TY - JOUR
T1 - An Intrusion Detection System Based on the Double-Decision-Tree Method for In-Vehicle Network
AU - Wang, Bowen
AU - Zhang, Yuance
AU - Zhang, Zhaojing
AU - Hu, Hongxing
AU - Pu, Geguang
N1 - Publisher Copyright:
© 2023 SAE International. All rights reserved.
PY - 2023/4/11
Y1 - 2023/4/11
N2 - An Intrusion Detection System (IDS) monitors the network, system, and operation status according to certain security policies and tries to find attack attempts, attacks, or attack results, in order to ensure the confidentiality, integrity, and availability of network system resources. Automotive intrusion detection systems analyze in-vehicle traffic and logs to identify and alert when software applications or devices with malicious activity exist, or when the in-vehicle network is tampered with or injected. Unfortunately, automotive cybersecurity researchers can hardly produce a comprehensive detection method because of the confidential nature of Controller Area Network (CAN) DBC format files, a standard long maintained by car manufacturers. In this paper, an enhanced intrusion detection method based on the double-decision-tree is proposed to classify different attack models for the in-vehicle CAN network without the need to obtain complete DBC files. Unlike the existing method that uses data from simulated CAN traffic traces, we construct three attack models based on real CAN bus traffic collected from Pentium T99. A totally new data split method is provided to divide the data into training, validation, and test sets. Three experiments are set up to verify this new data split method, and the results show that we have achieved high accuracy in the recognition of the three types of attacks and that the model has high operating efficiency.
UR - https://www.scopus.com/pages/publications/85160702179
U2 - 10.4271/2023-01-0044
DO - 10.4271/2023-01-0044
M3 - Conference article
AN - SCOPUS:85160702179
SN - 0148-7191
JO - SAE Technical Papers
JF - SAE Technical Papers
T2 - SAE 2023 World Congress Experience, WCX 2023
Y2 - 18 April 2023 through 20 April 2023
ER -