Review

Cybersecurity of Automotive Wired Networking Systems:

Evolution, Challenges, and Countermeasures
Nicasio Canino 1,† , Pierpaolo Dini 1, *,† , Stefano Mazzetti 2,† , Daniele Rossi 1,† , Sergio Saponara 1,† and
Ettore Soldaini 1,†

1 Department of Information Engineering, University of Pisa, Via G. Caruso n.16, 56122 Pisa, Italy;
nicasio.canino@phd.unipi.it (N.C.); daniele.rossi1@unipi.it (D.R.); sergio.saponara@unipi.it (S.S.);
ettore.soldaini@hotmail.it (E.S.)
2 Embedded Software Systems (ESWS) S.r.l., Via R. Volpi n.77, 41058 Vignola, Italy; stefano.mazzetti@esws.tech
* Correspondence: pierpaolo.dini@unipi.it
† Authors are listed in alphabetic order.

Abstract: The evolution of Electrical and Electronic (E/E) architectures in the automotive
industry has been a significant factor in the transformation of vehicles from traditional
mechanical systems to sophisticated, software-defined machines. With increasing vehicle
connectivity and the growing threats from cyberattacks that could compromise safety and
violate user privacy, the incorporation of cybersecurity into the automotive development
process is becoming imperative. As vehicles evolve into sophisticated interconnected sys-
tems, understanding their vulnerabilities becomes essential to improve cybersecurity. This
paper also discusses the role of evolving standards and regulations, such as ISO 26262 and
ISO/SAE 21434, in ensuring both the safety and cybersecurity of modern vehicles. This
paper offers a comprehensive review of the current challenges in automotive cybersecurity,
with a focus on the vulnerabilities of the Controller Area Network (CAN) protocol. Ad-
ditionally, we explore state-of-the-art countermeasures, focusing on Intrusion Detection
Systems (IDSs), which are increasingly leveraging artificial intelligence and machine learn-
ing techniques to detect anomalies and prevent attacks in real time. Through an analysis
of publicly available CAN datasets, we evaluate the effectiveness of IDS frameworks in
mitigating these threats.

Academic Editor: Wajeb Gharibi

Keywords: automotive cybersecurity; vehicle E/E architecture; intrusion detection systems
Received: 13 December 2024 (IDSs); controller area network (CAN); in-vehicle network (IVN); ISO road vehicles; CAN
Revised: 15 January 2025
dataset
Accepted: 20 January 2025
Published: 24 January 2025

Citation: Canino, N.; Dini, P.;

Mazzetti, S.; Rossi, D.; Saponara, S.; 1. Introduction
Soldaini, E. Cybersecurity of
Automotive Wired Networking
The automotive industry is undergoing an evolution driven by advancements in
Systems: Evolution, Challenges, and Electrical and Electronic (E/E) architectures, which have significantly enhanced vehicle
Countermeasures. Electronics 2025, 14, functionality and user experience. This evolution is characterized by the integration of
471. https://doi.org/10.3390/ numerous Electronic Control Units (ECUs) that communicate through various vehicular
electronics14030471
communication protocols. Although the Controller Area Network (CAN) is one of the
Copyright: © 2025 by the authors. most common, the Local Interconnect Network (LIN), FlexRay, Media-Oriented System
Licensee MDPI, Basel, Switzerland. Transport (MOST), and Automotive Ethernet are also implemented depending on the
This article is an open access article
specific needs [1–4]. As vehicles become increasingly interconnected, the complexity of
distributed under the terms and
their E/E architectures grows, leading to a broader attack surface for potential cyber
conditions of the Creative Commons
Attribution (CC BY) license
threats. Reliance on these communication protocols, while facilitating enhanced vehicle
(https://creativecommons.org/ performance and features, simultaneously introduces vulnerabilities that can be exploited
licenses/by/4.0/). by malicious actors.

Electronics 2025, 14, 471 https://doi.org/10.3390/electronics14030471

Electronics 2025, 14, 471 2 of 29

This paper aims to provide a comprehensive overview of the current challenges in

automotive cybersecurity, with a focus on the vulnerabilities of the Controller Area Network
(CAN) protocol. The main objectives of this review are as follows:
• To describe the evolution of Electrical and Electronic (E/E) architectures in vehicles,
highlighting the vulnerabilities introduced in in-vehicle networks (IVNs) due to the
ever-increasing attack surfaces.
• To explore the role of evolving automotive safety and cybersecurity standards, such as
ISO 26262 and ISO/SAE 21434, in securing modern vehicles.
• To present a novel dual taxonomy for the classification of attack surfaces based on the
proximity of the attacker before and during the attack.
• To provide an overview of the security vulnerabilities of the CAN protocol and all
known cyberattacks targeting it.
• To summarize relevant CAN-based public datasets, with additional structured insights
on their characteristics and their use in developing effective Intrusion Detection
Systems (IDSs).
• To discuss state-of-the-art IDS taxonomy and approaches, such as anomaly-based,
rule-based, and hybrid systems, in the context of mitigating cyber threats, alongside a
review of AI and machine learning techniques for real-time anomaly detection in IDSs.

1.1. Vehicular E/E Architecture

The shift from mechanical to complex electronic systems has redefined E/E archi-
tectures in vehicles, heavily incorporating software and network components. This shift
has paved the way for the integration of advanced driver-assistance systems (ADASs)
and autonomous driving, both of which depend on the real-time data exchange between
the electronic devices. However, this connectivity raises cybersecurity concerns because
conventional in-vehicle networks were not designed with security considerations. For
example, the CAN protocol supports real-time communication but lacks inherent security
features, exposing it to risks such as message injection, replay attacks, and unauthorized ac-
cess [5–7]. As vehicles incorporate more V2X connectivity, the risk of cyberattacks increases,
necessitating a comprehensive understanding of the vulnerability of the protocol. These
attacks could have significant consequences, such as financial losses for manufacturers,
legal liabilities, and diminished consumer trust. Thus, mitigating these vulnerabilities is
crucial for maintaining the safety and security of contemporary vehicles.

1.2. Cybersecurity Concerns and Solutions

With a specific focus on the vulnerabilities of the CAN protocol, they have been
extensively documented and demonstrated, highlighting the potential consequences of
successful cyberattacks on vehicle safety and security [8–10]. Attackers can exploit these
vulnerabilities to manipulate vehicle behavior, leading to catastrophic outcomes such
as loss of control, unauthorized access to sensitive data, and even physical damage to
occupants or pedestrians. Research has shown that an effective solution can be Intrusion
Detection/Prevention (IDS/IPS) mechanisms to secure the CAN network, which remains a
prime target for cyber threats [11,12]. To address increasing threats, numerous solutions
have been proposed to secure the CAN protocol. A key approach is Intrusion Detection
Systems (IDSs), which monitor network traffic for malicious activities. In particular, AI and
machine learning have led to advanced IDSs, which are capable of detecting anomalies in
CAN traffic. In fact, by exploiting data-driven methods to detect intrusion patterns, they
offer preemptive protection against attacks [5,13–15]. Research continues to improve IDS
detection capabilities against evolving attacks.
Electronics 2025, 14, 471 3 of 29

The development of effective Intrusion Detection Systems (IDSs) for automotive net-
works, particularly those focusing on the CAN protocol, is highly dependent on the quality
of the datasets used. Therefore, publicly available CAN datasets play a crucial role in train-
ing and evaluating these systems, providing researchers with the necessary data to simulate
various attack scenarios and assess the performance of their detection mechanisms.

1.3. Related Review Articles

In recent years, several review articles have been published on the topic of automotive
cybersecurity, each addressing various aspects of the field. Here, we discuss some of
the most relevant review papers and highlight how our work differs from and improves
upon them.
1. Abreu et al. focused on the use of artificial intelligence (AI) technologies to im-
prove IoT security in vehicles. They addressed key research questions related to
the challenges and threats faced by IoT devices and how AI can be used to enhance
their security. While their work provided valuable insights into AI-driven solutions
for cyber threat detection, it did not delve deeply into the specific vulnerabilities of
automotive systems or the role of standards and regulations [16].
2. Pascale et al. introduced an embedded Intrusion Detection System (IDS) for the
automotive sector, designed to analyze traffic on the CAN bus and identify poten-
tial cyberattacks. The authors focused on the implementation and effectiveness of
their proposed IDS but did not provide a comprehensive overview of the broader
cybersecurity landscape or the integration of evolving standards and regulations [17].
3. Luo et al. conducted a systematic and comprehensive review of automotive cyberse-
curity testing methods and testbeds. They classified and discussed various security
testing techniques and identified gaps and limitations in existing research. How-
ever, their work primarily focused on testing methodologies and did not extensively
cover the practical implementation of cybersecurity frameworks or the role of AI and
machine learning techniques [18].
4. Kifor et al. analyzed the current state of research regarding automotive cyberse-
curity, with a particular focus on frameworks, standards, monitoring, and testing
technologies. While the authors provided a detailed discussion of existing standards
and regulations, their work did not emphasize the practical challenges and solutions
for maintaining cybersecurity throughout the vehicle’s lifecycle [19].
5. Fernandez de Arroyabe et al. addressed the challenges and solutions for maintaining
cybersecurity in the automotive industry, using the technology adoption model (TAM)
as a theoretical framework. Their work highlighted the importance of maintaining
cybersecurity after the vehicle has been sold and proposed solutions for ongoing
cybersecurity maintenance. However, their review did not provide a detailed analysis
of specific cybersecurity technologies or the integration of AI-driven solutions [20].

1.4. Unique Contributions of This Work

This paper aims to provide a concise, yet comprehensive, overview of automotive
cybersecurity, thus contributing with the following:
1. Detailed Analysis of CAN Protocol Vulnerabilities: Unlike previous reviews, our paper
provides an in-depth analysis of the specific vulnerabilities of the Controller Area Net-
work (CAN) protocol. We discuss various types of attacks, including frame injection,
error management exploitation, suspension, and masquerade attacks, and highlight
the potential consequences of these vulnerabilities on vehicle safety and security.
2. Comprehensive Review of Intrusion Detection Systems (IDSs): Our work offers a
thorough review of state-of-the-art IDS techniques, including rule-based, anomaly-
Electronics 2025, 14, 471 4 of 29

based, fingerprint-based, and hybrid approaches. We discuss the strengths and

limitations of each approach and provide insights into the latest advancements in AI
and machine learning techniques for real-time anomaly detection in IDSs.
3. Evaluation of Publicly Available CAN Datasets: We present a detailed analysis of the
most valuable CAN datasets shared by the research community. Our review includes
a comparison of the key features of these datasets, such as traffic type, labeling,
and attack scenarios, and highlights their importance in developing and evaluating
effective IDS frameworks.
4. Novel Dual Taxonomy for Attack Surface Classification: We propose a novel dual
taxonomy for classifying attack surfaces based on the proximity of the attacker before
and during the attack. This taxonomy provides a more comprehensive understanding
of the potential entry points and methods used by attackers, which is crucial for
performing effective Threat Analysis and Risk Assessment (TARA).
5. Integration of Evolving Standards and Regulations: Our paper explores the role
of evolving automotive safety and cybersecurity standards, such as ISO 26262 and
ISO/SAE 21434, in ensuring the security of modern vehicles. We discuss how these
standards complement each other and provide a structured framework for integrating
functional safety and cybersecurity into the automotive development process.
By providing a comprehensive overview of these topics, we aim to contribute to the
ongoing discussion on enhancing the security of automotive systems in an increasingly
connected world.

2. Search Methods and Inclusion/Exclusion Criteria

To ensure a comprehensive and systematic review of the current challenges in automo-
tive cybersecurity, we employed a rigorous methodology to gather and evaluate relevant
literature. This section details the search methods, databases consulted, keywords used,
and the inclusion/exclusion criteria applied.

2.1. Search Methods

The literature search was conducted using the following electronic databases to ensure
a wide coverage of relevant studies:
• ACM Digital Library;
• IEEE Xplore;
• Springer Link;
• MDPI.
The search was performed using a combination of keywords and phrases related to
automotive cybersecurity. The primary keywords included the following:
• “Automotive cybersecurity”;
• “Vehicle E/E architecture”;
• “Intrusion Detection Systems (IDS)”;
• “Controller Area Network (CAN)”;
• “In-Vehicle Network (IVN)”;
• “ISO/SAE 21434”;
• “Automotive Ethernet”;
• “Vehicle-to-Everything (V2X)”.

2.2. Search Strategy

The search strategy involved the following steps:
Electronics 2025, 14, 471 5 of 29

1. Initial Search: An initial search was conducted using the primary keywords in each
database. This step aimed to identify a broad range of potentially relevant articles.
2. Refinement of Search Terms: Based on the initial search results, the search terms
were refined to include additional relevant keywords and phrases. Boolean operators
(AND, OR) were used to combine search terms effectively.
3. Screening of Titles and Abstracts: The titles and abstracts of the retrieved articles were
screened to assess their relevance to the review’s objectives. Articles that did not meet
the inclusion criteria were excluded at this stage.
4. Full-Text Review: The full texts of the remaining articles were reviewed to ensure they
met the inclusion criteria. Any discrepancies or uncertainties were resolved through
discussion among the authors.

2.2.1. Inclusion Criteria

The following inclusion criteria were applied to select articles for the review:
1. Time Period: Articles published between 2010 and 2024 were included. This time
frame was chosen to capture the most recent advancements and challenges in auto-
motive cybersecurity.
2. Type of Publication: Only peer-reviewed journal articles, conference papers, and
technical reports were considered. This criterion ensured the inclusion of high-quality
and credible sources.
3. Relevance: Articles had to specifically address the cybersecurity of automotive wired
networking systems, including vulnerabilities, countermeasures, and standards. Stud-
ies focusing on related topics such as Intrusion Detection Systems (IDSs), Controller
Area Network (CAN), and automotive safety standards were also included.
4. Language: Only articles published in English were included to maintain consistency
in language and ease of analysis.

2.2.2. Exclusion Criteria

The following exclusion criteria were applied to filter out irrelevant or redundant
studies:
1. Non-English Publications: Articles not published in English were excluded to ensure
consistency in language and ease of analysis.
2. Irrelevant Topics: Articles that did not focus on automotive cybersecurity or related
topics were excluded. For example, studies focusing solely on mechanical aspects of
vehicles without addressing cybersecurity were not considered.
3. Duplicate Studies: Duplicate studies or articles presenting the same findings were
excluded to avoid redundancy. In cases where multiple articles reported similar
findings, the most comprehensive and recent study was included.
4. Incomplete Data: Articles lacking sufficient data or methodological details to support
their findings were excluded.

2.3. Data Extraction and Synthesis

The selected articles were subjected to a detailed data extraction process, which
involved the following steps:
1. Extraction of Key Information: Key information such as the study’s objectives, meth-
ods, findings, and conclusions were extracted from each article. This information was
organized into a structured format to facilitate comparison and synthesis.
2. Evaluation of Methodological Quality: The methodological quality of each study was
assessed using predefined criteria. Studies with significant methodological flaws were
excluded from the final synthesis.
Electronics 2025, 14, 471 6 of 29

3. Synthesis of Findings: The extracted data were synthesized to identify common

themes, trends, and gaps in the literature. The synthesis process involved both
qualitative and quantitative analysis, where applicable.
The search process yielded a total of [number] articles. After applying the inclu-
sion and exclusion criteria, [number] articles were selected for full-text review. Of these,
[number] articles were included in the final synthesis. The selected articles provided a
comprehensive overview of the current state of automotive cybersecurity, highlighting key
vulnerabilities, countermeasures, and emerging trends.

3. Evolution and Vulnerabilities of In-Vehicle Network Architecture

3.1. Evolution of E/E Architecture
The evolution of Electrical and Electronic (E/E) architectures in the automotive in-
dustry has been a significant factor in the transformation of vehicles from traditional
mechanical systems to sophisticated, software-defined machines. This evolution is largely
driven by the increasing demand for advanced functionality, such as automated driving,
enhanced connectivity, and improved user experiences. The E/E architecture encompasses
the fundamental organization of the electrical and electronic components of a vehicle, in-
cluding Electronic Control Units (ECUs), sensors, actuators, wiring, power distribution, and
communication systems, all of which are essential for achieving desired performance and
functional goals [2–4,21,22]. This comprehensive framework highlights the intricate interac-
tions and interdependencies among various components, which have become increasingly
complex as vehicles integrate more advanced technologies. Over the past century, the
automotive E/E architecture has undergone a paradigm shift, particularly in response to
the requirements of automated driving. The advent of autonomous vehicles has imposed
new challenges on existing architectures, leading to revolutionary innovations in the design
of the E/E architecture [1]. The automotive industry began as a completely mechanical
domain, with no starter motor to even turn on the engine electrically. By the 1970s, the
industry entered an electrification era in which mechanical components started to be re-
placed by electronic devices, although the E/E architecture was still in its early stages. The
rise of Integrated Circuits (ICs) led to the formation of large-scale automotive networks,
enhancing vehicle performance through point-to-point connections [1,23]. The demand for
automotive safety and efficiency since the 1980s led to the adoption of electronic control
systems, which initially resulted in complex and cumbersome wiring due to point-to-point
connections. To mitigate this, field buses such as the Controller Area Network (CAN) bus
were introduced to facilitate efficient communication among ECUs with fewer lines.
In the following years, as car technology and features expanded, the demand for an
affordable serial network emerged, since implementing the CAN bus for each car com-
ponent was too costly. This prompted European car manufacturers to adopt various IVN
protocols to address and cover specific tasks, such as FlexRay, Local Interconnect Network
(LIN), and Media-Oriented System Transport (MOST). The complete list of automotive IVN
protocols, in chronological order, is provided in Table 1, which also provides their pros and
cons; for example, although it is considered cost-effective due to its requirement of only
two wires, the CAN protocol cannot support the high data rates essential for applications
such as infotainment and autonomous driving.
Electronics 2025, 14, 471 7 of 29

Table 1. Comparison of in-vehicle network protocols.

Protocol Year Pros Cons

High reliability; cost-effective; suitable Limited bandwidth (up to 1 Mbps);
CAN [24] 1986 for real-time and safety-critical not suitable for high-data-rate
applications. applications.
Low cost; ideal for low-speed tasks; Low data rate (20 kbps); unsuitable for
LIN [25] 1999
simple master–slave architecture. real-time applications.
Optimized for multimedia; high data Not suitable for safety-critical
MOST [26] 1999 rate (150 Mbps); real-time applications; higher complexity and
transmission. cost.
High-speed (10 Mbps); fault-tolerant; Expensive; complex hardware and
FlexRay [27] 2000
deterministic for x-by-wire systems. software.
Very high bandwidth (1 Gbps+);
Higher cost; complex integration and
Automotive Ethernet [28] 2008 scalable; supports IP-based
synchronization.
communication.
Time-sensitive networking; low
Limited to multimedia; precise
AVB [29] 2009 latency for multimedia; integrates
configuration required.
with Ethernet.
Higher data rate (8 Mbps); backward Complex error handling; requires
CAN-FD [30] 2012
compatible; increased payload size. CAN FD-compatible hardware.
Guarantees time-sensitive data;
High complexity; expensive for small
TSN [31] 2012 suitable for mixed-criticality
systems.
applications.
High data rate (10 Mbps); large
Early adoption stage; requires new
CAN-XL [30] 2019 payload (2048 bytes); backward
infrastructure.
compatible.

Around the beginning of the new century, E/E architectures started a rapid ramp-up
towards their electrification. This evolution was supported by the adoption of centralized
gateways, which became common to optimize in-vehicle networks (IVNs) and their wiring.
In fact, all the ECUs were subdivided and distributed among different subnets, all con-
nected to a common gateway. This approach increased the number of available comfort
and safety services, thus increasing power demands, necessitating the transition to high-
voltage systems (48 V) [1,32,33]. Also, as vehicles started to become cyber–physical systems,
from purely mechanical, the introduction of a gateway was the first step toward increased
cybersecurity [34–36]. As automated driving functions and the number of ECUs increased,
the traditional network architecture became unsustainable, leading to the development
of Domain Control Units (DCUs) [24,37]. They centralize the management of multiple
subsystems within a vehicle domain, consolidating tasks that were traditionally handled
by separate ECUs. This consolidation results in increased system efficiency through lower
power consumption, simplified wiring, and reduced system complexity. Domain con-
trollers, for example, improve subsystem integration and coordination, particularly in
complex frameworks such as an ADAS. They offer scalability, facilitate easier software
updates, including over-the-air updates, and reduce hardware costs. Nonetheless, they
improve cybersecurity by focusing control on fewer and more secure areas, simplifying
vehicle communication, reducing latency, and ensuring better real-time responsiveness.
As vehicles become more automated, domain controllers are crucial for managing the
complexities of modern automotive architecture. Table 2 lists the typical domains with their
core functions, components (i.e., ECUs), and common IVN protocol. This E/E architecture
has been widely adopted since the 2010s and continues to be in use.
Electronics 2025, 14, 471 8 of 29

Also, as in the gateway-centric architecture, each domain utilizes different communi-

cation protocols according to specific needs. Lastly, in recent years, the idea of Software-
Defined Vehicles (SDVs) has become the next step to be reached to continue the evolution
of the automotive domain toward new services and features provided to the end-user.
In addition, a zone-based architecture has been proposed [4,24], which divides the ECUs
according to their physical location rather than function. In each geographic zone of
the vehicle, the electronics systems are managed by a Zone Control Unit (ZCU), which
consolidates local inputs and outputs (sensors and actuators) and communicates with a
central compute platform. The correlation between the zonal E/E architecture and SDVs
lies in their shared goal of creating more flexible, scalable, and efficient vehicle designs
by centralizing and simplifying electronic control and communication systems. The zonal
architecture is essential in separating vehicle functions from particular hardware sites,
enabling software-based control to prevail over the limitations imposed by physical wiring.

Table 2. Vehicle domain functions, components, and typical network protocol [2,24,37].

Vehicle Domain Function Components Protocols

Manages engine control, ECU, TCM, throttle control,
Powertrain transmission, and related fuel injection, exhaust gas CAN, CAN FD, FlexRay
systems recirculation
Responsible for vehicle ABS, ESC, airbags, traction
Chassis dynamics, safety, and control, suspension FlexRay, CAN
control systems systems
Manages body control Central locking, climate
Body systems for convenience control, lighting, power LIN, CAN
and user comfort windows
Handles multimedia, Audio systems, navigation,
MOST, Ethernet, AVB,
Infotainment navigation, and Bluetooth, wireless
CAN
entertainment systems connectivity, user interface
Focuses on Adaptive cruise control,
semi-autonomous and lane-keeping assist, radars, Ethernet, CAN FD, TSN,
ADAS
autonomous driving cameras, LIDAR, parking FlexRay
systems assistance
Telematics Control Unit,
Manages telematics, GPS, V2V, V2I Ethernet, Cellular, Wi-Fi,
Telematics and HMI
communications, and OTA communication, 4G/5G V2X, CAN FD
modem
Responsible for climate Air conditioning system,
HVAC control, ventilation, blower fans, temperature LIN, CAN
cooling, and heating sensors
Battery Management
Manages energy storage,
Energy Management/High System (BMS), charging
distribution, and battery CAN, CAN FD, Ethernet
Voltage (EVs) systems, inverters, electric
systems in EVs
motors

3.2. Overview on Automotive Safety and Cybersecurity: Standards and Regulations

As just mentioned, the rise of connected vehicles has introduced additional layers
of complexity to E/E architectures. Vehicles are increasingly equipped with a variety of
V2X connectivity features (Vehicle-to-Everything) that allow them to communicate with
testbed networks, other vehicles, and infrastructure. This connectivity improves vehicle
functionality, but also raises safety and cybersecurity concerns, as the attack surface for
potential threats expands significantly to the wireless domain.
Electronics 2025, 14, 471 9 of 29

As a result, the development of robust cybersecurity measures is becoming an in-

tegral part of the E/E architecture design process [38]. Manufacturers must ensure that
their systems are not only functional, but also secure against potential cyber threats that
could compromise vehicle safety and user privacy. Consequently, specific safety and cy-
bersecurity standards have been established: ISO 26262, ISO/SAE 21434, and UNECE
R155 and R156, each targeting distinct elements of automotive system safety and security.
ISO 26262, first introduced in 2011 and updated in 2018, is a comprehensive standard that
addresses the functional safety of electronic and electrical systems within vehicles [39]. It
provides extensive guidelines covering the entire lifecycle of automotive systems, from the
initial concept phase to the development, production, and operation phases, and concludes
with the decommissioning stage. The primary goal is to ensure that the safety principles
are methodically integrated at each stage of the process [40]. ISO 26262 holds particular
significance for systems that operate in safety-critical environments, as it establishes the
necessary Automotive Safety Integrity Levels (ASILs). These levels determine the depth
and rigor of the required safety protocols, depending on the severity and likelihood of
risks associated with potential system failures [41–43]. With the increasing complexity
of vehicle systems and their connectivity, the boundary between functional safety and
cybersecurity has become blurred, requiring an all-round reliable system. A system failure
due to a cyberattack can have serious safety consequences. This overlap is prompting
manufacturers to consider how security breaches can trigger safety hazards. Therefore, a
holistic approach is fundamental, where both safety and security measures are aligned to
protect against both functional failures and cyber threats [43–45]. ISO/SAE 21434, released
in 2021, directly addresses cybersecurity concerns in road vehicles, offering a structured
approach to handling cyber threat risks throughout the vehicle lifecycle [46]. This standard
highlights the necessity of integrating security protocols during the design and develop-
ment stages, as well as in the operational and maintenance phases [36,47,48]. Although
ISO 26262 provides the framework for preventing safety-critical failures, ISO/SAE 21434 is
a fine-tuned standard focused on protecting against malicious attacks that could lead to
such failures. The standard includes provisions for cybersecurity risk management, threat
analysis, and vulnerability assessments, all of which are essential to ensure that vehicle
systems are secure against cyber threats. A key example of the link between security and
safety is in the implementation of Intrusion Detection Systems (IDSs) to monitor IVNs.
Indeed, an IDS enhances the reliability of critical vehicle systems against cyberattacks, such
as those targeting ECUs. By detecting and responding to potential intrusions, such systems
ensure that security breaches do not escalate into safety-critical failures. This integration
of cybersecurity measures strengthens the functional safety protocols initially outlined
in ISO 26262, demonstrating the growing interdependence between safety and security
in modern vehicle architectures. Regarding the regulations, UNECE R155 and R156
complement these standards by establishing a regulatory framework for cybersecurity and
software updates in vehicles, according to the principles established in ISO/SAE 21434.
UNECE R155 requires manufacturers to implement a cybersecurity management system
to protect vehicles from cyber threats [49], while R156 focuses on the secure management
of software updates, ensuring that vehicles remain safe and secure throughout their op-
erating life [50]. These regulations underscore the importance of a holistic approach to
vehicle and passenger safety, which integrates functional safety, cybersecurity, and ongoing
software integrity. As vehicles evolve to incorporate ADASs and autonomous driving
capabilities, the risks associated with both functional failures and cyber threats become
more pronounced. Therefore, adherence to ISO 26262, ISO/SAE 21434, and UNECE R155
is not only a regulatory requirement but also a critical component to ensure the safety and
security of future automotive innovations [41,44].
Electronics 2025, 14, 471 10 of 29

The integration of these standards into the automotive development process will
ultimately contribute to building consumer trust and fostering the safe adoption of new
technologies in the automotive industry.

3.3. Vehicle Attack Surfaces

As vehicles evolve into sophisticated interconnected systems, understanding their
vulnerabilities becomes essential to improve cybersecurity. Two concepts can be defined to
determine and classify the origin and effects of an attack, attack surface and attack vector.
The attack surface of a vehicle encompasses all potential points at which an unauthorized
user can gain access to vehicle systems, extract sensitive data, or disrupt functionalities.
The attack vector, instead, determines the specific path, method, exploited by the attacker
from the beginning to the end target of the attack [8,51–55]. The typical classification of
attack surfaces considers only the entry point of the attacker, as listed in Table 3. They are
classified into three main categories:
• Physical, requires direct physical access to the vehicle or its components.
• Local Wireless, requires proximity to the vehicle (within a range of 100 m) without
physical access.
• Unlimited Wireless, can be exploited without any limitation on the distance from
the vehicle.

Table 3. Attack surfaces in the automotive domain, classified according to classical taxonomy.

Category Attack Surface

IVN protocols (CAN, LIN, FlexRay, etc.); OBD-II Port;
Powertrain ECU; Body Control ECU; Infotainment
Physical ECU; ADAS; Infotainment USB Ports; SD Card Slots;
Auxiliary Ports; Charging Ports (EV); Aftermarket
Devices (e.g., plugged into OBD-II).
Bluetooth; Wi-Fi (in-vehicle hotspots); NFC; Keyless
Entry Systems; TPMS; LIDAR/RADAR (autonomous
Wireless Local (<100 m)
vehicles); Cameras (autonomous vehicles); Ultrasonic
Sensors.
Telematics Units (GPS, Cellular); V2V Communication;
V2I Communication; OTA Updates; Telematics
Wireless Unlimited (>100 m) Backend Systems; Mobile Apps and Connected
Services; RFID; V2G Systems; EV Charging Networks;
Cloud and Backend Systems.

This classification can become limiting when performing a Threat Analysis and Risk
Assessment (TARA) on the vehicle against its cybersecurity vulnerabilities [48]. Therefore,
we propose a novel and more complete taxonomy, as depicted in Figure 1, in which the
attack surface is further distinguished according to the proximity of the attacker before and
during the attack:
• Attack starting point phase: is the actual access point before the attack actually is
carried out. It can require the following:
– Initial physical access to the vehicle, for example, by accessing the IVN, OBD-II
port, or infotainment ports;
– Without any initial physical access to the vehicle, for example, exploiting wireless
V2X connectivity, or tampering with the vehicle’s sensors.
• Attack ongoing phase: defines how the attacker performs the attack, physically or
remotely connected to the vehicle.
Electronics 2025, 14, 471 11 of 29

Figure 1. Taxonomy of attack surfaces from a dual point of view: starting point and ongoing phases
of an attack.

This distinction can be useful in some sophisticated attacks; for example, consider that
the attacker aims to inject malicious messages into the vehicle’s IVN, starting from the OBD-
II port. This would mean, without our taxonomy, that the attack surface should be classified
as physical. However, if the attacker connects to the OBD-II port with an aftermarket device
with wireless connectivity, in reality, the physical attack surface would become wireless
indirectly. In light of the ready availability of tools of this nature, the TARA phase for
the vehicle may require further consideration. In fact, the potential threat associated with
physical attack surfaces may increase. This is because physical attack surfaces that would
otherwise remain contained may become vulnerable due to the difficulty of carrying out
prolonged attacks with the attacker physically connected to the car. Throughout the rest
of this paper, a specific focus will be on the CAN protocol for two reasons. First, it is one
of the most used within the vehicle domain (see the last column in Table 2) because of
its high reliability and contained cost of implementation. In fact, for the physical layer, it
only requires a twisted pair of wires to deliver the data information. Second, since this
protocol was invented in the 1980s, it does not include security countermeasures such as
message authentication, sender and receiver addresses, or message encryption. Therefore,
countermeasures must be taken into account to protect critical domains that rely on the
CAN bus.

3.4. CAN Bus Vulnerabilities

The CAN protocol [56], developed during the 1980s, is widely used in automotive
systems to allow communication between various ECUs. This protocol functions as a multi-
master serial communication system using CSMA/CA (Carrier Sense Multiple Access with
Collision Avoidance) to reduce errors and minimize data retransmissions. It utilizes a
twisted pair bus, transmitting data frames in differential mode, where the logical value
output is the wired-AND outcome (with logic-0 as the dominant value and logic-1 as the
recessive value) of all active transmitting ECUs. As illustrated in Figure 2, multiple ECUs
may initiate transmission simultaneously, requiring an arbitration procedure (leveraging
the wired-AND property) to determine the ECU that will assume control of the bus and
continue transmitting the CAN frame. Since bits are sent from MSB to LSB, a lower ID
(identifier) value in the transmitted frame results in more dominant bits being sent initially,
granting it higher priority during arbitration. However, from a cybersecurity perspective,
the simplicity and convenience of implementing the CAN protocol represent significant
vulnerabilities. The principal security risks associated with the CAN protocol, extensively
documented in scholarly reviews [54,57,58], cover the following aspects:
Electronics 2025, 14, 471 12 of 29

• Frame Injection Attack: Due to the broadcast characteristic of the CAN protocol and
its lack of encryption mechanisms, an attacker can inject malicious messages into
the CAN bus, potentially altering vehicular actions and disrupting standard IVN
operations. This can be performed, for example, by physically accessing the OBD-II
port or directly connecting to the targeted subnet.
• Error Management: This mechanism within the CAN protocol, designed to improve
reliability and fault tolerance, can inadvertently create vulnerabilities that malicious
actors can exploit. These mechanisms include error counters (Transmit and Receive
Error Counters) that track the number of transmission errors and dictate the opera-
tional state of a CAN node. Figure 3 displays the error states and the conditions under
which the ECU changes its network state. Although these features are intended to
isolate faulty nodes and maintain network integrity, they can also be manipulated to
launch sophisticated attacks.

Figure 2. CAN arbitration policy: three ECUs (A, B, and C) initiate transmission at the same time, but
only ECU B wins arbitration.

Figure 3. Error states defined by CAN protocol.

• Suspension and Masquerade Attacks: Exploiting the error management functions of

the CAN protocol, or by installing malicious software, attackers can suspend message
transmission from the targeted ECU, posing potentially severe threats to the correct
functionality of the vehicle. Also, after the ECU is suspended, masquerade tactics can
be exploited, whereby a malicious ECU transmits forged data frames using identical
periodicity, identifiers, and payload configurations.
• Insider Threats: Individuals with legitimate access to vehicle systems, such as em-
ployees or contractors, may exploit their access and knowledge to manipulate ECU
functionalities, thus altering the properties of some CAN messages or introducing
vulnerabilities, compromising vehicle security.
Electronics 2025, 14, 471 13 of 29

• Eavesdropping/Sniffing: Since the transmission of CAN frames occurs in unsecured

plaintext over a physical layer consisting merely of two wires, attackers can intercept
and scrutinize data exchanged among ECUs. Such interceptions might expose sensi-
tive vehicle operation details and user activities, paving the way for further attacks.
These identified threats underscore the urgent need for comprehensive cybersecurity
strategies within automotive networks that depend on the CAN protocol, especially given
the growing connectivity (attack surfaces) and the increase in safety-related features in
autonomous vehicles.

4. CAN-Related Cybersecurity Vulnerabilities and Solutions

Developed for the automotive domain, the CAN protocol has become a key commu-
nication technology among vehicle ECUs. Its reliability and efficiency have made it the
dominant choice for real-time data transfer in contemporary vehicles. However, extensive
integration of CAN has revealed significant vulnerabilities that could be exploited by
malicious individuals. As vehicles move into more connected systems with expanded
features, the risks related to CAN cybersecurity have increased substantially. This section
presents an overview of the intrinsic weaknesses of the CAN protocol, the various types of
attack it may face, and the consequences of such security gaps. By understanding these
cybersecurity issues, we can recognize the necessity of robust countermeasures and how
they can be designed to protect automotive networks.

4.1. Attacks to CAN Protocol

Given the intrinsic properties and vulnerabilities of the CAN protocol, a wide variety
of attacks have been discovered and demonstrated [12,57,58]. Figure 4 summarizes the
known attacks on CAN networks, depicting exemplifying message sequences with K as
the attacker ECU, while A and B are benign ones. The following are the main properties
of these attacks.

Figure 4. Examples of known attacks on CAN networks, highlighting the order and periodicity of
considered frames. ECUs A and B are legitimate, while K is the attacker.

(a) DoS Attack floods the CAN bus with an excessive number of high-priority frames,
thus preventing benign ECUs from transmitting frames that have lower priority levels.
The typical ID used is 0x000 (highest overall priority, but easy to detect because it is
never used by benign nodes) or the highest ID typically sent in that network [59,60].
(b) Fuzzy Attack involves injecting frames that contain random, or partially random,
values across various fields of the CAN frame, namely ID, DLC (Data Length Code),
and payload. This strategy seeks to inundate benign frames by introducing a high
Electronics 2025, 14, 471 14 of 29

volume of randomized traffic, or to specifically target a set of benign IDs with the goal
of inducing adverse vehicle behaviors [61].
(c) Replay Attack involves an initial phase to capture valid frames by monitoring the
CAN traffic, storing them, and subsequently retransmitting these frames to produce
discrepancies in the information within the targeted benign IDs [62].
(d) Spoof Attack requires an initial examination of the data embedded in the payload of
the target ID(s).
The forged malicious frames, with benign ID, are then transmitted with manipulated
payloads, with the intent of provoking undesired or dangerous vehicle states [63].
(e) Suspension Attack is designed to stop the transmission of CAN frames originating
from a targeted ECU. This can be executed externally by taking advantage of the error
handling capabilities inherent in the CAN protocol, inducing the ECU into the Bus Off
state (see Figure 3), or internally through the deployment of harmful software aimed
at blocking frame transmission at a certain stage [64].
(f) Masquerade Attack occurs after the suspension of transmission from an ECU. Using
a malicious ECU, spoofed frames that match the ID, DLC, payload characteristics,
and timing of the original frames are transmitted, thus seemingly maintaining an
unchanged overall traffic pattern on the bus [65].
Depending on the target ECU for the suspension attack, it can become a Wormhole/
Black-hole Attack, which causes an ECU that interconnects multiple distinct subnets to
cease functioning.
For injection attacks, the first four in Figure 4, a distinction can be made depending on
the injection delivery method, rather than only on the content of CAN frames. Three meth-
ods can be exploited: periodic, flam, and irregular. Firstly, the periodic delivery method
consists of the injection of malicious CAN frames within a fixed period. The effectiveness of
this method highly depends on the targeted ID, and on the chosen periodicity. Secondly, the
flam delivery method is a more sophisticated option. In this case, the malicious frames are
sent in immediate succession after the benign ones. This timing order between benign and
injected frames ensures that the authentic message cannot physically be executed before
the malicious one modifies the data [10]. The effects of flam delivery can be noticed, for
example, in the information displayed on the tachometer, in which the needle may remain
at a fixed position even if the vehicle is in motion. This happens because the instrument
cluster ECU does not have the physical time to actuate the benign data before the injected
one arrives. Lastly, the irregular delivery method encloses all CAN frames injected with-
out a specific time property. The aforementioned attack categories focus specifically on
their effects on CAN bus traffic. The specific attack vector (the technique employed by
an attacker to unlawfully access an IVN or ECU) is beyond the scope of this overview
and is inherently linked to the attacker’s chosen target. However, since every attack will
inevitably leave traces in some part of the vehicle’s IVN, an intrusion detection system
monitoring that network may be able to detect the attack.

4.2. Network IDS Taxonomy

To address security vulnerabilities in the CAN protocol, various solutions have been
proposed, ranging from lightweight encryption mechanisms to Message Authentication
Codes (MACs) and Intrusion Detection Systems (IDSs) that monitor abnormal traffic
patterns across different layers of the protocol stack. The typical IDS taxonomy is depicted
in Figure 5, in which the main characteristics of an IDS are summarized.
• Location: the IDS can be designed to monitor the behavior and activities of an ECU
(host-based), or to monitor the traffic of the targeted IVN subnet (network-based).
Electronics 2025, 14, 471 15 of 29

• Approach: defines which architecture has been selected for the IDS, determining the
detection methodology between more deterministic (rule-based) or heuristic (anomaly-
based) approaches.
• Layering: the IDS can monitor single protocol layers (single-layer), or more than one
layer simultaneously (cross-layer). It depends on the available layers of the considered
protocol, for example, physical, data-link, network, or application layers.
• Reaction: classifies the post-detection behavior of the system. An Intrusion Detection
System (IDS) is a passive technique that only raises an alert when an anomaly/attack
is detected, while an Intrusion Prevention System (IPS) is also able to proactively take
some countermeasures after the detection of the anomaly/attack.

Figure 5. IDS taxonomy defining the four characteristics of the design space.

Among these, Network-IDS plays a crucial role in continuously monitoring net-

work activity, identifying unusual events, and triggering alerts when potential anoma-
lies/intrusions are detected. These anomalies/intrusions can represent unauthorized
attempts to gain access to vehicle systems and may originate either within vehicle internal
components, such as compromised ECUs, or externally from attackers seeking to infiltrate
the network. Over the years, several IDS techniques have been developed to strengthen the
security of the CAN protocol [12,34,66]. These techniques focus on monitoring different
aspects of CAN bus communication, from its physical properties to detecting recurring
patterns in network traffic. The published IDS approaches can be classified as follows.

4.2.1. Rule-Based Approach

It operates by defining a set of pre-established rules or signatures related to the
behavior of the IVN, which are known at the implementation stage of the IVN devices.
These rules are typically based on specific design characteristics of vehicle communication,
such as limiting the value range of certain message fields (e.g., payload fields cannot
exceed predefined max and min bounds) or ensuring that values have a variability within
the nominal range, between consecutive frames. Additionally, signature-based IDSs can
identify known attack patterns, such as Denial of Service (DoS) attacks, by matching
traffic against predefined attack signatures [35,67–69]. This method is highly effective for
detecting known threats, but struggles against new or evolving attack techniques.

4.2.2. Anomaly-Based Approach

It monitors real-time traffic in the IVN and establishes a baseline for normal behavior
using heuristic or statistical methods. Any deviation from this baseline beyond a specified
threshold is flagged as abnormal behavior, triggering an alert. Typically, it is based on
ML/AI techniques that analyze valuable features of network traffic, ranging from the ID
sequence to the payload content or typical arrival periodicity of that ID. Anomaly-based
IDSs are useful for detecting unknown or previously unseen attack types by identifying
Electronics 2025, 14, 471 16 of 29

unusual patterns that deviate from normal operations [70–72]. Although this approach is
adept at uncovering novel attacks, it can also result in a higher rate of false positives due
to the challenges in precisely defining what constitutes "normal" behavior in a dynamic
automotive environment.

4.2.3. Fingerprint-Based Approach

It leverages unique characteristics, or “fingerprints”, of ECUs and communication
patterns to distinguish legitimate activities. By assigning specific identifiers to each ECU
or communication, the system can detect discrepancies that indicate malicious behavior.
The most widely used fingerprinting techniques exploit voltage or timing features of the
devices in the IVN, which can be used to identify the specific ECU that transmits a given
CAN frame, making it easier to detect unauthorized behavior in the network [73–75].
• Voltage Fingerprinting is based on the observation that each ECU exhibits a unique
electrical signature when transmitting CAN frames, due to slight variations in hard-
ware components such as transistors, resistors, and other circuitry [73,76]. This method
measures electrical characteristics, such as voltage levels and signal transitions, during
message transmission on the CAN bus, which are unique identifiers for each ECU.
By capturing and analyzing these signatures, an IDS can detect deviations from the
expected profile, which may indicate that a malicious or compromised ECU is trans-
mitting messages not belonging to it. Voltage fingerprinting can be highly effective in
distinguishing between legitimate and illegitimate ECUs because even if the transmit-
ted messages appear valid at the data-link layer, the underlying electrical signature of
a counterfeit ECU will differ from the expected one. This method provides a low-level,
hardware-based layer of security that is difficult for attackers to mimic. However, volt-
age fingerprinting can be sensitive to environmental conditions such as temperature
or voltage fluctuations, which may introduce noise into the system and complicate
the detection process [73,76]. Advanced filtering and calibration techniques are often
required to ensure reliable detection under varying operational conditions.
• Timing Fingerprinting leverages the observation that each ECU has a distinctive tim-
ing pattern when sending CAN frames [77,78]. These timing characteristics arise from
subtle differences in clock precision, processing power, and the internal scheduling
algorithms of different ECUs. By monitoring the inter-arrival times of CAN frames or
the precise timing of bit transitions within a message, the IDS can establish a baseline
of normal timing behavior for each ECU. Any significant deviation from this baseline
could indicate that an unauthorized ECU is attempting to masquerade as a legiti-
mate one, or that a timing-based attack, such as a replay attack, is being conducted.
Timing fingerprinting is particularly useful because even if an attacker can replicate
the content of a legitimate message, it is unlikely that they can perfectly replicate the
exact timing characteristics of the genuine ECU. However, the effectiveness of timing
fingerprinting can be affected by bus congestion, network latency, or jitter, which may
alter the expected timing behavior without necessarily indicating an attack [77,78].
Sophisticated algorithms are therefore required to distinguish between normal timing
variations and malicious activity.

4.2.4. Hybrid-Based Approach

It combines two or more of the previously mentioned approaches to exploit their
strengths while mitigating their individual weaknesses. For example, a hybrid system
may use a rule-based approach for known threats while employing anomaly detection
for unknown patterns, resulting in a more comprehensive security framework [13,79].
Hybrid systems can be organized hierarchically, starting with coarse-grained checks
Electronics 2025, 14, 471 17 of 29

and refining them to more detailed inspections to optimize both detection accuracy and
computational efficiency.

4.2.5. Summary: Pros and Cons

Each of these IDS approaches has its strengths and limitations. Rule-based systems,
while highly effective against well-known attack patterns, require constant updates to
stay relevant as new threats emerge. Without regular updates, these systems become
less effective over time. In contrast, anomaly- and fingerprint-based systems are more
suitable at identifying unknown or sophisticated attacks, such as masquerading attacks,
but tend to produce more false positives due to their reliance on heuristics and statistical
thresholds. Moreover, the use of ML/AI in a safety-critical and resource-constrained
domain, such as automotive, poses severe concerns because of their intrinsic nature. In
fact, new work will inevitably tend towards eXplainable AI (XAI) and Embeddable AI
(EAI) to overcome these concerns [80,81]. As vehicles become more interconnected and rely
more on software, striking the right balance between detection accuracy and minimizing
false positives is critical to ensuring robust IVN security. These IDS categories, along with
ongoing advancements in AI-driven detection, offer a layered defense strategy that can
adapt to the evolving threat landscape.

5. CAN Datasets and AI-Based IDS Solutions

Rapid advancement of artificial intelligence (AI) has significantly impacted various
domains, including automotive cybersecurity. As traditional rule-based systems struggle
to keep up with increasingly sophisticated cyberattacks, AI-driven solutions offer a more
dynamic and adaptive approach to intrusion detection. In this section, we discuss the
role of AI in enhancing the security of in-vehicle networks, particularly focusing on the
Controller Area Network (CAN) protocol, as anticipated in previous sections. We will
explore the most complete CAN datasets shared by the research community, which are
crucial to assess the detection performances of the developed IDS architectures. Then, an
overview of the AI techniques used to detect and mitigate cyber threats and their overall
performance will be provided.

CAN Dataset Analysis

The analysis of CAN datasets is fundamental for developing effective IDSs in au-
tomotive cybersecurity. These datasets must provide the necessary data to simulate the
highest variety of attack scenarios, while also providing a sufficient amount of normal
traffic patterns. By analyzing CAN datasets collected from real vehicles, researchers can
identify common attack vectors, understand the typical behavior of IVNs, and develop
robust detection mechanisms. In the CAN context, datasets offer labeled traffic data, en-
compassing both benign actions and established attack scenarios, which help fine-tune the
detection capabilities of AI-driven IDS solutions. Several publicly available CAN datasets
have been developed to emulate real-world vehicular settings, capturing both legitimate
network traffic and a variety of attack patterns, such as Denial of Service (DoS), message
spoofing, and replay attacks. These datasets are invaluable for researchers working on
machine learning models that can generalize across various attack types while minimizing
false positives. The effectiveness of AI-driven IDSs is largely dependent on the quality
of datasets used during model creation. Attributes such as traffic volume, the diversity
of attacks, and the proportion of normal to malicious data critically affect the system’s
performance. For example, an IDS model trained with imbalanced datasets might find it
challenging to detect rare but crucial attacks, or it may produce an excessive number of
false alarms, reducing its effectiveness in real-time automotive scenarios.
Electronics 2025, 14, 471 18 of 29

Moreover, the ability of the datasets to encompass the complete range of CAN traffic,
including elements like ID, DLC (Data Length Code), payload, and timestamps, augments
the model’s ability to detect subtle anomalies. Future research should emphasize the ex-
pansion and refinement of these datasets, integrating more intricate attack scenarios and
real-time traffic conditions, to ensure that AI-based IDS models are robust, flexible, and
prepared for deployment in next-generation vehicles. Table 4 contains some of the most
recent and valuable CAN datasets for IDSs, providing the release year, organization, and
URL of the shared repositories for each dataset. Then, the key features of the aforemen-
tioned CAN datasets are listed in Table 5. This information can provide valuable insights
to determine the most suitable CAN dataset for IDS design and development. Therefore,
we have classified the traffic categories of each attack and benign data point, with an
in-depth distinction: Real, Testbed, Virtual, and Manipulated. The Real class considers
only traffic (benign or attack) logged entirely from a real vehicle, without any subsequent
manipulation or simulation in a virtual environment. Clearly, attacks classified as real
have been performed by injecting additional CAN frames into the monitored IVN of the
real vehicle, for example, via the OBD-II port. The Testbed class instead considers those
datasets generated in physical testbeds, without the use of a vehicle connection during the
recording, for example, by emulating a real CAN network with discrete boards.

Table 4. Overview of most valuable CAN datasets, in chronological order.

Dataset Year Organization Repository URL

https://ocslab.hksecurity.net/Dataset/
OTIDS [82] [DS1] 2017 HCRL CAN-intrusion-dataset (accessed on 15
October 2024)
https://data.4tu.nl/articles/dataset/
Automotive_Controller_Area_Network_
Intrusion Dataset v2 [83] [DS2] 2019 TU Eindhoven
CAN_Bus_Intrusion_Dataset/12696950/2
(accessed on 15 October 2024)
https://github.com/etas/SynCAN
SynCAN [84] [DS3] 2019 Bosch
(accessed on 15 October 2024)
https://ocslab.hksecurity.net/Datasets/
CarHacking Challenge [85] [DS4] 2020 HCRL carchallenge2020 (accessed on 15 October
2024)
https://0xsam.com/road/ (accessed on 15
ROAD [86] [DS5] 2020 ORNL
October 2024)
https://www.crysys.hu/research/vehicle-
CrySyS [87] [DS6] 2023 CrySyS Lab
security (accessed on 15 October 2024)
https://github.com/sampathrajapaksha/
CAN-MIRGU [88] [DS7] 2024 Robert Gordon University
CAN-MIRGU (accessed on 15 October 2024)
https://ieee-dataport.org/open-access/x-
X-CANIDS [89] [DS8] 2024 HCRL canids-dataset-vehicle-signal-dataset
(accessed on 15 October 2024)

The Virtual class is assigned when the CAN traffic is fully generated in a virtual
environment, for example, in Matlab suite. Lastly, the Manipulated class is related to traffic
generated in a physical environment, and then manipulated to manually add/remove
CAN frames. When choosing a dataset, according to the IDS to be designed, the labeling
and traffic diversity characteristics should be considered. If, for example, the designed
IDS should cover at least a subset of the known attacks, then at least those attacks should
be included.
Electronics 2025, 14, 471 19 of 29

Also, a key aspect could be the total duration of the dataset, and its balancing between
benign and attack traffic, thus providing the most complete scenario possible to develop an
IDS. However, for each chosen dataset, some preliminary steps may be required to prepare
the data appropriately:
• Preprocessing: Cleaning and organizing data to remove noise and irrelevant informa-
tion, ensuring high-quality inputs for AI models.
• Dataset Analysis: Determining the main information of the dataset and defining
which CAN traffic characteristics to monitor in the IDS.
• Feature Extraction: Identifying and extracting relevant features from the CAN data,
such as message IDs, payload content, and timing information, which are crucial for
detecting anomalies.
In the following, an overview of the most common AI models for Intrusion Detection
Systems will be provided.

Table 5. Main characteristics of the considered CAN datasets.

Dataset Label Traffic Type Benign DoS Fuzzy Replay Spoof Susp. Masq. Traces No Attack Attack
DS1 No Real Yes Yes Yes - - Yes - 3 17 m 17 s 18 m 56 s
DS2 Yes Real/Testbed Yes Yes Yes Yes Yes Yes - 18 32 m 8 s 19 m 45 s
DS3 Mixed Real/Virtual Yes Yes Yes Yes Yes Yes Yes 5 13 h 24 h
DS4 Mixed Real Yes Yes Yes Yes Yes - - 13 2m 46 m
DS5 No Real Yes Yes Yes - Yes - Yes 33 3 h 0 m 32 s 27 m 10 s
DS6 Yes Real/Testbed Yes - Yes Yes Yes - Yes 1248 2 h 33 m 43 s 2 h 33 m 43 s
DS7 Yes Real Yes Yes Yes Yes Yes Yes Yes 36 17 h 8 m 10 s 2 h 54 m 56 s
32 m 42 s
DS8 Yes Real/Testbed Yes - Yes Yes Yes Yes Yes 126 3 h 28 m 25 s
each

6. AI Models for IDS in Automotive Cybersecurity

6.1. Statistical Learning Models
• In the context of vehicle cybersecurity, the Naive Bayes model is particularly useful for
detecting attacks on wired networks, such as those used in the CAN bus, which is the
main internal communication system in vehicles. CAN bus attacks, such as malicious
message injection or manipulation of data transmitted between vehicle components,
are a major security threat. Naive Bayes can be used to monitor and analyze messages
transmitted over the CAN network, identifying anomalies in communication patterns,
such as the message sequence, message identifier, and data length. Due to its simple
structure and ability to quickly calculate probabilities, the model can detect deviations
from normal behaviors, which may indicate malicious message injection. Additionally,
attacks such as Denial of Service (DoS), which aim to overload the vehicle’s wired
network by sending an excessive number of messages or requests, can be detected by
analyzing the frequency and distribution of transmitted messages. Naive Bayes, with
its low computational complexity O(n), is particularly suitable for these scenarios,
since it can be implemented in embedded systems with limited resources, ensuring a
rapid response to attacks without compromising the vehicle performance. The model’s
ability to operate in real time is crucial for the security of wired networks in vehicles,
where any delay in detecting an attack could compromise the operational safety of the
vehicle [90,91].
• The K-Nearest Neighbors (KNN) model is presented as an effective solution to detect
attacks on wired vehicle networks, such as those based on the CAN bus. In this
type of network, the risk of attacks, such as the injection of malicious messages
or the manipulation of communications between the various vehicle modules, is a
serious problem, as it can compromise the security and correct functioning of the
systems. KNN stands out for its simplicity and its ability to detect anomalies by
Electronics 2025, 14, 471 20 of 29

comparing new data with previous examples, without the need for a complex model.
In practice, the model analyzes the similarity between new observations and stored
historical data, classifying messages transmitted on the CAN network based on their
proximity to the most similar “neighbors”, which have been labeled as legitimate
or suspicious. When a suspicious message is transmitted on the network, KNN can
detect it by comparing the sequence, message identifier, and other characteristics with
pre-existing data, identifying any significant deviations. Another type of attack that
KNN can detect is a Denial of Service (DoS) attack, where an attacker sends a large
number of messages to the network to saturate it. In this case, the model can observe
the characteristics of the messages, such as frequency and temporal distribution,
and determine if there are any spikes or unusual patterns that suggest an ongoing
attack. The main strength of KNN is its ability to dynamically adapt to changes in the
data, since as new data is acquired, the model can easily update itself, improving its
ability to detect emerging threats. Although KNN can be more expensive in terms
of memory and computation than simpler models such as Naive Bayes, its distance-
based and proximity classification approach makes it particularly useful in scenarios
where deviations from normal network behavior are subtle and difficult to detect.
Additionally, KNN can be implemented on embedded systems, albeit with some
resource limitations, and can run in real time, which is essential for ensuring secure
communications on wired networks in vehicles. Its effectiveness depends on the
choice of an appropriate value of K, which determines the number of neighbors to
consider, and on the quality of the training data, which must be representative of
normal conditions and possible threats [92,93].
• In the context of vehicle cybersecurity, the linear regression model can be used to
detect attacks on wired networks, such as those using the CAN bus. Although linear
regression is not a classification model, its application in wired vehicle networks is
beneficial for detecting anomalies in data by analyzing the relationships between
different variables. The most common attacks on these networks include malicious
message injection or the manipulation of data passing between various vehicle com-
ponents. Linear regression can be used to monitor the relationship between various
communication parameters, such as message sequence, data length, and the time
interval between messages. Under normal conditions, these parameters will follow
predictable, linear trends. If an attack such as malicious message injection alters these
patterns, linear regression would be able to detect a discrepancy between the observed
data and those predicted by the model, flagging potential threats. For example, a
Denial of Service (DoS) attack could generate an abnormal amount of traffic on the
CAN network, suddenly changing the relationships between the number of messages
sent and the time elapsed between them. Linear regression, analyzing the historical
trend of the data, could identify these changes and suggest that the network traffic is
deviating from what would be considered normal. Another important aspect of linear
regression is its ability to make predictions. If the model is trained on historical, nor-
malized CAN communication data, it could provide an indication of what constitutes
expected network behavior, allowing it to easily identify when current data deviate
from this prediction. However, linear regression also has limitations in complex attack
scenarios. Because it assumes a linear relationship between variables, it may not be
able to detect attacks with more complex patterns, where the relationships between
the data do not follow a simple distribution. However, this model is extremely useful
for detecting anomalies in scenarios where the changes in the data are gradual or
follow regular trends, such as traffic spikes or fluctuations in message flow. Although
linear regression is not particularly computationally demanding and can be easily
Electronics 2025, 14, 471 21 of 29

implemented on resource-constrained embedded systems, its effectiveness depends

on the quality of the training data and its ability to adapt to nonlinear or unpredictable
behavior, which may require more sophisticated approaches [94,95].

6.2. Machine Learning Models

• Decision Trees are particularly useful in these scenarios because they provide a clear
and interpretable representation of rule-based decisions that can distinguish between
normal traffic and anomalous behavior. On the CAN bus, attacks such as malicious
message injection or communication tampering can be detected by analyzing various
message attributes, such as the message identifier, data length, and transmission time.
A Decision Tree can be trained to create rules based on these characteristics, where each
node represents a condition that separates data based on specific values, such as if the
message length exceeds a certain threshold or if the time between successive messages
is less than a normal value. When an attack, such as malicious message injection,
tampers with the usual behavior of CAN data, the Decision Tree can identify these
anomalies through the rules it has learned. For example, if network traffic suddenly
spikes in the number of messages with a certain ID, or if messages are sent at irregular
intervals, the Decision Tree can quickly isolate these events as anomalous compared
to normal traffic patterns. This approach is also useful for detecting Denial of Service
(DoS) attacks, where traffic volume suddenly increases to saturate the network. The
Decision Tree, through its decision rules, can recognize these changes in state and
report the attack. Another advantage of Decision Trees is their flexibility and ability to
adapt to complex data without requiring linear assumptions about the relationships
between variables. This makes them suitable for detecting attacks that may not follow
predictable, linear patterns, allowing them to capture a wider range of anomalous
behavior. However, a challenge with Decision Trees is the risk of overfitting, especially
if the tree is too deep and has too many rules that may be specific to the training
data. This can be mitigated through techniques such as pruning, which reduces the
complexity of the tree by eliminating branches that add little or no accuracy to the
predictions. Despite this, Decision Trees remain a powerful and interpretable model,
particularly suitable for embedded environments in vehicles, where it is essential to
have models that can run in real time and provide clear explanations for their sensing
decisions [96,97].
• Support Vector Machines (SVMs) are particularly suited to distinguish between nor-
mal and anomalous traffic in scenarios where the differences between the two classes
are subtle and not easily separable. The main goal of SVMs is to find an optimal hyper-
plane that separates the classes with the maximum margin, which makes them ideal
for detecting attacks such as malicious message injection or communication manipula-
tion, which can be difficult to distinguish from normal data flows. In the case of the
CAN bus, SVMs can analyze various characteristics of messages, such as the identifier,
length, time sequence, and transmission frequency, to establish a boundary between
legitimate data and potentially malicious data. When an attack occurs, such as in the
case of rogue message injection, new data may fall outside the margin established by
the SVM, thus signaling an anomaly. This approach is also effective for detecting DoS
attacks, where traffic volume suddenly and abnormally increases. SVMs can identify
these deviations from normal behavior, classifying them as potential attacks based
on their distance from the separating hyperplane. A significant advantage of SVMs
is their ability to handle high-dimensional spaces, making them useful in situations
where there are multiple data features to consider at once. Additionally, using the
kernel trick, SVMs can handle non-linearly separable problems by transforming the
Electronics 2025, 14, 471 22 of 29

data into a higher-dimensional space, where a hyperplane can separate classes more
effectively. This is particularly useful for detecting complex attacks that do not follow
simple linear patterns. However, SVMs can be computationally intensive, especially
during the training phase, and require a fair amount of resources to compute margins
and support vectors, which can be a challenge in resource-constrained embedded
environments. However, once trained, SVMs can operate in real time, which is critical
for the security of wired vehicle networks. Their ability to generalize well to unseen
data makes them a robust choice for cybersecurity applications, where accuracy and
the ability to detect new forms of attack are essential [98,99].
• Random Forest (RF) is an ensemble of Decision Trees that works by combining
predictions from many trees to improve the accuracy and robustness of the model
compared to a single Decision Tree. This approach is particularly useful for detecting
attacks such as fraudulent message injection or communication manipulation within
the CAN network, where individual message features (such as identifier, length,
and transmission time) can have subtle variations that are difficult to detect with
simple models. For attacks such as message injection, Random Forest can analyze
each message by running through multiple Decision Trees, each trained on different
portions of the data and with a different subset of features. This allows the model
to capture complex patterns and reduce the risk of overfitting, which is common in
single Decision Trees. When an anomalous message is detected, such as a message
with an unusual ID or sent at an unusual time, the multiple trees in the Random
Forest can converge to classify this message as anomalous. Random Forest is also
particularly effective at detecting DoS attacks, where traffic on the CAN network
suddenly increases to overload the system. Due to its ability to aggregate decisions
from multiple trees, Random Forest can detect these anomalies even when the attack
signals are subtle and distributed across many features. The model can handle a large
number of inputs and find correlations that individual trees might miss. Another
significant advantage of Random Forest is its robustness to noise in the data and
its ability to handle datasets with many features, without the need for excessive
preprocessing or dimension reduction. This makes it particularly suitable for the
complex environment of wired vehicle networks, where each message may contain
multiple attributes to analyze. However, Random Forest can be computationally
more expensive than simpler models, especially during the training phase, where
many trees must be built. Despite this, once trained, the model is fast and efficient
at inference, making it suitable for real-time implementation in embedded vehicle
systems, ensuring fast and accurate detection of attacks on wired networks [100,101].

6.3. Deep Learning Models

• Long Short-Term Memory (LSTM) is a type of recurrent neural network (RNN) de-
signed to learn and remember relevant information over long sequences, overcoming
the limitations of traditional RNNs that suffer from vanishing gradient problems.
In the CAN bus, communications occur sequentially and temporally, which makes
LSTMs particularly well suited for monitoring and detecting anomalies in message
flows. For example, an attack such as fraudulent message injection or traffic manipu-
lation may not be immediately apparent based on a single instance of data, but can
manifest itself through variations in the temporal pattern of transmissions. LSTMs, by
being able to learn the temporal dependencies between messages, can detect when
the data sequence begins to deviate from what is considered normal. If an attacker
attempts to inject messages with inconsistent transmission times or with IDs that
disrupt the typical sequence, LSTMs can identify these discrepancies as anomalies.
Electronics 2025, 14, 471 23 of 29

DoS attacks, which aim to overload the CAN network by sending a large number
of messages in rapid succession, can also be effectively detected with LSTMs. The
network can observe the sudden and sustained increase in traffic, distinguishing these
anomalous spikes from normal communication patterns. A key advantage of LSTMs
is their ability to handle both data that exhibit short-term relationships and data with
long-term relationships. This is particularly useful in detecting attacks that may have
cumulative or delayed effects over time, something that traditional models may not
capture effectively. However, training LSTM networks can be computationally in-
tensive and require a significant amount of training data to generalize well, which
may be a challenge in resource-constrained embedded systems in vehicles. However,
once trained, LSTMs can operate in real time, allowing the immediate detection of
anomalies in CAN network traffic, ensuring a high level of security for internal vehicle
communications [102,103].
• Convolutional Neural Networks (CNNs) automatically extract relevant features from
complex data structures, including temporal or sequential data that can be represented
as two-dimensional matrices. In the case of CAN networks, transmitted messages can
be transformed into a matrix representation, where each row could represent a message
and each column could represent an attribute of the message, such as the identifier,
data length, and timestamp. CNNs can then be used to detect complex spatial and
temporal patterns within this data, which could indicate anomalous behavior or
attacks. For example, a malicious message injection attack could alter regular message
patterns, introducing variations in the data that a CNN can recognize as deviations
from normal behavior. DoS attacks, which produce a sudden and anomalous increase
in message volume, can be detected by CNNs due to their ability to capture rapid
and distinct changes in data patterns. CNNs, by applying convolutional filters, can
quickly identify regions of the data where significant changes occur, signaling the
presence of a possible attack. One advantage of CNNs is their ability to reduce the
need for manual feature engineering, as convolutional filters can autonomously learn
the most significant features from the raw data. This is particularly useful in complex
environments such as wired vehicle networks, where it is difficult to determine a
priori which specific features are most indicative of an attack. However, CNNs require
considerable computational power, especially during the training phase, and large
amounts of data to learn effectively, which can be a challenge in resource-constrained
embedded systems. However, once trained, CNNs can operate efficiently in real time,
providing accurate and rapid detection of anomalies in network traffic, providing an
additional layer of security for vehicle communications [104,105].
• Autoencoders are unsupervised neural networks designed to learn a compressed
representation (encoding) of input data, and then reconstruct it as accurately as possi-
ble. Their ability to learn a compact and faithful representation of normal data makes
them ideal for anomaly detection, as any significant deviation from normal data, such
as attacks, will result in a higher reconstruction error. In the case of CAN networks,
autoencoders can be trained using only legitimate, non-compromised data. During
training, the network learns to compress and decompress network messages in a way
that minimizes information loss. When the autoencoder is exposed to anomalous
data, such as those generated by malicious message injection or denial of service
attacks, the trained models cannot accurately reconstruct these new data patterns,
resulting in a higher reconstruction error. This error can be used as a signal to identify
potential attacks. For example, in a message injection attack, the injected message data
will have temporal and structural characteristics that differ significantly from normal
data. The autoencoder, trained on normal CAN data, will not be able to accurately
Electronics 2025, 14, 471 24 of 29

reproduce these new data, signaling an anomaly. The same is true for DoS attacks,
where the sudden and irregular increase in traffic may produce a pattern that the
autoencoder cannot effectively reconstruct. A significant advantage of autoencoders
is that they do not require labeled data for training, which is useful in cybersecurity
contexts where obtaining a complete dataset of attacks can be difficult. However,
a potential disadvantage is that they require a sufficient amount of normal data to
train the model, and their ability to generalize may be limited if the training data
do not well represent all the variables of normal communication scenarios. Despite
these challenges, autoencoders are a powerful technique for anomaly detection, being
able to operate in real time on embedded systems, offering an efficient and accurate
solution to protect wired vehicle networks from potential threats [106,107].

7. Conclusions and Future Work

This paper provides a comprehensive review of the evolution of automotive E/E
architectures, with a particular focus on the critical role of cybersecurity within in-vehicle
networks, specifically the Controller Area Network (CAN) protocol. We have thoroughly
examined the capabilities and limitations of various AI-based Intrusion Detection Systems
(IDSs), including statistical learning models, machine learning approaches, and deep
learning techniques. Each model was analyzed in the context of its effectiveness in detecting
a range of cyberattacks prevalent in automotive networks. One of the key innovations
introduced in this review is the detailed categorization and comparative analysis of AI-
driven IDS methodologies tailored for the automotive domain. Unlike previous works
that often provide a general overview of IDS solutions, this review emphasizes the unique
challenges posed by automotive-grade embedded systems, such as limited computational
resources, the necessity for real-time detection, and strict safety requirements. Additionally,
we have highlighted the importance of integrating Explainable AI (XAI) and Embedded AI
(EAI) to enhance the transparency and efficiency of IDSs in the automotive context. These
aspects represent significant advancements over the current state of the art, providing a
more focused lens on how AI can be optimized for vehicular cybersecurity. Despite these
advancements, several areas warrant further investigation to ensure that IDS solutions
can meet the growing demands of modern, highly connected vehicles. Future research
directions include the following:
• Scalability: With the advent of increasingly complex in-vehicle networks and the
growth of autonomous driving technologies, it is imperative to develop IDS solutions
that can scale to manage the rising volume and complexity of network traffic without
degrading performance.
• Transparency and Explainability: The integration of XAI techniques is critical to build
trust in IDS decisions. Future work should aim at making AI-based IDS decisions
interpretable by engineers and other stakeholders, which is essential for debugging,
validation, and compliance with safety standards.
• Adaptability: As cyber threats evolve, IDSs must adapt in real time to detect new,
sophisticated attacks. Research should focus on incorporating online learning mecha-
nisms to enhance the adaptive capabilities of IDS systems.
• Performance on Embedded Platforms: The deployment of IDSs on actual automotive-
grade embedded platforms must be rigorously assessed. Future work should ensure
that these systems operate within the stringent real-time constraints of automotive
environments without imposing significant overhead on vehicle ECUs.
• Integration with Automotive Standards: Ensuring compliance with standards such
as ISO/SAE 21434 will facilitate the adoption of IDS solutions within the industry.
Electronics 2025, 14, 471 25 of 29

Future research should explore ways to align IDS development with these standards
to ensure security without compromising compliance.
• Energy Efficiency: Given the limited power resources in vehicles, future research
should explore energy-efficient IDS implementations that minimize power consump-
tion while maintaining high detection accuracy.
In conclusion, this review not only consolidates existing knowledge but also introduces
novel insights into the application of AI-based IDSs in the automotive sector. By addressing
the outlined research directions, future studies can contribute to the development of more
robust, scalable, and efficient IDS solutions. Such advancements are crucial for safeguarding
the next generation of connected and autonomous vehicles from an ever-growing landscape
of cyber threats.

Author Contributions: All authors have contributed equally to this article. All authors have read
and agreed to the published version of the manuscript.

Funding: This research has been partially supported by CN1 Spoke 6; by HARDNESS PE SERICS
Spoke 7; MIUR project FoReLab.

Data Availability Statement: No new data have been generated.

Conflicts of Interest: Stefano Mazzetti was employed by the company ESWS. The remaining authors
declare that the research was conducted in the absence of any commercial or financial relationship
that could be construed as a potential conflict of interest.

References
1. Zhu, H.; Zhou, W.; Li, Z.; Li, L.; Huang, T. Requirements-driven automotive electrical/electronic architecture: A survey and
prospective trends. IEEE Access 2021, 9, 100096–100112. [CrossRef]
2. Askaripoor, H.; Hashemi Farzaneh, M.; Knoll, A. E/E architecture synthesis: Challenges and technologies. Electronics 2022,
11, 518. [CrossRef]
3. Bandur, V.; Selim, G.; Pantelic, V.; Lawford, M. Making the case for centralized automotive E/E architectures. IEEE Trans. Veh.
Technol. 2021, 70, 1230–1245. [CrossRef]
4. Brunner, S.; Roder, J.; Kucera, M.; Waas, T. Automotive E/E-architecture enhancements by usage of ethernet TSN. In Proceedings
of the 2017 13th Workshop on Intelligent Solutions in Embedded Systems (WISES), Hamburg, Germany, 12–13 June 2017; pp. 9–13.
5. Young, C.; Zambreno, J.; Olufowobi, H.; Bloom, G. Survey of automotive controller area network intrusion detection systems.
IEEE Des. Test 2019, 36, 48–55. [CrossRef]
6. Bozdal, M.; Samie, M.; Jennions, I. A survey on can bus protocol: Attacks, challenges, and potential solutions. In Proceedings of
the 2018 International Conference on Computing, Electronics & Communications Engineering (iCCECE), Southend, UK, 16–17
August 2018; pp. 201–205.
7. Bozdal, M.; Samie, M.; Aslam, S.; Jennions, I. Evaluation of can bus security challenges. Sensors 2020, 20, 2364. [CrossRef]
[PubMed]
8. Checkoway, S.; McCoy, D.; Kantor, B.; Anderson, D.; Shacham, H.; Savage, S.; Koscher, K.; Czeskis, A.; Roesner, F.; Kohno, T.
Comprehensive experimental analyses of automotive attack surfaces. In Proceedings of the 20th USENIX Security Symposium
(USENIX Security 11), San Francisco, CA, USA, 8–12 August 2011.
9. Rouf, I.; Miller, R.; Mustafa, H.; Taylor, T.; Oh, S.; Xu, W.; Gruteser, M.; Trappe, W.; Seskar, I. Security and privacy vulnerabilities
of {In-Car} wireless networks: A tire pressure monitoring system case study. In Proceedings of the 19th USENIX Security
Symposium (USENIX Security 10), Washington, DC, USA, 11–13 August 2010.
10. Hoppe, T.; Kiltz, S.; Dittmann, J. Security threats to automotive CAN networks—Practical examples and selected short-term
countermeasures. Reliab. Eng. Syst. Saf. 2011, 96, 11–25. [CrossRef]
11. Wang, Q.; Lu, Z.; Qu, G. An entropy analysis based intrusion detection system for controller area network in vehicles. In
Proceedings of the 2018 31st IEEE International System-on-Chip Conference (SOCC), Arlington, VA, USA, 4–7 September 2018;
pp. 90–95.
12. Lokman, S.F.; Othman, A.T.; Abu-Bakar, M.H. Intrusion detection system for automotive Controller Area Network (CAN) bus
system: A review. EURASIP J. Wirel. Commun. Netw. 2019, 2019, 184. [CrossRef]
13. Zhang, L.; Ma, D. A hybrid approach toward efficient and accurate intrusion detection for in-vehicle networks. IEEE Access 2022,
10, 10852–10866. [CrossRef]
Electronics 2025, 14, 471 26 of 29

14. Longari, S.; Noseda, F.; Carminati, M.; Zanero, S. Evaluating the Robustness of Automotive Intrusion Detection Systems Against
Evasion Attacks. In Proceedings of the International Symposium on Cyber Security, Cryptology, and Machine Learning, Beer
Sheva, Israel, 29–30 June 2023; Springer: Berlin/Heidelberg, Germany, 2023; pp. 337–352.
15. Zhou, J.; Xie, G.; Yu, S.; Li, R. Clock-based sender identification and attack detection for automotive CAN network. IEEE Access
2020, 9, 2665–2679. [CrossRef]
16. Abreu, R.; Simão, E.; Serôdio, C.; Branco, F.; Valente, A. Enhancing IoT Security in Vehicles: A Comprehensive Review of
AI-Driven Solutions for Cyber-Threat Detection. AI 2024, 5, 2279–2299. [CrossRef]
17. Pascale, F.; Adinolfi, E.A.; Coppola, S.; Santonicola, E. Cybersecurity in automotive: An intrusion detection system in connected
vehicles. Electronics 2021, 10, 1765. [CrossRef]
18. Luo, F.; Zhang, X.; Yang, Z.; Jiang, Y.; Wang, J.; Wu, M.; Feng, W. Cybersecurity testing for automotive domain: A survey. Sensors
2022, 22, 9211. [CrossRef]
19. Kifor, C.V.; Popescu, A. Automotive cybersecurity: A Survey on frameworks, standards, and testing and monitoring technologies.
Sensors 2024, 24, 6139. [CrossRef]
20. Fernandez de Arroyabe, I.; Watson, T.; Phillips, I. Cybersecurity Maintenance in the Automotive Industry Challenges and
Solutions: A Technology Adoption Approach. Future Internet 2024, 16, 395. [CrossRef]
21. Jiang, S. Vehicle E/E Architecture and Its Adaptation to New Technical Trends; Technical report, SAE Technical Paper; SAE: Warrendale,
PA, USA, 2019.
22. Guissouma, H.; Hohl, C.P.; Lesniak, F.; Schindewolf, M.; Becker, J.; Sax, E. Lifecycle management of automotive safety-critical
over the air updates: A systems approach. IEEE Access 2022, 10, 57696–57717. [CrossRef]
23. Mariño, A.G.; Fons, F.; Arostegui, J.M.M. The future roadmap of in-vehicle network processing: A HW-centric (R-) evolution.
IEEE Access 2022, 10, 69223–69249. [CrossRef]
24. Hussein, H.M.; Ibrahim, A.M.; Taha, R.A.; Rafin, S.S.; Abdelrahman, M.S.; Kharchouf, I.; Mohammed, O.A. State-of-the-Art
Electric Vehicle Modeling: Architectures, Control, and Regulations. Electronics 2024, 13, 3578. [CrossRef]
25. ISO 17987; Road Vehicles—Local Interconnect Network (LIN). ISO: Geneva, Switzerland, 2016.
26. ISO 21806; Road Vehicles—Media Oriented Systems Transport (MOST). ISO: Geneva, Switzerland, 2020.
27. ISO 17458; Road Vehicles—FlexRay Communications System. ISO: Geneva, Switzerland, 2013.
28. ISO 21111; Road Vehicles—In-Vehicle Ethernet. ISO: Geneva, Switzerland, 2020.
29. ISO/IEC/IEEE 8802-1BA; Information Technology—Telecommunications and Information Exchange Between Systems—Local
and Metropolitan Area Networks—Specific Requirements-Part 1BA: Audio Video Bridging (AVB) Systems. ISO: Geneva,
Switzerland, 2023.
30. ISO 11898; Road Vehicles—Controller Area Network (CAN). ISO: Geneva, Switzerland, 2024.
31. Schulte, W. TSN-Time-Sensitive Networking; VDE Verlag GmbH: Berlin, Germany, 2020.
32. Rodríguez, B.; Sanjurjo, E.; Tranchero, M.; Romano, C.; González, F. Thermal parameter and state estimation for digital twins of
e-powertrain components. IEEE Access 2021, 9, 97384–97400. [CrossRef]
33. Lin, M.; Xie, H.; Shan, M. A hybrid multiscale permutation entropy-based fault diagnosis and inconsistency evaluation approach
for lithium battery of E-vehicles. IEEE Access 2022, 10, 104757–104768. [CrossRef]
34. Karopoulos, G.; Kambourakis, G.; Chatzoglou, E.; Hernández-Ramos, J.L.; Kouliaridis, V. Demystifying in-vehicle intrusion
detection systems: A survey of surveys and a meta-taxonomy. Electronics 2022, 11, 1072. [CrossRef]
35. Otoum, Y.; Nayak, A. As-ids: Anomaly and signature based ids for the internet of things. J. Netw. Syst. Manag. 2021, 29, 23.
[CrossRef]
36. Dini, P.; Elhanashi, A.; Begni, A.; Saponara, S.; Zheng, Q.; Gasmi, K. Overview on intrusion detection systems design exploiting
machine learning for networking cybersecurity. Appl. Sci. 2023, 13, 7507. [CrossRef]
37. Wang, D.; Ganesan, S. Automotive domain controller. In Proceedings of the 2020 International Conference on Computing and
Information Technology (ICCIT-1441), Tabuk, Saudi Arabia, 9–10 September 2020; pp. 1–5.
38. Kilian, P.; Koller, O.; Van Bergen, P.; Gebauer, C.; Dazer, M. Safety-related availability in the power supply domain. IEEE Access
2022, 10, 47869–47880. [CrossRef]
39. ISO 26262; Road Vehicles—Functional Safety. ISO: Geneva, Switzerland, 2018.
40. Vdovic, H.; Babic, J.; Podobnik, V. Automotive software in connected and autonomous electric vehicles: A review. IEEE Access
2019, 7, 166365–166379. [CrossRef]
41. De Gelder, E.; Elrofai, H.; Saberi, A.K.; Paardekooper, J.P.; Den Camp, O.O.; De Schutter, B. Risk quantification for automated
driving systems in real-world driving scenarios. IEEE Access 2021, 9, 168953–168970. [CrossRef]
42. Ranjbar, B.; Safaei, B.; Ejlali, A.; Kumar, A. FANTOM: Fault tolerant task-drop aware scheduling for mixed-criticality systems.
IEEE Access 2020, 8, 187232–187248. [CrossRef]
43. Canino, N.; Di Matteo, S.; Rossi, D.; Saponara, S. HW-SW interface design and implementation for error logging and reporting
for RAS improvement. IEEE Access 2024, 12, 60081–60094. [CrossRef]
Electronics 2025, 14, 471 27 of 29

44. Girdhar, M.; You, Y.; Song, T.J.; Ghosh, S.; Hong, J. Post-Accident Cyberattack Event Analysis for Connected and Automated
Vehicles. IEEE Access 2022, 10, 83176–83194. [CrossRef]
45. Sharma, P.; Gillanders, J. Cybersecurity and Forensics in Connected Autonomous Vehicles: A Review of the State-of-the-Art.
IEEE Access 2022, 10, 108979–108996. [CrossRef]
46. ISO/SAE 21434; Road Vehicles—Cybersecurity Engineering. ISO: Geneva, Switzerland; SAE: Warrendale, PA, USA, 2018.
47. Costantino, G.; De Vincenzi, M.; Matteucci, I. A comparative analysis of unece wp. 29 r155 and ISO/SAE 21434. In Proceedings of
the 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Genoa, Italy, 6–10 June 2022; pp. 340–347.
48. Macher, G.; Schmittner, C.; Veledar, O.; Brenner, E. ISO/SAE DIS 21434 automotive cybersecurity standard-in a nutshell. In
Proceedings of the Computer Safety, Reliability, and Security. SAFECOMP 2020 Workshops: DECSoS 2020, DepDevOps 2020,
USDAI 2020, and WAISE 2020, Lisbon, Portugal, 15 September 2020; Proceedings 39; Springer: Berlin/Heidelberg, Germany,
2020; pp. 123–135.
49. UNECE. UN Regulation No.155-Cyber Security and Cyber Security Management System; UNECE: Geneva, Switzerland, 2021.
50. UNECE. UN Regulation No.156-Software Update and Software Update Management System; UNECE: Geneva, Switzerland, 2021.
51. Miller, C. Remote exploitation of an unaltered passenger vehicle. In Proceedings of the Black Hat USA, Las Vegas, NV, USA, 1–6
August 2015.
52. Jing, P.; Cai, Z.; Cao, Y.; Yu, L.; Du, Y.; Zhang, W.; Qian, C.; Luo, X.; Nie, S.; Wu, S. Revisiting automotive attack surfaces: A
practitioners’ perspective. In Proceedings of the 2024 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA,
19–23 May 2024; pp. 2348–2365.
53. Marksteiner, S.; Priller, P. A model-driven methodology for automotive cybersecurity test case generation. In Proceedings of
the 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Vienna, Austria, 7–11 September 2021;
pp. 129–135.
54. Cho, K.T.; Shin, K.G. Error handling of in-vehicle networks makes them vulnerable. In Proceedings of the 2016 ACM SIGSAC
Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016; pp. 1044–1055.
55. Gumrukcu, E.; Arsalan, A.; Muriithi, G.; Joglekar, C.; Aboulebdeh, A.; Zehir, M.A.; Papari, B.; Monti, A. Impact of cyber-attacks
on EV charging coordination: The case of single point of failure. In Proceedings of the 2022 4th Global Power, Energy and
Communication Conference (GPECOM), Cappadocia, Turkey, 14–17 June 2022; pp. 506–511.
56. Specification, C. Bosch. Robert Bosch Gmbh Postfach 1991, 50, 15.
57. Koscher, K.; Czeskis, A.; Roesner, F.; Patel, S.; Kohno, T.; Checkoway, S.; McCoy, D.; Kantor, B.; Anderson, D.; Shacham, H.; et al.
Experimental security analysis of a modern automobile. In Proceedings of the 2010 IEEE Symposium on Security and Privacy,
Oakland, CA, USA, 16–19 May 2010; pp. 447–462.
58. Jo, H.J.; Choi, W. A survey of attacks on controller area networks and corresponding countermeasures. IEEE Trans. Intell. Transp.
Syst. 2021, 23, 6123–6141. [CrossRef]
59. Perraud, E. Machine learning algorithm of detection of DoS attacks on an automotive telematic unit. Int. J. Comput. Netw.
Commun. (IJCNC) 2019, 11, 27–43. [CrossRef]
60. Jedh, M.; Othmane, L.B.; Ahmed, N.; Bhargava, B. Detection of message injection attacks onto the can bus using similarities of
successive messages-sequence graphs. IEEE Trans. Inf. Forensics Secur. 2021, 16, 4133–4146. [CrossRef]
61. Lee, H.; Choi, K.; Chung, K.; Kim, J.; Yim, K. Fuzzing can packets into automobiles. In Proceedings of the 2015 IEEE 29th
International Conference on Advanced Information Networking and Applications, Gwangiu, Republic of Korea, 24–27 March
2015; pp. 817–821.
62. Csikor, L.; Lim, H.W.; Wong, J.W.; Ramesh, S.; Parameswarath, R.P.; Chan, M.C. Rollback: A new time-agnostic replay attack
against the automotive remote keyless entry systems. ACM Trans. Cyber-Phys. Syst. 2024, 8, 1–25. [CrossRef]
63. Van Der Merwe, J.R.; Zubizarreta, X.; Lukčin, I.; Rügamer, A.; Felber, W. Classification of spoofing attack types. In Proceedings of
the 2018 European Navigation Conference (ENC), Gothenburg, Sweden, 14–17 May 2018; pp. 91–99.
64. Lee, S.; Choi, W.; Jo, H.J.; Lee, D.H. ErrIDS: An enhanced cumulative timing error-based automotive intrusion detection system.
IEEE Trans. Intell. Transp. Syst. 2023, 24, 12406–12421. [CrossRef]
65. Jo, H.J.; Kim, J.H.; Choi, H.Y.; Choi, W.; Lee, D.H.; Lee, I. Mauth-can: Masquerade-attack-proof authentication for in-vehicle
networks. IEEE Trans. Veh. Technol. 2019, 69, 2204–2218. [CrossRef]
66. Rajapaksha, S.; Kalutarage, H.; Al-Kadri, M.O.; Petrovski, A.; Madzudzo, G.; Cheah, M. Ai-based intrusion detection systems for
in-vehicle networks: A survey. ACM Comput. Surv. 2023, 55, 1–40. [CrossRef]
67. Studnia, I.; Alata, E.; Nicomette, V.; Kaâniche, M.; Laarouchi, Y. A language-based intrusion detection approach for automotive
embedded networks. Int. J. Embed. Syst. 2018, 10, 1–12. [CrossRef]
68. Jin, S.; Chung, J.G.; Xu, Y. Signature-based intrusion detection system (IDS) for in-vehicle CAN bus network. In Proceedings of
the 2021 IEEE International Symposium on Circuits and Systems (ISCAS), Daegu, Republic of Korea, 22–28 May 2021; pp. 1–5.
69. Tomandl, A.; Fuchs, K.P.; Federrath, H. REST-Net: A dynamic rule-based IDS for VANETs. In Proceedings of the 2014 7th IFIP
Wireless and Mobile Networking Conference (WMNC), Vilamoura, Portugal, 20–22 May 2014; pp. 1–8.
Electronics 2025, 14, 471 28 of 29

70. Groza, B.; Murvay, P.S. Efficient intrusion detection with bloom filtering in controller area networks. IEEE Trans. Inf. Forensics
Secur. 2018, 14, 1037–1051. [CrossRef]
71. Aliyu, I.; Feliciano, M.C.; Van Engelenburg, S.; Kim, D.O.; Lim, C.G. A blockchain-based federated forest for SDN-enabled
in-vehicle network intrusion detection system. IEEE Access 2021, 9, 102593–102608. [CrossRef]
72. Dini, P.; Begni, A.; Ciavarella, S.; De Paoli, E.; Fiorelli, G.; Silvestro, C.; Saponara, S. Design and testing novel one-class classifier
based on polynomial interpolation with application to networking security. IEEE Access 2022, 10, 67910–67924. [CrossRef]
73. Dini, P.; Saponara, S. Design and Experimental Assessment of Real-Time Anomaly Detection Techniques for Automotive
Cybersecurity. Sensors 2023, 23, 9231. [CrossRef]
74. Cho, K.T.; Shin, K.G. Fingerprinting electronic control units for vehicle intrusion detection. In Proceedings of the 25th USENIX
Security Symposium (USENIX Security 16), Austin, TX, USA, 10–12 August 2016; pp. 911–927.
75. Hafeez, A.; Rehman, K.; Malik, H. State of the Art Survey on Comparison of Physical Fingerprinting-Based Intrusion Detection Techniques
for In-Vehicle Security; Technical report, SAE Technical Paper; SAE: Warrendale, PA, USA, 2020.
76. Choi, W.; Joo, K.; Jo, H.J.; Park, M.C.; Lee, D.H. VoltageIDS: Low-level communication characteristics for automotive intrusion
detection system. IEEE Trans. Inf. Forensics Secur. 2018, 13, 2114–2129. [CrossRef]
77. Zhao, Y.; Xun, Y.; Liu, J. ClockIDS: A real-time vehicle intrusion detection system based on clock skew. IEEE Internet Things J.
2022, 9, 15593–15606. [CrossRef]
78. Rosadini, C.; Chiarelli, S.; Cornelio, A.; Nesci, W.; Saponara, S.; Dini, P.; Gagliardi, A. Method for Protection from Cyber Attacks
to a Vehicle Based Upon Time Analysis, and Corresponding Device. U.S. Patent Application 18/163,488, 2 February 2023.
79. Wang, C.; Zhao, Z.; Gong, L.; Zhu, L.; Liu, Z.; Cheng, X. A distributed anomaly detection system for in-vehicle network using
HTM. IEEE Access 2018, 6, 9091–9098. [CrossRef]
80. Adadi, A.; Berrada, M. Peeking inside the black-box: A survey on explainable artificial intelligence (XAI). IEEE Access 2018,
6, 52138–52160. [CrossRef]
81. Zhang, Z.; Li, J. A review of artificial intelligence in embedded systems. Micromachines 2023, 14, 897. [CrossRef] [PubMed]
82. Lee, H.; Jeong, S.H.; Kim, H.K. OTIDS: A novel intrusion detection system for in-vehicle network by using remote frame. In
Proceedings of the 2017 15th Annual Conference on Privacy, Security and Trust (PST), Calgary, AB, Canada, 28–30 August 2017;
pp. 57–5709.
83. Dupont, G.; Lekidis, A.; Den Hartog, J.; Etalle, S. Automotive Controller Area Network (CAN) Bus Intrusion Dataset v2. Version
2. 4TU.ResearchData. Dataset 2019. [CrossRef]
84. Hanselmann, M.; Strauss, T.; Dormann, K.; Ulmer, H. CANet: An Unsupervised Intrusion Detection System for High Dimensional
CAN Bus Data. IEEE Access 2020, 8, 58194–58205. [CrossRef]
85. Kang, H.; Kwak, B.I.; Lee, Y.H.; Lee, H.; Lee, H.; Kim, H.K. Car hacking and defense competition on in-vehicle network. In
Proceedings of the Workshop on Automotive and Autonomous Vehicle Security (AutoSec), Online, 25 February 2021; Volume 2021,
p. 25.
86. Verma, M.E.; Iannacone, M.D.; Bridges, R.A.; Hollifield, S.C.; Moriano, P.; Kay, B.; Combs, F.L. Addressing the lack of comparability
& testing in can intrusion detection research: A comprehensive guide to can ids data & introduction of the road dataset. arXiv
2020, arXiv:2012.14600.
87. Gazdag, A.; Ferenc, R.; Buttyán, L. CrySyS dataset of CAN traffic logs containing fabrication and masquerade attacks. Sci. Data
2023, 10, 903. [CrossRef]
88. Rajapaksha, S.; Madzudzo, G.; Kalutarage, H.; Petrovski, A.; Al-Kadri, M.O. CAN-MIRGU: A Comprehensive CAN Bus Attack
Dataset from Moving Vehicles for Intrusion Detection System Evaluation. In Proceedings of the Symposium on Vehicles Security
and Privacy. Internet Society, San Diego, CA, USA, 26 February 2024.
89. Jeong, S.; Lee, S.; Lee, H.; Kim, H.K. X-CANIDS: Signal-Aware Explainable Intrusion Detection System for Controller Area
Network-Based In-Vehicle Network. IEEE Trans. Veh. Technol. 2024, 73, 3230–3246. [CrossRef]
90. Islam, R.; Devnath, M.K.; Samad, M.D.; Al Kadry, S.M.J. GGNB: Graph-based Gaussian naive Bayes intrusion detection system
for CAN bus. Veh. Commun. 2022, 33, 100442. [CrossRef]
91. Lampe, B.; Meng, W. Intrusion Detection in the Automotive Domain: A Comprehensive Review. IEEE Commun. Surv. Tutor. 2023,
25, 2356–2426. [CrossRef]
92. Anthony, C.; Elgenaidi, W.; Rao, M. Intrusion detection system for autonomous vehicles using non-tree based machine learning
algorithms. Electronics 2024, 13, 809. [CrossRef]
93. Kousar, A.; Ahmed, S.; Altamimi, A.; Khan, Z.A. A Novel Light-Weight Machine Learning Classifier for Intrusion Detection in
Controller Area Network in Smart Cars. Smart Cities 2024, 7, 3289–3314. [CrossRef]
94. Dakic, P.; Zivkovic, M.; Jovanovic, L.; Bacanin, N.; Antonijevic, M.; Kaljevic, J.; Simic, V. Intrusion detection using metaheuristic
optimization within IoT/IIoT systems and software of autonomous vehicles. Sci. Rep. 2024, 14, 22884. [CrossRef] [PubMed]
95. Bi, Z.; Xu, G.; Xu, G.; Wang, C.; Zhang, S. Bit-level automotive controller area network message reverse framework based on
linear regression. Sensors 2022, 22, 981. [CrossRef] [PubMed]
Electronics 2025, 14, 471 29 of 29

96. Azam, Z.; Islam, M.M.; Huda, M.N. Comparative Analysis of Intrusion Detection Systems and Machine Learning-Based Model
Analysis Through Decision Tree. IEEE Access 2023, 11, 80348–80391. [CrossRef]
97. Sowka, K.; Palade, V.; Jadidbonab, H.; Wooderson, P.; Nguyen, H. A review on automatic generation of attack trees and its
application to automotive cybersecurity. In Artificial Intelligence and Cyber Security in Industry 4.0; Springer: Berlin/Heidelberg,
Germany, 2023; pp. 165–193.
98. Avatefipour, O.; Al-Sumaiti, A.S.; El-Sherbeeny, A.M.; Awwad, E.M.; Elmeligy, M.A.; Mohamed, M.A.; Malik, H. An Intelligent
Secured Framework for Cyberattack Detection in Electric Vehicles’ CAN Bus Using Machine Learning. IEEE Access 2019,
7, 127580–127592. [CrossRef]
99. Ashraf, M.W.A.; Singh, A.R.; Pandian, A.; Rathore, R.S.; Bajaj, M.; Zaitsev, I. A hybrid approach using support vector machine
rule-based system: Detecting cyber threats in internet of things. Sci. Rep. 2024, 14, 27058. [CrossRef] [PubMed]
100. Caivano, D.; Catalano, C.; De Vincentiis, M.; Lako, A.; Pagano, A. MaREA: Multi-class Random Forest for Automotive Intrusion
Detection. In Proceedings of the International Conference on Product-Focused Software Process Improvement, Dornbirn, Austria,
10–13 December 2023; Springer: Berlin/Heidelberg, Germany, 2023; pp. 23–34.
101. Reddy, C.M.; Anbarasi, A.; Mohankumar, N.; Ishwarya, M.V.; Murugan, S. Cloud-Based Road Safety for Real-Time Vehicle
Rash Driving Alerts with Random Forest Algorithm. In Proceedings of the 2024 3rd International Conference for Innovation in
Technology (INOCON), Bangalore, India, 1–3 March 2024; pp. 1–6. [CrossRef]
102. Longari, S.; Nova Valcarcel, D.H.; Zago, M.; Carminati, M.; Zanero, S. CANnolo: An Anomaly Detection System Based on LSTM
Autoencoders for Controller Area Network. IEEE Trans. Netw. Serv. Manag. 2021, 18, 1913–1924. [CrossRef]
103. Zhang, H.; Kang, C.; Xiao, Y. Research on network security situation awareness based on the LSTM-DT model. Sensors 2021,
21, 4788. [CrossRef]
104. Chougule, A.; Kulkarni, I.; Alladi, T.; Chamola, V.; Yu, F.R. HybridSecNet: In-Vehicle Security on Controller Area Networks
Through a Hybrid Two-Step LSTM-CNN Model. IEEE Trans. Veh. Technol. 2024, 73, 14580–14591. [CrossRef]
105. Na, I.S.; Haldorai, A.; Naik, N. Federal Deep Learning Approach of Intrusion Detection System for In-Vehicle Communication
Network Security. IEEE Access 2025, 13, 2215–2228. [CrossRef]
106. Wei, P.; Wang, B.; Dai, X.; Li, L.; He, F. A novel intrusion detection model for the CAN bus packet of in-vehicle network based on
attention mechanism and autoencoder. Digit. Commun. Netw. 2023, 9, 14–21. [CrossRef]
107. Kim, T.; Kim, J.; You, I. An Anomaly Detection Method Based on Multiple LSTM-Autoencoder Models for In-Vehicle Network.
Electronics 2023, 12, 3543. [CrossRef]

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.