SOME/IP Intrusion Detection System Using Real-Time and Retroactive Anomaly Detection

Cited by: 5
Authors
Koyama, Takuma [1]
Tanaka, Masashi [1]
Miyajima, Asami [1]
Ukai, Shintaro [2]
Sugashima, Takeshi [2]
Egawa, Masumi [2]
Affiliations
[1] NTT Social Informat Labs, Tokyo, Japan
[2] DENSO Corp, Kariya, Aichi, Japan
Source
2022 IEEE 95TH VEHICULAR TECHNOLOGY CONFERENCE (VTC2022-SPRING) | 2022
Keywords
vehicle security; automotive Ethernet; SOME/IP; intrusion detection system; anomaly detection
DOI
10.1109/VTC2022-Spring54318.2022.9860928
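Chinese Library Classification number
TM [Electrical engineering]; TN [Electronic technology, communication technology]
Discipline classification code
0808; 0809
Abstract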
As the amount of in-vehicle data and number of in-vehicle functions have increased, automotive Ethernet and IP-based protocols have been adopted in vehicles. The scalable service-oriented middleware over IP (SOME/IP) protocol is designed for sending periodic or direct control messages and for updating or appending scalable functions. International regulation UN R-155 requires security monitoring to analyze and detect cyber-threats, vulnerabilities, and cyber-attacks from vehicle data and logs. SOME/IP also should be monitored from the perspective of security. We report a classification of use cases and possible attack patterns for SOME/IP, and we propose an intrusion detection system (IDS) that achieves high accuracy by combining two whitelist-based anomaly detection algorithms. The first is a real-time algorithm that compares received SOME/IP packets with a normal communication model to determine whether they are anomalies. The attack patterns covered in this paper include sophisticated malicious packets that are difficult for the real-time detection algorithm to distinguish from normal packets. Hence, the second algorithm performs retroactive detection by determining whether packets are anomalous from long-term time characteristics spanning an entire SOME/IP session. Although the retroactive algorithm takes longer for detection, we confirm a high level of detection accuracy for the proposed IDS, with a true positive rate of 0.91 and a false positive rate of 0.052.
Pages: 7