Resumen
Integrating embedded systems into next-generation vehicles is proliferating as they increase safety, efficiency, and driving comfort. These functionalities are provided by hundreds of electronic control units (ECUs) that communicate with each other using various protocols that, if not properly designed, may be vulnerable to local or remote attacks. The paper presents a vehicle-security operation center for improving automotive security (V-SOC4AS) to enhance the detection, response, and prevention of cyber-attacks in the automotive context. The goal is to monitor in real-time each subsystem of intra-vehicle communication, that is controller area network (CAN), local interconnect network (LIN), FlexRay, media oriented systems transport (MOST), and Ethernet. Therefore, to achieve this goal, security information and event management (SIEM) was used to monitor and detect malicious attacks in intra-vehicle and inter-vehicle communications: messages transmitted between vehicle ECUs; infotainment and telematics systems, which provide passengers with entertainment capabilities and information about the vehicle system; and vehicular ports, which allow vehicles to connect to diagnostic devices, upload content of various types. As a result, this allows the automation and improvement of threat detection and incident response processes. Furthermore, the V-SOC4AS allows the classification of the received message as malicious and non-malicious and acquisition of additional information about the type of attack. Thus, this reduces the detection time and provides more support for response activities. Experimental evaluation was conducted on two state-of-the-art attacks: denial of service (DoS) and fuzzing. An open-source dataset was used to simulate the vehicles. V-SOC4AS exploits security information and event management to analyze the packets sent by a vehicle using a rule-based mechanism. If the payload contains a CAN frame attack, it is notified to the SOC analysts.