IEEE Access (Jan 2020)
Normal and Malicious Sliding Windows Similarity Analysis Method for Fast and Accurate IDS Against DoS Attacks on In-Vehicle Networks
Abstract
Controller Area Network (CAN) is a de facto standard for in-vehicle networks. Because CAN uses broadcast communication and is slower than other general networks (e.g., Ethernet, IEEE 802.11), it is inherently vulnerable to Denial-of-Service (DoS) attacks. As a countermeasure against DoS attacks on CAN, a method that detects a DoS attack using the entropy in a sliding window has been proposed. This method has the advantages of effectiveness and small computational overhead. However, it may only be effective against DoS attacks under naive conditions, such as with some higher-priority messages. In addition, if an adversary can adjust the entropy of the DoS attack to its normal value, the conventional method cannot detect the attack. We found this type of DoS attack, which is called an entropy-manipulated attack. In this paper, we propose a method that can detect an entropy-manipulated attack by using the similarity of two sliding windows. We confirmed that the proposed method detected the DoS attack in 100% of the cases in our experiment, and we showed that the detection time is up to 93% (14 μs) shorter than that of the conventional method.
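The following is an added example, not code from the paper. It shows why a window-entropy check misses a window whose CAN ID histogram has the normal entropy, and how comparing a normal reference window with the current window still flags it. The cosine-similarity measure, both thresholds, the window size and all CAN IDs are assumptions, since the abstract does not specify them.

```python
import math
from collections import Counter

def entropy(window):
    """Shannon entropy (bits) of the CAN ID distribution in one window."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())

def similarity(window_a, window_b):
    """Cosine similarity of the two windows' per-ID count vectors.
    Assumption: stands in for the paper's measure, which the page does not name."""
    a, b = Counter(window_a), Counter(window_b)
    dot = sum(a[i] * b[i] for i in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) \
         * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def classify(reference, current, h_tol=0.1, sim_min=0.8):
    """Return (entropy_alarm, similarity_alarm) for the current window.
    h_tol and sim_min are hypothetical thresholds chosen for this sample."""
    entropy_alarm = abs(entropy(current) - entropy(reference)) > h_tol
    similarity_alarm = similarity(reference, current) < sim_min
    return entropy_alarm, similarity_alarm

# Constructed sample windows of 16 CAN IDs each (not captured traffic).
NORMAL       = [0x100] * 8 + [0x200] * 4 + [0x300] * 2 + [0x400] * 2
NORMAL_LATER = [0x100] * 7 + [0x200] * 5 + [0x300] * 2 + [0x400] * 2
# Naive flood: one high-priority ID dominates, so entropy collapses.
FLOOD        = [0x000] * 14 + [0x100] + [0x200]
# Entropy-manipulated window: same histogram shape as NORMAL, different IDs.
MANIPULATED  = [0x001] * 8 + [0x002] * 4 + [0x003] * 2 + [0x004] * 2

if __name__ == "__main__":
    for name, win in [("normal_later", NORMAL_LATER), ("flood", FLOOD),
                      ("manipulated", MANIPULATED)]:
        e_alarm, s_alarm = classify(NORMAL, win)
        print(f"{name:13s} H={entropy(win):.3f} "
              f"sim={similarity(NORMAL, win):.3f} "
              f"entropy_alarm={e_alarm} similarity_alarm={s_alarm}")
```

Entropy depends only on the shape of the ID histogram, not on which IDs fill it, which is why the manipulated window passes the entropy check while sharing no IDs with the reference window.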
Keywords