Design and Validation of a Lightweight Entropy-Based Intrusion Detection Algorithm for Automotive CANs

Abstract

The rapid devolopment of Internet of Vehicles (IoV) and Autonomous Connected Vehicles (ACVs) has increased the complexity of in-vehicle networks, exposing security vulnerabilities in traditional Controller Area Network (CAN) systems. CAN security faces dual challenges: stringent computational constraints imposed by automotive functional safety requirements and the impracticality of protocol modifications in multi-device networks. To address this, we propose a lightweight intrusion detection algorithm leveraging information entropy to analyze side-channel CAN message ID distributions. Evaluated in terms of detection accuracy, false positive rate, and sensitivity to bus load variations, the algorithm was implemented on an NXP MPC-5748G embedded platform through the AutoSar Framework. Experimental results demonstrate robust performance under low computational resources, achieving high detection accuracy with high recall (>80%) even at 10% bus load fluctuation thresholds. This work provides a resource-efficient security framework compatible with existing CAN infrastructures, effectively balancing attack detection efficacy with the operational constraints of automotive embedded systems.

1. Introduction

The rapid advancement of Internet of Vehicles (IoV) and Autonomous Connected Vehicles (ACVs) has intensified cybersecurity challenges in automotive systems. Modern ACVs rely heavily on Controller Area Network (CAN) buses for communications between electronic control units (ECUs), yet their open architecture renders them vulnerable to attacks [1]. While existing solutions predominantly employ fixed-rule detection or machine learning models [2], they face critical limitations in real-time responsiveness or computational complexity, particularly for resource-constrained automotive embedded systems.

This work addresses CAN bus security by proposing an information entropy-based intrusion detection algorithm that combines statistical hypothesis testing with adaptive threshold optimization. The methodology capitalizes on the stability of CAN message ID frequency distributions under normal conditions, quantified through Shannon entropy, to detect malicious traffic patterns. Building upon foundational work in [3], our approach introduces two key innovations: (1) a two-tailed statistical test leveraging baseline entropy distribution $(\mu \pm 2.5\sigma )$ to minimize false positives and (2) Receiver Operating Characteristic (ROC) curve-guided threshold selection to balance sensitivity and specificity.

Current research presents diverging perspectives on optimal detection methods. Cryptographic solutions [4] theoretically ensure message authenticity but face deployment barriers due to legacy ECU compatibility issues. Deep learning approaches [3] achieve high accuracy in lab environments yet demand impractical computational resources. Voltage fingerprinting methods [5,6,7,8,9,10], while effective for ECU authentication, struggle with changing environments. In contrast, our entropy-based framework demonstrates a pragmatic compromise between detection efficacy and computational efficiency.

Experimental validation on hardware (manufactured by NXP Semiconductors N.V., Eindhoven, Netherlands) demonstrates the algorithm’s capability to detect 100% of anomalies under 10% bus load variation, achieving 80% accuracy with <20% false positive rates. Remarkably, it maintains a 100 ms detection duration and <10 KB memory footprint, outperforming comparable methods in resource efficiency. These results validate the viability of lightweight statistical approaches for securing legacy automotive networks during the transitional period toward fully encrypted vehicular architectures.

2. Background

2.1. Information Entropy Model

Let discrete random variable X represent CAN message IDs with possible values $x_1,x_2,\dots ,x_n$ and corresponding probability distribution $p_1,p_2,\dots ,p_n$. The Shannon entropy $H\left(X\right)$ is defined as [3]

$$H\left(X\right)=-\sum _{i=1}^n{p}_i{log}_2{p}_i$$

(1)

Under normal operating conditions, CAN message ID frequencies remain stable, resulting in entropy fluctuations typically below 0.1 bits. During cyberattacks, abrupt changes in message distributions cause significant entropy deviations. Our algorithm detects anomalies by monitoring real-time entropy variations against baseline levels.

2.2. Normal Distribution Hypothesis and Two-Tailed Testing on CAN

Under normal operating conditions without intrusions, the frequency distribution of CAN message IDs remains stable, resulting in minimal fluctuations in information entropy values. We therefore posit that variations in CAN bus entropy follow a Gaussian distribution. Assuming entropy values follow $\mathcal{N}(\mu ,{\sigma }^2)$ during stable operation, where $\mu$ and ${\sigma }^2$ represent baseline mean and variance respectively, the detection framework implements the following:

• Baseline Establishment: Collect ${10}^4$ normal CAN messages to calculate

  $$\begin{array}{cc}\hfill \mu & =\mathbb{E}\left[H\right]\hfill \end{array}$$

  (2)

  $$\begin{array}{cc}\hfill {\sigma }^2& =\mathrm{Var}\left(H\right)\hfill \end{array}$$

  (3)
• Real-Time Computation: Compute windowed entropy ($W=100$):

  $$H_{\mathrm{real}}=-\sum _{k=1}^W{p}_k{log}_2{p}_k$$

  (4)
• Hypothesis Testing: Construct test statistic

  $$Z={\displaystyle \frac{H_{\mathrm{real}}-\mu }{\sigma }}$$

  (5)
  Reject null hypothesis when $\left|Z\right|>Z_{\alpha /2}$ ($\alpha =0.05$, $Z_{0.025}=1.96$).

2.3. ROC Curve Optimization

To balance sensitivity and false positives, we implement ROC-guided threshold tuning [11]:

• Dataset preparation: Let $\mathcal{D}={\left\{(H_k,y_k)\right\}}_{k=1}^M$ be the labeled dataset, where $H_k$ is the entropy value of the k-th observation window, and $y_k\in \{0,1\}$ is a binary label (0 = normal, 1 = attack).
• Threshold Sweeping: For any candidate threshold $T\in [\mu -3\sigma ,\mu +3\sigma ]$, we define

  $$\mathrm{TPR}\left(T\right)={\displaystyle \frac{{\sum }_{k=1}^M\mathbb{I}(H_k\ge T\wedge y_k=1)}{{\sum }_{k=1}^M\mathbb{I}(y_k=1)}}$$

  (6)

  $$\mathrm{FPR}\left(T\right)={\displaystyle \frac{{\sum }_{k=1}^M\mathbb{I}(H_k\ge T\wedge y_k=0)}{{\sum }_{k=1}^M\mathbb{I}(y_k=0)}}$$

  (7)
• Optimal Threshold: Select $T_{\mathrm{opt}}=\mu \pm 2.5\sigma$ minimizing

  $$\sqrt{{(1-\mathrm{TPR}\left(T\right))}^2+{\left(\mathrm{FPR}\left(T\right)\right)}^2}$$

  (8)

3. Related Works

Research on the security of in-vehicle CANs primarily focuses on two main directions: protocol-based encryption security solutions and intrusion detection systems (IDSs) [4]. Protocol encryption approaches enhance message integrity verification through CAN protocol modifications such as incorporating message authentication codes (MACs). Although extensively studied in early works [12,13,14], these methods face three fundamental deployment challenges: (1) mandatory ECU hardware modifications, (2) excessive computational overhead, and (3) non-trivial real-time constraints.

Conversely, IDS solutions have gained prominence due to their protocol independence and minimal bandwidth consumption. Existing intrusion detection algorithms can be categorized into four groups based on data types: entropy-based, content-based, frequency-based, and voltage signal-based methods.

Entropy-based methods [3,15,16] quantify uncertainty in CAN ID distributions, demonstrating particular efficacy against traffic anomalies like Denial-of-Service (DoS) attacks. Their limitation lies in detecting stealthy attacks that mimic legitimate patterns (e.g., precisely timed replay attacks). Content-based approaches [17,18] employ deep learning to analyze payload legitimacy. While achieving laboratory accuracy exceeding 95%, their practical deployment is hindered by substantial training data requirements and computational complexity. Frequency-based techniques [19,20,21,22] monitor temporal message characteristics, including clock skew and inter-arrival intervals. These methods achieve low false positive rates but prove ineffective against aperiodic or context-aware attacks. Voltage signal-based methods [5,6,7,8,9,10,23] exploit physical-layer characteristics for ECU authentication. These methods achieve microsecond-level fingerprinting accuracy, yet remain vulnerable to environmental drift and require continuous recalibration.

Under the strict resource constraints of contemporary automotive embedded platforms, entropy-based anomaly detection algorithms demonstrate significant practical advantages. Compared with methods requiring complex models (e.g., deep learning) or high-precision signal acquisition (e.g., voltage fingerprinting), entropy algorithms only require statistical analysis of CAN ID frequency distributions, featuring low computational complexity and minimal storage requirements. While current entropy-based detection algorithms remain constrained in addressing complex attack scenarios (e.g., precise replay attacks), their efficiency and low deployment costs in resource-constrained environments have gained widespread recognition. The subsequent sections detail key technical implementations, hardware adaptation strategies, and experimental validation outcomes.

4. Threat Model

4.1. Attack Type

We consider an attacker who can inject malicious CAN frames via physical access (e.g., OBD-II port) or short-range wireless interfaces, but cannot compromise ECU firmware. The attacker has full knowledge of the CAN protocol and possesses vehicle-specific ID allocation information. The attacker can launch various attacks, including the following:

• DoS Attack: The adversary floods the bus with high-priority frames (e.g., ID = 0x000 at 500 fps), causing entropy to drop below $\mu -2.5\sigma$ (see Equation (3)).
• Injection Attack: The attacker records legitimate messages (e.g., brake commands) and re-injects them at inappropriate times.

The current detection framework focuses on batch message injection attacks that cause observable entropy deviations. Single-frame injection scenarios, while theoretically possible, require different detection paradigms and are reserved for future research. This design choice aligns with automotive safety priorities where sustained attacks pose greater immediate risks.

4.2. Attack Impact on Entropy

The entropy deviation $\Delta H=|H_{\mathrm{attack}}-\mu |$ under DoS attacks is

$$\Delta H_{\mathrm{DoS}}\propto {\displaystyle \frac{1}{\sigma }}\left|log{n}_{\mathrm{malicious}}-\mu \right|$$

(9)

where $H_{\mathrm{DoS}}$ is the entropy deviation under DoS attack, and $n_{\mathrm{malicious}}$ is the count of attack frames per window.

For injection attacks, the entropy deviation is defined as

$$\Delta H_{\mathrm{injection}}=\left|\sum _{i=1}^n(p_i^{\mathrm{orig}}-p_i^{\mathrm{injection}}){log}_2{p}_i^{\mathrm{orig}}\right|$$

(10)

where $H_{\mathrm{injection}}$ is the entropy deviation under injection attack, and $p_i^{\mathrm{orig}}$ and $p_i^{\mathrm{injection}}$ represent the original and injected message distributions, respectively.

5. System Models

The proposed system architecture comprises three tightly coupled modules, as conceptually illustrated in Figure 1. The data flow initiates from the CAN bus interface, where raw messages are timestamped, and then processed through an entropy-based detection pipeline.

5.1. Data Acquisition Module

The data acquisition module utilizes the CAN bus interface within the AUTOSAR framework to ensure seamless integration with existing vehicle network systems. When the CAN receiver detects an interrupt, the module is triggered and subsequently transfers the received CAN message IDs and contents to the upper-layer detection program via Direct Memory Access (DMA) for further analysis.

To precisely identify each CAN message, the module generates a unique timestamp upon message reception. This timestamp serves as a unique identifier to distinguish and tag different CAN messages, providing accurate temporal references for subsequent data analysis and anomaly detection. The process employs standard CAN message processing patterns, delivering reliable data support for the entire intrusion detection system.

5.2. Computational Identification Module

The computational identification module receives CAN message IDs from the data acquisition module and analyzes them using parameters provided by the algorithm training module. After accumulating 100 CAN messages, the module calculates the information entropy of these message IDs, to measure the probability distribution of CAN IDs, according to Equation (1).

The module then employs a two-tailed statistical test to determine whether the computed entropy falls within the normal range, thereby identifying potential network anomalies or attacks, according to Equation (5). The two-tailed test helps determine if the sample mean significantly differs from the expected value, evaluating whether the information entropy significantly deviates from normal communication patterns.

Finally, the module generates a binary detection output, where a value of 0 indicates normal entropy conditions while a value of 1 signals abnormal patterns that may trigger security alerts or initiate countermeasures. Key performance metrics demonstrate the system’s real-time capability, including a fixed processing window of 100 messages for entropy calculation, detection latency constrained to under 100 ms to meet automotive timing requirements, and memory consumption maintained below 10 KB to ensure compatibility with resource-constrained ECUs.

For each detection window of N messages, the algorithm computes Shannon entropy by iterating over n unique CAN IDs (fixed for a given vehicle, e.g., $n=71$ in our experiments). This requires $O\left(n\right)$ operations per window. The Z-score calculation involves constant-time arithmetic operations $\left(O\right(1\left)\right)$. The per-window complexity is $O\left(n\right)+O\left(1\right)=O\left(n\right)$. This linear complexity enables deployment on resource-constrained ECUs without hardware accelerators.

Compared to state-of-the-art approaches, the proposed entropy-based detection achieves better computational efficiency. The entropy model proposed in recent research [16] involves signal processing with $O(NlogN)$ complexity for Fourier transforms (where N is the size of the sliding window), while the deep learning method [17] requires $O\left(N^2\right)$ operations per detection window due to matrix multiplications in neural networks (where N is the feature dimension).

5.3. Algorithm Training Module

The algorithm training module uses CAN bus data collected during stable vehicle operation as baseline information for the training process, according to Equation (4). During training, the module first injects attack patterns into normal data to generate abnormal data, simulating the impact of cyber attacks on CAN bus communication.

The training module then splits the received CAN message sequences according to configurable granularity. After obtaining the entropy data, it uses the Cumulative Distribution Function (CDF) to estimate the normal distribution parameters of the collected data. This step is based on the assumption that CAN ID frequency values follow a normal distribution over a certain period.

The module then uses the normal distribution model to test the injected attack data. To optimize the detection method, it employs Receiver Operating Characteristic (ROC) curve analysis to determine the optimal detection threshold, according to Equation (8). Ultimately, the module establishes an optimal threshold for subsequent real-time CAN monitoring and anomaly detection.

6. Experiments and Results

6.1. Real-World Dataset Validation

To validate the effectiveness of the proposed algorithm, we conducted experiments using a real-world dataset collected from a real vehicle. The dataset includes 71 unique CAN message IDs with varying payloads and periodicities, simulating typical in-vehicle communication patterns.

For a DoS attack, following the evaluation methodology of [15], we injected DoS attack frames (ID = 0x000) at 30% bus load penetration to create an adversarial testing environment. The comparative analysis was performed using 500 ms time windows for both methods. For the baseline approach [15], we implemented their fixed threshold detection with $k=0.8$ as recommended in their original work, which yielded 92% accuracy with an 18% false positive rate at 100% recall. Our adaptive entropy-based method demonstrated superior performance with 99% accuracy and only a 1% false positive rate (FPR) while maintaining 100% recall, as detailed in

Table 1. Performance comparison with fixed-threshold method.

Metric	Fixed Threshold	Proposed Method
Accuracy	0.92	0.99
False Positive Rate	0.18	0.01
Recall	1.00	1.00

.

For injection attacks, we injected recorded legitimate messages at 30% bus load penetration. As shown in

Table 2. Performance comparison for injection attack detection.

Metric	Fixed Threshold	Proposed Method
Accuracy	0.87	0.99
False Positive Rate	0.29	0.01
Recall	1.00	0.99

, our method maintains superior performance with 99% accuracy and 1% false positive rate at 90% recall, while the fixed-threshold approach suffers from higher false alarms (29% FPR) despite achieving full recall:

The performance improvement stems from two key algorithmic innovations: our threshold searching mechanism enables the algorithm to adapt to different datasets rapidly, compared to the fixed threshold approach.

6.2. Hardware-in-the-Loop Evaluation

6.2.1. Platform Configuration

The testbed comprised an NXP MPC5748G development board (32-bit Power Architecture MCU with 2 MB Flash) and a USBCAN-II FD interface device (manufactured by GCGtec Co., Shenyang, China) supporting CAN FD at 5 Mbps, configured with standard 120 $\Omega$ termination resistance to emulate automotive network conditions. The experiment environment is shown in Figure 2.

A Simulink (R2022a) model generated both normal and malicious CAN frames with periods ranging from 10 ms to 1155 ms, covering typical in-vehicle communication intervals. The model implemented 71 distinct CAN IDs with payload patterns derived from real-world vehicle data captures.

6.2.2. Evaluation Methodology

The experimental procedure involves configuring the USBCAN-II FD device to emulate CAN bus traffic while the MPC5748G processes incoming messages for anomaly detection. Based on actual vehicle data, the simulation implements 71 unique frame types with periodicities spanning 10–1155 ms.

The algorithm performs 100 independent detection cycles, respectively, on both normal CAN bus traffic and attack-injected compromised networks, where the attack-injected network injects malicious frames at 9.28% bus load penetration (equivalent to 1 attack frame per 10.8 normal frames based on the 500 kbps CAN FD bandwidth). The detection algorithm processes this mixed traffic on the MPC5748G platform, with performance metrics shown in

Table 3. Performance metric evaluation framework.

Metric	Calculation
Accuracy (ACC)	$(TP+TN)/Total$
Recall (REC)	$TP/(TP+FN)$
Execution Time	$t_{end}-t_{start}$

, calculated under attack or normal conditions, while execution timing was measured via S32 Design Studio’s µs-resolution debugger across all 71 simulated message types (10–1155 ms periods) derived from production vehicle data.

6.2.3. Evaluation Results

As shown in

Table 4. Performance metric evaluation.

Metric	Target	Measured
Sensitivity Threshold	≤10%	9.28%
Algorithm Running time	100 ms	about 70 ms
Detection Accuracy (ACC)	80%	84.5%
Recall (REC)	80%	85.6%

, The experimental results demonstrate the algorithm’s effectiveness in detecting various attack types while maintaining low false positive rates. The system achieved a detection accuracy of 84% with a recall (REC) higher than 80% under normal or attack conditions. The execution time, which is the program running time after collecting CAN messages within the time window, for the detection algorithm was consistently below 100 ms, ensuring real-time performance on the MPC5748G platform.

7. Conclusions

This study presented a lightweight entropy-based intrusion detection system for automotive CANs, leveraging Shannon entropy analysis of CAN message ID distributions and a two-tailed statistical test with adaptive threshold optimization. The algorithm, implemented on an NXP MPC5748G platform, achieved 84.5% accuracy and 85.6% recall under 9.28% bus load penetration. Key innovations include ROC curve-guided threshold selection, ensuring compatibility with resource-constrained ECUs. Hardware-in-the-loop validation confirmed real-time performance, with detection latency constrained to 70 ms per 100 message windows. The solution addresses critical limitations of cryptographic and machine learning-based approaches by offering a protocol-agnostic, low-overhead detection framework. Future work will focus on adaptive threshold tuning for evolving attack patterns while maintaining the algorithm’s sub 100 ms execution time and sub 10 KB memory footprint.