Intrusion Detection Method for In-Vehicle CAN Bus Based on Message and Time Transfer Matrix

As the number and computational power of electronic computing units installed in standard automobiles continue to increase, contemporary motor vehicles face more cybersecurity threats than previous designs, while providing greater convenience and various useful features. Although vehicles are attacked at various entry points, eventually, attacks are injected into the in-vehicle controller area network (CAN) to cause vehicle anomalies. Currently, OEMs and research fields have implemented protection for the CAN bus in terms of external interfaces, internal protocols, and intrusion detection. Although the deployment of intrusion detection solutions is the most effective approach, the main challenges currently faced by automobile intrusion detection algorithms in practice involve limited computing resources, insufficient real-time responsiveness, and low recognition accuracy. In this study, we propose a novel intrusion detection method based on the message and time transfer matrix to address these difficulties, which can be applied to the vehicle Electronic Control Unit (ECU) to achieve real-time attack signal identification with high accuracy. Experiments on actual vehicles show that the proposed algorithm identified various attacks with high accuracy while consuming less computational and storage resources than previous methods. Moreover, the efficiency of the proposed algorithm is not affected by the attack injection frequency. Compared with other methods, the proposed method achieved better attack identification performance. Additionally, the message and time transfer matrix used by the algorithm can be used as a message transfer fingerprint of the CAN bus to discover anomalies.


Introduction
With the general increase in available computational power and the number of Electronic Control Units (ECUs) [1,2], automobiles have become more intelligent and networked. Vehicles are no longer only a means of transportation but have become a smart terminal with computing and communication capabilities. Nowadays, intelligent vehicles improve the driving experience and provide drivers with greater convenience, such as through more accurate assisted driving and more diverse media access. Aside from comfort and functionality, security threats to cars have increased [3,4] and drawn attention from the research community. Researchers have demonstrated the possibility of attacks against intelligent vehicles [3][4][5]. In one poignant example, in 2015, Miller et al. exploited a CAN bus-connected entertainment system and ECU firmware to attack a Jeep Cherokee driving on the highway, causing a series of severe consequences such as loss of vehicle power, radio problems, and uncontrolled water spray [6]. Moreover, Rogers et al. succeeded in stopping a Tesla in place and shutting down the car by sending commands via an iPhone [7]. In 2019, Keen Labs in China exploited vulnerabilities in assisted driving systems to drive vehicles into the reverse lane and even control vehicles' steering remotely using a gamepad [8]. In 2021, two researchers from Kunnamon used a drone to control the infotainment system of a Tesla via Wi-Fi and conducted a series of malicious operations to open doors, change steering, and acceleration modes [9]. Although the entry points for attacks against vehicles vary, all these attacks cause anomalies in the vehicle's internal network, leading to anomalous vehicle behavior. e conventional controller area network (CAN) is commonly used for internal vehicle networks. CAN is a reliable serial bus that provides communication between individual ECUs. However, the CAN bus uses broadcasts for communication and has no encryption or authentication mechanisms. Once hackers gain access to the CAN network from other entry points, they can attack the vehicle control unit, severely threatening the vehicle occupants and pedestrians.
Original equipment manufacturers (OEMs) and research organizations continue to strive to find protective measures to address the security of the existing CAN bus. Two protection strategies are currently used by OEMs to prevent the CAN bus from being compromised. e first is to privatize the Database CAN (DBC) file that describes the meaning of CAN messages to prevent attackers from sending control messages to the CAN network. e other is to filter anomalous messages at the OBD-II interface, which is the CAN network's external physical interface. However, works [10][11][12] have already explored methods to reverse engineer the DBC file used by OEMs for protection. In addition, it is easy for hackers to find other entrances aside from the OBD-II interface to defeat the second security protection to execute an attack. Two main types of CAN protection measures have also been proposed in the relevant literature. e first approach is to add encryption and authentication security mechanisms to the ECU, which will inevitably increase the production cost of the vehicle and the transmission delay of CAN messages and cannot be used in vehicles with time-sensitive control systems. e other is to deploy intrusion detection algorithms in the vehicle to detect and protect against intrusions, which is currently possible but still has several challenges. Practical intrusion detection algorithms mainly include machine learning-based and singlefeature lightweight algorithms. Machine learning-based intrusion detection algorithms involve the challenge of limited or deployment in resource-constrained ECUs, and their required computation time does not meet the realtime requirements of automotive systems. Lightweight intrusion detection algorithms do not meet the accuracy requirements of automotive applications, although they solve the latency and resource problems.
To solve the problems of current automotive CAN bus intrusion detection algorithms related to insufficient realtime response, low accuracy, and high resource occupation, in this study, we propose a CAN intrusion detection algorithm with high accuracy, low latency, and low resource consumption. We analyze CAN messages and time transfer characteristics and construct a multidimensional matrix of message ID transfer, data transfer, and time transfer based on the results of feature analysis. is matrix and message association analysis are used in the detection algorithm to achieve fast and accurate identification of intrusion messages in daily automotive driving scenarios. e critical contributions of the proposed method are summarized as follows.
(i) In this study, an innovative attack detection method based on a message and time transfer matrix is proposed to detect anomalous attacks in real time, having a high recognition rate and requiring less resources than existing methods. (ii) is study uses actual vehicle data to model, validate, and detect. e results show that the method is sufficiently accurate and unaffected by the speed of attack injection in both stationary and moving vehicles. (iii) Compared to existing methods, the proposed method consumes fewer ECU resources, having a shorter response time and higher accuracy. ese characteristics make it more suitable for real-world automotive electronics.
e remainder of this study is organized as follows. Chapter 2 provides a preliminary overview of the CAN bus, describes CAN network-based attack scenarios and models, and analyzes other related works. Chapter 3 analyzes the message transfer and time transfer characteristics of CAN messages. Chapter 4 describes the data collection and injection devices used by the algorithm, the model construction and verification process, and the detection scheme. Chapter 5 describes the accuracy results, time and resource performance, performance of the method in actual vehicle experiments with different attack injection frequencies, advantages over other available schemes, and applications in typical CAN network architectures. Chapter 6 presents a scheme using message and time transfer matrices as fingerprints for CAN data transfer. Finally, Chapter 7 summarizes the work of this paper and provides some directions for future research. Figure 1, a standard CAN frame begins with the start of frame (SOF), which is explicit and allows all nodes to be hard-synchronized. e SOF is followed by the arbitration field, which consists of an 11-bit identifier (ID) and remote transmission request (RTR). e identifier bit is used for arbitration when multiple nodes send data simultaneously, and the smaller the identifier, the higher the priority. Furthermore, RTR is used to distinguish the type of message. e arbitration field is followed by a 6-bit control field, where IDE and r0 specify the length of the frame, and the data length code (DLC) sets the number of bytes in the data field. en, the data field of the CAN frame, which contains the car's control commands, status data, and any other data to be transmitted, is included. Subsequently, the circular check code (CRC) and the acknowledgment field (ACK) are used to detect and confirm if an error occurred in the transmission of the message. Finally, EOF identifies the end of the message.

CAN Bus Preliminary. As shown in
In addition, there are two states in the CAN bus network, 0 is the explicit level, and 1 bit is the implicit level. If both a dominant and a recessive level are present, the status of the CAN bus is set to the dominant level. So when arbitrating between different IDs, the smaller the ID, the higher the priority.
For the attacker, the most meaningful information is the identifier and the data fields. Based on the arbitration mechanism of the CAN bus, an attacker can use the identification bits to implement denial of service (DoS) attacks. In addition, the attacker will focus on the control and status commands in the data field to perform fuzzing and replay attacks.

CAN Attack Surface and Model.
is section analyzes the attack surface and attack models on the automotive bus based on the existing automotive CAN network architecture.

Attack Surface.
e current typical CAN network architecture is shown in Figure 2. e in-vehicle CAN bus network is divided into several domains, including the chassis, body, power, and information. Within each domain, communication between individual ECUs is conducted through the CAN bus. Additionally, each domain is connected to a central controller, enabling interdomain communication through the central controller.
e attack surface against this architecture can be mainly divided into contact attacks and noncontact attacks.
When implementing physical contact attacks, because the OBD-II interface is typically not easily found under the steering wheel, hackers can access an attack device at the OBD-II interface to inject anomalous messages. Additionally, the attacker may hitch the attack device to an exposed CAN connection to inject the attack. In noncontact attacks, the hacker controls the nodes in the CAN network to send attack messages to the CAN bus. e in-car entertainment system is the most vulnerable to hacking as a node for human-vehicle interaction. Once the node is compromised, the attacker can send any attack message remotely. Furthermore, as vehicle manufacturers are increasingly using Over-the-Air Technology (OTA) to upgrade ECU firmware, hackers can tamper with the upgrade package to take control of the ECU and consequently send arbitrary messages to the CAN bus. Either way, hackers send attack data to the CAN network either directly or indirectly to cause abnormal vehicle behavior.

Attack Model.
We surveyed numerous research works on CAN bus attacks and concluded that the current effective attack models included DoS, fuzzy, and replay attacks. In the actual vehicle attack tests conducted by the researchers in this paper, it was found that there is also an ulterior fuzzy attack that has a higher efficiency in executing attacks against the CAN bus. Among the CAN attack models, the easiest to identify is the DoS attack, followed by the fuzzy attack. e ulterior fuzzy attack and the replay attack are more challenging to recognize. e following section describes the four CAN bus attack models.
(1) DoS Attack. All ECU nodes share the same bus resources, and no node is under the administrator's control. In this case, a malicious ECU can increase the bus occupancy without following the bus protocol, causing delays, or even suspending other messages. erefore, hackers can implement DoS attacks by injecting high-priority messages into the bus in a short time, thus preventing the delivery of other CAN messages. An example of the DoS attack is depicted in Figure 3. e bus messages with higher priority (e.g., ID � 0x000) were randomly injected into the typical message traces at high speed. For example, a DoS attack can be implemented by injecting packets with an ID of 0x000 at a rate that is ten times the regular message interval.
(2) Fuzzy Attack. A fuzzy attack indicates that an attacker sends random compromised IDs and data to the CAN network at any time, even if the attacker does not have any specific information about the victim. e attacker is only required to send a malicious message in the same form as a normal CAN message all the time, and the vehicle may be successfully attacked. Unlike a DoS attack, the fuzzy attack paralyzes the vehicle's functionality or causes an abnormal ECU reaction instead of preventing regular message delivery by occupying the bus. erefore, fuzzing attack messages consisting of random IDs and data are randomly inserted into the regular CAN bus traffic. An example of the attack is shown in Figure 4. When the fuzz attack was implemented on the test vehicle, the vehicle randomly performed abnormal reactions, such as abnormal engine noise, flashing lights, abnormal increase in power, and gear switching.
(3) Ulterior Fuzzy Attack. Unlike the basic fuzzy attacks, a savvy attacker may gain prior knowledge of the victim and narrow down the random data by eavesdropping on the bus data. A more advanced fuzzy attacker can perform a more efficient attack by first knowing all the valid IDs in the CAN bus and sending attack messages containing existing IDs and random data. An example of the ulterior fuzz attack is shown in Figure 5. Such attacks are realized efficiently by inserting some messages randomly. e IDs of these messages exist in typical message traces, and the data field is random. Experiments show that ulterior fuzz attacks can cause anomalous vehicle behaviors more frequently than fuzz attacks.
(4) Replay Attack. As shown in Figure 6, the replay attack causes problems by injecting a set of CAN messages extracted and recorded in a particular order into the CAN bus. Replay attack datasets can be generated by randomly inserting a segment of prerecorded CAN messages into the typical traffic trace. Experiments on the test car indicate that the replay attack could cause the car to reproduce some of its   Security and Communication Networks previous operations, such as increasing air conditioning wind, gear switching, and window lifting.

Related Work.
To combat malicious attacks in the CAN bus, it is crucial to build anomaly detection algorithms by analyzing the characteristics of CAN messages to identify attack messages and provide accurate reference information for system protection. Several methods have emerged for CAN anomaly detection, but they fall short in accuracy, usability, and real-time. e first type of method relies on the physical features of the CAN bus for anomaly detection. For example, Cho and Shin proposed a method called Viden, which extracts the voltage characteristics of ECUs through voltage measurements to identify abnormal voltage values.
is method can detect illegal access quickly and accurately [13]. Tian   identify intrusion sources [14]. However, these methods are only suitable for detecting attacks at the physical layer rather than the application layer. Furthermore, they require additional hardware for physical feature acquisition, increasing vehicle manufacturing overheads. e second type of method relies on legitimate CAN data analysis results for anomaly detection. For example, Song et al. analyzed the periodicity of CAN bus messages and found injected attack messages by examining the occurrence periods of the messages with the same ID [15]. Stabili et al. constructed a lightweight CAN intrusion detection algorithm to handle escalating attack messages that did not satisfy the Hamming distance requirement [16]. Additionally, they proposed an anomaly detection algorithm for ID sequences to discover illegitimate ID transfers [17]. Lee et al. identified a fixed pattern of response offset versus time for remote frames, and this pattern will be broken when an attack occurs. ey exploited this pattern to detect attacks [18]. ese methods used lightweight algorithms for the situation where ECU resources are constrained. However, the algorithms can only discover attacks from a single dimension, obtaining poor accuracy in anomaly identification, particularly in identifying advanced attacks. e third type of method uses information theory to identify anomalous attacks. For example, Yu et al. proposed an intrusion detection system based on the estimation of multiorder Rényi entropy [19]. Wu et al. proposed an information entropy-based approach that uses a fixed amount of information as a sliding window to improve the accuracy of attack identification and reduce false positives [20]. Although this type of method can effectively identify anomalies, it cannot make judgments immediately after an attack occurs and does not meet the requirements of rapid automotive response. Furthermore, there is another type of method based on machine learning algorithms for CAN attack detection. For example, Tariq et al. used a rule-based approach and a recursive neural network algorithm to detect anomalous messages with an accuracy exceeding that of previous algorithms collaboratively [21]. Song et al. proposed an intrusion detection system based on a deep convolutional neural network (DCNN) [22]. e DCNN learned network traffic patterns and detected malicious traffic, reducing the false alarm and missed alarm rates. Seo et al. proposed a GAN-based CAN bus intrusion detection system that uses deep learning models to generate adversarial networks to improve the identification rate of attacks [23]. Wang et al. proposed a distributed anomaly detection system using hierarchical time memory (HTM) [24]. ey designed predictors exploiting the HTM algorithm and logarithmic loss function to calculate anomaly scores. ese methods identify attacks with high efficiency, but they cannot be fully applied to vehicles owing to their limited computational resources.

CAN Message and Time Transfer Characteristics Analysis
Based on the investigation of existing studies and actual vehicles, in this section, we analyze the data characteristics and time characteristics of data frame transfer in the automotive CAN bus. In addition, mainstream electric cars, sedans, and sport utility vehicles (SUV) in the market were investigated to illustrate the correctness of the results.  [17]. Based on this conclusion, the ID transfer rule of CAN messages can be used as a feature to detect intrusions, especially for DoS attacks and fuzzy attacks.

Message Transfer
In addition, the transfer characteristics of the CAN message data fields are investigated in this paper. By analyzing the variation of adjacent CAN message data fields for different vehicles, this study finds that the distance of data bits fluctuates within an interval rather than being completely random, regardless of the distance model used. Because anomalies are usually caused by colliding control commands randomly when implementing attacks on the CAN bus, we investigated the collision resistance of each legal transfer under different models based on the transfer characteristics of the data fields. Specifically, we used the Hamming distance [25], Levenshtein distance [26], cosine distance [27], Jaro distance [28], and Jaro-Winkler distance [29] for an electric vehicle to calculate the distance interval for each legitimate message transfer. en, the distance intervals are collided with the fuzzy attack to obtain the best distance model for each legitimate transfer against the fuzzy attack.
e best model was applied to achieve accurate anomaly aware messages.

Time Transfer Feature.
is study analyzed the time interval of each legal message transmission in CAN traffic in all test vehicles. We found that the time intervals of message transmission all satisfied the following four distributions. e first type of time interval is a discrete constant, as shown in Figure 9(a), with an integer between 228 and 242. e second type of time interval includes continuous values, as shown in Figure 9(b), with a continuous interval between 240 and 325. e third type approximates time intervals satisfying a one-sided normal distribution, as shown in Figure 9(c). As shown in Figure 9(d), the fourth type contains completely random values for a time interval of a random number between 0 and 6000.
Because injecting anomalous messages into CAN is entirely random, the time interval can be essential for detecting anomalous behavior. For interval distributions that satisfy discrete and continuous values, intrusions that do not meet their distributions can be detected directly and efficiently. For cases that satisfy the normal distribution, the interval of messages can be filtered by using the PauTa criterion to select the best confidence interval. For the utterly random case, the maximum variation range is used as an interval to discover intrusion messages outside the interval. e time interval of the message is unavailable for an attacker, so the attack injection is entirely random. If the time interval distribution of CAN messages is used as a feature to detect anomalies, then they can be identified without distinguishing the type of attack.

Methodology of In-Vehicle Network Intrusion Detection
In this study, we analyze the attack surface of CAN networks as described above, demonstrating that the ultimate goal of intruding the CAN network is to send attack messages, irrespective of whether the CAN bus is directly contacted. In addition, this paper analyzes the current measures on CAN network protection in OEM and scientific fields in the related work. e current relatively effective method is to deploy an intrusion detection mechanism to discover intrusions and protect against them. However, existing methods still cannot meet accuracy, real time response, and resource requirements of network-connected vehicles.
To solve the difficulties faced by the current CAN bus intrusion detection, we designed a CAN intrusion detection model with high accuracy, low latency, and low resource consumption based on the message and time transmission characteristics of CAN messages, which achieved fast and accurate identification of four attacks using this model and up-down message correlation analysis. e overview of the method is shown in Figure 10. e algorithm constructs a transfer feature matrix by extracting messages and time transfers from CAN traces generated by regular driving. e attack messages are discovered in real-time using contextual correlation analysis based on the transfer feature matrix. Additionally, with its lightweight feature, the algorithm can be deployed in the central controller to identify cross-domain attacks and in resource-constrained ECUs to identify abnormal data in the domain.
is section first defines a set of variables used in the algorithm, then describes the devices used for data collection and algorithm detection, and finally describes the algorithm feature model construction, model validation, and anomaly detection.

Data Acquisition and Injection Equipment.
e test vehicle used in this study was a Chinese-made electric vehicle with an internal network implementing the standard CAN bus protocol. Furthermore, the vehicle has an open OBD-II interface for message collection and injection (OBD-II is an interface for monitoring CAN bus data and obtaining diagnostic trouble codes). Additionally, the proposed algorithm is applied to the test vehicle to demonstrate its accuracy, real time responsiveness, and feasibility, because the vehicle has typical interfaces and bus protocols representative of most current commercially available vehicles.
e data acquisition device used is shown in Figure 11  CAN controller with an SPI interface and SN65HVD230 transceiver to receive CAN information. e setup for invehicle CAN message collection is shown in Figure 11(b). e acquisition device collects CAN traffic from the test vehicle at a baud rate of 500 kbps. e message injection device was a combination cable comprising an OBD-II to DB9 diagnostic cable and a PCANUSB FD adapter. e cable was connected from the vehicle's OBD-II port to the USB port on the computer side to enable real-time attack message injection. It is noteworthy that we utilized a splitter to divide the OBD-II interface into two parallel hardware interfaces when detecting anomalies, as shown in Figure 12(a). One interface was connected to a laptop computer configured with the proposed algorithms for identifying intrusions. e other interface was connected to an attack device capable of sending four attack messages based on the attack model, as shown in Figure 12(b).

Model Construction and Validation.
In Chapter 3, we analyzed the features of CAN messages and time transfer and illustrated their advantages in detecting various types of attack messages. Based on these facts, the model construction phase extracts the ID transfer, data transfer, and time transfer features from the CAN traces generated during everyday driving of the test vehicle and deposits them into the feature matrix Ω T . Ω T is a square matrix of order n, where n is the number of elements in the set of unique IDs (ID 0 , ID 1 , ....., ID n ) in the CAN bus traces. e model construction flow is depicted in Figure 13.
First, the row and column index of Ω T are initialized to the set of unique IDs (ID 0 , ID 1 , ....., ID n ) in the initialization phase. e initialized values of the elements in the matrix are two empty lists D ij and T ij , which hold the data distance and time interval distribution of message transfers in CAN traces, respectively. Additionally, the optimal distance algorithm table for each type of message transfer is set considering the input dataset using the transfer characteristics of the CAN message data fields.
Next, when Ω T is created, all legally transferred adjacent CAN messages must be examined. When two consecutive messages are input, the best distance model is selected based on the results of the characteristic analysis. e selected model is exploited to calculate the distance value, and the calculation result is stored in D ij . Similarly, the time interval of adjacent messages is calculated, and the calculation result is appended to T ij . As an example, if there are two legal adjacent CAN messages (m i and m j , where m i with id i , payload da ta i , and timestamp t i , and m j with id j , payload da ta j , and timestamp t j ), then the distances between da ta i and da ta j and t j − t i are, respectively, appended to D ij and e maximum interval is kept if it satisfies the continuous or the completely random. e interval corresponding to the 3-sigma principle is kept if it satisfies the normal distribution. In particular, for nonexistent transfers, the corresponding elements of the matrix are two empty lists.
At this point, the matrix based on the CAN message and time transfer characteristics has been established, and it can describe the legal ID transfer, data transfer, and time transfer characteristics in automotive CAN networks.
Ω T must be validated to improve the algorithm's effectiveness and minimize the false positive rate during detection. e model validation phase used Ω T and the validation dataset as input, and the validation steps were as follows: (1) For consecutive CAN messages in the validation dataset, check whether their ID transfer exists in the index of Ω T . If it exists, proceed to the next step. If it does not exist, add the ID transfer as the index in Ω T and go to the next step.

Model construction dataset
Optimal distance model analysis

Message Transfer Best Distance
Hamming Jaro

Best
Optimal distance algorithm for every tansfer    messages satisfy D ij and T ij and if they do, go to the next step; if they do not, update D ij and T ij with the current value. When the element is empty, fill the element with the distance and time interval distribution. (3) Extract the next message transfer in the verification dataset and repeat the above steps.

Detection
Scheme. e detection scheme used by the proposed algorithm utilizes CAN messages correlation analysis rather than simply comparing the transfer characteristics of adjacent messages. e algorithm uses the validated Ω T to identify anomalies in the raw CAN bus data in the detection phase. ree consecutive messages (m i , m j , and m k ) are used as inputs to determine if m j is an anomaly, where m i is the reference message, m j is the current message, and m k is the following message. According to Figure 14, the steps for detection are as follows. Specifically, if m j is identified as a legitimate message, the algorithm uses m j as a reference to determine the legitimacy of m k . When m j is identified as an abnormal message, the algorithm still uses m i as a reference and m k+1 as a subsequent message to check the legitimacy of m k .

Performance Evaluation
is section details the application and performance evaluation of the proposed CAN intrusion detection scheme in test vehicles. Firstly, this section describes the dataset used for model construction, validation, and detection, together with the data collection and attack injection scenarios. Secondly, the performance of the proposed algorithm is evaluated in terms of recognition efficiency, time and resource consumption, and the algorithm's performance under different fault injection rates. Afterward, the algorithm's advantages in terms of accuracy are compared with other existing algorithms. Finally, specific applications of the algorithm and protection strategies combined with the central controller are described.

Datasets and Scenarios.
To fully and effectively evaluate the performance of the proposed algorithm, we used datasets from different driving scenarios in the model construction, validation, and detection phases.
e dataset used for model construction contained CAN traffic collected while the test vehicle was driving on its daily commute route. e driving route of the test vehicle is shown in Figure 15(a), which included three driving scenarios: country roads, highways, and congested city roads. e dataset for model construction is shown in Table 1; it has 29213281 messages containing seven days of CAN traffic for commuter driving. Road conditions include slippery roads, congested roads, and rainy and foggy conditions. e CAN message and time transfer matrix Ω T constructed using this dataset is a 39 × 39 square matrix that contains 780 legal transfers. e best distance model for the CAN message data fields in the test vehicle is publicly available, and the results indicate the best distance model for resisting fuzzy collisions. e dataset used to validate the model is shown in Table 1, which is twice the size of the modeling dataset. is dataset was collected using the vehicle driving route, as shown in Figure 15(b). After the model was validated, it had zero false positives for the CAN bus traffic of the validation dataset, and the final validated matrix was the same as the original feature transfer matrix.
is result confirms the existence of a fixed bus message transfer pattern under different driving habits and vehicle driving conditions.
To evaluate the detection efficiency of the proposed algorithm, the anomalous data were injected into the CAN bus of the test vehicle using data injection equipment based on four attack models in the vehicle stationary state and vehicle driving state, respectively. e attack dataset is shown in Table 2, in which 1003756 attack messages were injected when the vehicle was stationary and 1316894 attack messages were injected during driving. ey all contained DoS attacks, fuzzy attacks, ulterior fuzzy attacks, and replay attacks. In addition, the driving route was set in a relatively safe country road to prevent the occupants of the vehicle from being harmed by any anomalies, as shown in Figure 15(c).

Identification Efficiency Evaluation.
e performance of the proposed intrusion detection algorithm to identify anomalies was evaluated in terms of the accuracy of online detection of injected attack messages in actual vehicles. is section describes the accuracy of the algorithm in detecting attack messages in actual stationary and moving vehicles. e experimental results show that the algorithm identifies all four types of CAN bus attacks well, as shown in Figure 16. e algorithm performs best in identifying DoS and fuzz attacks, maintaining almost 100% accuracy regardless of the vehicle state. e accuracy of identifying ulterior fuzz attacks was 95.7% when the vehicle was stationary, compared to 95.5% when the vehicle was running.
e accuracy of identifying replay attacks was 90.6% when the vehicle was running and 93.6% when the vehicle was stationary. Overall, the anomaly detection accuracy when the vehicle was stationary was slightly higher than that of the vehicle in the running state. is result occurred because fewer types of messages appear when the vehicle is stationary, there are relatively few message transfers, and attack messages are not easily ignored. Furthermore, more messages appear in the CAN network when the vehicle is moving, and the probability of fuzzy attacks and replay attacks randomly colliding as legitimate transfers increases. e performance analysis of the proposed algorithm is conducted as follows. When implementing DoS attacks, the  attacker interferes with the CAN bus communication by sending messages with higher priority (i.e., message data with smaller IDs), thus occupying the total resources of the CAN bus. e proposed algorithm can quickly identify malicious messages using the presence or absence of ID transmissions alone, so the algorithm has a very high identification accuracy for DoS attacks. Fuzzy attacks inject messages randomly, implying that the message ID, data, and timestamp are random. When the algorithm detects an ambiguous attack, it checks whether the ID transfer, data distance, and time interval of three neighboring messages satisfy the legal conditions of the transfer matrix. Most fuzzy messages fail to satisfy these legal conditions, and very few fuzzy attacks that happen to satisfy the conditions can be misclassified as correct messages. Because the distance model, which works best for random data, is utilized in the modeling phase, the probability of such misclassification is minimal, causing the algorithm to have an accuracy rate close to 100% for fuzzy attacks. However, the ulterior fuzz attack is subtler than the fuzz attack, as it sends random messages with legitimate IDs. erefore, ulterior fuzz attacks are more likely to be misclassified as legitimate by the algorithm. Although the ID transfer of messages is correct in detecting such attacks, the data distance and time interval between adjacent messages are random, so the proposed algorithm can still effectively identify ulterior fuzz attack messages. However, the identification accuracy is relatively lower than that for the first two attack messages. e replay attack is the most difficult to identify because it exactly replicates the previous correct message sequence and its ID and data fields are legitimate. e proposed algorithm identifies replay attacks by examining the characteristics of three consecutive messages. Although the ID transfer and data distance may be judged as correct, the replay timestamp is entirely random and judged as abnormal by the algorithm. Table 3 lists the time consumed by the algorithm for identifying the four types of attacks. e time required to identify standard information was the shortest, averaging 0.261 ms. In detecting attack messages, the time required to identify DoS attack information was the shortest, averaging 0.265 ms, and that required to identify replay attacks was the longest, averaging 0.284 ms. is result also validates the algorithm's model identification process, which uses only the ID transfer to identify DoS attacks and therefore takes the shortest time. Identifying the replay attack takes the longest time, as the three main features of ID transfer, data field distance, and time interval distribution are used. e total time to identify anomalies is the sum of the time interval of adjacent messages and the time required for algorithm identification. e time from the appearance of an anomaly message to its recognition is the sum of the time from that message to the appearance of the following message and the algorithm's recognition time. During normal CAN message acquisition,   e total storage requirement of the algorithm is 20,391 bytes, which is much smaller than the hardware limitation of current automotive ECUs [30]. erefore, the proposed algorithm can be applied to resource-constrained vehicles.

Performance under Different Injection Frequencies.
To better evaluate the method's performance in identifying attack information, the accuracy and recall of the algorithm were tested at different attack injection frequencies.
e performance of the proposed algorithm under different injection frequencies is shown in Figure 17, where four types of CAN bus attacks are injected at a frequency ranging from 10% to 100%. e percentage represents the ratio between the frequency of attack injections and actual messages. e detection of DoS attacks was independent of the injection frequency, and the accuracy and recall were always maintained at 1. Similarly, the identification of fuzz attacks was almost independent of the attack injection frequency, and the accuracy and recall remained close to 1. As the injection frequency increased, the recall of the proposed algorithm for detecting ulterior fuzz attacks approached 1, and the accuracy decreased but remained at 0.85 or more. As for detecting replay attacks, the recall of the proposed algorithm increased with the injection frequency, while the accuracy decreased.
DoS and fuzz attacks respectively rely on higher-priority IDs and completely random messages to cause CAN bus anomalies. e proposed algorithm can almost identify these anomalies using ID shifting and data distance, so the detection results are independent of the injection frequency. For the detection of ulterior fuzz attacks, the judgment using the ID transfer is no longer valid. Whether the messages are legal must be checked based on the dimensions of data distance and time interval, so the detection result is affected by the injection frequency to a certain extent. e increase in injection frequency causes an increase in attack messages, resulting in a certain number of missed and false positives and decreasing accuracy and precision. However, with the increase in injection speed, anomalies are more easily detected with time, and the recall is subsequently increased. e detection of replay attacks by the proposed algorithm almost depends on the time interval between messages, so it is affected by the injection frequency. e faster the replay attacks are injected, the easier the algorithm is to identify. In this case, the number of missed anomalies is reduced, and recall and accuracy are subsequently improved.

Results Compared to Other Available Methods.
is section compares the proposed intrusion detection methods with schemes applied to onboard ECUs. e currently available intrusion detection schemes are the ID sequencebased approach proposed by M. Marchetti and D. Stabili, the Hamming distance-based scheme, and the message-cyclebased method proposed by H. M. Song. ese schemes can be applied to ECUs due to their lightweight design, but their accuracy in identifying anomalous messages needs improvement. Table 4 indicates that both the sequence-based method and the proposed method can identify DoS attack messages very well. In contrast, the other two methods cannot identify DoS attacks because they do not use ID features. ese four methods maintain an accuracy above 0.99 for identifying fuzz attacks. For identifying ulterior fuzz messages, the algorithm proposed in this paper achieved the best performance with an accuracy of 0.957, followed by the Hamming distance-based method, message-cycle-based method, and sequence-based method. For identifying replay attacks, the proposed method achieved an accuracy of 0.936. Except for the proposed method, the Hamming distance-based method achieved the best performance with an accuracy of 0.878, but its recall indicated that the method had missed several messages.

Applications and Discussion.
e experimental results verify that the proposed method achieved excellent performance in detecting CAN bus attack messages with high accuracy for DoS attacks, fuzz attacks, advanced ulterior fuzz attacks, and replay attacks. Moreover, the proposed algorithm achieves outstanding performance under different attack injection frequencies. DoS attacks were injected at the highest possible frequency to suspend CAN bus e proposed algorithm's excellent performance in detecting DoS attacks allows it to effectively identify the attack messages and implement protection along with the corresponding ECU. Fuzz attacks are usually sent randomly with entirely random content, and the proposed algorithm can maintain an accuracy exceeding 95% for anomaly identifications regardless of the injection frequency. In practical tests, it was found that the faster the replay attacks were injected, the better the algorithm recognized them. e proposed method outperformed all other methods in identifying anomalous messages. Additionally, it effectively detected four common CAN bus attacks and exhibited a convincing ability to handle all the attacks under different injection frequencies, making it suitable for practical application scenarios. If the algorithm is applied to an ECU and combined with the CAN bus protection function, it will be able to identify CAN attacks quickly to protect the vehicle effectively.
In addition, the vehicle CAN bus intrusion detection scheme proposed herein can be applied in the typical CAN network architecture mentioned in Chapter 2. For intradomain communication in CAN networks, the scheme can be deployed in any intradomain ECU to achieve intradomain anomaly detection and instruct the attacked ECU to respond. For cross-domain communication in the CAN network, the solution can be deployed in the central controller to detect abnormal CAN messages in cross-domain communication traffic in time to block them and notify the driver to check the vehicle. Primarily, when numerous replay messages and high-frequency messages appear, timely blocking is performed to prevent the car from being maliciously manipulated.

Message and Time Transfer Matrix as CAN Bus Data Transmission Fingerprinting
In this section, the features in the Ω T and the features of the four attack models are analyzed. From the results, significant differences between the features of Ω T and those of the present attacks are revealed. erefore, the message and time transfer matrix are exploited as a fingerprint to quickly distinguish the legitimate transfer matrix from the anomalous transfer matrix.

Comparison of Legal Transfer
Characteristics and Abnormal Characteristics. As shown in Figure 18, there was a clear difference between the legitimate Ω T and the transfer matrix when a DoS attack occurred. Based on this difference, it is possible to quickly identify whether the CAN bus is under a DoS attack. e difference between the message distance of the legitimate Ω T and that of the message transfer    under fuzzy attack and ulterior fuzz attack is shown in Figure 19. When an attack occurs, the message distance fluctuates in a much larger range than that of the legitimate transfer and takes different values. e time intervals of the legitimate message transfer can be classified as discrete and continuous intervals, respectively exhibiting a normal distribution and random value distribution, as shown in Figure 9. However, the time intervals under an attack are entirely random. us, the anomalies can be distinguished by the characteristics of the transfer matrix.

Legal Message and Time Transfer Matrix as CAN Message
Transfer Fingerprint. Based on the results of this study, the legal Ω T was used as a fingerprint for CAN message transfers to quickly identify abnormal messages in the automotive CAN bus and assist the ECU in ensuring vehicle security and further safeguarding the safety of drivers and pedestrians. Moreover, this fingerprint can help the government and enterprises monitor the illegal modification of vehicles and other unlawful behaviors.

Conclusion
In this study, we have proposed a CAN bus anomaly detection algorithm based on CAN message transmission characteristics applied to real vehicle applications. We found that a message and time transmission matrix for attack detection can be constructed using the characteristics of ID transmission, data distance, and time interval. Moreover, this message and time transmission matrix combined with message correlation analysis can effectively identify DoS attacks, fuzzy attacks, and the more challenging collapse attacks and replay attacks. Additionally, the efficiency of the proposed algorithm in identifying these four types of attacks is not affected by the frequency of attack injection. Furthermore, the proposed algorithm has low computational and storage resource consumption, facilitating its application to vehicles without significant hardware resources. In addition, compared with three other lightweight CAN bus intrusion detection methods, the proposed method can effectively identify four types of attacks and achieve a high identification accuracy and recall rate. In practical vehicle applications, the proposed method can be deployed in any ECU within a functional area to identify intradomain attack messages, thanks to its low resource consumption. Alternatively, it can be deployed in the central controller to detect cross-domain attacks. e excellent attack discovery capability of the proposed algorithm can be combined with the security protection function of the ECU to filter and locate the attack information, which helps to rank the threat nodes in the vehicle   CAN bus network. Future research will focus on more lightweight algorithms and finer-grained feature processing. Meanwhile, a CAN intrusion detection system will be built by combining bus traffic and physical bus features.

Conflicts of Interest
e authors declare that they have no conflicts of interest.