Modern transportation and digital network concept.

Intrusion Detection System: The security guard in a connected car

An intrusion detection system reports anomalies in the data traffic of the on-board system, which in turn helps it to protect against cyberattacks

Software detective for on-board systems

Due to the increasing amount of networking to the outside world, connected cars are becoming increasingly attractive targets for attacks. If an attacker succeeds in gaining access to the internal network of a vehicle, they can cause a great deal of damage. For this reason, T-Systems continuously analyzes attack scenarios and develops detection algorithms. As a software detective in the car, an intrusion detection system (IDS) monitors the on-board network and system.

Central defense system

Shield with lock against dark blue background.

With an IDS as a software module on the central gateway in the car, communication within the vehicle network can be monitored for anomalies in real time. If the IDS detects a known malfunction, it triggers a defensive response – previously agreed with the vehicle manufacturer – to protect the vehicle (Intrusion Prevention System, IPS). This is to prevent a cyberattack on the internal vehicle network from affecting vehicle functions and endangering the safety of vehicle occupants.

White paper: SASE Security for Automotive

In this guide, you will learn how SASE can help automotive companies by bringing together connectivity, performance, and security. Find out where you are on your SASE journey.

Invisible alarm system

Bluish abstract tunnel leading into the light.

The IDS sends all alarms to the manufacturer's back end, where the data is analyzed using modern machine learning methods and sent back to the vehicle. The IDS back end can be linked flexibly to the manufacturer's systems or provided in an Automotive Security Operation Center. Anomalies are categorized in this automotive SOC and form the basis for the ongoing process strategy, in order to protect both the driver and the vehicle immediately and in the future against the risks of hacker attacks.

Possible countermeasures

Workflows based on the data analysis of the results


  • Notify vehicle owners
  • Send instructions to customer service
  • Alert the police and authorities
  • Notify special OEM departments

Remote intervention

  • Activate visual, acoustic, or haptic displays
  • Disable compromised functions
  • Update software or on-board safety functions

We look forward to your project!

We would be happy to provide you with the right experts and to answer your questions about the planning, implementation, and operation of security solutions for the connected vehicle. Contact us, we are here to help.

Intrusion Detection as a component on electronic control units and gateways

Car X-ray / Blueprint - with clipping path

According to the principle "Security by Design", companies should think about and plan intrusion detection systems in the early stages of vehicle development. The IDS can be implemented in different ways based on the vehicle's internal network and control unit structure. On every complex control unit, for example, a sensor component can be used to detect anomalies in firmware, CAN bus traffic, and sensor data. These sensors report detected anomalies to the IDS core component, which runs on a central control unit with a gateway function (including firewall). The core component can perform more complex analyses and communicate with the manufacturer's back end via the telematic control units.

Intrusion detection as a virtualized function

Blockchain with blue light spots on black background

In modern connected cars, vehicle servers and virtualization reduce the number of control units required – and with that the complexity, too. Similar to the functions of modern ECUs, the IDS software can also run as a function block on the virtualization layer of the vehicle server. The capabilities of the IDS can also be extended to monitor processes and functions on the vehicle server and detect malicious behavior.

Circular system: How IDS as a service from T-Systems works

T-Systems offers companies in the automotive industry an intrusion detection system with ESLOCKS (Embedded Security Locks) as a customized service. How it works: An Autosar-compliant on-board software for detecting anomalies dynamically compares the target behavior of communication in the vehicle. If the current network traffic does not match the defined behavior or shows suspicious activity, the next step is for the IDS to classify the traffic as known or unknown anomalies. 

A back end connection is an essential part of the process. The back end is supplied with information on unknown anomalies from all of the vehicles in a fleet. As a result of this, large amounts of data are gradually accumulated in the back end, which can be evaluated using machine learning methods based on a big-data cluster. The aim of bulk data evaluations is to determine whether unknown anomalies are normal traffic (target behavior) or an attack (new anomaly). 

If an automotive SOC is connected to the back end, forensic experts can take care of evaluating the analysis results from the intrusion detection. The information obtained is processed and transmitted back to the vehicles as a signature update. The on-board software is thus continuously optimized thanks to the continually growing database – and can protect the car against newly identified threats via intrusion prevention.

Your advantages with ESLOCKS IDS from T-Systems

  • Intrusion Detection System as an individualized service
  • Customer-specific defensive measures can be integrated
  • Domain-specific versions for the automotive industry
  • Continuously optimized and effective protection of equipment and vehicles
  • Control and transparency for all actions and results
  • State-of-the-art algorithms for machine learning
  • Continuous optimization of the entire system
  • Operation of the solution in accordance with GDPR and compliance requirements: on-premises or in the Deutsche Telekom Cloud
Do you visit t-systems.com outside of China? Visit the local website for more information and offers for your country.