WINDS: A Wavelet-based Intrusion Detection System for Controller Area Network (CAN)

Vehicles are equipped with Electronic Control Units (ECUs) to increase their overall system functionality and connectivity. However, the rising connectivity exposes a defenseless internal Controller Area Network (CAN) to cyberattacks. An Intrusion Detection System (IDS) is a supervisory module, proposed for identifying CAN network malicious messages, without modifying legacy ECUs and causing high traffic overhead. The traditional IDS approaches rely on time and frequency thresholding, leading to high false alarm rates, whereas state-of-the-art solutions may suffer from vehicle dependency. This paper presents a wavelet-based approach to locating the behavior change in the CAN traffic by analyzing the CAN network’s transmission pattern. The proposed Wavelet-based Intrusion Detection System (WINDS) is tested on various attack scenarios, using real vehicle traffic from two independent research centers, while being expanded toward more comprehensive attack scenarios using synthetic attacks. The technique is evaluated and compared against the state-of-the-art solutions and the baseline frequency method. Experimental results show that WINDS offers a vehicle-independent solution applicable for various vehicles through a unique approach while generating low false alarms.