An immune system for your vehicle

Intrusion detection and prevention systems (IDPSs) are widely used in traditional IT and have already proven their efficiency. While automotive cybersecurity is still a relatively young discipline, adopting this concept for modern connected vehicles or vehicle fleets (which are in effect distributed IT systems) makes perfect sense. While the objective of automotive IDPSs – identification and documentation of anomalies in onboard network communications and prevention of attacks – is, by and large, equivalent to that of traditional IDPSs, automotive IDPSs require a solution that is tailored to vehicle electronics and vehicle networking. On the one hand, onboard IDPS components must be compatible with established automotive networks – in particular, controller area networks (CANs). On the other, they must be able to run on typical resource-limited ECUs. In addition, IDPS components need to be ideally situated within the vehicle’s E/E architecture. Gateways and central ECUs within a vehicle domain are particularly well suited.

The primary task of IDPS components in vehicles is to detect abnormalities indicative of potential attacks in onboard network communication. To determine the characteristics of anomalies that are typically indicative of hacking attempts, ESCRYPT’s security experts analyzed existing and potential vehicle attack scenarios and compared them to “normal” behavior as specified by the OEM. These analyses led to the development of modules to detect typical attack signatures. Detection mechanisms for CANs typically include anomaly detection for cyclic CAN messages (e.g. an abrupt increase in the number of messages or the sudden appearance of unusual messages) and misuse detection for diagnostic requests (does the request correspond to the current vehicle health?). By monitoring different detection mechanisms, the ESCRYPT IDPS solution can quickly detect manipulation attempts. The system is regularly augmented with new detection mechanisms derived from a continuous analysis of current methods of attack.
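The two cyclic-message checks named above (an abrupt rise in message rate and the appearance of an unexpected identifier) can be sketched with a fixed rule table and no dynamic allocation, as would suit a resource-limited ECU. This is an added example, not ESCRYPT's code; the CAN IDs, cycle times, window length and tolerance are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

enum verdict { FRAME_OK, FRAME_UNKNOWN_ID, FRAME_RATE_EXCEEDED };
/* One rule per cyclic message that the OEM specification allows on this bus. */
struct cyclic_rule {
    uint32_t can_id, period_ms; /* identifier and specified cycle time */
    uint32_t window_start;      /* start of the current counting window (ms) */
    uint16_t count;             /* frames seen in the current window */
};

#define WINDOW_PERIODS 10u /* window length in nominal periods (assumed) */
#define TOLERANCE       2u /* extra frames tolerated per window (assumed) */
/* Constructed rule set: IDs and periods are illustrative, not from a real vehicle. */
static struct cyclic_rule rules[] = { {0x100u, 10u, 0, 0}, {0x200u, 100u, 0, 0} };

/* Classify one received frame against the static rule table. */
enum verdict idps_check_frame(uint32_t id, uint32_t now_ms)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        struct cyclic_rule *r = &rules[i];
        if (r->can_id != id) continue;
        /* Unsigned subtraction stays correct across timer wrap-around. */
        if (now_ms - r->window_start >= r->period_ms * WINDOW_PERIODS) {
            r->window_start = now_ms;
            r->count = 0;
        }
        if (r->count < UINT16_MAX)
            r->count++; /* saturate instead of wrapping during a long flood */
        return r->count > WINDOW_PERIODS + TOLERANCE ? FRAME_RATE_EXCEEDED : FRAME_OK;
    }
    return FRAME_UNKNOWN_ID; /* identifier is not part of the specified traffic */
}

/* Replay `frames` frames of one ID spaced gap_ms apart; return the alert count. */
unsigned idps_replay(uint32_t id, uint32_t start_ms, uint32_t gap_ms, unsigned frames)
{
    unsigned alerts = 0;
    for (unsigned k = 0; k < frames; k++)
        alerts += idps_check_frame(id, start_ms + k * gap_ms) != FRAME_OK;
    return alerts;
}

int main(void)
{
    printf("nominal 10 ms cycle: %u alerts\n", idps_replay(0x100u, 0u, 10u, 50u));
    printf("1 ms burst:          %u alerts\n", idps_replay(0x100u, 1000u, 1u, 50u));
    return 0;
}
```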

As part of the IDPS calibration process, simulations and automatic analyses of recorded network traffic (supported by machine learning) subsequently enable appropriate threshold values to be established for such initial rules and additional rules to be defined for exceptional cases. This ensures a high detection rate while keeping false alarms to a minimum.

In addition to local intrusion detection, the ESCRYPT IDPS solution also provides a connection to a “cyber defense center”, in which attempted and actual attacks are analyzed and new defense strategies are devised. The latter can then be simply and rapidly distributed using the secure, over-the-air firmware update function.
