
A Framework for the Systematic Assessment of Anomaly Detectors in Time-Sensitive Automotive Networks

Philipp Meyer, Timo Häckel, Teresa Lübeck, Franz Korf, Thomas C. Schmidt

TL;DR

This paper tackles the challenge of evaluating anomaly detectors in time-sensitive automotive networks by presenting an open-source, modular framework that generates domain-specific, labeled IVN datasets via a TSN-aware simulation. The toolchain couples scenario definitions, a TSN-capable simulation environment, a labeled PCAPNG dataset library, and a flexible NADS processing pipeline to enable reproducible comparisons across detectors and configurations. Case studies demonstrate how traffic class, anomaly type, and detector choice influence detection performance, highlighting the framework's potential for rapid, iterative NADS assessment and cross-domain applicability. The work advances practical NADS evaluation by providing transparent datasets, configurable experiments, and a pathway toward broader, real-world validation and deployment readiness in hard real-time Ethernet contexts.

Abstract

Connected cars are susceptible to cyberattacks. Security and safety of future vehicles highly depend on a holistic protection of automotive components, in which the time-sensitive backbone network plays a significant role. These onboard Time-Sensitive Networks (TSNs) require monitoring for safety and -- as versatile platforms to host Network Anomaly Detection Systems (NADSs) -- for security. Still, a thorough evaluation of anomaly detection methods in the context of hard real-time operations, automotive protocol stacks, and domain-specific attack vectors is missing, along with appropriate input datasets. In this paper, we present an assessment framework that allows for reproducible, comparable, and rapid evaluation of detection algorithms. It is based on a simulation toolchain, which contributes configurable topologies, traffic streams, anomalies, attacks, and detectors. We demonstrate the assessment of NADSs in a comprehensive in-vehicular network with its communication flows, on which we model traffic anomalies. We evaluate exemplary detection mechanisms and reveal how the detection performance is influenced by different combinations of TSN traffic flows and anomaly types. Our approach translates to other real-time Ethernet domains, such as industrial facilities, airplanes, and UAVs.

Paper Structure (25 sections, 4 figures, 4 tables)

This paper contains 25 sections, 4 figures, 4 tables.

Figures (4)

  • Figure 1: Toolchain for assessment of NADS. Red are contributions of this work. Dark gray represent existing tools. Light gray depicts implementation examples. Green indicates optional input from empirical measurements.
  • Figure 2: PCAPNG excerpt of a stream (UDP destination port 1200) with a starting abnormal scenario observed on a switch interface (eth0).
  • Figure 3: Sample IVN topology with a zonal ring architecture.
  • Figure 4: Minimum and maximum end-to-end latency of the timed control traffic per receiver (cf. Table \ref{tab:sim_traffic}).