Advanced Temperature-Varied ECU Fingerprints for Source Identification and Intrusion Detection in Controller Area Networks

External wireless interfaces and the lack of security design of controller area network (CAN) standards make it vulnerable to CAN-targeting attacks. Unfortunately, various defense solutions have been proposed merely to detect CAN intrusion attacks, while only a few works are devoted to intrusion source identiﬁcation. Demonstrated by our experimental studies, the most advanced IDS with intrusion source identiﬁcation, which is based on the physical feature ﬁngerprints of the in-vehicle Electronic Control Units (ECUs), will fail when the temperature changes. In this paper, we innovatively propose temperature-varied ﬁngerprinting, called TVF, for CAN intrusion detection and intrusion source identiﬁcation. Motivated by the remarkable observation that the physical feature of an ECU, i.e., its clock oﬀset, changes linearly with the temperature of ECUs, the concept of temperature-varied ﬁngerprints is proposed. Then, for a severe intrusion case, we provide an advanced TVF for further supplemented and expanded. The proposed advanced temperature-varied ﬁngerprinting is implemented, and extensive performance evaluation experiments are conducted in both CAN bus prototype and real vehicles. The experimental results illustrate the eﬀectiveness and performance of advanced TVF.


Introduction
With the development of automobile intelligent control systems, multifunctional Electronic Control Units (ECUs) have been mounted in contemporary vehicles. Typically, ECUs exchange messages via the controller area network (CAN) which is a de facto standard for in-vehicle networks. However, due to the lack of security defense design of CAN protocol, those vulnerable ECUs are easily accessed by adversaries to perform CAN-targeting attacks. e vulnerable ECUs are those noncritical and usually support wireless functions, such as WiFi, Bluetooth, and various V2X communications, which can link with outside terminals, including smartphones, base stations, and other vehicles. e in-vehicle network intrusion is to inject spoofing messages through a vulnerable ECU to the CAN bus, which will induce those safety-critical ECUs to conduct dangerous operations [1][2][3][4]. e safety-critical ECUs are those enabling control critical safety-related types of equipment in the vehicle, e.g., automatic cruise system, antiskid brake system, and airbags. An illustrating example of intrusions on CAN bus is shown in Figure 1. ECU X was wirelessly compromised by adversaries, and its messages are noncritical and pose little threat to the car. ECU Y is a critical controller ECU which is able to send brake commands Msg y through CAN bus when the vehicle overspeeds. Z is a safety-critical ECU with crucial function, which performs brake operations when receiving brake commands Msg y from Y. In other words, an intrusion attack can be mounted by adversaries through ECU X by sending forged commands Msg y to the CAN bus to seduce ECU Z performing unexpected braking. Such kinds of intrusion attacks could completely ignore drivers' input and lead to brake errors, power steering failures, or other severe hazards to passengers' safety.
Intrusion detection is dedicated to detecting intrusion attacks in in-vehicle networks. It has faced the following challenges. First, it requires high accuracy because any falsepositive error may severely affect the safety of drivers. en, since ECUs inside vehicles have limited computational resources, complex cryptographic algorithms cannot be deployed in vehicles. Last, there are no source or destination addresses in a CAN frame, so it is difficult to trace the attacker ECU even though an intrusion was detected.
Two types of intrusion detection solutions have been proposed for in-vehicle network attacks. One is messagerecognition-based intrusion detection systems (IDSs) [1,[5][6][7][8][9] and the other is the source-recognition-based detection solutions [10][11][12][13][14][15][16]. In a message-recognition-based detection system, intrusion attacks can be detected by analyzing the message features, e.g., CAN message rate, CAN message time information, and CAN bus entropy. Nevertheless, such message-recognition-based detection solutions cannot recognize which ECU actually mounts the attack, as the CAN frame does not carry any source information. Existing ECU source-recognition-based solutions are typically based on clock skew fingerprint [10,13] and voltage fingerprint [11,12,[14][15][16]. Although these solutions achieve the identification of attack sources, they can only be useful in a temperature-stable environment.
Based on the analysis of the experimental results, we witnessed that the clock skew-based fingerprints are susceptible to the temperature, which leads to the failure of existing clock skew-based fingerprints. According to our observation, only 10 centigrade temperature difference will make the ECU fingerprints fail.
In this paper, we innovatively propose the temperaturevaried fingerprinting for intrusion detection and source identification in the in-vehicle CAN network. We utilize the characteristics of clock offsets, which varied with temperature, as fingerprints of each ECU to detect the intrusions and identify the source. Based on the previous work [17], we improve upon the TVF to counter an advanced masquerade attack, in which the adversary delays the transmission by a difference between the target ECU and the compromised ECU on the clock offset. at means the two ECUs have the same clock offset based on the current temperature, yet the previous TVF cannot detect it. e advanced TVF exploits the correlation coefficient of normal and attack messages for detecting. e instantaneous change of the clock offset, which is estimated by messages from one ECU, is impacted by the dynamic temperature. us, messages from the same ECU have a high correlation. In contrast, messages from different ECUs are almost irrelevant.
Compared to existing solutions that utilize the information of clock offset for detection and identification, the advanced TVF is more suitable for the interior environment of a vehicle with significant temperature change. e proposed method constructs the fingerprint for each and every ECU within an in-vehicle network according to its temperature-dependent clock offset.
To the best of our knowledge, this is the first work that exploits the temperature-varied clock information to detect and identify the intrusion in in-vehicle networks. is paper has made several contributions as follows: (i) Based on our observation, we found that the clock offsets of ECUs are varied regularly with the increase in temperature. (ii) Proposal of TVF, which utilizes temperature-varied fingerprinting for intrusion detection and source identification, and advanced version of TVF is made for further supplemented and expanded. (iii) e proposed solution is implemented, and extensive experiments are conducted in both CAN bus prototype and real vehicles. e effectiveness of the proposed method has been verified. e rest of the paper is structured as follows. e related work is provided in Section 2. Section 3 describes the necessary background and the main attack model of the CAN bus. A set of empirical studies of TVF are described in Section 4. In Section 5, we provide an overview of the proposed method, and the details of the proposed method are introduced in Section 6. We evaluated the TVF on the CAN bus prototype and the real vehicle in Section 7. Finally, the paper is concluded in Section 8.

Related Work
To resist against in-vehicle network related attacks, researchers come up with two main solutions. One is the message-identification-based intrusion detection systems, and the other is the source-identification-based detection solutions.

Message-Identification-Based Detection.
e messageidentification-based IDS is one of the best ways to enhance the security of in-vehicle network, and various IDSs have been proposed to guard against in-vehicle network-related attacks [1,5,6,[18][19][20][21][22][23][24]. Several message-identification-based IDSs are introduced to detect invasions by analyzing message characteristics, e.g., CAN  machine learning is also extensively used in these kinds of intrusion detection systems. Some of the IDSs are introduced utilizing characteristics and entropy of regular CAN bus to detect attacks. Muter et al. [6] presented a solution to use the features of attack messages to distinguish the intrusions. e solution involves a series of detection sensors that serve as recognition criteria for in-vehicle network intrusions. ese detection sensors are constructed with normal properties of the CAN bus network, which are used for distinguishing the abnormal message. However, it cannot detect the attack messages that are entirely in line with the normal behavior of CAN messages. Afterward, an entropy-based attack detection solution is proposed by the author [5], who can successfully distinguish the variations between the normal and abnormal behavior of CAN bus networks.
Several solutions used the time intervals of messages to detect the intrusion. Song et al. [19] proposed an IDS based on the analysis of the feature of CAN message time intervals, and three kinds of injection attacks are performed on the CAN network to evaluate the solution. e result showed the IDS could successfully detect the three attacks within a millisecond. Likewise, Gmiden et al. [25] proposed to use the feature of time intervals of messages with the same ID for intrusion detection, and their solution does not need a modification on CAN standard. Such time-based intrusion solutions are very useful at detecting common intrusion attacks on the CAN bus, e.g., Denial-of-service (DoS) attack. Nevertheless, these solutions seem unable to solve the situation when the attack message has the same time interval with the normal message.
Machine learning was already applied to some solutions for intrusion detection. Seo et al. [7] proposed the GANbased Intrusion Detection System (GIDS), which used the Generative Adversarial Nets to train only normal data rather than the real attack data for detecting intrusions. GIDS could detect the intrusion attacks without considering the attack types. Kang et al. [8] presented an approach using a deep neural network (DNN) to train the high-dimensional CAN message for detecting. e approach calculates the static characteristics of the inherent properties of normal and attack messages, respectively. en, the corresponding features are extracted to decide whether the in-vehicle network is being attacked.
However, none of these solutions considered the source ECU of the intrusion message. ese IDSs just considered if there was an intrusion on the CAN bus, and no further source identification was made. It is hard to identify the source ECU of the intrusion message because there is no source address in a CAN frame.

Source-Identification-Based Detection.
e sourceidentification-based detection solutions could track the attack source after they have detected the intrusions. As invehicle network such as CAN protocol does not involve any source transmitters information, it is difficult for the above message-identification-based detection solutions to distinguish the exact ECU that launches the attacks. Researchers have proposed solutions that use unique physical features to detect the intrusions and identify the source of the attacks. ese unique physical features might be signal voltage, the clock related features, propagation delays, and signal attenuation due to wire lengths [26]. Among these features, clock skew and signal voltage have already been used as fingerprints in the existing ECU source-identification-based approaches.

Voltage Fingerprints.
Diverse ECUs had tiny differences in the voltage of electrical signals when they sent the message, which leads by the hardware and production process of the transceiver. erefore, the unique features of electrical signals could be used as fingerprints for detecting intrusions as well as identifying the source ECU of the intrusion message.
Hoppe et al. [26] proposed a method which utilizes the voltage characteristic of ECUs to detect forged messages. Murvay and Groza [11] also proposed a solution that uses the characteristics of voltage signals of the ID field of the CAN frame to identify the source ECU. e solution used the Mean Squared Error and convolution of voltage signals for fingerprinting ECUs. However, the voltage features on the first few bits of the ID field may not be unique due to the CAN protocol's arbitration rule, so the features on the ID field may not be suitable for fingerprinting ECU.
Choi et al. [27] proposed a source identification detection method. e method chooses to use the voltage features extracted in the extended ID field of an extended CAN frame as fingerprints of ECUs. In their solutions, a supervised learning method is used to classify the statistical voltage features extracted from the extended ID fields. However, the extended CAN frame format has not been widely used in modern in-vehicle networks, and most vehicles are deployed with the standard format on the CAN bus network. Subsequently, the author [15] proposed to use the dominant, positive-slope, and negative-slope portion voltage signals which are extracted from the standard CAN frame as a fingerprint to detect the in-vehicle network attack. e scheme has been verified on real vehicles, and it could discriminate between errors and the bus-off attack on CAN bus [28].
A voltage-based attacker identification (Viden) [12] approach was come up to identify the source ECU of the intrusion message on the CAN bus which used the feature of voltage signals as fingerprints. Viden first learns the ACK threshold from the voltage signals that send from the real source ECU in the ACK slot field of a CAN frame. en, it selects appropriate voltage signals based on the ACK threshold to derive the voltage instance, which is a set of features of an ECU's voltage output. After that, Viden uses the voltage instance obtained from every new signal to construct and update an ECU's voltage profile as its fingerprint. Finally, the voltage profiles are used to distinguish the source ECU. Viden could ignore the type of frames and the transmission speed to identify the attacker ECU in various conditions. Nevertheless, the voltage signals are sensitive to temperature, which causes the Viden to be less accurate.
Kneib and Huth [16] proposed an intrusion detection system called Scission. Scission extracts the voltage signal feature for fingerprinting ECUs and thus to detect intrusions and identify the sender ECU. e effectiveness of Scission has been verified in the real vehicle. Besides, the influence of temperature on voltage signals is also considered in the Scission. Scission is proved to be valid in the temperature of 23°C, 25°C, 32°C, and 36°C, respectively. However, there remains a higher and lower temperature under practical conditions.

Clock Skew Fingerprints.
e clock frequencies information, which is uniquely determined by the quartz crystal clock in the transmitter ECU, can be utilized to distinguish different ECU. A clock-based IDS (CIDS) solution [10] was proposed to use accumulated clock offset for fingerprinting the transmitter ECU to detect and identify intrusions. Based on the thus-obtained fingerprints, CIDS builds the model of ECUs' clock behaviors to detect the intrusion and identify the source of the intrusion message. Nevertheless, the solution did not adequately consider the temperature, and the solution could be valid only in a temperature-stable environment.
Sagong et al. [13] proposed a cloaking attack which could emulate the clock skew of the ECU on CAN bus. e clocking attack is an intelligent masquerade attack that could deceive CIDS. However, the cloaking attack is designed under the assumption that the clock skew of an ECU is constant. ey still did not consider the temperature change in the vehicular environment. e temperature will enable the clock offset to vary, which will make the clock skew not constant.
Existing source-identification-based detection solutions could detect the intrusions and identify the transmitter ECUs well when the temperature is stable. However, these solutions may fail when the temperature of ECUs changed. Moreover, the temperature of an ECU is directly affected by the neighboring environment, especially the engine, which will make some of the ECU's temperature unstable. e features such as voltages and clock offset-based fingerprints are susceptible to the temperature and thus affect the accuracy. Consequently, these solutions will fail because of the unstable temperature of ECUs inside the vehicle.

Background
In this section, we describe the background of the CAN bus and the ECUs. And then, the attack model is given.

CAN Bus.
Controller Area Network (CAN) bus is the communication channel between ECUs inside vehicles, which adopts the CAN protocol. CAN protocol provides a broadcast transmission mechanism, and all nodes (ECUs) are connected through one single bus. In other words, the message sent from one ECU is broadcast to all other nodes on the CAN bus. When other ECU receives the broadcast message, it will check and determine whether to receive the message. An example of messages transmission on CAN bus is shown in Figure 2; ECU X sends its prepared message to the CAN bus. ECU Y and ECU Z are both on the bus and receive the message in turn. en, each node checks the message to make sure if it wants. Finally, ECU Y checks and accepts the message while ECU Z ignores it. Each node only accepts the messages it wants and ignores the others.
ere are four kinds of CAN frames on the CAN bus, and they are data frame, remote frame, error frame, and overload frame. Among them, we focus primarily on the data frame as it carries more useful information, such as command and sensor data.
ere are two kinds of data frames: one is the standard frame with an 11 bit identifier (CAN2.0A), and the other is the extended frame with a 29 bit identifier (CAN2.0B) [29]. We mainly focus on the standard frame in the proposed method, as the standard frame is the most widely used in modern vehicles. In the following, we called the standard data frame the CAN message. As shown in Figure 3, a standard CAN data frame involves fields such as Start of Frame (SOF), identifier (ID), CRC, and ACK. We can see that the standard data frame does not contain the protection measures fields such as encryption or authentication. Moreover, CAN frames do not contain a validation field or any source address identifier field so that the node can send packets indiscriminately to the others. In other words, if the adversaries compromise one ECU, he can inject messages arbitrarily into the CAN bus through this node and thus conduct hazardous operations.
When multiple ECUs send messages to the CAN bus simultaneously, to avoid the collision, each node sends the messages according to the priority depending on the ID. at is to say, messages with lower IDs have a high priority to send. For instance, if two messages are sent on the CAN bus with the ID value of 0 × 13 and 0 × 72 at the same time, the message with ID 0 × 13 is sent first due to the lower value.
We assume that all the ECU and its sending messages are known by default. Moreover, we can get the correspondence between the ECU and its message from the vehicle manufacturers. e other way is to reverse engineer the messages in the CAN bus [1].

ECU Security Levels.
e modern vehicle has approximately 25 ECUs in it, and the number of ECU in some highend models is even more than 100 [30]. ese ECUs have diverse functions, for example, some ECUs control the window and the door, and others may control brake. ey are connected with each other via the CAN networks and located in different positions inside vehicles. e position of the ECU varies with the model of the vehicle. We summarized most of the models and obtained the ECU distribution in the vehicle, as shown in Figure 4. e ECUs, which have a high demand for real-time messages, are in the high speed CAN bus (the red line), and most of these ECUs are closely related to the safe driving of the vehicle. As the name suggests, the low speed CAN bus line of the ECUs have a low real-time requirement for messages, and these ECUs have less threat to the safety of the vehicle.
Based on the security requirement, ECUs can be divided into safety-critical ECUs and less critical ECUs. Among the various ECUs, the safety-critical ECUs are generally supposed to be able to control the critical safety-related facilities, e.g., engine ECU, automatic transmission ECU, and antilock brake system ECU. Such critical ECUs are connected to the high speed CAN bus in a wired and secure manner. However, there are some less critical ECUs, such as the Tire Pressure Monitoring System (TPMS) and Gateway ECU, which may have multiple modes of communication in the high speed CAN bus. ese kinds of ECUs could communicate with the CAN bus network and the wireless network, and the wireless network can be used as remote access points to attack the in-vehicle network [1][2][3]31].

Attack Models.
At present, adversaries have two ways to invade the in-vehicle CAN network. One way is to inject the forged message through the compromised ECUs that are remotely cracked by various wireless attack surfaces [1,2]. Another way is to inject the forged message into the invehicle network via the OBD-II interface inside the vehicle. We mainly focus on the former one since the second one needs physical access to the vehicle and lacks flexibility. e main attack models are discussed below.

Attack Models.
e adversary could inject forged messages into the CAN bus network and thus control the vehicle, as long as he compromised one of the ECUs via various wireless or wired attack surfaces.
is is because messages are broadcast to all ECUs on a single CAN bus in vehicles, and there is no source address or authentication field on a CAN frame. When ECUs receive the broadcast message, they will check the message and determine whether to receive it or not. So, the forged messages which are sent by the adversary will be executed indiscriminately by the ECU. According to the research [10], the attack models are mainly  Security and Communication Networks classified by three kinds: the suspension attack, the fabrication attack, and the masquerade attack. A suspension attack, just as the name implies, means the compromised ECU is suspended from sending its message by the adversary. e fabrication attack means the ECU is compromised to send any forged messages to the CAN bus. e masquerade attack is a more covert attack that contains the suspension attack and the fabrication attack. It means that two ECUs need to be compromised. Among the two ECUs, the one who sent the target message is imposed on the suspension attack, and the second one is imposed on the fabrication attack to send the target message. It means the second ECU is compromised to send the message with the same ID and period of the suspend ECU. Miller et al. [32] had mounted the masquerade attack on the Jeep Cherokee controlling the ABS collision prevention system. In the proposed method, we primarily focus on the masquerade attack as it can cause more severe damages to vehicles.

Advanced Attack Model.
ere is an enhanced masquerade attack in which the adversary is able to alter the ECU's temperature and thus change the clock offset. To mount this attack, the adversary could cool down or heat up the compromised ECU to mimic the target ECU's clock offset [10]. Moreover, the enhanced masquerade attack cannot be detected and identified by our previous work [17].

Empirical Study
In this section, we first did a simple experiment and observed the influence of temperature on the ECU's clock offset. en, a further observation of the clock offset is described on distinct ECUs at different temperatures.

Setup.
We discovered that the clock offset changes with temperature, which will cause the clock-based fingerprints to fail by some sample experiments. Inspired by CIDS [10], which utilized the clock offset inherent in the ECU as fingerprints to identify the attacker ECU, we replicated their algorithm with the same experimental setup, e.g., a CAN prototype. rough multiple experiments, we found that the temperature has a significant impact on the clock offset.
en, we carried out the experiments at the temperature of 10°C and 30°C, respectively. We measured the clock offset at the two temperatures and found that the average clock offset of one ECU at 30°C was slightly larger than it at 10°C.

Observation.
In a vehicle, the temperature of ECUs is correspondingly changed with the driving status and the ECU's positions in the car. We have investigated various models of cars and found that most ECUs are distributed in the engine cabin of the car. e engine temperature is the most significant factor that affects the ECU temperature, with the highest temperature of more than 80°C after the car started. As shown in Figure 5, we measure the temperature distribution in the engine cabin of a Volkswagen Polo vehicle after it has been driven for 30 minutes at a speed of 40 km/h when the ambient air temperature was at 15°C. e temperatures of each part, including the ECUs, are scaled from 26°C to 84°C in the engine cabin of the car, and the temperatures of the ECUs are different with their locations. For instance, the temperature of the ABS ECU is 43°C. While the temperature of gateway ECU and airbag ECU is 31°C and 26°C, respectively.
We observed the intervals of messages with the same ID at two different temperatures and found they are different. e probability mass function of message intervals at different temperatures for the same message is shown in Figure 6. We can clearly see that the message interval of 0 × 30 is concentrated at 50.675 ms at 20°C, while it is about 50.7 ms at 70°C.
According to the above experimental results, the average clock offset of ECU is susceptible to temperature, and the value of the clock offset increases with the rising of temperature. We measured the clock offset of ECU A and ECU B from 10°C to 50°C, respectively. e results are shown in Figure 7, and the average clock offset of both ECUs varies about linearly with temperatures from 10°C to 50°C. In addition, according to our observation, if ECU A is 10°h igher than ECU B, they will have the same clock offset. is situation may exist in real vehicles, which can render existing fingerprint-based methods ineffective. To sum up, the influence of temperatures should be considered when using the time information as ECUs' fingerprints.

Overview
In this section, we first provide the basic terminology for the problem statement and then explain the basic idea of TVF.

Problem Statement.
e chief problem that TVF solves is to detect the intrusion attack and identify the attack source on the CAN bus, and the essential variables and terminology description are formalized as follows. We follow the definition of the clock offset in Paxson [33]. One additional ECU is used for recording the timestamp when the traffic on the CAN arrived, denoted by ECU U R . Let U denote the nodes (ECUs) on the CAN bus, U � U 1 , U 2 , . . . , U i , . . . , U n , and all these ECUs send periodic messages on the CAN bus. Typically, each ECU can send at least one kind of periodic message. We chose one of the periodic messages to denote the clock information of the ECU, as the messages with multiplied IDs that are sent from the same ECU have the same clock offset. e periodic message M iR that is sent from S it,1 , S it,2 , . . . , S it,j , . . . , S it,m refers to the timestamp sequence of the message M iR . We primarily consider the periodical messages on the CAN bus because most of the messages on the CAN bus are sent periodically. Even in some models of vehicles, all the messages on the CAN bus are periodical [10,34,35]. We do not consider the nonperiodic messages in the proposed method.
As shown in Figure 8, ECU U R is the receiving end, and a series of messages with period T is sent from ECU U i . e interval of two adjacent timestamps is a bit larger than T, as the hardware quartz crystal clock induces the sending ECU U i to deviate from the real clock with a small offset from the true clock each time. e timestamp interval of the message with the same ID at C t is denoted by where O it,j is the relative clock offset between U i and U R when U i sends the jth message at C t , d it,j is the transmission delay of one message on the CAN bus, and n it,j is the noise generated by the quantization process of the timestamp at the receiver [36]. Later, in this paper, we refer to the clock offset as relative clock offset. d it,j tends to zero and n it,j is a zero-mean Gaussian noise term [36], and both of them are little affected by temperature. Let where O it is the average clock offset that deduce by M iR at C t . e average clock offset O it of an ECU increases linearly with temperatures that ranged from 0°C to 80°C, which can be described by a linear model, denoted f i . e uniquely linear model f i can be used as the fingerprint of an ECU.
Given the message timestamp sequence S it and the temperature C t , the intrusions can be detected. Intrusion detection can be described as the problem whether the derived vector (C t , O it ) belongs to f i or not. After the intrusion has been detected, we can get the clock offset of intrusion message O ai . en, with the cooperation of f i of each ECU, the intrusion source could be identified.

Basic Idea.
e proposed TVF consists of three phases: fingerprint construction, intrusion detection, and source identification. Figure 9 shows the overview of the proposed method. An ECU clock contains a crystal oscillator that ticks at a nominal frequency and a counter for counting ticks. However, the actual frequency which determines the clock offset of an ECU is affected by the environment, such as the temperature [36,37]. Based on our observation, the average clock offset of ECU varies regularly with temperatures. erefore, we chose the average clock offset at different temperatures as the fingerprint, and the basic idea of our method is described below.

Fingerprint Construction.
To construct the temperature-varied fingerprint of ECU in a real vehicle, we need to calculate the clock offset of the ECU at different temperatures.
In a vehicle, the temperature of an ECU is influenced by the surroundings, e.g., the position of ECUs, the vehicle's driving status, and the ambient temperature. Among them, the most influential factor is the driving status of a vehicle. By measuring the temperature of the ECU in different driving status, we can roughly know the temperature range of the ECU. Besides, the temperature range of each ECU can be obtained from the vehicle manufactures. To make sure the normal works of ECUs, the automobile manufacturer will measure the temperature range of ECUs during all driving status before an automobile leaves the factory.

Intrusion Detection.
We first calculate the average clock offset (O i ) based on the timestamps of the newly obtained messages with the same ID. According to the message ID, the transmitter ECU can be determined. en, we can estimate the temperature (C e ) (empirical temperature) of the ECU according to the vehicle's current driving status. Finally, whether the vector (C e , O i ) conforms to the fingerprint model of the ECU U i can be determined. If this vector does not belong to the model f i , the message can be judged as the intrusion message.
We refer to the ECU's temperature at different driving status as the empirical temperature of an ECU, denoted as C e , and refer to the temperature that deduces by the fingerprint model and the timestamps of the message as the real temperature, denoted by C r . e value of real temperature C r is correct at the fingerprint construction phase. However, the value of C r maybe fake in the intrusion detection phase, as another ECU may forge it.

Intrusion Source Identification.
e ECU that may mount the attack can be deduced according to the average clock offset of intrusion messages and the fingerprint model. Based on the average clock offset of the intrusion messages and the fingerprints, the attack temperatures C ir of each ECU can be obtained. If the attack temperature C ir is in the error range of the empirical temperature C ie , the ECU can be judged as the intrusion source ECU.
To achieve the basic idea described above, we have to face the following challenges.

Fingerprint Model Acquisition of ECU.
e clock offset of ECU at each temperature needs to be obtained within its safe operating temperature range; then, the fingerprint model is constructed through the average clock offset at each temperature.

Intrusion Detection.
e average clock offset of newly arrived messages and the ECU's empirical temperature is used to determine whether the messages are normal or not. How to distinguish between normal and abnormal messages is an important issue concerning the accuracy of intrusion detection.

Source Identification.
After detecting the intrusions, we need to determine the source ECU of the intrusion messages. Since CAN messages do not contain any source information of transmitter ECU, it is difficult to get the intrusion source directly through the intrusion messages.

Proposed Approach
In this section, we describe our method to detect intrusions and identify the source of intrusions. According to our experimental observation, the clock offset of ECUs varied with temperature can be fingerprinted. en, the thus-obtained fingerprints can be used to detect intrusion messages as well as to identify the source ECU. e flow chart is shown in Figure 10, and we describe the proposed TVF in three steps: the construction of fingerprints, the detection of intrusion messages, and the identification of intrusion source ECU.

Construction of the Fingerprints.
For each ECU, the temperature-varied fingerprints were constructed when there were no intrusions. One can obtain the average clock offset from the periodic message M iR � U i , U R , S it , ID i of each ECU at a certain temperature from 0°C to 80°C.
rough multiexperimental observations, we discovered that the average clock offset of each ECU is grown linear with the temperature at the working range. Hence, the fingerprint can be described as the linear regression model: where O it represents the average clock offset of ECU U i , C t is the temperature, k i is the regression parameter, and e i is the  In the meantime, the empirical temperature C xe of ECU U x also can be estimated from the driving status. Once the empirical temperature C xe is obtained, we can get an average offset O ex from the fingerprint. e average clock offset resembles a Gaussian distribution at a specific temperature. en, if the value of |O xr − O xe | is bigger than 0.8σ xe , where σ xe is the standard deviation of the average offset at the empirical temperature C xe , the message with ID x will be considered as a masqueraded attack message. If it is a normal message, the real temperature C r and the empirical temperature C e should be basically the same, or else it may be considered as an intrusion message. In other words, by judging whether the value of O xr belongs to [O xe − 0.8σ xe , O xe + 0.8σ xe ], we can detect the intrusion message. e pseudocode of the detection of masquerade attacks is illustrated in Algorithm 2.

Message Source Identification.
e masquerade attack has been detected in the previous step, and next TVF will identify the real source ECU that sends the attack message, as the attack message was sent by a different ECU rather than the original one. Firstly, the attacked average clock offset O ack can be obtained through the detected intrusion message, and its value is the clock offset of the ECU that sends the intrusion message. By substituting the clock offset O ack into the fingerprints of each ECU, we can get the possible attack temperature of each ECU, denoted as C ir . At the same time, we empirically get the temperature error range [u ie − 0.8σ ie − e i /k i , u ie + 0.8σ ie − e i /k i ] of each ECU. If C ir is in the empirical temperature error range, ECU U i is determined as the source ECU of the intrusion message. e pseudocode of source identification is illustrated in Algorithm 3.

Advanced Method.
ere is a situation that can lead to the failure of TVF. When the clock offset of the attacking ECU is exactly the same as that of the attacked ECU, TVF cannot detect the intrusion in this situation. Because the average clock offset of the attacker ECU is almost equivalent to that of the intruded ECU and its value is in the normal range of the clock offset of the intruded ECU, TVF cannot detect it. When the two periodic messages are sent from the same ECU with different IDs, their average clock offsets are almost equal, and the value of the correlation coefficient, ρ, of the two messages is close to 1. While the correlation of periodic messages sent from different ECUs, ρ≃0.
For the above situation, we have made an advanced method, which is an advanced supplement based on TVF. We use the correlation coefficient ρ of the average clock offset of the two periodic messages to detect the intrusion and identify the source. e correlation coefficient of the clock offset of periodic messages can be used to judge whether these two messages are sent from the same ECU, especially inside a car. In other words, the advanced masquerade attack can be detected and identified depending on the value of the ρ of two periodic messages, as the temperature changed clock offset of the two messages from the same ECU has a higher correlation coefficient. Figure 11 shows the kernel density plots of the Pearson correlation sets of the periodic messages sent from the same ECU and different ECUs, respectively. e measurements were collected by the CAN prototype shown in Section 7. One can see that the two sets both resemble Gaussian distribution, and the two distributions are distinct from each other. A threshold value of τ is used to distinguish the two sets. TVF determines value τ � F s + F d /2, where F s � u s − 3σ s , µ s and σ s are the mean and the standard deviation of the sets from the same ECU, respectively. F d � u d − 3σ d is the set that is sent from different ECU, where µ d and σ d are the mean and the standard deviation, respectively.
If two messages are sent from the same ECU, their correlation coefficient is higher than τ.
en, the correlation coefficient is lower than τ when two messages are sent from different ECUs. Based on this, the advanced TVF can check the value of ρ to determine whether the two messages are sent from the same ECU or different ECUs. For example, ECU A sends 0 × 11 and 0 × 55 periodically, and the value ρ of the two messages may be higher than τ as they are sent from the same ECU. While ECU B  Security and Communication Networks masqueraded ECU A to send the message 0 × 11, and the value ρ may be lower than τ. en, the attack on the CAN bus can be detected as well as the source ECU of it depending on the threshold value of ρ.

Evaluation
We now evaluate TVF on the CAN bus prototype and a real vehicle. Numerous experiments were carried out to prove the temperature-based clock offset, which can be used as fingerprints of ECUs. en, based on this, the intrusion message can be detected, and the source can be identified in the CAN bus network.

Setup. A CAN bus prototype with four Arduino-based
ECUs and a desktop thermostatic test chamber is used for the simulation experiment, and a real vehicle is also used in the real-world situation experiment.
Require: S it : a set of timestamp sequence of messages with ID i that are sent from ECU U i at a temperature of C t ; Ensure: periodic message with the periods of T. Require: S xr : a set of timestamp sequence of new arrival messages with ID x that are sent from ECU U x ; C xe : the empirical temperature of ECU U x at the moment; O xe the standard deviation of ECU U x ′ s average clock offset distribution at the temperature of C xe . Ensure: periodic message with the period of T. (9) return 1 ⊳ Intrusion message (10) else (11) return 0 (12) end if ALGORITHM 2: Masquerade attack detection.
Require: O ack : the average clock offset of intrusion message; μ ie , σ ie : the mean and standard deviation of ECU U x ′ s average clock offset at the empirical temperature of C ie Ensure: periodic message with the period of T.
return i ⊳ Attack source message (4) end if ALGORITHM 3: Source identification.

CAN Bus Prototype.
e CAN bus prototype involves four CAN transceiver nodes, each node consists of a Seeeduino CAN bus shield and an Arduino UNO board [38,39]. e Seeeduino CAN bus shield is an open-source MCU development board that consists of an MCP2515 CAN controller, an MCP2551 CAN transceiver, and a 120 Ω terminating resistor for the communication of CAN bus. e CAN bus prototype with four CAN nodes was set up to operate with a speed of 500 kbps. We only kept the resistor of two longest-distance nodes, which as the terminating resistor, and removed the resistor from the CAN shield PCBs of the other two notes to prevent signal reflection during communication on the CAN bus. On the CAN bus prototype, the first node A was programmed to send message 0 × 11, node B to send message 0 × 33 and 0 × 55, and node C to send message 0 × 68 and 0 × 90. ese three nodes were set to send messages at the same frequency, and the sending periods were 50 ms. Node D was programmed as the message receiving node to run TVF. Figure 12, we used the desktop thermostatic test chamber to simulate the temperature of an ECU in a real vehicle. e model of the desktop thermostatic test chamber is DHTHM-50-20P-SD, and its working temperature ranges from − 20°C to 180°C. Nodes A, B, and C were put inside the thermostatic test chamber to send messages. To precise measuring the temperature changed clock offset the former three nodes, we put node D outside the test chamber in a stable temperature as the receiver node. e temperature is set up from 0°C to 80°C according to the operating temperature range of the ECU in the real vehicle. Figure 13, a Toyota Vios 2017 was used for our experiments in a safe and controllable environment. We used our CAN bus prototype to connect to the On-Board Diagnostics (OBD-II) system port [40] of the vehicle with a DB9 to OBD2 Cable. e CAN bus prototype was used to capture the traffic from the in-vehicle network. To get the different temperatures environments, we experimented at noon and night during 7 days, and the average temperature was about 12°C at noon and 2°C at night. ese experiments were carried out when the vehicle drives at a constant speed of 40 km/h for a trip of approximately 30 minutes. Considering the security problem, we only measured the data of the real vehicle for fingerprinting ECUs.

Temperature-Varied Clock Offset as a Fingerprint.
We verified the utility of TVF and built it on the CAN bus prototype and a real vehicle.

CAN Bus Prototype.
We built the TVF of ECUs on the CAN bus prototype. e clock offsets deduced by message series are stable at a constant value at a certain temperature, and the values of each ECU are distinguished from each other. As shown in Figure 14(a), the clock offsets which are deduced by the three ECU's messages on the prototype are stable at 0.7042 ms, 0.6986 ms, and 0.6748 ms at 20°C, respectively. By exploiting the clock feature of ECU, CIDS [10] builds the fingerprint of ECUs to detect the intrusions and identify the actual transmitter ECU. Nevertheless, we found that the clock offsets of the ECU varied with the temperature. en, we built the temperature-varied fingerprint for detecting and identifying. e temperature-varied clock fingerprints of the CAN bus prototype are shown in Figure 14(b). e average clock offsets were calculated every five degrees with the rise of temperature. All the deduced averaged clock offsets are linear with the temperature grows, and we use the LSE to build the fingerprint of each ECU. We can see the linear models of the three ECUs are separated from each other with the growth of the temperature, which can be used as the fingerprint to distinguish ECUs. e error bar graph of the average clock offset is shown in Figure 14(c). e clock offset fluctuates between up and down errors of 0.005 ms centered the average value. Still, clock offsets of different ECUs can be distinguished from each other. e average clock offset of node A was 0.6964 ms at 0°C, while it increased to 0.7318 ms at 80°C. To obtain the average clock offset at different temperatures, we put nodes A, B, and C in the thermostatic test chamber at different temperatures, and node D was put outside the test chamber as the receiver end. e range of temperatures was set from 0°C to 80°C, and the messages were measured every 5°increase in temperature. Figures 14(e) and 14(f ) plot the fingerprints and the error bar of the average offset under different message periods. e result shows that the temperature-varied clock fingerprint will not be affected by message periods, and different ECU can be distinguished in the CAN bus prototype.

Real Vehicle.
A real vehicle (Toyota Vios 2017) was also used to validate TVF. e temperature-varied clock fingerprint can be constructed by the CAN traffic data which were logged by our CAN prototype. Because the temperature of ECUs in the engine cabin will gradually increase after the car starts, we logged the traffic data at different temperatures, and the TVF of ECUs on a real vehicle could be constructed. e data were logged in the static state of the vehicle at an ambient temperature of 5°C and 15°C, respectively. Since the temperature was stable at about 5°C when collecting the initial data, we can distinguish whether the message is from the same ECU by using the clock-based fingerprint method [10]. en, we found messages 0 × 24F, 0 × 2C1, and 0 × 163 were transmitted from three ECUs, respectively. e TVF of ECUs on a real vehicle is shown in Figure 14(d). e results show that the temperature clock fingerprint can be used in real vehicles.

e Detection of Masquerade Attack.
To estimate the detection capability of TVF against the masquerade attack, we first implemented the attack on the CAN bus prototype, and then we detected it with the proposed method.
We mounted a masquerade attack on the CAN bus prototype. On the CAN bus prototype, node A was programmed to send 0 × 11, B was programmed to send the target message 0 × 33 and 0 × 55, and C was programmed to send 0 × 68. Now, we set note A to mount the masquerade attack on B; then, note A was compromised to send 0 × 33 and 0 × 11 and B was compromised to stop sending the message 0 × 33. To keep the instant total numbers of messages on the CAN bus constant, we let A continue sending messages 0 × 11. Figure 15(a) shows the masquerade attack that is mounted by A on B at 20°C. e clock offset of the 0 × 33 suddenly increased by about 30 μs when the masquerade attack was mounted at 75 s.
We then detected the masquerade attack on the CAN bus by the proposed method. Node D was programmed to run the proposed TVF. We set the masquerade attack that was mounted by A at 10°C, 40°C, and 60°C, respectively. As shown in Figure 15(b), the orange and the blue line are the fingerprint of A and B. e red circles are the clock offsets of attack messages that were mounted by A at three temperatures, and the values were 0.6940 μs, 0.7103 μs, and 0.7266 μs, respectively. Nevertheless, the empirical temperature of B was 20°C and the average clock offset of the normal message of B was 0.6748 μs. It can be clearly seen that the normal average clock offset is significantly lower than that of the attack messages, and then the masquerade attacks at three temperatures were surely detected by TVF.

e Identification of Source ECU.
We estimated the feasibility of the intrusion source identification of TVF on a CAN bus prototype. We detected the masquerade attack in the intrusion detection phase, yet we still did not recognize which was the attacker ECU that launched the intrusion. Considering that note A and note C were compromised by the adversary. Note C was programmed to mount a masquerade attack on A, and the empirical temperatures of A, B, and C were 20°C, 40°C, and 30°C, respectively. As the clock offset of C at 30°C was higher than that of A at 20°C, the masquerade attack which was mounted by C was easily detected by TVF. Moreover, the attack source note C could also be identified by analyzing the possible temperature and empirical temperature of C. As shown in Figure 15(c), the red circle indicates the average clock offset of the intrusion message (send by C), and the value of it is about 0.71 ms. e orange circle on the fingerprint corresponds to the possible attack temperature. From the figure, the average clock offset of intrusion message exceeds the fingerprint of B so that B can be excluded from the source of intrusion first. e nodes that can mount the attack were A and C, and their possible attack temperatures were 30°C and 40°C, respectively. e empirical temperature of A was 20°C, so it cannot send the attack message. e empirical temperature of C was 30°C and the temperature of the attack was close to 30°C. So, it can be determined that C was the source of the attack.

Computational Time.
We evaluated the computational time required of the proposed TVF. TVF consists of three phases. We only evaluated the computational time required for the intrusion detection phase, which was mainly implemented on the ECU, and intrusion detection is the main phase that affects the computational overhead compared to other phases. e fingerprint construction phase was analyzed using the MATLAB codes, which were conducted on an Intel i5 3.4 GHz dual-core processor with 8 GB of RAM. Moreover, the intrusion detection phase and source identification phase were programmed on the CAN prototype by C. In the CAN prototype, TVF only detected the messages sent by the three ECUs, and its program's global variables use 32% of dynamic memory. Table 1 shows the computational time for TVF to conduct one correct detection of intrusion under different message periods. e computational time is largely dependent on the period of messages according to the value of m in Algorithm 2.
In addition, the Arduino-based ECU seems insufficient to analyze all CAN messages in real-time for detection, due to the large CAN traffic with high frequency and limited computing capability of the ECU. However, we can handle this problem by deploying TVF to devices with a strong computing capability, such as adding a Raspberry Pi to run the proposed solution. We will try to implement TVF on this kind of devices with high computing capability in future work. 7.6. Performance. We illustrated the detection rate and false alarm rate of TVF and compared it with state-of-the-art IDS, and we also examined the performance of advanced TVF on the advanced masquerade attack.   We used two performance metrics of P c and P fa to evaluate the proposed method. e metric P c is the probability of correctly detect the attack. e metric P fa is a false alarm, which means a normal CAN message is identified as an attack one. An excellent in-vehicle network IDS may have a high P c and a low P fa . In a vehicle, a high P c may help the driver quickly identify the existence of the attack and take action accordingly. Meanwhile, the low P fa reduces the driver's distraction and thus ensure driving safety.
We demonstrated the detection rate P c and false alarm rate P fa of TVF and compared the proposed detection method with CIDS. Considering the scenario, node A mounted a masquerade attack on node C. We first built the fingerprints of A, B, and C with CIDS at 10°C. We chose a certain temperature to build the fingerprints because CIDS did not consider the temperature in their solutions. At the same time, we built the fingerprints by the TVF at a temperature of range from 0°C to 80°C, as shown in Figure 14(b). en, we examined TVF and CIDS with messages which were sent at different temperatures, e.g., 20°C, 55°C, and 80°C. e results of TVF and CIDS are shown in Figure 16(a). e detection rate P c of CIDS at 20°C is close to 0% because the clock offset of A at 20°C is the same with C at 10°C. Although the detection rate P c of CIDS rises to about 98% after 25°C, the false alarm rate P fa is up to as high as 98% because CIDS considers its legitimate high-temperature clock offsets as attacks. e detection rate of TVF is stable at about 96.4%, and the false alarm rate is below 1.8%. At the same time, the proposed method also can identify the source of the intrusion message, and the result is shown in Figure 16(b). e correct identification rate P ci of the proposed method is 97.2%, and the P ci of CIDS is about 0%. When the temperature is at 20°C, the clock offset of A is equal with C, so the masquerade attacks mount by A is identified sending from C; then, the P ci is 0%. en, with the temperature increase, the accumulated clock offset does not match any of the fingerprints of CIDS, so the P ci is 0%. Accordingly, the proposed method can detect the masquerade attack at various temperatures with a stable rate. Moreover, the proposed method could identify the source of the intrusion message accurately.
We also evaluated the advanced TVF against the advanced masquerade attack. A more serious situation, which the above two solutions did not consider, is that the adversaries used the same clock offset as the target ECU to launch the masquerade attack. In other words, the adversaries launch an advanced masquerade attack that the TVF and CIDS can not detect and identify. For the advanced attack, advanced TVF has an average detection rate of 85% and a source identification rate of 80%, while the previous version of TVF and CIDS are both about 0%. On the whole, the advanced proposed method is a significant supplement that can detect the advanced masquerade attack.

Conclusion
Existing ECU physical-based fingerprinting methods are susceptible to the impacts of temperature, which could result in the failure of detection and identification based on our multiply empirical studies. To counter this situation, we proposed TVF, a temperature-varied fingerprint, which exploits the fact that the clock offset of the ECU change linearly with the temperature for intrusion detection and source ECU identification. Based on this, an advanced version of TVF is made for further supplemented and expanded, which can counter more serious intrusion cases. As far as we know, we are the first to introduce temperature as a vector to build the fingerprint and achieved excellent results on the detection and identification of intrusions. e proposed method has been verified on a CAN bus prototype and a real vehicle, and the results show that it can accurately detect the intrusion messages and identify the source ECU in the in-vehicle network. erefore, we believe that the proposed method can effectively enhance the security and safety of the vehicle.
Data Availability e data were collected from the CAN bus prototype with the Arduino, which have mentioned in the paper. Moreover, the real vehicle data were collected from the OBD port with a DB9 to OBD2 Cable. Later, we will put the data on the Internet.

Conflicts of Interest
e authors declare that they have no conflicts of interest .