IDS/IPS in automotive: How intrusion detection and prevention systems protect vehicle communication?
In the third installment of my series on automotive cybersecurity, I aim to introduce readers to dedicated security controls and technologies that go beyond mere network segmentation. Today, I will focus on IDS/IPS solutions used in environments where a network stack is implemented.
It is worth mentioning that these systems are standardized within AUTOSAR Classic (starting from AUTOSAR 20/11). However, the AUTOSAR standard will be discussed in detail in a separate article series.
What Are IDS/IPS Systems in Automotive?
IDS/IPS solutions comprehensively secure vehicle communication. They can be a key component of cybersecurity systems, where data is transmitted to a Security Operation Center (SOC). There, with the support of monitoring tools and statistical analysis, cybersecurity analysts oversee network traffic and ensure ecosystem security.
For an IDS/IPS system to function correctly, its design must involve collaboration between vehicle architects and cybersecurity specialists.
How Does an IDS/IPS System Work?
For IDS/IPS to effectively protect vehicles, it must be based on guidelines and processes known as IRP (Incident Response Process). The key components of this process include:
- Network stack data – collected by sensors within the IDS (Intrusion Detection System).
- Anomaly detection guidelines – defining when to trigger an alert. Too low a tolerance can lead to false alarms, while too high a tolerance may overlook threats.
- Security Operation Center (SOC) – a monitoring hub utilizing Machine Learning tools, deep learning, and statistical analysis.
- Incident response – SOC can deploy patches and updates to minimize risks.
Such an incident response system is essential for meeting regulatory requirements like UN R155 and ISO/SAE 21434, which mandate vehicle manufacturers (OEMs) to actively protect and swiftly respond to threats.
IDS (Intrusion Detection System) – Detecting Intrusions
IDS identifies anomalies in communication protocols or signatures of malicious activities within the network. It can detect distorted packets and suspicious operations, such as:
- port scanning (Xmass Tree, ACK, FIN, NULL),
- ARP/DNS Poisoning attacks,
- other unusual network behaviors within the vehicle.
Modern vehicles contain dozens or even hundreds of ECU (Electronic Control Units), forming a distributed structure. Therefore, IDS must also function as a distributed system.
IPS (Intrusion Prevention System) – Preventing Attacks
IPS adds the capability of actively blocking threats, making it the dominant solution in modern cybersecurity systems. Key IPS functions include:
Neutralizing malicious traffic – actively eliminating threats.
Notifying SOC – the system reports incidents, leaving the response decision to analysts.
Blocking network traffic – for example, blocking an IP address after multiple failed authentication attempts (similar to fail2ban).
Reconfiguring firewalls – preventing malicious traffic propagation.
Conclusion
IDS/IPS systems are essential cybersecurity tools in the automotive industry, ensuring effective protection of vehicle networks. In the next article, I will expand on this topic by discussing network security measures at the lower layers of the ISO/OSI model.
To Be Continued
Author: Krzysztof Labuda,
Security Testing Consultant
A participant in the Certified Ethical Hacker CEH v11 program, which teaches the latest commercial-grade hacking tools, techniques, and methodologies used by hackers and information security professionals.
