Detecting CAN overlapped voltage attacks with an improved voltage-based in-vehicle intrusion detection system

J. Syst. Archit. (2023)

Abstract
The in-vehicle voltage-based intrusion detection system (VIDS) can recognize the identity of the ECUs and detect the physical layer attacks that cannot be detected by the content-based or frequency-based IDS. However, recent research in VIDS has discovered an overlapped voltage attack that can bypass the existing VIDS by generating overlapped voltage signals from two compromised ECUs to distort the fingerprint of the target ECU. The existing solutions need to change the communication protocol or network topology to mitigate the attack, which may involve additional development costs or scheduling mechanisms to coordinate the tasks. In this paper, motivated by not changing the network topology and protocols, we propose an improved VIDS that can efficiently detect the overlapped voltage attack of the in-vehicle CAN network. Before retraining the VIDS classifier model, we add the mechanism for detecting and filtering overlapped signals in the voltage samples by applying the Long Short-Term Memory (LSTM) autoencoder network to preserve the fingerprint characteristics of the benign waveform in the original samples. First, we establish an LSTM autoencoder model with benign voltages collected in a usual scenario and then apply the automatic thresholding approach to obtain the threshold to separate the overlapped and benign voltages. Next, we filter the overlapped voltages and extract the fingerprint features from the filtered voltage samples to predict the classification of the masquerade CAN packet during the attack. Finally, we evaluate the performance and attack success rate of the proposed VIDS on a CAN bus testbench. The results show that the proposed VIDS can effectively detect the overlapped voltage attack and identify the compromised ECU mimicking the distorted voltage fingerprints with an accuracy of 99.4%. The attack success rate of the proposed VIDS drops to 0~18%, which is about 60~95% for the existing VIDS.
Keywords
Voltage-based IDS, DUET attack, Manipulated overlapped voltage attack, LSTM Autoencoder