Security Analysis of the TSN Backbone Architecture and Anomaly Detection System Design Based on IEEE 802.1Qci

,


Introduction
Autonomous vehicles are driving rapid advances in technologies, including next-generation vehicle communications, V2X (vehicle to everything), and advanced driver-assistance systems.
e environment around the vehicle can provide key information to the intelligent driving vehicle, and these technologies need the support of advanced sensors with high bandwidth, such as cameras and radar.In addition, long-term evolution (LTE) and 5G communication technologies also provide external communication means for intelligent driving.In the context of large bandwidth requirements, the network architecture of modern vehicles should be a new link combined with traditional buses, for example, controller area network (CAN), local interconnect network (LIN), and new buses, for example, CAN FD (CAN with a flexible data rate) and Ethernet technologies [1].In these networks, the same Ethernet infrastructure is shared by various domains and distinct requirements on timing.In the future, the E/E architecture of intelligent vehicles has been developed with the centralization of communication [2].In the meantime, the automotive Ethernet applying the time-sensitive network (TSN) technology will exist as the backbone network of the invehicle network.
After the TSN standard is introduced, the automotive Ethernet can meet the functions necessary for the quality of service (QoS) of the communication system in the vehicle, including time synchronization, high real-time performance, and high reliability.e TSN began as an extension of audio-video bridging (AVB) and has since expanded to include many new consumer segments.Its main goals are to provide zero loss from congestion and bounded latency for a variety of time-sensitive data streams coexisting on a network that also support besteffort traffic [3].While TSN brings benefits to the automotive Ethernet, vehicles are also facing new challenges.
Vehicles used to be disconnected from the outside world, so there is only a tiny chance of hackers attacking and operating a vehicle.However now, vehicles are exposed to an open network environment due to the V2X technology, which increases the attack surface of vehicles.For example, most modern cars have an onboard diagnostic (OBD-II) interface under the dashboard that hackers can use to gain direct access to in-vehicle networks.Hackers may also target vehicular ad hoc networks (VANETs) to disrupt vehicle operations.Furthermore, in-vehicle Ethernet can use more complicated communication protocols in addition to TSN, the flaws of which will raise vehicle security risks.ere are some studies on the security of diagnostic communication over Internet protocol (DoIP), scalable service-oriented middleware over IP (SOME/IP), and AVB [4][5][6], but there are only a few studies on TSN security.
TSN is a combination of series standards.One of the TSN standards is IEEE 802.1Qci, which defines per-stream filtering and policing before queue frames to protect timesensitive flow. is is a significant security enhancement to TSN because it protects against unnecessary bandwidth consumption, burst sizes, and malicious or improperly configured endpoints.IEEE 802.1Qci may also be used to restrict faults to particular regions of the network, reducing their effects on other areas of the network.Although IEEE 802.1Qci is a published standard, there has been little progress in connecting the standard to current Ethernet security systems and architectures.Furthermore, nothing has been done to investigate how IEEE 802.1Qci policies could be implemented on network devices and integrated with established automotive security policies.
e motivations of this work are as follows.First, to study the security of TSN and the application scope of IEEE 802.1Qci, the E/E architecture of TSN as the vehicle backbone network is studied.At the same time, threats under the network architecture should be analyzed to determine the vulnerable points of the TSN as the backbone network.To study the performance of IEEE 802.1Qci defense policies, a model or simulation platform should be established to evaluate the network functions of TSN and IEEE 802.1Qci defense policies and what countermeasures can be achieved based on PSFP should be discussed in detail.e performance of countermeasures should be analyzed using the simulation.In addition, how IEEE 802.1Qci influences the TAS (time-aware shaper) defined in IEEE 802.1Qbv and guard band in automotive Ethernet should be discussed.
Based on the above considerations, an integrated defense and protection policy for TSN automotive Ethernet is proposed in this paper.e contributions of this paper can be summarized as follows: (i) e vulnerability and threats of automotive Ethernet with TSN as the backbone network are analyzed through the STRIDE threat model developed by Microsoft (ii) e blocking and detection mechanisms of PSFP are discussed and analyzed in detail (iii) A novel anomaly detection system is proposed, and stream filters, stream gates, and flow meters in PSFP are innovatively used to effectively solve the problem caused by DoS attacks and abnormal traffic behavior (iv) e open-source simulation tool OMNeT++ was used to develop a precursory ADS model, including the MSDU (maximum service data unit) size filter, gate control filter, and token bucket meter (v) e performance of ADS is evaluated, and the experimental results show that the ADS not only does not affect the normal traffic performance but can also detect the abnormal behavior of traffic and DoS attacks e rest of this paper is organized as follows: Section 2 introduces the background and related work of this paper.Section 3 analyzes the threat of automotive E/E architecture with TSN as the backbone based on the STRIDE threat method.Section 4 discusses the defense and detection policies of PSFP and proposes the anomaly detection system based on IEEE 802.1Qci.Section 5 simulates and analyses the performance of ADS based on a TSN advanced driver-assistance systems (ADASs) sensor fusion zone using the OMNeT++ simulation tool.Section 6 summarizes this paper.

Background and Related Work
2.1.TSN Standard Overview.Standard TSN is an extension of the standard AVB.e emergence of TSN is to ensure the required QoS requirements for critical data transmission, especially to achieve deterministic, low-latency, and faulttolerant data transport.Table 1 shows the TSN standard overview.Table 1 lists some projects that the TSN task group has completed and is completing regarding automobiles.

reat and Attack Vector of the In-Vehicle Ethernet Network.
e increasing number of application scenarios in vehicles requires the involvement of Ethernet, such as diagnostics, deterministic transmission with a high rate, and service-oriented architectures.With this comes a diverse range of vulnerability points.Once the attackers have penetrated the system through the vulnerability, they can launch an attack on the in-vehicle Ethernet network with the following three attack vectors:

Active Manipulation or Eavesdropping of the Message.
is type of attack is an attacker who wants to manipulate the vehicle's feature set or even exploit the original equipment manufacturer's (OEM) back-end servers through the vehicle's parts.In addition, eavesdropping on the information in the car is related to analysis.By collecting the messages in the car for a long time, the attacker can obtain 2 Security and Communication Networks the details of the encryption method and key used by the network in the car.

Masquerading Attacks.
Attackers are generally unauthorized devices.e attackers use a false identity to communicate with the original network, and if the authorization process of the communication system is not adequately protected, it is easy to attack.

DoS Attacks.
A denial of service attack is similar to a flood attack in which it is intended to bring down the target network.DoS attacks use a large amount of available bandwidth to prevent the original message from working correctly.

Related Work.
In terms of international standards, to promote the construction of automotive network security, SAE international published Cybersecurity Guidebook for Cyber-Physical Vehicle System (J3061) in June 2016 [15].J3061 provides a framework and guidance for cybersecurity processes for automotive.In February 2020, draft Road Vehicles-Cybersecurity Engineering (ISO/SAE 21434) was published by the SAE international and ISO [16].In addition, the United Nations Economic Commission for Europe (UNECE) WP.29 Working Party on Automated and Connected Vehicles (GRVA) adopted a draft UN Regulation on Cyber Security and Cyber Security Management System in March 2020, which will be the first regulation governing information security in vehicles [17].
In terms of academic research, Sommer et al. [18] have a detailed classification of automotive attacks, including 23 different categories, according to the description of the attack, a violation of the security attribute or the exploit of a vulnerability, and so on.Carnevale et al. [19] provided a hardware accelerator architecture for key derivation and encryption required by IEEE 802.1X-2010 in automotive applications, and for further research, IEEE 802.1AE was also implemented by Carnevale [20,21].e three researchers are all hardware support for automotive Ethernet security.Choi et al. [22] proposed a new MACsec (media access control security) extension over the SDN (software defined network) for in-vehicle secure communication based on IEEE 802.1X authentication mechanism.Nasrallah et al. [23] surveyed the existing research studies toward achieving ultralow latency (ULL) in the context of the TSN standards and mentioned that IEEE 802.1Qcp is used to support IEEE 802.1AX and IEEE 802.1X.Bello et al. [24] gave an overview of TSN in industrial communication and automation systems and clarified how to configure IEEE 802.1Qci to achieve a concrete effect is largely missing.Ergenç et al. [25] discussed more than 30 potential security issues and threats of IEEE 802.1TSN protocols.
ere are also some studies on abnormal detection systems; Grimm et al. [26] provided an extension of a hybrid anomaly detection system using specifications and machine learning methods.Herold et al. [5] studied anomaly detection for SOME/IP using a method called complex event processing.Table 2 lists the contributions and disadvantages of some researches.
ere are some researches on TSN as well.Farzaneh et al. [27] developed a modeling approach based on logic programming (LP) to support a more efficient configuration and verification process focusing on in-vehicle TSNs.A prototypical experimental setup was also designed and developed by Farzaneh deploying a timeaware shaper defined in IEEE 802.1Qbv [28].Brunner et al. [29] presented a future evolution for automotive E/E architectures, which is centralized with the communication of TSN.Mahfouzi et al. [30] proposed a securityaware methodology for routing and scheduling for control applications in Ethernet networks to maximize the resilience of control applications.
It can be seen that the information security of the vehicle is imperative, but the security of the TSN protocol with

Security Analysis of the TSN Backbone Network
3.1.TSN Backbone E/E Architecture.Over the last few years, features such as automated driving, networking, and cybersecurity have become increasingly important.e importance of these functionalities will increase as these advanced technologies develop and consumer adoption increases.In-vehicle communication networks, power networks, connectivity, safety, and security require a paradigm shift in E/E architectures to implement these functionalities in mainstream vehicles [31].
Today, the E/E architecture of intelligent connected vehicles is facing these four challenges: security, real-time performance, bandwidth bottlenecks, and computing power black hole.However, there is no common E/E architecture among the car manufacturers, and each car manufacturer uses its own architecture.According to the Ethernet as the core network in the centralized vehicle E/E architecture proposed by Volvo [32], this paper adds the concept of TSN into the E/E architecture.e main goal of TSN functions in E/E architecture is intended to ensure the compliance of various application domain requirements within the network in real time and to reduce the interference of real-time traffic from nonreal-time traffic in the network.Figure 1 shows the E/E architecture, and Table 3 lists the function of each unit.
tIn this architecture, the core network consists of four VIUs and one VCU.VCU can be the computational unit.One or more high-performance controllers (HPCs) in the VCU will provide vehicle-level behavior, such as behavior decision or motion planning for driverless.Furthermore, VCU also receives a large amount of data from sensors such as cameras or radars.is leads to the demand for high bandwidth and high transmission speed between the VCU and other nodes, and Ethernet as a backbone network becomes necessary.VIU can be a zone gateway in which frames from the edge nodes are forwarded or routed.Connected to a VIU is an edge node, which can be a sensor, an actuator, or a controller.e communication between VIU and edge nodes can be CAN or LIN.TSN is added because the traffic of different priority levels share the same link resource, and TSN can ensure that they are not affected by each other.

STRIDE
reat Model.Microsoft's STRIDE threat model is used to identify system security threats [33].e STRIDE model establishes a mapping relationship with security threats and security properties.As shown in Figure 2, the data flow of TSN Ethernet as core network E/E architecture is analyzed through threat modeling tool (TMT), and only Ethernet was considered.e architecture of Figure 2 is basically the same as that of Figure 1. e difference is that some real sensors, actuators, and controllers are placed in Figure 2, and the firmware update server outside the car is connected to the inside of the car through the OBD port.In addition, the communication between any nodes is Ethernet.e report is generated through TMT, and the attack methods are mainly counted and analyzed.
As shown in Figure 3, the threats are always divided into six types according to different threats of attacks and targets: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
In the absence of any security technology, the most common type of attack is the denial of service because there will be the denial of service threat on every data link.
e second most is information disclosure.Information disclosure happens when the information can be read by an unauthorized party.Elevation of privileges is all related to ECUs, either gain complete control of actuators, or exploit the standard ECU, or manipulate sensor fusion data.Tampering and spoofing are related to sensors' data and cameras' data.Repudiation is from the external interactor.
rough the analysis of the STRIDE model, the general threats can be obtained.However, in the TSN system, there should be other factors, such as bandwidth and configuration.Bandwidth should be of consideration because secure encryption can change the bandwidth requirements.e configuration of TSN streams should also be security relevant.Choi et al. [22] MACsec extension over the SDN e proposed mechanism needs to operate in the context of SDN, and the universality is low Grimm et al. [26] Hybrid anomaly detection system using specifications and machine learning methods Lack of features relevant to the TSN Herold et al. [5] Anomaly detection for SOME/IP using complex event processing Only focus on the upper layer some/IP protocol and no consideration given to TSN Ergenç et al. [25] Discussed more than 30  e firewall of traditional Ethernet is based on the OSI layer 3 and layer 4.However, the second layer needs to be protected in the car Ethernet, so per-stream filtering and policing are considered, depending on how the different detection parameters are used, such as Port No., IP, VLAN ID, Frame Length, and so on.

Intrusion or Anomaly Detection
System.An intrusion detection system (IDS) is a passive detection system that detects an attack or abnormal issues as a warning.e IDS generally provides high accuracy but has the disadvantage that it can only detect known attacks.For unknown attacks, a new signature needs to be developed.An abnormal detection system detects specific behavior.For layers 5, 6, and 7, we use deep packet inspection (DPI) to detect abnormal network behavior.is technology adds application protocol identification, packet content inspection, and deep decoding of application layer data to the traditional IP packet inspection techniques.

3.3.3.
Cryptography.IEEE 802.1AEMAC security (MACsec) provides specifications for authenticating the content of message payloads in fixed networks and specifies how to encrypt the content of message payloads to provide confidentiality in addition to message authentication [34].In      6 Security and Communication Networks generated by sensor A may squeeze the bandwidth of the other data stream.PSFP will reshape the data stream and force it back to the state before the data outbreak.us, the data of sensor B, which is working correctly, will not be affected by the other stream, and the rest of the system will not be affected either.

Per-Stream Filtering and Policing.
e PSFP is defined in IEEE 802.1Qci.As shown in Figure 6, PSFP consists of three parts: stream filter, stream gate, and flow meter.Stream filters define the filtering and policing actions on a specific stream, including gate ID and meter ID, and the filters are related to the priority and stream handle defined in IEEE 802.1CB.As the entrance of PSFP, stream filters determine which stream gate and which flow meter a specific stream will enter.Stream gate defines the gate state and internal priority value (IPV), the gate state can be "OPEN" or "CLOSED".
e gate states are all controlled by a gate control list, and the IPV replaces stream priority in a sense, which determines the frame's traffic class.e flow meter defines the color mode and committed information rate and excess information rate which reflect the bandwidth of a specific stream.e color of the stream can be "GREEN," "YELLOW," or "RED."

System Model.
As mentioned above, each of the three sections, namely stream filters, stream gates, and flow meter in IEEE 802.1Qci, has parameters that can be set for filtering and policing.erefore, these parameters defined in IEEE 802.1Qci are introduced into the design of ADS.As shown in Figure 7, the parameters are defined in ADS that can be filtered and monitored for each part.In addition to defining which specific gate ID and meter ID the traffic enters, the stream filter can set a value of the maximum SDU size, and messages exceeding this value can be blocked.In stream gates, the state of the gate is set according to the gate control list, and messages can be blocked if the gate state is CLOSED.In addition, depending on the value of OctetsExceeded, OctetsExceeded specifies the maximum number of MSDU octets permitted to pass the gate during the specified gate timer interval.Flow meters decide the bandwidth of the    Security and Communication Networks stream in a way that is called token bucket meter.e "Yellow" stream and "RED" stream can be blocked.
During ADS operation, the Stream Filters detect and discard the packets whose SDU size exceeds a maximum threshold value, whereas the Stream Gates detect and discard the traffic received in a wrong time window.Flow meters detect and discard the abnormal traffic exceeding a fixed bandwidth determined by the token bucket.
As shown in Figure 8, two levels can be set when detection through the meter.When the color mode (CM) is turned on as Colour Aware, the warning level is when the YELLOW stream was detected, while the dropping level is when the RED stream was once detected.
In equation ( 1), B i C (t j ) represents the number of tokens in the committed buckets for meter i at time t j .CIR (committed information rate) is expressed as bits per second.e CIR limits the average rate of policing frames which will be declared GREEN.e committed burst size (CBS) is expressed as bytes.e CBS indicates the maximum number of bytes to be sent in the meter queue, which will be declared GREEN.In equation ( 2), O i C (t j−1 , t j ) represents the number of tokens that overflow the committed buckets at meter i between time t j−1 and t j .e coupling flag (CF) has only two possible values, 0 or 1.When the CF is 1, the overflow tokens not used for the GREEN stream can be used as YELLOW tokens.In equation ( 3), B i E (t j ) represents the number of tokens in the excess token buckets for meter i at time t j .e excess information rate (EIR) is expressed as bits per second.
e EIR limits the average rate of policing frames which will be declared YELLOW.e excess burst size (EBS) is expressed as bytes.
e EBS indicates the maximum number of bytes to be sent at the meter queue, which will be declared YELLOW.
Figure 9 shows the flowchart of the token bucket meter when there is a frame of length l j arrives at time t j , for meter i.If there are enough GREEN tokens, then the GREEN tokens minus the packet length of GREEN tokens and mark the frame GREEN.Otherwise, if there are enough YELLOW tokens, YELLOW tokens minus the packet length of YEL-LOW tokens and mark the message YELLOW.If neither is satisfied, mark the message as RED.
At the beginning of the design of the in-vehicle network, the security-related traffic should be determined, including the traffic type, the characteristics of the traffic, scheduling rules, and the worst-case analysis and time details.us, the configuration of the parameters in PSFP is deterministic at the beginning, including the stream filters, stream gates, and flow meter.Strictly speaking, the traffic passing through PSFP will not be discarded if the network traffic is not abnormal.In other words, if the traffic is discarded by the accurately configured PSFP, there must be abnormal traffic in the network.e PSFP can be regarded as an anomaly detector, and the use of strict configuration can force the expected behavior of the network.As shown in Figure 10, the three operating modes of the switch are shown.When the PSFP is not turned on, the DoS attack traffic will directly enter the queue frames of the switch.Under the working mode of the firewall, PSFP will directly discard the messages that do not meet the configuration, and under the working mode of ADS, the controller should sound a warning.
In the design of PSFP, the switch will count the frames through the filters, gates, and meter.In addition to recording the messages of normal behavior, it also counts the discarded messages with an exception, thus generating exception prompts.If the PSFP is configured correctly, these exception hints will not result in false positives, as shown in Figure 11.
Finally, the whole structure of the ADS and the detection process is shown in Figure 12.Security and Communication Networks

Simulation and Results
e simulation environment used in the experiment is OMNeT++, which is an open-source simulation tool.e experiment uses a case study to evaluate the performance of ADS based on IEEE 802.1Qci.e case study is a TSN ADAS sensor fusion zone network in which PSFP is supported on every port of every switch, and TAS defined in IEEE 802.1Qbv is also applied.Switch nodes are corresponding to TSN bridges, and controller nodes are corresponding to TSN endpoints of the TSN backbone E/E architecture.

Topology.
e network adopts the star network architecture, as shown in Figure 13.e network consists of two switch nodes and five ECU nodes.e CentralHost with switch2 makes up the module VCU, while ZonalHost with switch1 make up the module VIU. e sensor nodes consist of AV1, AV2 and Radar.e speed of each link is 100 Mbps automotive Ethernet, and the message format is based on Ethernet II with IEEE 802.1QVLAN (virtual local area network) tag.
e simulation time of the scenario is 150 ms, and the switch buffer capacity is set to a maximum of 30 packets.e relevant parameters of various traffic flow in the network are shown in Table 5.
e TAS scheduling table of two switches has the same design.e scheduling rules are as follows: (1) e scheduling cycle is set to 500 us Declare Traffic Frame Red Traffic Frame of length l j arrives at time t j for Meter i AND (l j ≤ B i C (t j )) Figure 9: Token bucket meter.

Security and Communication Networks
(2) e priority code point (PCP) of control messages is 7 (the highest priority) (3) e PCP of the Forward Camera message is 4 (the medium priority) (4) e PCP of the Radar message is 4 (the medium priority) (5) e switching processing delay is set at 8 us, which is the same as the NXP SJA1105Q (6) e design of gate control lists (GCLs) is shown in Table 6 e ADS strategies are applied only in the switch1, and the parameter configurations are given in Table 7.
e Stream Filter 2 of all ports is used to detect and drop the undefined frames.

Detection.
To analyze the performance of the ADS system, the abnormal traffic is added to the normal traffic.e characteristics of abnormal traffic are shown in Table 8, including the abnormal type and quantity.e addition of abnormal traffic can significantly change the real-time performance of the original traffic, as shown in Figure 14. Figure 14(a) shows the end-to-end delay of each traffic without abnormal traffic, and the end-to-end delay of each traffic type is very stable.Figure 14(b) shows the end-to-end delay for each traffic with added bandwidth traffic.Figure 14(c) shows the end-to-end delay for each traffic with all abnormal traffic.
In addition, the behavior of abnormal traffic is mainly divided into the following four kinds.

MSDU.
e messages transmitted by the sensor network are generally within a known range.Messages exceeding MSDU are regarded as abnormal traffic.

Timing.
e cycle of messages transmitted by the sensor network is also known.In the network design stage, the time that each message should be transmitted is also determined.erefore, messages received at an abnormal time are regarded as abnormal traffic.

Undefined.
After the network topology and traffic are determined, the type of network traffic is known.If an unknown traffic type is received, it will be considered abnormal traffic.

Bandwidth.
For ADAS traffic in the sensor, the bandwidth is also statically configured, and abnormal bandwidth behavior is treated as an exception.
Comparatively speaking, MSDU and undefined can be classified as tempering attacks, as mentioned in Section 2. Timing and bandwidth are usually caused by node corruption.e performance of ADS is closely related to the configuration of PSFP.Figures 14 and 15 show the effects of ADS on four different kinds of abnormal traffic.e system starts abnormal traffic from 50 ms, and abnormal traffic is detected and discarded from the 50 ms after passing through the ADS system.
ere is no difference between Figures 14(a) and 14(d), Figures 14(b) and 14(e) are also the same.In the absence of abnormal traffic, ADS will not cause any impact on the TSN system.Figure 14(c) shows the worst impact caused by abnormal traffic, in which control packets with high priority are affected because the abnormal control packets are added to the normal control message flow, and the length of the abnormal control packets is larger than MSDU.erefore, the increase in end-to-end delay of normal control packets is due to the influence of abnormal control packets.At the     Security and Communication Networks same time, the end-to-end delay itself includes both normal and abnormal end-to-end delays.Similarly, the other three types of messages are affected by abnormal traffic.As shown in Figure 14(f ), for the system after applying ADS, the average end-to-end delay of each traffic has been greatly improved.
As a bonus, Figure 16 shows the behavior of the warning level.When the warning level is triggered, YELLOW tokens are taken, but no frames are dropped until the dropping level is triggered.Table 9 shows the performance of the system with and without abnormal traffic when ADS is applied and is not applied.

Security and Communication Networks
It can be seen that the real-time performance of the control data is not significantly affected when ADS is applied.

Conclusions
In this paper, the security of an automotive TSN as a backbone E/E architecture was analyzed through the MS STRIDE threat model.In the architecture, denial of service attacks is the biggest hidden danger and needs to be emphasized.To form a comprehensive protection strategy for automotive Ethernet security combining the traditional Ethernet and TSN security mechanisms, the protection countermeasures of each layer were listed according to the OSI model, and the countermeasures were divided into three categories: isolation and filtration, detection and defense, and authentication and encryption.en, according to the definition of PSFP defined in IEEE 802.1Qci, an anomaly detection system was designed.Finally, according to the OMNeT++ simulation tool, the performance of ADS was analyzed and evaluated.Experimental results showed that the ADS successfully identified and discarded four different abnormal traffic events.e application of ADS can thus reduce the impact of abnormal traffic, especially the denial of service attacks.Among them, ADS can make the highest priority control messages not affected by abnormal messages, achieving the goal of ADS design.In future work, the performance of ADS will be further evaluated through hardware based on the simulation design method and model.

Figure 1 :
Figure 1: TSN Ethernet as the core network in the centralized vehicle E/E architecture.
Security and Communication Networks addition to the traditional Ethernet security protocols that can be utilized in the upper layer, such as secure sockets layer (SSL), transport layer security (TLS), and datagram transport layer security (DTLS), the AUTOSAR (automotive open system architecture) organization has specifically standardized the definition of security onboard communication (SecOC) for automotive Ethernet.

4 .
ADS Design Based on IEEE 802.1Qci4.1.Problem Formulation.As shown in Figure5, an example of PSFP applied to DoS attacks or sensor failure defense is presented.Figure5(a) shows the traffic transmission plan of sensor A and sensor B in the scheduling plan.e two traffic streams belong to the same traffic type, and the scheduling table allocates 45 Mbps bandwidth for this traffic type.However, when the node of sensor A encounters DoS attacks or node failure, its transmission flow becomes abnormal, which surges from the panned 15 Mbps to 60 Mbps.If there is no protection mechanism, as shown in Figure5(b), the data of sensor B will be affected by the fault data of sensor A, resulting in the data of sensor B cannot be transmitted normally, which is unacceptable for functions such as automatic driving.If PSFP is applied to the switch connected to sensor A and sensor B, as shown in Figure5(c).e sudden increase of the traffic

Figure 2 :Figure 3 :
Figure 2: Data flow of TSN Ethernet as the core network topology.

Figure 4 :
Figure 4: OSI models and security technologies.

Figure 5 :
Figure 5: Sensor failure or DoS attack scenario.

Figure 13 :
Figure 13: ADAS fusion zone system with the star-topology TSN.

Figure 14 :Figure 15 :Figure 16 :
Figure 14: (a) End-to-end delay of each traffic without abnormal traffic.(b) End-to-end delay for each traffic with added bandwidth traffic.(c)End-to-end delay for each traffic with all abnormal traffic.(d) End-to-end delay of each traffic without abnormal traffic when ADS is applied.(e) End-to-end delay for each traffic with added bandwidth traffic when ADS is applied.(f ) End-to-end delay for each traffic with all abnormal traffic when ADS is applied.

Table 1 :
TSN standard overview.Profiles for secure, highly reliable, deterministic latency, automotive in-vehicle bridged IEEE 802.3 Ethernet networks based on IEEE 802.1 TSN standards and IEEE 802.1 security standards Security and Communication Networks many advantages is rarely discussed.TSN is primarily based on the data link layer.However, only the encryption and authentication introduced by MACsec and IEEE 802.1X cannot completely override TSN security.

Table 2 :
Research for the security aspect of automotive Ethernet.

Table 4 .
Firewalls can be applied according to different categories and different technologies.Firewalls are set up to avoid DoS Attacks and limit the number and throughput of simultaneous connections to the network.

Table 4 :
Firewall types with the OSI layer, protocols, and techniques.

Table 5 :
Traffic characteristics of the star-topology TSN.

Table 6 :
GCL design of the star-topology TSN.
1: means the parameter is not related to the corresponding port. 2 e MAC address of the CentralHost node.3o:openstate of the gate (the gate state period is 500us).4C:closed state of the gate.

Table 9 :
e performance of the system with and without abnormal traffic when ADS is applied and is not applied.E2E mean delay without abnormal traffic when ADS is not applied. 6E2E delay2 � E2E mean delay with abnormal traffic when ADS is not applied. 7E2E delay3 � E2E mean delay without abnormal traffic when ADS is applied. 8E2E delay4 � E2E mean delay with abnormal traffic when ADS is applied.