Because of their growing connectivity to the outside world, connected cars are becoming increasingly attractive targets for attacks. If an attacker succeeds in gaining access to the internal network of a vehicle, they can cause a great deal of damage. For this reason, T-Systems continuously analyzes attack scenarios and develops detection algorithms. Acting as a software detective in the car, an intrusion detection system (IDS) monitors the on-board network and system.
With an IDS as a software module on the central gateway in the car, communication within the vehicle network can be monitored for anomalies in real time. If the IDS detects a known malfunction, it triggers a defensive response – previously agreed with the vehicle manufacturer – to protect the vehicle (Intrusion Prevention System, IPS). This is to prevent a cyberattack on the internal vehicle network from affecting vehicle functions and endangering the safety of vehicle occupants.
The IDS sends all alarms to the manufacturer's back end, where the data is analyzed using modern machine learning methods and sent back to the vehicle. The IDS back end can be linked flexibly to the manufacturer's systems or provided in an Automotive Security Operation Center. Anomalies are categorized in this automotive SOC and form the basis for the ongoing process strategy, in order to protect both the driver and the vehicle immediately and in the future against the risks of hacker attacks.
Following the "Security by Design" principle, companies should think about and plan intrusion detection systems in the early stages of vehicle development. The IDS can be implemented in different ways depending on the vehicle's internal network and control unit structure. On every complex control unit, for example, a sensor component can be used to detect anomalies in firmware, CAN bus traffic, and sensor data. These sensors report detected anomalies to the IDS core component, which runs on a central control unit with a gateway function (including firewall). The core component can perform more complex analyses and communicate with the manufacturer's back end via the telematics control unit.
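The following is an added illustration, not T-Systems' code, of what such a CAN bus sensor component might do: it learns a baseline of allowed CAN IDs, payload lengths and inter-arrival periods from known-good traffic, then flags live frames that deviate, producing the alerts that would be reported to the IDS core component. The CAN IDs, timings and tolerance are constructed for the example.

```python
# Added example (not T-Systems code): a minimal CAN-bus anomaly sensor of the
# kind described above. It learns allowed CAN IDs, payload lengths (DLC) and
# mean inter-arrival periods from clean traffic, then flags live frames that
# deviate. All IDs, timings and thresholds below are constructed.
from collections import defaultdict

def learn_baseline(frames):
    """frames: (timestamp_s, can_id, payload bytes) from known-good traffic.
    Returns {can_id: (expected_dlc, mean_period_s or None)}."""
    dlc, last, gaps = {}, {}, defaultdict(list)
    for ts, cid, data in frames:
        dlc.setdefault(cid, len(data))
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: (dlc[cid], sum(gaps[cid]) / len(gaps[cid]) if gaps[cid] else None)
            for cid in dlc}

def detect(baseline, frames, tolerance=0.5):
    """Check live frames against the baseline; return (ts, reason, can_id) alerts.
    tolerance: allowed relative deviation of the inter-arrival gap (0.5 = +/-50%)."""
    alerts, last = [], {}
    for ts, cid, data in frames:
        if cid not in baseline:
            alerts.append((ts, "unknown_id", cid))        # ID never seen in clean traffic
        else:
            dlc, period = baseline[cid]
            if len(data) != dlc:
                alerts.append((ts, "dlc_mismatch", cid))  # payload length changed
            if period and cid in last:
                gap = ts - last[cid]
                if abs(gap - period) > tolerance * period:
                    alerts.append((ts, "timing", cid))    # flood/burst or starvation
        last[cid] = ts
    return alerts

# Constructed clean traffic: ID 0x123 every 10 ms (8 bytes), ID 0x2A0 every 100 ms (2 bytes)
CLEAN = [(i / 100, 0x123, bytes(8)) for i in range(100)] + \
        [(i / 10, 0x2A0, b"\x00\x01") for i in range(10)]
CLEAN.sort()
# Constructed live traffic containing three kinds of anomaly
LIVE = [(1.00, 0x123, bytes(8)), (1.01, 0x123, bytes(8)),
        (1.012, 0x123, bytes(8)),        # extra frame arrives far too early (timing)
        (1.02, 0x7FF, b"\xff"),          # ID not in baseline (unknown_id)
        (1.10, 0x2A0, b"\x00\x01\x02")]  # payload length changed (dlc_mismatch)

def demo():
    return detect(learn_baseline(CLEAN), LIVE)
```

Each returned alert is what the sensor would forward to the core component on the gateway, which can then correlate alerts from several ECUs before deciding on a response.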
In modern connected cars, vehicle servers and virtualization reduce the number of control units required – and with that the complexity, too. Similar to the functions of modern ECUs, the IDS software can also run as a function block on the virtualization layer of the vehicle server. The capabilities of the IDS can also be extended to monitor processes and functions on the vehicle server and detect malicious behavior.