Do you actually need a security product in your car? Part 3: Intrusion Prevention and Detection Systems

I ended part 2 with the promise that we would discuss:

2) Intrusion detection and prevention systems (IDS/IPS or IDPS)

From Wikipedia:

Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.

Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected.

More specifically, IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address.


IDPS for cars?

Once inside, an attacker can utilize the vehicle’s internal communication bus and take control of additional modules inside the vehicle, including safety critical systems like the ABS and Engine Electronic Control Units (ECUs). Therefore, there is no “trusted device” anymore. Everything has to be assumed to be compromised.

A car contains a very complex network of many sub-systems that need to communicate with each other. And this is not the standard TCP/IP network for which these systems (IDPS) were initially developed: we are talking here about the Controller Area Network (CAN bus). CAN nodes do not exchange TCP/IP packets; CAN is a vehicle bus standard designed to allow microcontrollers and devices to communicate with each other without a host computer. It is a message-based protocol, originally designed to multiplex the electrical wiring within automobiles (but it is also used in many other contexts).


There has to be a device in the car integrated with the CAN bus, most probably through the existing OBD2 interface. One caveat a practitioner will raise immediately: on many vehicles the OBD2 port sits behind a gateway ECU and only sees a subset of the internal buses, so a device attached there may not see all of the traffic it is supposed to protect.

An IDPS for cars would be a completely new product, not really a specialization of existing products.

What they will have in common is the way the detection part is built.

We have several known and proven methods of detecting anomalies:

1. Signature-based detection: a signature-based IDS monitors the packets on the network and compares them against pre-configured, pre-determined attack patterns known as signatures.

This is the classical method. It only works for known types of attack and is therefore of little use for an emerging technology for which almost no attacks have been catalogued yet.

2. Statistical anomaly-based detection: a statistical anomaly-based IDS first determines what "normal" network activity looks like, and then alerts the administrator or user when traffic is detected that is not "normal". On a CAN bus the obvious baseline is timing: most traffic is cyclic, so a message ID that appears out of its cycle, or an ID that was never seen before, stands out.

3. Stateful protocol analysis or Deep Packet Inspection (DPI): this method identifies deviations from the expected protocol states by comparing observed events against predetermined profiles of what is generally accepted as benign and malicious activity. It is sometimes called "Deep Packet Inspection" because it looks into the payload of the packets exchanged by the protocol, not only at the headers, to find anomalies.
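To make the three methods concrete for CAN traffic, here is a small added example (my own illustration, not code from the original post or from any vendor product). It runs one detector of each kind over constructed traffic: a signature match on an assumed UDS programming-session request sent to the OBD-II functional address 0x7DF, a rate profile learned from a clean capture, and a payload profile that assumes ID 0x0C9 carries engine speed in its first two bytes. The IDs, the signal layout and the frames themselves are invented for the example.

```python
"""Three CAN-bus detection methods side by side: signature, rate anomaly,
payload profile. Added illustration, not code from the original post.
All CAN IDs, signal layouts and traffic below are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Frame:
    ts: float      # receive time in seconds
    can_id: int    # 11-bit arbitration ID
    data: bytes    # 0..8 payload bytes


# --- 1. Signature-based ---------------------------------------------------
# Assumed signature: a UDS DiagnosticSessionControl request (service 0x10)
# for the programming session (sub-function 0x02) sent to the OBD-II
# functional address 0x7DF. ISO-TP single frame, so byte 0 is the length.
SIGNATURES = {
    "uds_programming_session": (0x7DF, bytes([0x02, 0x10, 0x02])),
}


def signature_alerts(frames):
    """Flag frames whose ID and payload prefix match a known-bad pattern."""
    alerts = []
    for f in frames:
        for name, (sig_id, prefix) in SIGNATURES.items():
            if f.can_id == sig_id and f.data.startswith(prefix):
                alerts.append((f.ts, f.can_id, "signature:" + name))
    return alerts


# --- 2. Statistical anomaly-based -----------------------------------------
class RateProfile:
    """Learn the nominal period of every periodic ID from clean traffic, then
    flag IDs never seen in training and frames that arrive much too early
    (the fingerprint of an injected frame competing with the real sender)."""

    def __init__(self):
        self.period = {}

    def train(self, frames):
        last, intervals = {}, defaultdict(list)
        for f in sorted(frames, key=lambda x: x.ts):
            if f.can_id in last:
                intervals[f.can_id].append(f.ts - last[f.can_id])
            last[f.can_id] = f.ts
        self.period = {cid: statistics.median(iv) for cid, iv in intervals.items()}

    def detect(self, frames, tolerance=0.5):
        alerts, last = [], {}
        for f in sorted(frames, key=lambda x: x.ts):
            if f.can_id not in self.period:
                alerts.append((f.ts, f.can_id, "anomaly:unknown-id"))
            elif f.can_id in last and f.ts - last[f.can_id] < tolerance * self.period[f.can_id]:
                alerts.append((f.ts, f.can_id, "anomaly:rate"))
            last[f.can_id] = f.ts
        return alerts


# --- 3. Stateful protocol analysis / payload inspection -------------------
# Assumed signal layout: ID 0x0C9 carries engine speed as a big-endian
# 16-bit value in bytes 0..1, 0.25 rpm per bit, plausible range 0..8000 rpm.
PAYLOAD_PROFILES = {
    0x0C9: {"dlc": 8, "field": (0, 2), "scale": 0.25, "range": (0, 8000)},
}


def protocol_alerts(frames):
    """Decode profiled IDs and flag a wrong DLC or a physically implausible value."""
    alerts = []
    for f in frames:
        prof = PAYLOAD_PROFILES.get(f.can_id)
        if prof is None:
            continue
        if len(f.data) != prof["dlc"]:
            alerts.append((f.ts, f.can_id, "protocol:dlc"))
            continue
        start, end = prof["field"]
        value = int.from_bytes(f.data[start:end], "big") * prof["scale"]
        lo, hi = prof["range"]
        if not lo <= value <= hi:
            alerts.append((f.ts, f.can_id, "protocol:range"))
    return alerts


def analyse(training, live):
    """Learn rates from `training`, then run all three detectors over `live`."""
    profile = RateProfile()
    profile.train(training)
    return sorted(signature_alerts(live) + profile.detect(live) + protocol_alerts(live))


# --- Constructed sample traffic -------------------------------------------
def periodic(can_id, period, data, duration):
    return [Frame(round(i * period, 6), can_id, data) for i in range(int(duration / period))]


def rpm_payload(rpm):
    return int(rpm / 0.25).to_bytes(2, "big") + bytes(6)


CLEAN = periodic(0x0C9, 0.010, rpm_payload(800), 1.0) + periodic(0x1A0, 0.020, bytes(8), 1.0)
TRAINING_FRAMES = sorted(CLEAN, key=lambda f: f.ts)
# Live capture: the same clean traffic plus two injected frames.
LIVE_FRAMES = sorted(CLEAN + [
    Frame(0.503, 0x0C9, rpm_payload(9000)),            # injected: out of cycle and 9000 rpm
    Frame(0.700, 0x7DF, bytes([0x02, 0x10, 0x02])),    # injected: UDS programming session
], key=lambda f: f.ts)

if __name__ == "__main__":
    for ts, cid, reason in analyse(TRAINING_FRAMES, LIVE_FRAMES):
        print(f"{ts:.3f}s  ID 0x{cid:03X}  {reason}")
```

Note what each detector sees: the signature catches only the diagnostic request it was told about, the rate profile catches both injected frames but can only say "this is odd", and the payload profile is the only one that can explain why the 0x0C9 frame is dangerous. That is the argument for running all three. In a real device the frames would come from a CAN interface (for example python-can over SocketCAN) instead of the constructed list, and the rate check works precisely because the legitimate ECU keeps transmitting while the attacker injects.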


What about Cloud ? 

All these methods need Over The Air (OTA) updates. Depending on the method, the updates come as signature/pattern files for signature-based detection, as a back-end API that analyses packets in real time for DPI, and as a back-end that collects the statistics from all vehicles in a single place for anomaly detection. Keep in mind that an OTA channel into a device sitting on the CAN bus is itself an attack surface: the updates must be signed, and the device must verify them before applying them.


More and more startups on the security market advertise a new method of detecting malware: Artificial Intelligence.

4. Artificial Intelligence detection

Heheh, you got it: this is part 4!


© Copyright 2016 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working for over 20 years in the IT security industry and worked from 2003 to 2014 for Avira as Product Manager for its well-known products, used by over 100 million users worldwide. Today he is CEO and owner of Endpoint Cybersecurity GmbH, focusing on cybersecurity, secure software development and security for IoT and automotive. He also runs his personal blog, Sorin Mustaca on Cybersecurity, and is the author of the free eBook Improve your security.