Abstract
Modern in-vehicle networks may contain tens of Electronic Control Units (ECUs) connected over several Controller Area Network (CAN) buses. To protect vehicles from cyberattacks, researchers have proposed various security countermeasures, including intrusion detection systems (IDS). Because real clock sources are imperfect, ECUs transmit messages with a period slightly different from the ideal period. This difference is referred to as clock skew, and previous research suggests that IDS may detect anomalies when they observe that an ECU transmits periodic CAN messages with a different clock skew than expected. We argue that previously proposed approaches rely on an incomplete model and may yield inaccurate results when applied to a real vehicle. This is problematic for automotive technologies, which must be reliably deployed in millions of safety-critical systems. We propose an improved model for the fluctuations of CAN message timestamps and apply it to a real vehicle, where we are able to improve the accuracy of ECU clock skew estimations.
