Abstract
Modern vehicles have evolved from purely mechanical systems into connected “computers on wheels” featuring Bluetooth, internet access, cellular communications, and seamless smartphone integration. Despite these technological advances, modern vehicles still rely on the Controller Area Network (CAN) bus for safety-critical communications between internal components. The CAN protocol, developed in the 1980s—back when vehicles operated as isolated systems—lacks fundamental cybersecurity controls such as authentication, authorization, and encryption. This security gap has led to substantial vulnerabilities in today’s vehicles. Given typical vehicle lifespans, these vulnerabilities will persist for years—even decades—to come, necessitating retrofit solutions compatible with existing automotive architectures.
This thesis addresses these vulnerabilities through a data-centric approach that facilitates practicable automotive cybersecurity solutions. In particular, this thesis tackles two main challenges: detecting cyberattacks on vehicle networks through intrusion detection systems, and preventing vehicle theft through driver authentication systems.
This work comprises three main components. First, comprehensive literature reviews systematize existing knowledge in automotive cybersecurity and intelligent transportation system (ITS) cybersecurity, establishing the theoretical groundwork for future research directions. Second, two foundational datasets provide real-world CAN bus data as standardized resources for the research community. The can-train-and-test dataset provides benign and malicious CAN traffic, including nine unique attack types across four vehicles, to facilitate automotive intrusion detection research. The Kidmose CANid Dataset (KCID) provides behavioral driving data from sixteen drivers across four vehicles, supporting driver authentication research.
Third, novel methodologies bridge critical gaps in automotive cybersecurity research. The can-logic approach leverages temporal logic and indicators of compromise for logic-based intrusion detection, a lightweight alternative to machine learning. The can-fp methodology distinguishes between bona fide false positives and attack-related artifacts, creating an attack-aware evaluation scheme that provides a more holistic picture of machine learning model performance. The can-sleuth approach presents a systematic, comparative analysis of automotive intrusion detection datasets, revealing their respective advantages and limitations as well as their practical utility. The KCID methodology establishes a conceptual framework and proof of concept for driver authentication systems.
This thesis presents a data-centric approach to automotive cybersecurity, providing foundational knowledge, comprehensive datasets, and proven methodologies that enable practicable intrusion detection and driver authentication solutions for both current and future vehicle systems.
| Original language | English |
|---|---|
| Publisher | Technical University of Denmark |
| Number of pages | 268 |
| Publication status | Published - 2025 |
Fingerprint
Dive into the research topics of 'Data-Centric Automotive Cybersecurity: From Automotive Intrusion Detection to Driver Authentication'. Together they form a unique fingerprint.
Projects
- 1 Finished
IDS for CAV: A Deep Learning and Blockchain-secured Intrusion Detection System (IDS) for Connected and Autonomous Vehicles (CAVs) in Smart Cities
Kidmose, B. E. (PhD Student), Tiessen, T. (Main Supervisor), Jensen, C. D. (Supervisor), Meng, W. (Supervisor), Düdder, B. (Examiner) & Zeng, G. (Examiner)
01/11/2022 → 10/02/2026
Project: PhD