Anomaly Detection for Enhanced Vehicle Security


As the auto industry strives to ensure the cyber-security of the modern vehicle, the question arises as to what role network-based Intrusion Detection Systems (IDS) have to play in achieving that goal. I will provide a brief description of Intrusion Detection and the ESCRYPT approach. I will also explain why it is beneficial not to limit ourselves to thinking only in terms of Intrusion Detection, and instead to consider it as Anomaly Detection.

Network Based Intrusion Detection Systems

A network-based IDS monitors the messages transmitted between the modules on the vehicle network, looking for potentially intrusive messages. The network-based approach is easy to integrate into a new vehicle, or to retrofit to an existing vehicle. The system typically resides in a gateway module, but can be installed in any module attached to the communication bus and can monitor as few or as many messages and signals as required. So how does IDS work, and does it provide benefits beyond intrusion detection?

First, it is necessary to understand what is going on inside the vehicle. Vehicles are cyber-physical systems: physical systems (the vehicle) controlled by a number of individual modules connected via a network. Historically that network has been a CAN (Controller Area Network) bus. Networked modules must work together in real time to provide the driver with basic control and to provide enhanced semi-autonomous features like smart cruise control, park assist, and lane keeping. Achieving this requires a well-defined, tightly specified message and signal exchange between the modules. It is therefore possible to build a profile of normal message and signal behavior, and to identify deviations from the norm as potential intrusions.

CAN Bus Message and Signal Monitoring

So the question remains, “How does the IDS know what a normal message and signal look like?” The message and signal behavior is defined by the network specifications for each supported feature, so if the specification can be turned into a formal set of rules, the IDS can detect violations of these rules. Note that any violation of the specification (rules) will be flagged, whether it is the result of an intrusion on the bus or of a component of the system failing to meet the specifications. This latter case is an example of what is referred to as Anomaly Detection. This is the ESCRYPT approach. It is straightforward to understand, and our CycurIDS configuration tool allows for rapid creation of the rules through a user-friendly GUI, no scripting required.

[Figure: ESCRYPT CycurIDS Configuration Tool GUI]
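As an added illustration of the specification-as-rules idea described above (this is not ESCRYPT's code and not the CycurIDS rule format), the following Python example replays a constructed CAN trace against a small rule set and reports every frame that violates it. The `Rule` fields, the CAN IDs, the tolerances, and the trace values are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Specification for one message: payload length, cycle time, one signal range."""
    dlc: int          # expected payload length in bytes
    cycle_ms: float   # nominal transmission period
    tol_ms: float     # allowed deviation from the period
    sig_byte: int     # byte offset of the monitored signal
    sig_min: int
    sig_max: int

# Hypothetical rule set, constructed for illustration (not from a real network spec).
RULES = {
    0x100: Rule(dlc=2, cycle_ms=10.0, tol_ms=2.0, sig_byte=0, sig_min=0, sig_max=200),
    0x200: Rule(dlc=1, cycle_ms=100.0, tol_ms=10.0, sig_byte=0, sig_min=0, sig_max=1),
}

def check_trace(trace, rules=RULES):
    """Return (timestamp_ms, can_id, reason) for every rule violation in the trace."""
    last_seen = {}    # can_id -> timestamp of the previous frame with that id
    anomalies = []
    for ts, can_id, data in trace:
        rule = rules.get(can_id)
        if rule is None:
            anomalies.append((ts, can_id, "unspecified id"))
            continue
        if len(data) != rule.dlc:
            anomalies.append((ts, can_id, "dlc"))
        elif not rule.sig_min <= data[rule.sig_byte] <= rule.sig_max:
            anomalies.append((ts, can_id, "signal range"))
        prev = last_seen.get(can_id)
        if prev is not None and abs((ts - prev) - rule.cycle_ms) > rule.tol_ms:
            anomalies.append((ts, can_id, "cycle time"))
        last_seen[can_id] = ts
    return anomalies

# Constructed trace: (timestamp in ms, CAN id, payload bytes).
TRACE = [
    (0.0,   0x100, bytes([50, 0])),
    (10.1,  0x100, bytes([52, 0])),
    (13.0,  0x100, bytes([250, 0])),  # extra frame: off-cycle and out of range
    (20.0,  0x100, bytes([54, 0])),   # on schedule, but too soon after the extra frame
    (21.0,  0x300, bytes([1])),       # id not present in the specification
    (30.0,  0x100, bytes([55])),      # wrong payload length
    (100.0, 0x200, bytes([1])),
]
```

The checker makes no distinction between an injected frame and a misbehaving component: both surface as the same rule violations, which is the Anomaly Detection point made above.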

The Benefits of Anomaly Detection

Anomaly Detection is as beneficial as Intrusion Detection. The Anomaly Detection capabilities can be used to enhance vehicle quality and identify issues in the vehicle fleet. This begins during the development stage, and the process is as follows: 1) in any new vehicle, the network specifications are created prior to feature implementation and testing; 2) the IDS rules are captured from the network specifications; 3) as features are implemented, the IDS validates their conformance to the network specifications (i.e., that they do not violate the rules). Note that the CycurIDS configuration tool can run CAN traces in simulation against the IDS rules; it is not necessary to conduct tests within a vehicle, and simulations can be run with traces collected during early bench testing. It is well known that finding issues early in the development process reduces development time and cost. Once in production, the IDS continues to monitor the vehicle network for conformance to the specifications for the life of the vehicle. This is beneficial since an Anomaly may arise for several reasons, for example:

  • Aging components, detected before they fail
  • Counterfeit parts entering the supply chain
  • Adverse effects of aftermarket modifications to the vehicle
  • Latent design issues (thereby offering a chance to correct them)

Detecting each of these issues is beneficial to the OEM, since doing so can reduce warranty cost, prevent recalls, reduce liability, and lead to long-term improvements in vehicle quality.


As vehicle cybersecurity advances, and as more cybersecurity measures are implemented in the vehicle, it will become increasingly difficult for an attacker to penetrate the vehicle network. The need for network-based Intrusion Detection will therefore decrease; however, the benefits of Anomaly Detection will not. The Anomaly Detection provided by CycurIDS is beneficial during vehicle development to improve initial quality, and for continuous monitoring over the life of the vehicle.
