Event-Triggered Interval-Based Anomaly Detection and Attack Identification Methods for an In-Vehicle Network

Mee Lan Han, Byung Il Kwak, Huy Kang Kim

Research output: Contribution to journalArticlepeer-review

22 Citations (Scopus)


Vehicle communication technology has been steadily progressing alongside the convergence of the in-vehicle network (IVN) and wireless communication technology. The communication with various external networks further reinforces the connectivity between the inside and outside of a vehicle. However, this bears risks of malicious packet attacks on computer-assisted mechanical mechanisms that are capable of hijacking the vehicle's functions. The present study proposes a method to detect and identify abnormalities in vehicular networks based on the periodic event-triggered interval of the controller area network (CAN) messages. To this end, we first define four attack scenarios and then extract normal and abnormal driving data corresponding to these scenarios. Next, we analyze the CAN ID's event-triggered interval and measure statistical moments depending on the defined time-window. Finally, we conduct extensive evaluations of the proposed methods' performance by considering different attack scenarios and three types of machine learning models. The results demonstrate that the proposed method can effectively detect an abnormality in the IVN, with up to 99% accuracy. Our results suggest that when tree-based machine learning models are used as the classifier, the proposed method of attack identification can achieve more than 94% accuracy.

Original languageEnglish
Article number9387321
Pages (from-to)2941-2956
Number of pages16
JournalIEEE Transactions on Information Forensics and Security
Publication statusPublished - 2021

Bibliographical note

Funding Information:
Manuscript received June 11, 2020; revised October 11, 2020 and February 8, 2021; accepted March 13, 2021. Date of publication March 26, 2021; date of current version April 19, 2021. This work was supported by the Institute for Information and Communications Technology Promotion (Development of Security Primitives for Unmanned Vehicles) under Grant 2020-0-00374. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Xiaodong Lin. (Mee Lan Han and Byung Il Kwak contributed equally to this work.) (Corresponding author: Huy Kang Kim.) The authors are with the School of Cybersecurity, Korea University, Seoul 02841, Republic of Korea (e-mail: blosst@korea.ac.kr; kwacka12@ korea.ac.kr; cenda@korea.ac.kr). Digital Object Identifier 10.1109/TIFS.2021.3069171

Publisher Copyright:
© 2005-2012 IEEE.


  • Anomaly detection
  • attack identification
  • controller area network
  • event-triggered interval
  • in-vehicle network

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications


Dive into the research topics of 'Event-Triggered Interval-Based Anomaly Detection and Attack Identification Methods for an In-Vehicle Network'. Together they form a unique fingerprint.

Cite this