants or pedestrians. Research has shown that an effective solution can be Intrusion Detection/Prevention (IDS/IPS) mechanisms to secure the CAN network, which remains a prime target for cyber threats [11,12]. To address increasing threats, numerous solutions have been proposed to secure the CAN protocol. A key approach is Intrusion Detection Systems (IDSs), which monitor network traffic for malicious activities. In particular, AI and machine learning have led to advanced IDSs, which are capable of detecting anomalies in CAN traffic. In fact, by exploiting data-driven methods to detect intrusion patterns, they offer preemptive protection against attacks [5,13,14,15]. Research continues to improve IDS detection capabilities against evolving attacks.
The development of effective Intrusion Detection Systems (IDSs) for automotive networks, particularly those focusing on the CAN protocol, is highly dependent on the quality of the datasets used. Therefore, publicly available CAN datasets play a crucial role in training and evaluating these systems, providing researchers with the necessary data to simulate various attack scenarios and assess the performance of their detection mechanisms.

1.3. Related Review Articles

In recent years, several review articles have been published on the topic of automotive cybersecurity, each addressing various aspects of the field. Here, we discuss some of the most relevant review papers and highlight how our work differs from and improves upon them.
  • Abreu et al. focused on the use of artificial intelligence (AI) technologies to improve IoT security in vehicles. They addressed key research questions related to the challenges and threats faced by IoT devices and how AI can be used to enhance their security. While their work provided valuable insights into AI-driven solutions for cyber threat detection, it did not delve deeply into the specific vulnerabilities of automotive systems or the role of standards and regulations [16].
  • Pascale et al. introduced an embedded Intrusion Detection System (IDS) for the automotive sector, designed to analyze traffic on the CAN bus and identify potential cyberattacks. The authors focused on the implementation and effectiveness of their proposed IDS but did not provide a comprehensive overview of the broader cybersecurity landscape or the integration of evolving standards and regulations [17].
  • Luo et al. conducted a systematic and comprehensive review of automotive cybersecurity testing methods and testbeds. They classified and discussed various security testing techniques and identified gaps and limitations in existing research. However, their work primarily focused on testing methodologies and did not extensively cover the practical implementation of cybersecurity frameworks or the role of AI and machine learning techniques [18].
  • Kifor et al. analyzed the current state of research regarding automotive cybersecurity, with a particular focus on frameworks, standards, monitoring, and testing technologies. While the authors provided a detailed discussion of existing standards and regulations, their work did not emphasize the practical challenges and solutions for maintaining cybersecurity throughout the vehicle’s lifecycle [19].
  • Fernandez de Arroyabe et al. addressed the challenges and solutions for maintaining cybersecurity in the automotive industry, using the technology adoption model (TAM) as a theoretical framework. Their work highlighted the importance of maintaining cybersecurity after the vehicle has been sold and proposed solutions for ongoing cybersecurity maintenance. However, their review did not provide a detailed analysis of specific cybersecurity technologies or the integration of AI-driven solutions [20].

1.4. Unique Contributions of This Work

This paper aims to provide a concise, yet comprehensive, overview of automotive cybersecurity, thus contributing with the following:
  • Detailed Analysis of CAN Protocol Vulnerabilities: Unlike previous reviews, our paper provides an in-depth analysis of the specific vulnerabilities of the Controller Area Network (CAN) protocol. We discuss various types of attacks, including frame injection, error management exploitation, suspension, and masquerade attacks, and highlight the potential consequences of these vulnerabilities on vehicle safety and security.
  • Comprehensive Review of Intrusion Detection Systems (IDSs): Our work offers a thorough review of state-of-the-art IDS techniques, including rule-based, anomaly-based, fingerprint-based, and hybrid approaches. We discuss the strengths and limitations of each approach and provide insights into the latest advancements in AI and machine learning techniques for real-time anomaly detection in IDSs.
  • Evaluation of Publicly Available CAN Datasets: We present a detailed analysis of the most valuable CAN datasets shared by the research community. Our review includes a comparison of the key features of these datasets, such as traffic type, labeling, and attack scenarios, and highlights their importance in developing and evaluating effective IDS frameworks.
  • Novel Dual Taxonomy for Attack Surface Classification: We propose a novel dual taxonomy for classifying attack surfaces based on the proximity of the attacker before and during the attack. This taxonomy provides a more comprehensive understanding of the potential entry points and methods used by attackers, which is crucial for performing effective Threat Analysis and Risk Assessment (TARA).
  • Integration of Evolving Standards and Regulations: Our paper explores the role of evolving automotive safety and cybersecurity standards, such as ISO 26262 and ISO/SAE 21434, in ensuring the security of modern vehicles. We discuss how these standards complement each other and provide a structured framework for integrating functional safety and cybersecurity into the automotive development process.
By providing a comprehensive overview of these topics, we aim to contribute to the ongoing discussion on enhancing the security of automotive systems in an increasingly connected world.

2. Search Methods and Inclusion/Exclusion Criteria

To ensure a comprehensive and systematic review of the current challenges in automotive cybersecurity, we employed a rigorous methodology to gather and evaluate relevant literature. This section details the search methods, databases consulted, keywords used, and the inclusion/exclusion criteria applied.

2.1. Search Methods

The literature search was conducted using the following electronic databases to ensure a wide coverage of relevant studies:
  • ACM Digital Library;
  • IEEE Xplore;
  • Springer Link;
  • MDPI.
The search was performed using a combination of keywords and phrases related to automotive cybersecurity. The primary keywords included the following:
  • “Automotive cybersecurity”;
  • “Vehicle E/E architecture”;
  • “Intrusion Detection Systems (IDS)”;
  • “Controller Area Network (CAN)”;
  • “In-Vehicle Network (IVN)”;
  • “ISO/SAE 21434”;
  • “Automotive Ethernet”;
  • “Vehicle-to-Everything (V2X)”.

2.2. Search Strategy

The search strategy involved the following steps:
  • Initial Search: An initial search was conducted using the primary keywords in each database. This step aimed to identify a broad range of potentially relevant articles.
  • Refinement of Search Terms: Based on the initial search results, the search terms were refined to include additional relevant keywords and phrases. Boolean operators (AND, OR) were used to combine search terms effectively.
  • Screening of Titles and Abstracts: The titles and abstracts of the retrieved articles were screened to assess their relevance to the review’s objectives. Articles that did not meet the inclusion criteria were excluded at this stage.
  • Full-Text Review: The full texts of the remaining articles were reviewed to ensure they met the inclusion criteria. Any discrepancies or uncertainties were resolved through discussion among the authors.

2.2.1. Inclusion Criteria

The following inclusion criteria were applied to select articles for the review:
  • Time Period: Articles published between 2010 and 2024 were included. This time frame was chosen to capture the most recent advancements and challenges in automotive cybersecurity.
  • Type of Publication: Only peer-reviewed journal articles, conference papers, and technical reports were considered. This criterion ensured the inclusion of high-quality and credible sources.
  • Relevance: Articles had to specifically address the cybersecurity of automotive wired networking systems, including vulnerabilities, countermeasures, and standards. Studies focusing on related topics such as Intrusion Detection Systems (IDSs), Controller Area Network (CAN), and automotive safety standards were also included.
  • Language: Only articles published in English were included to maintain consistency in language and ease of analysis.

2.2.2. Exclusion Criteria

The following exclusion criteria were applied to filter out irrelevant or redundant studies:
  • Non-English Publications: Articles not published in English were excluded to ensure consistency in language and ease of analysis.
  • Irrelevant Topics: Articles that did not focus on automotive cybersecurity or related topics were excluded. For example, studies focusing solely on mechanical aspects of vehicles without addressing cybersecurity were not considered.
  • Duplicate Studies: Duplicate studies or articles presenting the same findings were excluded to avoid redundancy. In cases where multiple articles reported similar findings, the most comprehensive and recent study was included.
  • Incomplete Data: Articles lacking sufficient data or methodological details to support their findings were excluded.

2.3. Data Extraction and Synthesis

The selected articles were subjected to a detailed data extraction process, which involved the following steps:
  • Extraction of Key Information: Key information such as the study’s objectives, methods, findings, and conclusions were extracted from each article. This information was organized into a structured format to facilitate comparison and synthesis.
  • Evaluation of Methodological Quality: The methodological quality of each study was assessed using predefined criteria. Studies with significant methodological flaws were excluded from the final synthesis.
  • Synthesis of Findings: The extracted data were synthesized to identify common themes, trends, and gaps in the literature. The synthesis process involved both qualitative and quantitative analysis, where applicable.
The search process yielded a total of [number] articles. After applying the inclusion and exclusion criteria, [number] articles were selected for full-text review. Of these, [number] articles were included in the final synthesis. The selected articles provided a comprehensive overview of the current state of automotive cybersecurity, highlighting key vulnerabilities, countermeasures, and emerging trends.

3. Evolution and Vulnerabilities of In-Vehicle Network Architecture

3.1. Evolution of E/E Architecture

The evolution of Electrical and Electronic (E/E) architectures in the automotive industry has been a significant factor in the transformation of vehicles from traditional mechanical systems to sophisticated, software-defined machines. This evolution is largely driven by the increasing demand for advanced functionality, such as automated driving, enhanced connectivity, and improved user experiences. The E/E architecture encompasses the fundamental organization of the electrical and electronic components of a vehicle, including Electronic Control Units (ECUs), sensors, actuators, wiring, power distribution, and communication systems, all of which are essential for achieving desired performance and functional goals [2,3,4,21,22]. This comprehensive framework highlights the intricate interactions and interdependencies among various components, which have become increasingly complex as vehicles integrate more advanced technologies. Over the past century, the automotive E/E architecture has undergone a paradigm shift, particularly in response to the requirements of automated driving. The advent of autonomous vehicles has imposed new challenges on existing architectures, leading to revolutionary innovations in the design of the E/E architecture [1]. The automotive industry began as a completely mechanical domain, with no starter motor to even turn on the engine electrically. By the 1970s, the industry entered an electrification era in which mechanical components started to be replaced by electronic devices, although the E/E architecture was still in its early stages. The rise of Integrated Circuits (ICs) led to the formation of large-scale automotive networks, enhancing vehicle performance through point-to-point connections [1,23]. The demand for automotive safety and efficiency since the 1980s led to the adoption of electronic control systems, which initially resulted in complex and cumbersome wiring due to point-to-point connections. To mitigate this, field buses such as the Controller Area Network (CAN) bus were introduced to facilitate efficient communication among ECUs with fewer lines.
In the following years, as car technology and features expanded, the demand for an affordable serial network emerged, since implementing the CAN bus for each car component was too costly. This prompted European car manufacturers to adopt various IVN protocols to address and cover specific tasks, such as FlexRay, Local Interconnect Network (LIN), and Media-Oriented System Transport (MOST). The complete list of automotive IVN protocols, in chronological order, is provided in Table 1, which also provides their pros and cons; for example, although it is considered cost-effective due to its requirement of only two wires, the CAN protocol cannot support the high data rates essential for applications such as infotainment and autonomous driving.
Around the beginning of the new century, E/E architectures started a rapid ramp-up towards their electrification. This evolution was supported by the adoption of centralized gateways, which became common to optimize in-vehicle networks (IVNs) and their wiring. In fact, all the ECUs were subdivided and distributed among different subnets, all connected to a common gateway. This approach increased the number of available comfort and safety services, thus increasing power demands, necessitating the transition to high-voltage systems (48 V) [1,32,33]. Also, as vehicles started to become cyber–physical systems, from purely mechanical, the introduction of a gateway was the first step toward increased cybersecurity [34,35,36]. As automated driving functions and the number of ECUs increased, the traditional network architecture became unsustainable, leading to the development of Domain Control Units (DCUs) [24,37]. They centralize the management of multiple subsystems within a vehicle domain, consolidating tasks that were traditionally handled by separate ECUs. This consolidation results in increased system efficiency through lower power consumption, simplified wiring, and reduced system complexity. Domain controllers, for example, improve subsystem integration and coordination, particularly in complex frameworks such as an ADAS. They offer scalability, facilitate easier software updates, including over-the-air updates, and reduce hardware costs. Nonetheless, they improve cybersecurity by focusing control on fewer and more secure areas, simplifying vehicle communication, reducing latency, and ensuring better real-time responsiveness. As vehicles become more automated, domain controllers are crucial for managing the complexities of modern automotive architecture. Table 2 lists the typical domains with their core functions, components (i.e., ECUs), and common IVN protocol. This E/E architecture has been widely adopted since the 2010s and continues to be in use.
Also, as in the gateway-centric architecture, each domain utilizes different communication protocols according to specific needs. Lastly, in recent years, the idea of Software-Defined Vehicles (SDVs) has become the next step to be reached to continue the evolution of the automotive domain toward new services and features provided to the end-user. In addition, a zone-based architecture has been proposed [4,24], which divides the ECUs according to their physical location rather than function. In each geographic zone of the vehicle, the electronics systems are managed by a Zone Control Unit (ZCU), which consolidates local inputs and outputs (sensors and actuators) and communicates with a central compute platform. The correlation between the zonal E/E architecture and SDVs lies in their shared goal of creating more flexible, scalable, and efficient vehicle designs by centralizing and simplifying electronic control and communication systems. The zonal architecture is essential in separating vehicle functions from particular hardware sites, enabling software-based control to prevail over the limitations imposed by physical wiring.

3.2. Overview on Automotive Safety and Cybersecurity: Standards and Regulations

As just mentioned, the rise of connected vehicles has introduced additional layers of complexity to E/E architectures. Vehicles are increasingly equipped with a variety of V2X connectivity features (Vehicle-to-Everything) that allow them to communicate with testbed networks, other vehicles, and infrastructure. This connectivity improves vehicle functionality, but also raises safety and cybersecurity concerns, as the attack surface for potential threats expands significantly to the wireless domain.
As a result, the development of robust cybersecurity measures is becoming an integral part of the E/E architecture design process [38]. Manufacturers must ensure that their systems are not only functional, but also secure against potential cyber threats that could compromise vehicle safety and user privacy. Consequently, specific safety and cybersecurity standards have been established: ISO 26262, ISO/SAE 21434, and UNECE R155 and R156, each targeting distinct elements of automotive system safety and security. ISO 26262, first introduced in 2011 and updated in 2018, is a comprehensive standard that addresses the functional safety of electronic and electrical systems within vehicles [39]. It provides extensive guidelines covering the entire lifecycle of automotive systems, from the initial concept phase to the development, production, and operation phases, and concludes with the decommissioning stage. The primary goal is to ensure that the safety principles are methodically integrated at each stage of the process [40]. ISO 26262 holds particular significance for systems that operate in safety-critical environments, as it establishes the necessary Automotive Safety Integrity Levels (ASILs). These levels determine the depth and rigor of the required safety protocols, depending on the severity and likelihood of risks associated with potential system failures [41,42,43]. With the increasing complexity of vehicle systems and their connectivity, the boundary between functional safety and cybersecurity has become blurred, requiring an all-round reliable system. A system failure due to a cyberattack can have serious safety consequences. This overlap is prompting manufacturers to consider how security breaches can trigger safety hazards. Therefore, a holistic approach is fundamental, where both safety and security measures are aligned to protect against both functional failures and cyber threats [43,44,45]. ISO/SAE 21434, released in 2021, directly addresses cybersecurity concerns in road vehicles, offering a structured approach to handling cyber threat risks throughout the vehicle lifecycle [46]. This standard highlights the necessity of integrating security protocols during the design and development stages, as well as in the operational and maintenance phases [36,47,48]. Although ISO 26262 provides the framework for preventing safety-critical failures, ISO/SAE 21434 is a fine-tuned standard focused on protecting against malicious attacks that could lead to such failures. The standard includes provisions for cybersecurity risk management, threat analysis, and vulnerability assessments, all of which are essential to ensure that vehicle systems are secure against cyber threats. A key example of the link between security and safety is in the implementation of Intrusion Detection Systems (IDSs) to monitor IVNs. Indeed, an IDS enhances the reliability of critical vehicle systems against cyberattacks, such as those targeting ECUs. By detecting and responding to potential intrusions, such systems ensure that security breaches do not escalate into safety-critical failures. This integration of cybersecurity measures strengthens the functional safety protocols initially outlined in ISO 26262, demonstrating the growing interdependence between safety and security in modern vehicle architectures. Regarding the regulations, UNECE R155 and R156 complement these standards by establishing a regulatory framework for cybersecurity and software updates in vehicles, according to the principles established in ISO/SAE 21434. UNECE R155 requires manufacturers to implement a cybersecurity management system to protect vehicles from cyber threats [49], while R156 focuses on the secure management of software updates, ensuring that vehicles remain safe and secure throughout their operating life [50]. These regulations underscore the importance of a holistic approach to vehicle and passenger safety, which integrates functional safety, cybersecurity, and ongoing software integrity. As vehicles evolve to incorporate ADASs and autonomous driving capabilities, the risks associated with both functional failures and cyber threats become more pronounced. Therefore, adherence to ISO 26262, ISO/SAE 21434, and UNECE R155 is not only a regulatory requirement but also a critical component to ensure the safety and security of future automotive innovations [41,44].
The integration of these standards into the automotive development process will ultimately contribute to building consumer trust and fostering the safe adoption of new technologies in the automotive industry.

3.3. Vehicle Attack Surfaces

As vehicles evolve into sophisticated interconnected systems, understanding their vulnerabilities becomes essential to improve cybersecurity. Two concepts can be defined to determine and classify the origin and effects of an attack, attack surface and attack vector. The attack surface of a vehicle encompasses all potential points at which an unauthorized user can gain access to vehicle systems, extract sensitive data, or disrupt functionalities. The attack vector, instead, determines the specific path, method, exploited by the attacker from the beginning to the end target of the attack [8,51,52,53,54,55]. The typical classification of attack surfaces considers only the entry point of the attacker, as listed in Table 3. They are classified into three main categories:
  • Physical, requires direct physical access to the vehicle or its components.
  • Local Wireless, requires proximity to the vehicle (within a range of 100 m) without physical access.
  • Unlimited Wireless, can be exploited without any limitation on the distance from the vehicle.
This classification can become limiting when performing a Threat Analysis and Risk Assessment (TARA) on the vehicle against its cybersecurity vulnerabilities [48]. Therefore, we propose a novel and more complete taxonomy, as depicted in Figure 1, in which the attack surface is further distinguished according to the proximity of the attacker before and during the attack:
  • Attack starting point phase: is the actual access point before the attack actually is carried out. It can require the following:
    -
    Initial physical access to the vehicle, for example, by accessing the IVN, OBD-II port, or infotainment ports;
    -
    Without any initial physical access to the vehicle, for example, exploiting wireless V2X connectivity, or tampering with the vehicle’s sensors.
  • Attack ongoing phase: defines how the attacker performs the attack, physically or remotely connected to the vehicle.
This distinction can be useful in some sophisticated attacks; for example, consider that the attacker aims to inject malicious messages into the vehicle’s IVN, starting from the OBD-II port. This would mean, without our taxonomy, that the attack surface should be classified as physical. However, if the attacker connects to the OBD-II port with an aftermarket device with wireless connectivity, in reality, the physical attack surface would become wireless indirectly. In light of the ready availability of tools of this nature, the TARA phase for the vehicle may require further consideration. In fact, the potential threat associated with physical attack surfaces may increase. This is because physical attack surfaces that would otherwise remain contained may become vulnerable due to the difficulty of carrying out prolonged attacks with the attacker physically connected to the car. Throughout the rest of this paper, a specific focus will be on the CAN protocol for two reasons. First, it is one of the most used within the vehicle domain (see the last column in Table 2) because of its high reliability and contained cost of implementation. In fact, for the physical layer, it only requires a twisted pair of wires to deliver the data information. Second, since this protocol was invented in the 1980s, it does not include security countermeasures such as message authentication, sender and receiver addresses, or message encryption. Therefore, countermeasures must be taken into account to protect critical domains that rely on the CAN bus.

3.4. CAN Bus Vulnerabilities

The CAN protocol [56], developed during the 1980s, is widely used in automotive systems to allow communication between various ECUs. This protocol functions as a multi-master serial communication system using CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) to reduce errors and minimize data retransmissions. It utilizes a twisted pair bus, transmitting data frames in differential mode, where the logical value output is the wired-AND outcome (with logic-0 as the dominant value and logic-1 as the recessive value) of all active transmitting ECUs. As illustrated in Figure 2, multiple ECUs may initiate transmission simultaneously, requiring an arbitration procedure (leveraging the wired-AND property) to determine the ECU that will assume control of the bus and continue transmitting the CAN frame. Since bits are sent from MSB to LSB, a lower ID (identifier) value in the transmitted frame results in more dominant bits being sent initially, granting it higher priority during arbitration. However, from a cybersecurity perspective, the simplicity and convenience of implementing the CAN protocol represent significant vulnerabilities. The principal security risks associated with the CAN protocol, extensively documented in scholarly reviews [54,57,58], cover the following aspects:
  • Frame Injection Attack: Due to the broadcast characteristic of the CAN protocol and its lack of encryption mechanisms, an attacker can inject malicious messages into the CAN bus, potentially altering vehicular actions and disrupting standard IVN operations. This can be performed, for example, by physically accessing the OBD-II port or directly connecting to the targeted subnet.
  • Error Management: This mechanism within the CAN protocol, designed to improve reliability and fault tolerance, can inadvertently create vulnerabilities that malicious actors can exploit. These mechanisms include error counters (Transmit and Receive Error Counters) that track the number of transmission errors and dictate the operational state of a CAN node. Figure 3 displays the error states and the conditions under which the ECU changes its network state. Although these features are intended to isolate faulty nodes and maintain network integrity, they can also be manipulated to launch sophisticated attacks.
  • Suspension and Masquerade Attacks: Exploiting the error management functions of the CAN protocol, or by installing malicious software, attackers can suspend message transmission from the targeted ECU, posing potentially severe threats to the correct functionality of the vehicle. Also, after the ECU is suspended, masquerade tactics can be exploited, whereby a malicious ECU transmits forged data frames using identical periodicity, identifiers, and payload configurations.
  • Insider Threats: Individuals with legitimate access to vehicle systems, such as employees or contractors, may exploit their access and knowledge to manipulate ECU functionalities, thus altering the properties of some CAN messages or introducing vulnerabilities, compromising vehicle security.
  • Eavesdropping/Sniffing: Since the transmission of CAN frames occurs in unsecured plaintext over a physical layer consisting merely of two wires, attackers can intercept and scrutinize data exchanged among ECUs. Such interceptions might expose sensitive vehicle operation details and user activities, paving the way for further attacks.
Electronics 14 00471 g002
Figure 2. CAN arbitration policy: three ECUs (A, B, and C) initiate transmission at the same time, but only ECU B wins arbitration.
Figure 2. CAN arbitration policy: three ECUs (A, B, and C) initiate transmission at the same time, but only ECU B wins arbitration.
Electronics 14 00471 g002
These identified threats underscore the urgent need for comprehensive cybersecurity strategies within automotive networks that depend on the CAN protocol, especially given the growing connectivity (attack surfaces) and the increase in safety-related features in autonomous vehicles.

4. CAN-Related Cybersecurity Vulnerabilities and Solutions

Developed for the automotive domain, the CAN protocol has become a key communication technology among vehicle ECUs. Its reliability and efficiency have made it the dominant choice for real-time data transfer in contemporary vehicles. However, extensive integration of CAN has revealed significant vulnerabilities that could be exploited by malicious individuals. As vehicles move into more connected systems with expanded features, the risks related to CAN cybersecurity have increased substantially. This section presents an overview of the intrinsic weaknesses of the CAN protocol, the various types of attack it may face, and the consequences of such security gaps. By understanding these cybersecurity issues, we can recognize the necessity of robust countermeasures and how they can be designed to protect automotive networks.

4.1. Attacks to CAN Protocol

Given the intrinsic properties and vulnerabilities of the CAN protocol, a wide variety of attacks have been discovered and demonstrated [12,57,58]. Figure 4 summarizes the known attacks on CAN networks, depicting exemplifying message sequences with K as the attacker ECU, while A and B are benign ones. The following are the main properties of these attacks.
(a)
DoS Attack floods the CAN bus with an excessive number of high-priority frames, thus preventing benign ECUs from transmitting frames that have lower priority levels. The typical ID used is 0x000 (highest overall priority, but easy to detect because it is never used by benign nodes) or the highest ID typically sent in that network [59,60].
(b)
Fuzzy Attack involves injecting frames that contain random, or partially random, values across various fields of the CAN frame, namely ID, DLC (Data Length Code), and payload. This strategy seeks to inundate benign frames by introducing a high volume of randomized traffic, or to specifically target a set of benign IDs with the goal of inducing adverse vehicle behaviors [61].
(c)
Replay Attack involves an initial phase to capture valid frames by monitoring the CAN traffic, storing them, and subsequently retransmitting these frames to produce discrepancies in the information within the targeted benign IDs [62].
(d)
Spoof Attack requires an initial examination of the data embedded in the payload of the target ID(s).
The forged malicious frames, with benign ID, are then transmitted with manipulated payloads, with the intent of provoking undesired or dangerous vehicle states [63].
(e)
Suspension Attack is designed to stop the transmission of CAN frames originating from a targeted ECU. This can be executed externally by taking advantage of the error handling capabilities inherent in the CAN protocol, inducing the ECU into the Bus Off state (see Figure 3), or internally through the deployment of harmful software aimed at blocking frame transmission at a certain stage [64].
(f)
Masquerade Attack occurs after the suspension of transmission from an ECU. Using a malicious ECU, spoofed frames that match the ID, DLC, payload characteristics, and timing of the original frames are transmitted, thus seemingly maintaining an unchanged overall traffic pattern on the bus [65].
Depending on the target ECU for the suspension attack, it can become a Wormhole/Black-hole Attack, which causes an ECU that interconnects multiple distinct subnets to cease functioning.
For injection attacks, the first four in Figure 4, a distinction can be made depending on the injection delivery method, rather than only on the content of CAN frames. Three methods can be exploited: periodic, flam, and irregular. Firstly, the periodic delivery method consists of the injection of malicious CAN frames within a fixed period. The effectiveness of this method highly depends on the targeted ID, and on the chosen periodicity. Secondly, the flam delivery method is a more sophisticated option. In this case, the malicious frames are sent in immediate succession after the benign ones. This timing order between benign and injected frames ensures that the authentic message cannot physically be executed before the malicious one modifies the data [10]. The effects of flam delivery can be noticed, for example, in the information displayed on the tachometer, in which the needle may remain at a fixed position even if the vehicle is in motion. This happens because the instrument cluster ECU does not have the physical time to actuate the benign data before the injected one arrives. Lastly, the irregular delivery method encloses all CAN frames injected without a specific time property. The aforementioned attack categories focus specifically on their effects on CAN bus traffic. The specific attack vector (the technique employed by an attacker to unlawfully access an IVN or ECU) is beyond the scope of this overview and is inherently linked to the attacker’s chosen target. However, since every attack will inevitably leave traces in some part of the vehicle’s IVN, an intrusion detection system monitoring that network may be able to detect the attack.

4.2. Network IDS Taxonomy

To address security vulnerabilities in the CAN protocol, various solutions have been proposed, ranging from lightweight encryption mechanisms to Message Authentication Codes (MACs) and Intrusion Detection Systems (IDSs) that monitor abnormal traffic patterns across different layers of the protocol stack. The typical IDS taxonomy is depicted in Figure 5, in which the main characteristics of an IDS are summarized.
  • Location: the IDS can be designed to monitor the behavior and activities of an ECU (host-based), or to monitor the traffic of the targeted IVN subnet (network-based).
  • Approach: defines which architecture has been selected for the IDS, determining the detection methodology between more deterministic (rule-based) or heuristic (anomaly-based) approaches.
  • Layering: the IDS can monitor single protocol layers (single-layer), or more than one layer simultaneously (cross-layer). It depends on the available layers of the considered protocol, for example, physical, data-link, network, or application layers.
  • Reaction: classifies the post-detection behavior of the system. An Intrusion Detection System (IDS) is a passive technique that only raises an alert when an anomaly/attack is detected, while an Intrusion Prevention System (IPS) is also able to proactively take some countermeasures after the detection of the anomaly/attack.
Among these, Network-IDS plays a crucial role in continuously monitoring network activity, identifying unusual events, and triggering alerts when potential anomalies/intrusions are detected. These anomalies/intrusions can represent unauthorized attempts to gain access to vehicle systems and may originate either within vehicle internal components, such as compromised ECUs, or externally from attackers seeking to infiltrate the network. Over the years, several IDS techniques have been developed to strengthen the security of the CAN protocol [12,34,66]. These techniques focus on monitoring different aspects of CAN bus communication, from its physical properties to detecting recurring patterns in network traffic. The published IDS approaches can be classified as follows.

4.2.1. Rule-Based Approach

It operates by defining a set of pre-established rules or signatures related to the behavior of the IVN, which are known at the implementation stage of the IVN devices. These rules are typically based on specific design characteristics of vehicle communication, such as limiting the value range of certain message fields (e.g., payload fields cannot exceed predefined max and min bounds) or ensuring that values have a variability within the nominal range, between consecutive frames. Additionally, signature-based IDSs can identify known attack patterns, such as Denial of Service (DoS) attacks, by matching traffic against predefined attack signatures [35,67,68,69]. This method is highly effective for detecting known threats, but struggles against new or evolving attack techniques.

4.2.2. Anomaly-Based Approach

It monitors real-time traffic in the IVN and establishes a baseline for normal behavior using heuristic or statistical methods. Any deviation from this baseline beyond a specified threshold is flagged as abnormal behavior, triggering an alert. Typically, it is based on ML/AI techniques that analyze valuable features of network traffic, ranging from the ID sequence to the payload content or typical arrival periodicity of that ID. Anomaly-based IDSs are useful for detecting unknown or previously unseen attack types by identifying unusual patterns that deviate from normal operations [70,71,72]. Although this approach is adept at uncovering novel attacks, it can also result in a higher rate of false positives due to the challenges in precisely defining what constitutes "normal" behavior in a dynamic automotive environment.

4.2.3. Fingerprint-Based Approach

It leverages unique characteristics, or “fingerprints”, of ECUs and communication patterns to distinguish legitimate activities. By assigning specific identifiers to each ECU or communication, the system can detect discrepancies that indicate malicious behavior. The most widely used fingerprinting techniques exploit voltage or timing features of the devices in the IVN, which can be used to identify the specific ECU that transmits a given CAN frame, making it easier to detect unauthorized behavior in the network [73,74,75].
  • Voltage Fingerprinting is based on the observation that each ECU exhibits a unique electrical signature when transmitting CAN frames, due to slight variations in hardware components such as transistors, resistors, and other circuitry [73,76]. This method measures electrical characteristics, such as voltage levels and signal transitions, during message transmission on the CAN bus, which are unique identifiers for each ECU. By capturing and analyzing these signatures, an IDS can detect deviations from the expected profile, which may indicate that a malicious or compromised ECU is transmitting messages not belonging to it. Voltage fingerprinting can be highly effective in distinguishing between legitimate and illegitimate ECUs because even if the transmitted messages appear valid at the data-link layer, the underlying electrical signature of a counterfeit ECU will differ from the expected one. This method provides a low-level, hardware-based layer of security that is difficult for attackers to mimic. However, voltage fingerprinting can be sensitive to environmental conditions such as temperature or voltage fluctuations, which may introduce noise into the system and complicate the detection process [73,76]. Advanced filtering and calibration techniques are often required to ensure reliable detection under varying operational conditions.
  • Timing Fingerprinting leverages the observation that each ECU has a distinctive timing pattern when sending CAN frames [77,78]. These timing characteristics arise from subtle differences in clock precision, processing power, and the internal scheduling algorithms of different ECUs. By monitoring the inter-arrival times of CAN frames or the precise timing of bit transitions within a message, the IDS can establish a baseline of normal timing behavior for each ECU. Any significant deviation from this baseline could indicate that an unauthorized ECU is attempting to masquerade as a legitimate one, or that a timing-based attack, such as a replay attack, is being conducted. Timing fingerprinting is particularly useful because even if an attacker can replicate the content of a legitimate message, it is unlikely that they can perfectly replicate the exact timing characteristics of the genuine ECU. However, the effectiveness of timing fingerprinting can be affected by bus congestion, network latency, or jitter, which may alter the expected timing behavior without necessarily indicating an attack [77,78]. Sophisticated algorithms are therefore required to distinguish between normal timing variations and malicious activity.

4.2.4. Hybrid-Based Approach

It combines two or more of the previously mentioned approaches to exploit their strengths while mitigating their individual weaknesses. For example, a hybrid system may use a rule-based approach for known threats while employing anomaly detection for unknown patterns, resulting in a more comprehensive security framework [13,79]. Hybrid systems can be organized hierarchically, starting with coarse-grained checks and refining them to more detailed inspections to optimize both detection accuracy and computational efficiency.

4.2.5. Summary: Pros and Cons

Each of these IDS approaches has its strengths and limitations. Rule-based systems, while highly effective against well-known attack patterns, require constant updates to stay relevant as new threats emerge. Without regular updates, these systems become less effective over time. In contrast, anomaly- and fingerprint-based systems are more suitable at identifying unknown or sophisticated attacks, such as masquerading attacks, but tend to produce more false positives due to their reliance on heuristics and statistical thresholds. Moreover, the use of ML/AI in a safety-critical and resource-constrained domain, such as automotive, poses severe concerns because of their intrinsic nature. In fact, new work will inevitably tend towards eXplainable AI (XAI) and Embeddable AI (EAI) to overcome these concerns [80,81]. As vehicles become more interconnected and rely more on software, striking the right balance between detection accuracy and minimizing false positives is critical to ensuring robust IVN security. These IDS categories, along with ongoing advancements in AI-driven detection, offer a layered defense strategy that can adapt to the evolving threat landscape.

5. CAN Datasets and AI-Based IDS Solutions

Rapid advancement of artificial intelligence (AI) has significantly impacted various domains, including automotive cybersecurity. As traditional rule-based systems struggle to keep up with increasingly sophisticated cyberattacks, AI-driven solutions offer a more dynamic and adaptive approach to intrusion detection. In this section, we discuss the role of AI in enhancing the security of in-vehicle networks, particularly focusing on the Controller Area Network (CAN) protocol, as anticipated in previous sections. We will explore the most complete CAN datasets shared by the research community, which are crucial to assess the detection performances of the developed IDS architectures. Then, an overview of the AI techniques used to detect and mitigate cyber threats and their overall performance will be provided.

CAN Dataset Analysis

The analysis of CAN datasets is fundamental for developing effective IDSs in automotive cybersecurity. These datasets must provide the necessary data to simulate the highest variety of attack scenarios, while also providing a sufficient amount of normal traffic patterns. By analyzing CAN datasets collected from real vehicles, researchers can identify common attack vectors, understand the typical behavior of IVNs, and develop robust detection mechanisms. In the CAN context, datasets offer labeled traffic data, encompassing both benign actions and established attack scenarios, which help fine-tune the detection capabilities of AI-driven IDS solutions. Several publicly available CAN datasets have been developed to emulate real-world vehicular settings, capturing both legitimate network traffic and a variety of attack patterns, such as Denial of Service (DoS), message spoofing, and replay attacks. These datasets are invaluable for researchers working on machine learning models that can generalize across various attack types while minimizing false positives. The effectiveness of AI-driven IDSs is largely dependent on the quality of datasets used during model creation. Attributes such as traffic volume, the diversity of attacks, and the proportion of normal to malicious data critically affect the system’s performance. For example, an IDS model trained with imbalanced datasets might find it challenging to detect rare but crucial attacks, or it may produce an excessive number of false alarms, reducing its effectiveness in real-time automotive scenarios.
Moreover, the ability of the datasets to encompass the complete range of CAN traffic, including elements like ID, DLC (Data Length Code), payload, and timestamps, augments the model’s ability to detect subtle anomalies. Future research should emphasize the expansion and refinement of these datasets, integrating more intricate attack scenarios and real-time traffic conditions, to ensure that AI-based IDS models are robust, flexible, and prepared for deployment in next-generation vehicles. Table 4 contains some of the most recent and valuable CAN datasets for IDSs, providing the release year, organization, and URL of the shared repositories for each dataset. Then, the key features of the aforementioned CAN datasets are listed in Table 5. This information can provide valuable insights to determine the most suitable CAN dataset for IDS design and development. Therefore, we have classified the traffic categories of each attack and benign data point, with an in-depth distinction: Real, Testbed, Virtual, and Manipulated. The Real class considers only traffic (benign or attack) logged entirely from a real vehicle, without any subsequent manipulation or simulation in a virtual environment. Clearly, attacks classified as real have been performed by injecting additional CAN frames into the monitored IVN of the real vehicle, for example, via the OBD-II port. The Testbed class instead considers those datasets generated in physical testbeds, without the use of a vehicle connection during the recording, for example, by emulating a real CAN network with discrete boards.
The Virtual class is assigned when the CAN traffic is fully generated in a virtual environment, for example, in Matlab suite. Lastly, the Manipulated class is related to traffic generated in a physical environment, and then manipulated to manually add/remove CAN frames. When choosing a dataset, according to the IDS to be designed, the labeling and traffic diversity characteristics should be considered. If, for example, the designed IDS should cover at least a subset of the known attacks, then at least those attacks should be included.
Also, a key aspect could be the total duration of the dataset, and its balancing between benign and attack traffic, thus providing the most complete scenario possible to develop an IDS. However, for each chosen dataset, some preliminary steps may be required to prepare the data appropriately:
  • Preprocessing: Cleaning and organizing data to remove noise and irrelevant information, ensuring high-quality inputs for AI models.
  • Dataset Analysis: Determining the main information of the dataset and defining which CAN traffic characteristics to monitor in the IDS.
  • Feature Extraction: Identifying and extracting relevant features from the CAN data, such as message IDs, payload content, and timing information, which are crucial for detecting anomalies.
In the following, an overview of the most common AI models for Intrusion Detection Systems will be provided.

6. AI Models for IDS in Automotive Cybersecurity

6.1. Statistical Learning Models

  • In the context of vehicle cybersecurity, the Naive Bayes model is particularly useful for detecting attacks on wired networks, such as those used in the CAN bus, which is the main internal communication system in vehicles. CAN bus attacks, such as malicious message injection or manipulation of data transmitted between vehicle components, are a major security threat. Naive Bayes can be used to monitor and analyze messages transmitted over the CAN network, identifying anomalies in communication patterns, such as the message sequence, message identifier, and data length. Due to its simple structure and ability to quickly calculate probabilities, the model can detect deviations from normal behaviors, which may indicate malicious message injection. Additionally, attacks such as Denial of Service (DoS), which aim to overload the vehicle’s wired network by sending an excessive number of messages or requests, can be detected by analyzing the frequency and distribution of transmitted messages. Naive Bayes, with its low computational complexity O ( n ) , is particularly suitable for these scenarios, since it can be implemented in embedded systems with limited resources, ensuring a rapid response to attacks without compromising the vehicle performance. The model’s ability to operate in real time is crucial for the security of wired networks in vehicles, where any delay in detecting an attack could compromise the operational safety of the vehicle [90,91].
  • The K-Nearest Neighbors (KNN) model is presented as an effective solution to detect attacks on wired vehicle networks, such as those based on the CAN bus. In this type of network, the risk of attacks, such as the injection of malicious messages or the manipulation of communications between the various vehicle modules, is a serious problem, as it can compromise the security and correct functioning of the systems. KNN stands out for its simplicity and its ability to detect anomalies by comparing new data with previous examples, without the need for a complex model. In practice, the model analyzes the similarity between new observations and stored historical data, classifying messages transmitted on the CAN network based on their proximity to the most similar “neighbors”, which have been labeled as legitimate or suspicious. When a suspicious message is transmitted on the network, KNN can detect it by comparing the sequence, message identifier, and other characteristics with pre-existing data, identifying any significant deviations. Another type of attack that KNN can detect is a Denial of Service (DoS) attack, where an attacker sends a large number of messages to the network to saturate it. In this case, the model can observe the characteristics of the messages, such as frequency and temporal distribution, and determine if there are any spikes or unusual patterns that suggest an ongoing attack. The main strength of KNN is its ability to dynamically adapt to changes in the data, since as new data is acquired, the model can easily update itself, improving its ability to detect emerging threats. Although KNN can be more expensive in terms of memory and computation than simpler models such as Naive Bayes, its distance-based and proximity classification approach makes it particularly useful in scenarios where deviations from normal network behavior are subtle and difficult to detect. Additionally, KNN can be implemented on embedded systems, albeit with some resource limitations, and can run in real time, which is essential for ensuring secure communications on wired networks in vehicles. Its effectiveness depends on the choice of an appropriate value of K, which determines the number of neighbors to consider, and on the quality of the training data, which must be representative of normal conditions and possible threats [92,93].
  • In the context of vehicle cybersecurity, the linear regression model can be used to detect attacks on wired networks, such as those using the CAN bus. Although linear regression is not a classification model, its application in wired vehicle networks is beneficial for detecting anomalies in data by analyzing the relationships between different variables. The most common attacks on these networks include malicious message injection or the manipulation of data passing between various vehicle components. Linear regression can be used to monitor the relationship between various communication parameters, such as message sequence, data length, and the time interval between messages. Under normal conditions, these parameters will follow predictable, linear trends. If an attack such as malicious message injection alters these patterns, linear regression would be able to detect a discrepancy between the observed data and those predicted by the model, flagging potential threats. For example, a Denial of Service (DoS) attack could generate an abnormal amount of traffic on the CAN network, suddenly changing the relationships between the number of messages sent and the time elapsed between them. Linear regression, analyzing the historical trend of the data, could identify these changes and suggest that the network traffic is deviating from what would be considered normal. Another important aspect of linear regression is its ability to make predictions. If the model is trained on historical, normalized CAN communication data, it could provide an indication of what constitutes expected network behavior, allowing it to easily identify when current data deviate from this prediction. However, linear regression also has limitations in complex attack scenarios. Because it assumes a linear relationship between variables, it may not be able to detect attacks with more complex patterns, where the relationships between the data do not follow a simple distribution. However, this model is extremely useful for detecting anomalies in scenarios where the changes in the data are gradual or follow regular trends, such as traffic spikes or fluctuations in message flow. Although linear regression is not particularly computationally demanding and can be easily implemented on resource-constrained embedded systems, its effectiveness depends on the quality of the training data and its ability to adapt to nonlinear or unpredictable behavior, which may require more sophisticated approaches [94,95].

6.2. Machine Learning Models

  • Decision Trees are particularly useful in these scenarios because they provide a clear and interpretable representation of rule-based decisions that can distinguish between normal traffic and anomalous behavior. On the CAN bus, attacks such as malicious message injection or communication tampering can be detected by analyzing various message attributes, such as the message identifier, data length, and transmission time. A Decision Tree can be trained to create rules based on these characteristics, where each node represents a condition that separates data based on specific values, such as if the message length exceeds a certain threshold or if the time between successive messages is less than a normal value. When an attack, such as malicious message injection, tampers with the usual behavior of CAN data, the Decision Tree can identify these anomalies through the rules it has learned. For example, if network traffic suddenly spikes in the number of messages with a certain ID, or if messages are sent at irregular intervals, the Decision Tree can quickly isolate these events as anomalous compared to normal traffic patterns. This approach is also useful for detecting Denial of Service (DoS) attacks, where traffic volume suddenly increases to saturate the network. The Decision Tree, through its decision rules, can recognize these changes in state and report the attack. Another advantage of Decision Trees is their flexibility and ability to adapt to complex data without requiring linear assumptions about the relationships between variables. This makes them suitable for detecting attacks that may not follow predictable, linear patterns, allowing them to capture a wider range of anomalous behavior. However, a challenge with Decision Trees is the risk of overfitting, especially if the tree is too deep and has too many rules that may be specific to the training data. This can be mitigated through techniques such as pruning, which reduces the complexity of the tree by eliminating branches that add little or no accuracy to the predictions. Despite this, Decision Trees remain a powerful and interpretable model, particularly suitable for embedded environments in vehicles, where it is essential to have models that can run in real time and provide clear explanations for their sensing decisions [96,97].
  • Support Vector Machines (SVMs) are particularly suited to distinguish between normal and anomalous traffic in scenarios where the differences between the two classes are subtle and not easily separable. The main goal of SVMs is to find an optimal hyperplane that separates the classes with the maximum margin, which makes them ideal for detecting attacks such as malicious message injection or communication manipulation, which can be difficult to distinguish from normal data flows. In the case of the CAN bus, SVMs can analyze various characteristics of messages, such as the identifier, length, time sequence, and transmission frequency, to establish a boundary between legitimate data and potentially malicious data. When an attack occurs, such as in the case of rogue message injection, new data may fall outside the margin established by the SVM, thus signaling an anomaly. This approach is also effective for detecting DoS attacks, where traffic volume suddenly and abnormally increases. SVMs can identify these deviations from normal behavior, classifying them as potential attacks based on their distance from the separating hyperplane. A significant advantage of SVMs is their ability to handle high-dimensional spaces, making them useful in situations where there are multiple data features to consider at once. Additionally, using the kernel trick, SVMs can handle non-linearly separable problems by transforming the data into a higher-dimensional space, where a hyperplane can separate classes more effectively. This is particularly useful for detecting complex attacks that do not follow simple linear patterns. However, SVMs can be computationally intensive, especially during the training phase, and require a fair amount of resources to compute margins and support vectors, which can be a challenge in resource-constrained embedded environments. However, once trained, SVMs can operate in real time, which is critical for the security of wired vehicle networks. Their ability to generalize well to unseen data makes them a robust choice for cybersecurity applications, where accuracy and the ability to detect new forms of attack are essential [98,99].
  • Random Forest (RF) is an ensemble of Decision Trees that works by combining predictions from many trees to improve the accuracy and robustness of the model compared to a single Decision Tree. This approach is particularly useful for detecting attacks such as fraudulent message injection or communication manipulation within the CAN network, where individual message features (such as identifier, length, and transmission time) can have subtle variations that are difficult to detect with simple models. For attacks such as message injection, Random Forest can analyze each message by running through multiple Decision Trees, each trained on different portions of the data and with a different subset of features. This allows the model to capture complex patterns and reduce the risk of overfitting, which is common in single Decision Trees. When an anomalous message is detected, such as a message with an unusual ID or sent at an unusual time, the multiple trees in the Random Forest can converge to classify this message as anomalous. Random Forest is also particularly effective at detecting DoS attacks, where traffic on the CAN network suddenly increases to overload the system. Due to its ability to aggregate decisions from multiple trees, Random Forest can detect these anomalies even when the attack signals are subtle and distributed across many features. The model can handle a large number of inputs and find correlations that individual trees might miss. Another significant advantage of Random Forest is its robustness to noise in the data and its ability to handle datasets with many features, without the need for excessive preprocessing or dimension reduction. This makes it particularly suitable for the complex environment of wired vehicle networks, where each message may contain multiple attributes to analyze. However, Random Forest can be computationally more expensive than simpler models, especially during the training phase, where many trees must be built. Despite this, once trained, the model is fast and efficient at inference, making it suitable for real-time implementation in embedded vehicle systems, ensuring fast and accurate detection of attacks on wired networks [100,101].

6.3. Deep Learning Models

  • Long Short-Term Memory (LSTM) is a type of recurrent neural network (RNN) designed to learn and remember relevant information over long sequences, overcoming the limitations of traditional RNNs that suffer from vanishing gradient problems. In the CAN bus, communications occur sequentially and temporally, which makes LSTMs particularly well suited for monitoring and detecting anomalies in message flows. For example, an attack such as fraudulent message injection or traffic manipulation may not be immediately apparent based on a single instance of data, but can manifest itself through variations in the temporal pattern of transmissions. LSTMs, by being able to learn the temporal dependencies between messages, can detect when the data sequence begins to deviate from what is considered normal. If an attacker attempts to inject messages with inconsistent transmission times or with IDs that disrupt the typical sequence, LSTMs can identify these discrepancies as anomalies. DoS attacks, which aim to overload the CAN network by sending a large number of messages in rapid succession, can also be effectively detected with LSTMs. The network can observe the sudden and sustained increase in traffic, distinguishing these anomalous spikes from normal communication patterns. A key advantage of LSTMs is their ability to handle both data that exhibit short-term relationships and data with long-term relationships. This is particularly useful in detecting attacks that may have cumulative or delayed effects over time, something that traditional models may not capture effectively. However, training LSTM networks can be computationally intensive and require a significant amount of training data to generalize well, which may be a challenge in resource-constrained embedded systems in vehicles. However, once trained, LSTMs can operate in real time, allowing the immediate detection of anomalies in CAN network traffic, ensuring a high level of security for internal vehicle communications [102,103].
  • Convolutional Neural Networks (CNNs) automatically extract relevant features from complex data structures, including temporal or sequential data that can be represented as two-dimensional matrices. In the case of CAN networks, transmitted messages can be transformed into a matrix representation, where each row could represent a message and each column could represent an attribute of the message, such as the identifier, data length, and timestamp. CNNs can then be used to detect complex spatial and temporal patterns within this data, which could indicate anomalous behavior or attacks. For example, a malicious message injection attack could alter regular message patterns, introducing variations in the data that a CNN can recognize as deviations from normal behavior. DoS attacks, which produce a sudden and anomalous increase in message volume, can be detected by CNNs due to their ability to capture rapid and distinct changes in data patterns. CNNs, by applying convolutional filters, can quickly identify regions of the data where significant changes occur, signaling the presence of a possible attack. One advantage of CNNs is their ability to reduce the need for manual feature engineering, as convolutional filters can autonomously learn the most significant features from the raw data. This is particularly useful in complex environments such as wired vehicle networks, where it is difficult to determine a priori which specific features are most indicative of an attack. However, CNNs require considerable computational power, especially during the training phase, and large amounts of data to learn effectively, which can be a challenge in resource-constrained embedded systems. However, once trained, CNNs can operate efficiently in real time, providing accurate and rapid detection of anomalies in network traffic, providing an additional layer of security for vehicle communications [104,105].
  • Autoencoders are unsupervised neural networks designed to learn a compressed representation (encoding) of input data, and then reconstruct it as accurately as possible. Their ability to learn a compact and faithful representation of normal data makes them ideal for anomaly detection, as any significant deviation from normal data, such as attacks, will result in a higher reconstruction error. In the case of CAN networks, autoencoders can be trained using only legitimate, non-compromised data. During training, the network learns to compress and decompress network messages in a way that minimizes information loss. When the autoencoder is exposed to anomalous data, such as those generated by malicious message injection or denial of service attacks, the trained models cannot accurately reconstruct these new data patterns, resulting in a higher reconstruction error. This error can be used as a signal to identify potential attacks. For example, in a message injection attack, the injected message data will have temporal and structural characteristics that differ significantly from normal data. The autoencoder, trained on normal CAN data, will not be able to accurately reproduce these new data, signaling an anomaly. The same is true for DoS attacks, where the sudden and irregular increase in traffic may produce a pattern that the autoencoder cannot effectively reconstruct. A significant advantage of autoencoders is that they do not require labeled data for training, which is useful in cybersecurity contexts where obtaining a complete dataset of attacks can be difficult. However, a potential disadvantage is that they require a sufficient amount of normal data to train the model, and their ability to generalize may be limited if the training data do not well represent all the variables of normal communication scenarios. Despite these challenges, autoencoders are a powerful technique for anomaly detection, being able to operate in real time on embedded systems, offering an efficient and accurate solution to protect wired vehicle networks from potential threats [106,107].

7. Conclusions and Future Work

This paper provides a comprehensive review of the evolution of automotive E/E architectures, with a particular focus on the critical role of cybersecurity within in-vehicle networks, specifically the Controller Area Network (CAN) protocol. We have thoroughly examined the capabilities and limitations of various AI-based Intrusion Detection Systems (IDSs), including statistical learning models, machine learning approaches, and deep learning techniques. Each model was analyzed in the context of its effectiveness in detecting a range of cyberattacks prevalent in automotive networks. One of the key innovations introduced in this review is the detailed categorization and comparative analysis of AI-driven IDS methodologies tailored for the automotive domain. Unlike previous works that often provide a general overview of IDS solutions, this review emphasizes the unique challenges posed by automotive-grade embedded systems, such as limited computational resources, the necessity for real-time detection, and strict safety requirements. Additionally, we have highlighted the importance of integrating Explainable AI (XAI) and Embedded AI (EAI) to enhance the transparency and efficiency of IDSs in the automotive context. These aspects represent significant advancements over the current state of the art, providing a more focused lens on how AI can be optimized for vehicular cybersecurity. Despite these advancements, several areas warrant further investigation to ensure that IDS solutions can meet the growing demands of modern, highly connected vehicles. Future research directions include the following:
  • Scalability: With the advent of increasingly complex in-vehicle networks and the growth of autonomous driving technologies, it is imperative to develop IDS solutions that can scale to manage the rising volume and complexity of network traffic without degrading performance.
  • Transparency and Explainability: The integration of XAI techniques is critical to build trust in IDS decisions. Future work should aim at making AI-based IDS decisions interpretable by engineers and other stakeholders, which is essential for debugging, validation, and compliance with safety standards.
  • Adaptability: As cyber threats evolve, IDSs must adapt in real time to detect new, sophisticated attacks. Research should focus on incorporating online learning mechanisms to enhance the adaptive capabilities of IDS systems.
  • Performance on Embedded Platforms: The deployment of IDSs on actual automotive-grade embedded platforms must be rigorously assessed. Future work should ensure that these systems operate within the stringent real-time constraints of automotive environments without imposing significant overhead on vehicle ECUs.
  • Integration with Automotive Standards: Ensuring compliance with standards such as ISO/SAE 21434 will facilitate the adoption of IDS solutions within the industry. Future research should explore ways to align IDS development with these standards to ensure security without compromising compliance.
  • Energy Efficiency: Given the limited power resources in vehicles, future research should explore energy-efficient IDS implementations that minimize power consumption while maintaining high detection accuracy.
In conclusion, this review not only consolidates existing knowledge but also introduces novel insights into the application of AI-based IDSs in the automotive sector. By addressing the outlined research directions, future studies can contribute to the development of more robust, scalable, and efficient IDS solutions. Such advancements are crucial for safeguarding the next generation of connected and autonomous vehicles from an ever-growing landscape of cyber threats.

Author Contributions

All authors have contributed equally to this article. All authors have read and agreed to the published version of the manuscript.

Funding

This research has been partially supported by CN1 Spoke 6; by HARDNESS PE SERICS Spoke 7; MIUR project FoReLab.

Data Availability Statement

No new data have been generated.

Conflicts of Interest

Stefano Mazzetti was employed by the company ESWS. The remaining authors declare that the research was conducted in the absence of any commercial or financial relationship that could be construed as a potential conflict of interest.

References

  1. Zhu, H.; Zhou, W.; Li, Z.; Li, L.; Huang, T. Requirements-driven automotive electrical/electronic architecture: A survey and prospective trends. IEEE Access 2021, 9, 100096–100112. [Google Scholar] [CrossRef]
  2. Askaripoor, H.; Hashemi Farzaneh, M.; Knoll, A. E/E architecture synthesis: Challenges and technologies. Electronics 2022, 11, 518. [Google Scholar] [CrossRef]
  3. Bandur, V.; Selim, G.; Pantelic, V.; Lawford, M. Making the case for centralized automotive E/E architectures. IEEE Trans. Veh. Technol. 2021, 70, 1230–1245. [Google Scholar] [CrossRef]
  4. Brunner, S.; Roder, J.; Kucera, M.; Waas, T. Automotive E/E-architecture enhancements by usage of ethernet TSN. In Proceedings of the 2017 13th Workshop on Intelligent Solutions in Embedded Systems (WISES), Hamburg, Germany, 12–13 June 2017; pp. 9–13. [Google Scholar]
  5. Young, C.; Zambreno, J.; Olufowobi, H.; Bloom, G. Survey of automotive controller area network intrusion detection systems. IEEE Des. Test 2019, 36, 48–55. [Google Scholar] [CrossRef]
  6. Bozdal, M.; Samie, M.; Jennions, I. A survey on can bus protocol: Attacks, challenges, and potential solutions. In Proceedings of the 2018 International Conference on Computing, Electronics & Communications Engineering (iCCECE), Southend, UK, 16–17 August 2018; pp. 201–205. [Google Scholar]
  7. Bozdal, M.; Samie, M.; Aslam, S.; Jennions, I. Evaluation of can bus security challenges. Sensors 2020, 20, 2364. [Google Scholar] [CrossRef] [PubMed]
  8. Checkoway, S.; McCoy, D.; Kantor, B.; Anderson, D.; Shacham, H.; Savage, S.; Koscher, K.; Czeskis, A.; Roesner, F.; Kohno, T. Comprehensive experimental analyses of automotive attack surfaces. In Proceedings of the 20th USENIX Security Symposium (USENIX Security 11), San Francisco, CA, USA, 8–12 August 2011. [Google Scholar]
  9. Rouf, I.; Miller, R.; Mustafa, H.; Taylor, T.; Oh, S.; Xu, W.; Gruteser, M.; Trappe, W.; Seskar, I. Security and privacy vulnerabilities of {In-Car} wireless networks: A tire pressure monitoring system case study. In Proceedings of the 19th USENIX Security Symposium (USENIX Security 10), Washington, DC, USA, 11–13 August 2010. [Google Scholar]
  10. Hoppe, T.; Kiltz, S.; Dittmann, J. Security threats to automotive CAN networks—Practical examples and selected short-term countermeasures. Reliab. Eng. Syst. Saf. 2011, 96, 11–25. [Google Scholar] [CrossRef]
  11. Wang, Q.; Lu, Z.; Qu, G. An entropy analysis based intrusion detection system for controller area network in vehicles. In Proceedings of the 2018 31st IEEE International System-on-Chip Conference (SOCC), Arlington, VA, USA, 4–7 September 2018; pp. 90–95. [Google Scholar]
  12. Lokman, S.F.; Othman, A.T.; Abu-Bakar, M.H. Intrusion detection system for automotive Controller Area Network (CAN) bus system: A review. EURASIP J. Wirel. Commun. Netw. 2019, 2019, 184. [Google Scholar] [CrossRef]
  13. Zhang, L.; Ma, D. A hybrid approach toward efficient and accurate intrusion detection for in-vehicle networks. IEEE Access 2022, 10, 10852–10866. [Google Scholar] [CrossRef]
  14. Longari, S.; Noseda, F.; Carminati, M.; Zanero, S. Evaluating the Robustness of Automotive Intrusion Detection Systems Against Evasion Attacks. In Proceedings of the International Symposium on Cyber Security, Cryptology, and Machine Learning, Beer Sheva, Israel, 29–30 June 2023; Springer: Berlin/Heidelberg, Germany, 2023; pp. 337–352. [Google Scholar]
  15. Zhou, J.; Xie, G.; Yu, S.; Li, R. Clock-based sender identification and attack detection for automotive CAN network. IEEE Access 2020, 9, 2665–2679. [Google Scholar] [CrossRef]
  16. Abreu, R.; Simão, E.; Serôdio, C.; Branco, F.; Valente, A. Enhancing IoT Security in Vehicles: A Comprehensive Review of AI-Driven Solutions for Cyber-Threat Detection. AI 2024, 5, 2279–2299. [Google Scholar] [CrossRef]
  17. Pascale, F.; Adinolfi, E.A.; Coppola, S.; Santonicola, E. Cybersecurity in automotive: An intrusion detection system in connected vehicles. Electronics 2021, 10, 1765. [Google Scholar] [CrossRef]
  18. Luo, F.; Zhang, X.; Yang, Z.; Jiang, Y.; Wang, J.; Wu, M.; Feng, W. Cybersecurity testing for automotive domain: A survey. Sensors 2022, 22, 9211. [Google Scholar] [CrossRef]
  19. Kifor, C.V.; Popescu, A. Automotive cybersecurity: A Survey on frameworks, standards, and testing and monitoring technologies. Sensors 2024, 24, 6139. [Google Scholar] [CrossRef]
  20. Fernandez de Arroyabe, I.; Watson, T.; Phillips, I. Cybersecurity Maintenance in the Automotive Industry Challenges and Solutions: A Technology Adoption Approach. Future Internet 2024, 16, 395. [Google Scholar] [CrossRef]
  21. Jiang, S. Vehicle E/E Architecture and Its Adaptation to New Technical Trends; Technical report, SAE Technical Paper; SAE: Warrendale, PA, USA, 2019. [Google Scholar]
  22. Guissouma, H.; Hohl, C.P.; Lesniak, F.; Schindewolf, M.; Becker, J.; Sax, E. Lifecycle management of automotive safety-critical over the air updates: A systems approach. IEEE Access 2022, 10, 57696–57717. [Google Scholar] [CrossRef]
  23. Mariño, A.G.; Fons, F.; Arostegui, J.M.M. The future roadmap of in-vehicle network processing: A HW-centric (R-) evolution. IEEE Access 2022, 10, 69223–69249. [Google Scholar] [CrossRef]
  24. Hussein, H.M.; Ibrahim, A.M.; Taha, R.A.; Rafin, S.S.; Abdelrahman, M.S.; Kharchouf, I.; Mohammed, O.A. State-of-the-Art Electric Vehicle Modeling: Architectures, Control, and Regulations. Electronics 2024, 13, 3578. [Google Scholar] [CrossRef]
  25. ISO 17987; Road Vehicles—Local Interconnect Network (LIN). ISO: Geneva, Switzerland, 2016.
  26. ISO 21806; Road Vehicles—Media Oriented Systems Transport (MOST). ISO: Geneva, Switzerland, 2020.
  27. ISO 17458; Road Vehicles—FlexRay Communications System. ISO: Geneva, Switzerland, 2013.
  28. ISO 21111; Road Vehicles—In-Vehicle Ethernet. ISO: Geneva, Switzerland, 2020.
  29. ISO/IEC/IEEE 8802-1BA; Information Technology—Telecommunications and Information Exchange Between Systems—Local and Metropolitan Area Networks—Specific Requirements-Part 1BA: Audio Video Bridging (AVB) Systems. ISO: Geneva, Switzerland, 2023.
  30. ISO 11898; Road Vehicles—Controller Area Network (CAN). ISO: Geneva, Switzerland, 2024.
  31. Schulte, W. TSN-Time-Sensitive Networking; VDE Verlag GmbH: Berlin, Germany, 2020. [Google Scholar]
  32. Rodríguez, B.; Sanjurjo, E.; Tranchero, M.; Romano, C.; González, F. Thermal parameter and state estimation for digital twins of e-powertrain components. IEEE Access 2021, 9, 97384–97400. [Google Scholar] [CrossRef]
  33. Lin, M.; Xie, H.; Shan, M. A hybrid multiscale permutation entropy-based fault diagnosis and inconsistency evaluation approach for lithium battery of E-vehicles. IEEE Access 2022, 10, 104757–104768. [Google Scholar] [CrossRef]
  34. Karopoulos, G.; Kambourakis, G.; Chatzoglou, E.; Hernández-Ramos, J.L.; Kouliaridis, V. Demystifying in-vehicle intrusion detection systems: A survey of surveys and a meta-taxonomy. Electronics 2022, 11, 1072. [Google Scholar] [CrossRef]
  35. Otoum, Y.; Nayak, A. As-ids: Anomaly and signature based ids for the internet of things. J. Netw. Syst. Manag. 2021, 29, 23. [Google Scholar] [CrossRef]
  36. Dini, P.; Elhanashi, A.; Begni, A.; Saponara, S.; Zheng, Q.; Gasmi, K. Overview on intrusion detection systems design exploiting machine learning for networking cybersecurity. Appl. Sci. 2023, 13, 7507. [Google Scholar] [CrossRef]
  37. Wang, D.; Ganesan, S. Automotive domain controller. In Proceedings of the 2020 International Conference on Computing and Information Technology (ICCIT-1441), Tabuk, Saudi Arabia, 9–10 September 2020; pp. 1–5. [Google Scholar]
  38. Kilian, P.; Koller, O.; Van Bergen, P.; Gebauer, C.; Dazer, M. Safety-related availability in the power supply domain. IEEE Access 2022, 10, 47869–47880. [Google Scholar] [CrossRef]
  39. ISO 26262; Road Vehicles—Functional Safety. ISO: Geneva, Switzerland, 2018.
  40. Vdovic, H.; Babic, J.; Podobnik, V. Automotive software in connected and autonomous electric vehicles: A review. IEEE Access 2019, 7, 166365–166379. [Google Scholar] [CrossRef]
  41. De Gelder, E.; Elrofai, H.; Saberi, A.K.; Paardekooper, J.P.; Den Camp, O.O.; De Schutter, B. Risk quantification for automated driving systems in real-world driving scenarios. IEEE Access 2021, 9, 168953–168970. [Google Scholar] [CrossRef]
  42. Ranjbar, B.; Safaei, B.; Ejlali, A.; Kumar, A. FANTOM: Fault tolerant task-drop aware scheduling for mixed-criticality systems. IEEE Access 2020, 8, 187232–187248. [Google Scholar] [CrossRef]
  43. Canino, N.; Di Matteo, S.; Rossi, D.; Saponara, S. HW-SW interface design and implementation for error logging and reporting for RAS improvement. IEEE Access 2024, 12, 60081–60094. [Google Scholar] [CrossRef]
  44. Girdhar, M.; You, Y.; Song, T.J.; Ghosh, S.; Hong, J. Post-Accident Cyberattack Event Analysis for Connected and Automated Vehicles. IEEE Access 2022, 10, 83176–83194. [Google Scholar] [CrossRef]
  45. Sharma, P.; Gillanders, J. Cybersecurity and Forensics in Connected Autonomous Vehicles: A Review of the State-of-the-Art. IEEE Access 2022, 10, 108979–108996. [Google Scholar] [CrossRef]
  46. ISO/SAE 21434; Road Vehicles—Cybersecurity Engineering. ISO: Geneva, Switzerland; SAE: Warrendale, PA, USA, 2018.
  47. Costantino, G.; De Vincenzi, M.; Matteucci, I. A comparative analysis of unece wp. 29 r155 and ISO/SAE 21434. In Proceedings of the 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Genoa, Italy, 6–10 June 2022; pp. 340–347. [Google Scholar]
  48. Macher, G.; Schmittner, C.; Veledar, O.; Brenner, E. ISO/SAE DIS 21434 automotive cybersecurity standard-in a nutshell. In Proceedings of the Computer Safety, Reliability, and Security. SAFECOMP 2020 Workshops: DECSoS 2020, DepDevOps 2020, USDAI 2020, and WAISE 2020, Lisbon, Portugal, 15 September 2020; Proceedings 39. Springer: Berlin/Heidelberg, Germany, 2020; pp. 123–135. [Google Scholar]
  49. UNECE. UN Regulation No.155-Cyber Security and Cyber Security Management System; UNECE: Geneva, Switzerland, 2021. [Google Scholar]
  50. UNECE. UN Regulation No.156-Software Update and Software Update Management System; UNECE: Geneva, Switzerland, 2021. [Google Scholar]
  51. Miller, C. Remote exploitation of an unaltered passenger vehicle. In Proceedings of the Black Hat USA, Las Vegas, NV, USA, 1–6 August 2015. [Google Scholar]
  52. Jing, P.; Cai, Z.; Cao, Y.; Yu, L.; Du, Y.; Zhang, W.; Qian, C.; Luo, X.; Nie, S.; Wu, S. Revisiting automotive attack surfaces: A practitioners’ perspective. In Proceedings of the 2024 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 19–23 May 2024; pp. 2348–2365. [Google Scholar]
  53. Marksteiner, S.; Priller, P. A model-driven methodology for automotive cybersecurity test case generation. In Proceedings of the 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Vienna, Austria, 7–11 September 2021; pp. 129–135. [Google Scholar]
  54. Cho, K.T.; Shin, K.G. Error handling of in-vehicle networks makes them vulnerable. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016; pp. 1044–1055. [Google Scholar]
  55. Gumrukcu, E.; Arsalan, A.; Muriithi, G.; Joglekar, C.; Aboulebdeh, A.; Zehir, M.A.; Papari, B.; Monti, A. Impact of cyber-attacks on EV charging coordination: The case of single point of failure. In Proceedings of the 2022 4th Global Power, Energy and Communication Conference (GPECOM), Cappadocia, Turkey, 14–17 June 2022; pp. 506–511. [Google Scholar]
  56. Specification, C. Bosch. Robert Bosch Gmbh Postfach 1991, 50, 15. [Google Scholar]
  57. Koscher, K.; Czeskis, A.; Roesner, F.; Patel, S.; Kohno, T.; Checkoway, S.; McCoy, D.; Kantor, B.; Anderson, D.; Shacham, H.; et al. Experimental security analysis of a modern automobile. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 16–19 May 2010; pp. 447–462. [Google Scholar]
  58. Jo, H.J.; Choi, W. A survey of attacks on controller area networks and corresponding countermeasures. IEEE Trans. Intell. Transp. Syst. 2021, 23, 6123–6141. [Google Scholar] [CrossRef]
  59. Perraud, E. Machine learning algorithm of detection of DoS attacks on an automotive telematic unit. Int. J. Comput. Netw. Commun. (IJCNC) 2019, 11, 27–43. [Google Scholar] [CrossRef]
  60. Jedh, M.; Othmane, L.B.; Ahmed, N.; Bhargava, B. Detection of message injection attacks onto the can bus using similarities of successive messages-sequence graphs. IEEE Trans. Inf. Forensics Secur. 2021, 16, 4133–4146. [Google Scholar] [CrossRef]
  61. Lee, H.; Choi, K.; Chung, K.; Kim, J.; Yim, K. Fuzzing can packets into automobiles. In Proceedings of the 2015 IEEE 29th International Conference on Advanced Information Networking and Applications, Gwangiu, Republic of Korea, 24–27 March 2015; pp. 817–821. [Google Scholar]
  62. Csikor, L.; Lim, H.W.; Wong, J.W.; Ramesh, S.; Parameswarath, R.P.; Chan, M.C. Rollback: A new time-agnostic replay attack against the automotive remote keyless entry systems. ACM Trans. Cyber-Phys. Syst. 2024, 8, 1–25. [Google Scholar] [CrossRef]
  63. Van Der Merwe, J.R.; Zubizarreta, X.; Lukčin, I.; Rügamer, A.; Felber, W. Classification of spoofing attack types. In Proceedings of the 2018 European Navigation Conference (ENC), Gothenburg, Sweden, 14–17 May 2018; pp. 91–99. [Google Scholar]
  64. Lee, S.; Choi, W.; Jo, H.J.; Lee, D.H. ErrIDS: An enhanced cumulative timing error-based automotive intrusion detection system. IEEE Trans. Intell. Transp. Syst. 2023, 24, 12406–12421. [Google Scholar] [CrossRef]
  65. Jo, H.J.; Kim, J.H.; Choi, H.Y.; Choi, W.; Lee, D.H.; Lee, I. Mauth-can: Masquerade-attack-proof authentication for in-vehicle networks. IEEE Trans. Veh. Technol. 2019, 69, 2204–2218. [Google Scholar] [CrossRef]
  66. Rajapaksha, S.; Kalutarage, H.; Al-Kadri, M.O.; Petrovski, A.; Madzudzo, G.; Cheah, M. Ai-based intrusion detection systems for in-vehicle networks: A survey. ACM Comput. Surv. 2023, 55, 1–40. [Google Scholar] [CrossRef]
  67. Studnia, I.; Alata, E.; Nicomette, V.; Kaâniche, M.; Laarouchi, Y. A language-based intrusion detection approach for automotive embedded networks. Int. J. Embed. Syst. 2018, 10, 1–12. [Google Scholar] [CrossRef]
  68. Jin, S.; Chung, J.G.; Xu, Y. Signature-based intrusion detection system (IDS) for in-vehicle CAN bus network. In Proceedings of the 2021 IEEE International Symposium on Circuits and Systems (ISCAS), Daegu, Republic of Korea, 22–28 May 2021; pp. 1–5. [Google Scholar]
  69. Tomandl, A.; Fuchs, K.P.; Federrath, H. REST-Net: A dynamic rule-based IDS for VANETs. In Proceedings of the 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Portugal, 20–22 May 2014; pp. 1–8. [Google Scholar]
  70. Groza, B.; Murvay, P.S. Efficient intrusion detection with bloom filtering in controller area networks. IEEE Trans. Inf. Forensics Secur. 2018, 14, 1037–1051. [Google Scholar] [CrossRef]
  71. Aliyu, I.; Feliciano, M.C.; Van Engelenburg, S.; Kim, D.O.; Lim, C.G. A blockchain-based federated forest for SDN-enabled in-vehicle network intrusion detection system. IEEE Access 2021, 9, 102593–102608. [Google Scholar] [CrossRef]
  72. Dini, P.; Begni, A.; Ciavarella, S.; De Paoli, E.; Fiorelli, G.; Silvestro, C.; Saponara, S. Design and testing novel one-class classifier based on polynomial interpolation with application to networking security. IEEE Access 2022, 10, 67910–67924. [Google Scholar] [CrossRef]
  73. Dini, P.; Saponara, S. Design and Experimental Assessment of Real-Time Anomaly Detection Techniques for Automotive Cybersecurity. Sensors 2023, 23, 9231. [Google Scholar] [CrossRef]
  74. Cho, K.T.; Shin, K.G. Fingerprinting electronic control units for vehicle intrusion detection. In Proceedings of the 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, USA, 10–12 August 2016; pp. 911–927. [Google Scholar]
  75. Hafeez, A.; Rehman, K.; Malik, H. State of the Art Survey on Comparison of Physical Fingerprinting-Based Intrusion Detection Techniques for In-Vehicle Security; Technical report, SAE Technical Paper; SAE: Warrendale, PA, USA, 2020. [Google Scholar]
  76. Choi, W.; Joo, K.; Jo, H.J.; Park, M.C.; Lee, D.H. VoltageIDS: Low-level communication characteristics for automotive intrusion detection system. IEEE Trans. Inf. Forensics Secur. 2018, 13, 2114–2129. [Google Scholar] [CrossRef]
  77. Zhao, Y.; Xun, Y.; Liu, J. ClockIDS: A real-time vehicle intrusion detection system based on clock skew. IEEE Internet Things J. 2022, 9, 15593–15606. [Google Scholar] [CrossRef]
  78. Rosadini, C.; Chiarelli, S.; Cornelio, A.; Nesci, W.; Saponara, S.; Dini, P.; Gagliardi, A. Method for Protection from Cyber Attacks to a Vehicle Based Upon Time Analysis, and Corresponding Device. U.S. Patent Application 18/163,488, 2 February 2023. [Google Scholar]
  79. Wang, C.; Zhao, Z.; Gong, L.; Zhu, L.; Liu, Z.; Cheng, X. A distributed anomaly detection system for in-vehicle network using HTM. IEEE Access 2018, 6, 9091–9098. [Google Scholar] [CrossRef]
  80. Adadi, A.; Berrada, M. Peeking inside the black-box: A survey on explainable artificial intelligence (XAI). IEEE Access 2018, 6, 52138–52160. [Google Scholar] [CrossRef]
  81. Zhang, Z.; Li, J. A review of artificial intelligence in embedded systems. Micromachines 2023, 14, 897. [Google Scholar] [CrossRef] [PubMed]
  82. Lee, H.; Jeong, S.H.; Kim, H.K. OTIDS: A novel intrusion detection system for in-vehicle network by using remote frame. In Proceedings of the 2017 15th Annual Conference on Privacy, Security and Trust (PST), Calgary, AB, Canada, 28–30 August 2017; pp. 57–5709. [Google Scholar]
  83. Dupont, G.; Lekidis, A.; Den Hartog, J.; Etalle, S. Automotive Controller Area Network (CAN) Bus Intrusion Dataset v2. Version 2. 4TU.ResearchData. Dataset 2019. [Google Scholar] [CrossRef]
  84. Hanselmann, M.; Strauss, T.; Dormann, K.; Ulmer, H. CANet: An Unsupervised Intrusion Detection System for High Dimensional CAN Bus Data. IEEE Access 2020, 8, 58194–58205. [Google Scholar] [CrossRef]
  85. Kang, H.; Kwak, B.I.; Lee, Y.H.; Lee, H.; Lee, H.; Kim, H.K. Car hacking and defense competition on in-vehicle network. In Proceedings of the Workshop on Automotive and Autonomous Vehicle Security (AutoSec), Online, 25 February 2021; Volume 2021, p. 25. [Google Scholar]
  86. Verma, M.E.; Iannacone, M.D.; Bridges, R.A.; Hollifield, S.C.; Moriano, P.; Kay, B.; Combs, F.L. Addressing the lack of comparability & testing in can intrusion detection research: A comprehensive guide to can ids data & introduction of the road dataset. arXiv 2020, arXiv:2012.14600. [Google Scholar]
  87. Gazdag, A.; Ferenc, R.; Buttyán, L. CrySyS dataset of CAN traffic logs containing fabrication and masquerade attacks. Sci. Data 2023, 10, 903. [Google Scholar] [CrossRef]
  88. Rajapaksha, S.; Madzudzo, G.; Kalutarage, H.; Petrovski, A.; Al-Kadri, M.O. CAN-MIRGU: A Comprehensive CAN Bus Attack Dataset from Moving Vehicles for Intrusion Detection System Evaluation. In Proceedings of the Symposium on Vehicles Security and Privacy. Internet Society, San Diego, CA, USA, 26 February 2024. [Google Scholar]
  89. Jeong, S.; Lee, S.; Lee, H.; Kim, H.K. X-CANIDS: Signal-Aware Explainable Intrusion Detection System for Controller Area Network-Based In-Vehicle Network. IEEE Trans. Veh. Technol. 2024, 73, 3230–3246. [Google Scholar] [CrossRef]
  90. Islam, R.; Devnath, M.K.; Samad, M.D.; Al Kadry, S.M.J. GGNB: Graph-based Gaussian naive Bayes intrusion detection system for CAN bus. Veh. Commun. 2022, 33, 100442. [Google Scholar] [CrossRef]
  91. Lampe, B.; Meng, W. Intrusion Detection in the Automotive Domain: A Comprehensive Review. IEEE Commun. Surv. Tutor. 2023, 25, 2356–2426. [Google Scholar] [CrossRef]
  92. Anthony, C.; Elgenaidi, W.; Rao, M. Intrusion detection system for autonomous vehicles using non-tree based machine learning algorithms. Electronics 2024, 13, 809. [Google Scholar] [CrossRef]
  93. Kousar, A.; Ahmed, S.; Altamimi, A.; Khan, Z.A. A Novel Light-Weight Machine Learning Classifier for Intrusion Detection in Controller Area Network in Smart Cars. Smart Cities 2024, 7, 3289–3314. [Google Scholar] [CrossRef]
  94. Dakic, P.; Zivkovic, M.; Jovanovic, L.; Bacanin, N.; Antonijevic, M.; Kaljevic, J.; Simic, V. Intrusion detection using metaheuristic optimization within IoT/IIoT systems and software of autonomous vehicles. Sci. Rep. 2024, 14, 22884. [Google Scholar] [CrossRef] [PubMed]
  95. Bi, Z.; Xu, G.; Xu, G.; Wang, C.; Zhang, S. Bit-level automotive controller area network message reverse framework based on linear regression. Sensors 2022, 22, 981. [Google Scholar] [CrossRef] [PubMed]
  96. Azam, Z.; Islam, M.M.; Huda, M.N. Comparative Analysis of Intrusion Detection Systems and Machine Learning-Based Model Analysis Through Decision Tree. IEEE Access 2023, 11, 80348–80391. [Google Scholar] [CrossRef]
  97. Sowka, K.; Palade, V.; Jadidbonab, H.; Wooderson, P.; Nguyen, H. A review on automatic generation of attack trees and its application to automotive cybersecurity. In Artificial Intelligence and Cyber Security in Industry 4.0; Springer: Berlin/Heidelberg, Germany, 2023; pp. 165–193. [Google Scholar]
  98. Avatefipour, O.; Al-Sumaiti, A.S.; El-Sherbeeny, A.M.; Awwad, E.M.; Elmeligy, M.A.; Mohamed, M.A.; Malik, H. An Intelligent Secured Framework for Cyberattack Detection in Electric Vehicles’ CAN Bus Using Machine Learning. IEEE Access 2019, 7, 127580–127592. [Google Scholar] [CrossRef]
  99. Ashraf, M.W.A.; Singh, A.R.; Pandian, A.; Rathore, R.S.; Bajaj, M.; Zaitsev, I. A hybrid approach using support vector machine rule-based system: Detecting cyber threats in internet of things. Sci. Rep. 2024, 14, 27058. [Google Scholar] [CrossRef] [PubMed]
  100. Caivano, D.; Catalano, C.; De Vincentiis, M.; Lako, A.; Pagano, A. MaREA: Multi-class Random Forest for Automotive Intrusion Detection. In Proceedings of the International Conference on Product-Focused Software Process Improvement, Dornbirn, Austria, 10–13 December 2023; Springer: Berlin/Heidelberg, Germany, 2023; pp. 23–34. [Google Scholar]
  101. Reddy, C.M.; Anbarasi, A.; Mohankumar, N.; Ishwarya, M.V.; Murugan, S. Cloud-Based Road Safety for Real-Time Vehicle Rash Driving Alerts with Random Forest Algorithm. In Proceedings of the 2024 3rd International Conference for Innovation in Technology (INOCON), Bangalore, India, 1–3 March 2024; pp. 1–6. [Google Scholar] [CrossRef]
  102. Longari, S.; Nova Valcarcel, D.H.; Zago, M.; Carminati, M.; Zanero, S. CANnolo: An Anomaly Detection System Based on LSTM Autoencoders for Controller Area Network. IEEE Trans. Netw. Serv. Manag. 2021, 18, 1913–1924. [Google Scholar] [CrossRef]
  103. Zhang, H.; Kang, C.; Xiao, Y. Research on network security situation awareness based on the LSTM-DT model. Sensors 2021, 21, 4788. [Google Scholar] [CrossRef]
  104. Chougule, A.; Kulkarni, I.; Alladi, T.; Chamola, V.; Yu, F.R. HybridSecNet: In-Vehicle Security on Controller Area Networks Through a Hybrid Two-Step LSTM-CNN Model. IEEE Trans. Veh. Technol. 2024, 73, 14580–14591. [Google Scholar] [CrossRef]
  105. Na, I.S.; Haldorai, A.; Naik, N. Federal Deep Learning Approach of Intrusion Detection System for In-Vehicle Communication Network Security. IEEE Access 2025, 13, 2215–2228. [Google Scholar] [CrossRef]
  106. Wei, P.; Wang, B.; Dai, X.; Li, L.; He, F. A novel intrusion detection model for the CAN bus packet of in-vehicle network based on attention mechanism and autoencoder. Digit. Commun. Netw. 2023, 9, 14–21. [Google Scholar] [CrossRef]
  107. Kim, T.; Kim, J.; You, I. An Anomaly Detection Method Based on Multiple LSTM-Autoencoder Models for In-Vehicle Network. Electronics 2023, 12, 3543. [Google Scholar] [CrossRef]
Electronics 14 00471 g001
Figure 1. Taxonomy of attack surfaces from a dual point of view: starting point and ongoing phases of an attack.
Figure 1. Taxonomy of attack surfaces from a dual point of view: starting point and ongoing phases of an attack.
Electronics 14 00471 g001
Electronics 14 00471 g003
Figure 3. Error states defined by CAN protocol.
Figure 3. Error states defined by CAN protocol.
Electronics 14 00471 g003
Electronics 14 00471 g004
Figure 4. Examples of known attacks on CAN networks, highlighting the order and periodicity of considered frames. ECUs A and B are legitimate, while K is the attacker.
Figure 4. Examples of known attacks on CAN networks, highlighting the order and periodicity of considered frames. ECUs A and B are legitimate, while K is the attacker.
Electronics 14 00471 g004
Electronics 14 00471 g005
Figure 5. IDS taxonomy defining the four characteristics of the design space.
Figure 5. IDS taxonomy defining the four characteristics of the design space.
Electronics 14 00471 g005
Table 1. Comparison of in-vehicle network protocols.
Table 1. Comparison of in-vehicle network protocols.
ProtocolYearProsCons
CAN [24]1986High reliability; cost-effective; suitable for real-time and safety-critical applications.Limited bandwidth (up to 1 Mbps); not suitable for high-data-rate applications.
LIN [25]1999Low cost; ideal for low-speed tasks; simple master–slave architecture.Low data rate (20 kbps); unsuitable for real-time applications.
MOST [26]1999Optimized for multimedia; high data rate (150 Mbps); real-time transmission.Not suitable for safety-critical applications; higher complexity and cost.
FlexRay [27]2000High-speed (10 Mbps); fault-tolerant; deterministic for x-by-wire systems.Expensive; complex hardware and software.
Automotive Ethernet [28]2008Very high bandwidth (1 Gbps+); scalable; supports IP-based communication.Higher cost; complex integration and synchronization.
AVB [29]2009Time-sensitive networking; low latency for multimedia; integrates with Ethernet.Limited to multimedia; precise configuration required.
CAN-FD [30]2012Higher data rate (8 Mbps); backward compatible; increased payload size.Complex error handling; requires CAN FD-compatible hardware.
TSN [31]2012Guarantees time-sensitive data; suitable for mixed-criticality applications.High complexity; expensive for small systems.
CAN-XL [30]2019High data rate (10 Mbps); large payload (2048 bytes); backward compatible.Early adoption stage; requires new infrastructure.
Table 2. Vehicle domain functions, components, and typical network protocol [2,24,37].
Table 2. Vehicle domain functions, components, and typical network protocol [2,24,37].
Vehicle DomainFunctionComponentsProtocols
PowertrainManages engine control, transmission, and related systemsECU, TCM, throttle control, fuel injection, exhaust gas recirculationCAN, CAN FD, FlexRay
ChassisResponsible for vehicle dynamics, safety, and control systemsABS, ESC, airbags, traction control, suspension systemsFlexRay, CAN
BodyManages body control systems for convenience and user comfortCentral locking, climate control, lighting, power windowsLIN, CAN
InfotainmentHandles multimedia, navigation, and entertainment systemsAudio systems, navigation, Bluetooth, wireless connectivity, user interfaceMOST, Ethernet, AVB, CAN
ADASFocuses on semi-autonomous and autonomous driving systemsAdaptive cruise control, lane-keeping assist, radars, cameras, LIDAR, parking assistanceEthernet, CAN FD, TSN, FlexRay
Telematics and HMIManages telematics, communications, and OTATelematics Control Unit, GPS, V2V, V2I communication, 4G/5G modemEthernet, Cellular, Wi-Fi, V2X, CAN FD
HVACResponsible for climate control, ventilation, cooling, and heatingAir conditioning system, blower fans, temperature sensorsLIN, CAN
Energy Management/High Voltage (EVs)Manages energy storage, distribution, and battery systems in EVsBattery Management System (BMS), charging systems, inverters, electric motorsCAN, CAN FD, Ethernet
Table 3. Attack surfaces in the automotive domain, classified according to classical taxonomy.
Table 3. Attack surfaces in the automotive domain, classified according to classical taxonomy.
CategoryAttack Surface
PhysicalIVN protocols (CAN, LIN, FlexRay, etc.); OBD-II Port; Powertrain ECU; Body Control ECU; Infotainment ECU; ADAS; Infotainment USB Ports; SD Card Slots; Auxiliary Ports; Charging Ports (EV); Aftermarket Devices (e.g., plugged into OBD-II).
Wireless Local (<100 m)Bluetooth; Wi-Fi (in-vehicle hotspots); NFC; Keyless Entry Systems; TPMS; LIDAR/RADAR (autonomous vehicles); Cameras (autonomous vehicles); Ultrasonic Sensors.
Wireless Unlimited (>100 m)Telematics Units (GPS, Cellular); V2V Communication; V2I Communication; OTA Updates; Telematics Backend Systems; Mobile Apps and Connected Services; RFID; V2G Systems; EV Charging Networks; Cloud and Backend Systems.
Table 4. Overview of most valuable CAN datasets, in chronological order.
Table 4. Overview of most valuable CAN datasets, in chronological order.
DatasetYearOrganizationRepository URL
OTIDS [82] [DS1]2017HCRLhttps://ocslab.hksecurity.net/Dataset/CAN-intrusion-dataset (accessed on 15 October 2024)
Intrusion Dataset v2 [83] [DS2]2019TU Eindhovenhttps://data.4tu.nl/articles/dataset/Automotive_Controller_Area_Network_CAN_Bus_Intrusion_Dataset/12696950/2 (accessed on 15 October 2024)
SynCAN [84] [DS3]2019Boschhttps://github.com/etas/SynCAN (accessed on 15 October 2024)
CarHacking Challenge [85] [DS4]2020HCRLhttps://ocslab.hksecurity.net/Datasets/carchallenge2020 (accessed on 15 October 2024)
ROAD [86] [DS5]2020ORNLhttps://0xsam.com/road/ (accessed on 15 October 2024)
CrySyS [87] [DS6]2023CrySyS Labhttps://www.crysys.hu/research/vehicle-security (accessed on 15 October 2024)
CAN-MIRGU [88] [DS7]2024Robert Gordon Universityhttps://github.com/sampathrajapaksha/CAN-MIRGU (accessed on 15 October 2024)
X-CANIDS [89] [DS8]2024HCRLhttps://ieee-dataport.org/open-access/x-canids-dataset-vehicle-signal-dataset (accessed on 15 October 2024)
Table 5. Main characteristics of the considered CAN datasets.
Table 5. Main characteristics of the considered CAN datasets.
DatasetLabelTraffic TypeBenignDoSFuzzyReplaySpoofSusp.Masq.TracesNo AttackAttack
DS1NoRealYesYesYes--Yes-317 m 17 s18 m 56 s
DS2YesReal/TestbedYesYesYesYesYesYes-1832 m 8 s19 m 45 s
DS3MixedReal/VirtualYesYesYesYesYesYesYes513 h24 h
DS4MixedRealYesYesYesYesYes--132 m46 m
DS5NoRealYesYesYes-Yes-Yes333 h 0 m 32 s27 m 10 s
DS6YesReal/TestbedYes-YesYesYes-Yes12482 h 33 m 43 s2 h 33 m 43 s
DS7YesRealYesYesYesYesYesYesYes3617 h 8 m 10 s2 h 54 m 56 s
DS8YesReal/TestbedYes-YesYesYesYesYes1263 h 28 m 25 s32 m 42 s each
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Canino, N.; Dini, P.; Mazzetti, S.; Rossi, D.; Saponara, S.; Soldaini, E. Cybersecurity of Automotive Wired Networking Systems: Evolution, Challenges, and Countermeasures. Electronics 2025, 14, 471. https://doi.org/10.3390/electronics14030471

AMA Style

Canino N, Dini P, Mazzetti S, Rossi D, Saponara S, Soldaini E. Cybersecurity of Automotive Wired Networking Systems: Evolution, Challenges, and Countermeasures. Electronics. 2025; 14(3):471. https://doi.org/10.3390/electronics14030471

Chicago/Turabian Style

Canino, Nicasio, Pierpaolo Dini, Stefano Mazzetti, Daniele Rossi, Sergio Saponara, and Ettore Soldaini. 2025. "Cybersecurity of Automotive Wired Networking Systems: Evolution, Challenges, and Countermeasures" Electronics 14, no. 3: 471. https://doi.org/10.3390/electronics14030471

APA Style

Canino, N., Dini, P., Mazzetti, S., Rossi, D., Saponara, S., & Soldaini, E. (2025). Cybersecurity of Automotive Wired Networking Systems: Evolution, Challenges, and Countermeasures. Electronics, 14(3), 471. https://doi.org/10.3390/electronics14030471

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop