{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,11]],"date-time":"2026-02-11T19:05:16Z","timestamp":1770836716913,"version":"3.50.1"},"reference-count":52,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2026,2,11]],"date-time":"2026-02-11T00:00:00Z","timestamp":1770768000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Systems"],"abstract":"<jats:p>SOME\/IP is a core AUTOSAR middleware for Automotive Ethernet, enabling scalable service-oriented communication among distributed embedded devices; however, its lack of built-in authentication, encryption, and integrity protection exposes vehicles to threats such as eavesdropping, denial-of-service, fuzzing, and man-in-the-middle attacks. To study these risks, we empirically reproduce representative attack behaviors in a realistic SOME\/IP simulation and propose an anomaly detection framework tailored to SOME\/IP traffic. The framework parses raw Ethernet frames into layered SOME\/IP and SOME\/IP Service Discovery representations and extracts behavior-centric features, including time-interval variation, payload likelihood and entropy, and payload and length change rates. Based on these features, it performs real-time classification using an XGBoost-based model. Experimental evaluation on a large-scale dataset demonstrates that the proposed approach achieves 0.93 PR-AUC, 0.99 ROC-AUC, and a 0.97 F1-score on a real-world-reflective, imbalanced dataset, while also delivering an end-to-end efficiency of 0.556 ms per packet, covering both feature generation and XGBoost inference.<\/jats:p>","DOI":"10.3390\/systems14020196","type":"journal-article","created":{"date-parts":[[2026,2,11]],"date-time":"2026-02-11T17:45:36Z","timestamp":1770831936000},"page":"196","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["XGBoost-Based Anomaly Detection Framework for SOME\/IP in In-Vehicle Networks"],"prefix":"10.3390","volume":"14","author":[{"given":"TaeGuen","family":"Kim","sequence":"first","affiliation":[{"name":"Department of Cyber Security, Korea University Sejong, Sejong 30019, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-1673-8032","authenticated-orcid":false,"given":"Hyeon","family":"Park","sequence":"additional","affiliation":[{"name":"Department of Cyber Security, Korea University Sejong, Sejong 30019, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0604-3445","authenticated-orcid":false,"given":"Ilsun","family":"You","sequence":"additional","affiliation":[{"name":"Department of Financial Information Security, Kookmin University, Seoul 02707, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Byung Il","family":"Kwak","sequence":"additional","affiliation":[{"name":"Department of Cyber Security, Korea University Sejong, Sejong 30019, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2026,2,11]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1109\/MVT.2020.2980444","article-title":"Protecting in-vehicle services: Security enabled SOME\/IP middleware","volume":"15","author":"Iorio","year":"2020","journal-title":"IEEE Veh. Technol. Mag."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"1574","DOI":"10.1109\/COMST.2022.3178081","article-title":"Survey on issues and recent advances in vehicular public key infrastructure","volume":"24","author":"Khan","year":"2022","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_3","unstructured":"(2026, January 28). SOME\/IP Network Traffic Dataset with Simulated Attack Scenarios. Available online: https:\/\/doi.org\/10.6084\/m9.figshare.30970450."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"101842","DOI":"10.1016\/j.adhoc.2019.02.001","article-title":"An intrusion detection system for connected vehicles in smart cities","volume":"90","author":"Aloqaily","year":"2019","journal-title":"Ad Hoc Netw."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Refat, R.U.D., Elkhail, A.A., and Malik, H. (2022, January 1\u20133). A lightweight intrusion detection system for CAN protocol using neighborhood similarity. Proceedings of the 2022 7th International Conference on Data Science and Machine Learning Applications (CDMA), Riyadh, Saudi Arabia.","DOI":"10.1109\/CDMA54072.2022.00025"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Deng, Z., Xun, Y., Liu, J., Li, S., and Zhao, Y. (2022, January 4\u20138). A novel intrusion detection system for next generation in-vehicle networks. Proceedings of the GLOBECOM 2022, Rio de Janeiro, Brazil.","DOI":"10.1109\/GLOBECOM48099.2022.10000766"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"11540","DOI":"10.1109\/TVT.2022.3190721","article-title":"DAGA: Detecting attacks to in-vehicle networks via n-gram analysis","volume":"71","author":"Stabili","year":"2022","journal-title":"IEEE Trans. Veh. Technol."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Song, H.M., Kim, H.R., and Kim, H.K. (2016, January 13\u201315). Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network. Proceedings of the 2016 International Conference on Information Networking (ICOIN), Kota Kinabalu, Malaysia.","DOI":"10.1109\/ICOIN.2016.7427089"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Jin, S., Chung, J.G., and Xu, Y. (2021, January 22\u201328). Signature-based intrusion detection system (IDS) for in-vehicle CAN bus network. Proceedings of the 2021 IEEE International Symposium on Circuits and Systems (ISCAS), Daegu, Republic of Korea.","DOI":"10.1109\/ISCAS51556.2021.9401087"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Khan, J., Lim, D.W., and Kim, Y.S. (2023). Intrusion detection system CAN-bus in-vehicle networks based on the statistical characteristics of attacks. Sensors, 23.","DOI":"10.3390\/s23073554"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"50850","DOI":"10.1109\/ACCESS.2018.2868993","article-title":"A novel intrusion detection model for a massive network using convolutional neural networks","volume":"6","author":"Wu","year":"2018","journal-title":"IEEE Access"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"1185","DOI":"10.1109\/TII.2022.3202539","article-title":"TCE-IDS: Time interval conditional entropy-based intrusion detection system for automotive controller area networks","volume":"19","author":"Yu","year":"2022","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"120057","DOI":"10.1016\/j.ins.2023.120057","article-title":"DeepSecDrive: An explainable deep learning framework for real-time detection of cyberattack in in-vehicle networks","volume":"658","author":"Ding","year":"2024","journal-title":"Inf. Sci."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Seo, E., Kim, J., Lee, W., and Seok, J. (2023, January 4\u20137). Adversarial attack of ML-based intrusion detection system on in-vehicle system using GAN. Proceedings of the 2023 Fourteenth International Conference on Ubiquitous and Future Networks (ICUFN), Paris, France.","DOI":"10.1109\/ICUFN57995.2023.10200297"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"4651","DOI":"10.1109\/TII.2023.3324949","article-title":"AERO: Automotive Ethernet real-time observer for anomaly detection in in-vehicle networks","volume":"20","author":"Jeong","year":"2023","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Peng, R., Li, W., Yang, T., and Huafeng, K. (2019, January 16\u201318). An internet of vehicles intrusion detection system based on a convolutional neural network. Proceedings of the 2019 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA\/BDCloud\/SocialCom\/SustainCom), Xiamen, China.","DOI":"10.1109\/ISPA-BDCloud-SustainCom-SocialCom48970.2019.00234"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"22111","DOI":"10.1109\/JIOT.2023.3303271","article-title":"CANShield: Deep learning-based intrusion detection framework for controller area networks at the signal level","volume":"10","author":"Shahriar","year":"2023","journal-title":"IEEE Internet Things J."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"120","DOI":"10.1109\/JIOT.2022.3200121","article-title":"CGAN-based collaborative intrusion detection for UAV networks: A blockchain-empowered distributed federated learning approach","volume":"10","author":"He","year":"2022","journal-title":"IEEE Internet Things J."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Anand, M., Kumar, S.P., Selvi, M., SVN, S.K., Ram, G.D., and Kannan, A. (2023, January 23\u201325). Deep learning model based IDS for detecting cyber attacks in IoT based smart vehicle network. Proceedings of the 2023 International Conference on Sustainable Computing and Data Communication Systems (ICSCDS), Erode, India.","DOI":"10.1109\/ICSCDS56580.2023.10104996"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Meng, Y., Li, J., Liu, F., Li, S., Hu, H., and Zhu, H. (2023, January 10\u201312). GB-IDS: An intrusion detection system for CAN bus based on graph analysis. Proceedings of the 2023 IEEE\/CIC International Conference on Communications in China (ICCC), Dalian, China.","DOI":"10.1109\/ICCC57788.2023.10233123"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Seo, E., Song, H.M., and Kim, H.K. (2018, January 28\u201330). GIDS: GAN based intrusion detection system for in-vehicle network. Proceedings of the 2018 16th Annual Conference on Privacy, Security and Trust (PST), Belfast, UK.","DOI":"10.1109\/PST.2018.8514157"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Taslimasa, H., Dadkhah, S., Neto, E.C.P., Xiong, P., Iqbal, S., Ray, S., and Ghorbani, A.A. (2023, January 6\u20138). ImageFed: Practical privacy preserving intrusion detection system for in-vehicle CAN bus protocol. Proceedings of the 2023 IEEE 9th Intl Conference on Big Data Security on Cloud (BigDataSecurity), High Performance and Smart Computing (HPSC) and Intelligent Data and Security (IDS), Xi\u2019an, China.","DOI":"10.1109\/BigDataSecurity-HPSC-IDS58521.2023.00031"},{"key":"ref_23","unstructured":"Amutha, S., and Ramathilagam, A. (2023, January 20\u201322). Improved IDS for Vehicular Ad-Hoc Network using Deep Learning Approaches. Proceedings of the 2023 2nd International Conference on Automation, Computing and Renewable Systems (ICACRS), Tiruchengode, India."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"616","DOI":"10.1109\/JIOT.2021.3084796","article-title":"MTH-IDS: A multitiered hybrid intrusion detection system for Internet of Vehicles","volume":"9","author":"Yang","year":"2021","journal-title":"IEEE Internet Things J."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"919","DOI":"10.1109\/TITS.2019.2908074","article-title":"A survey of intrusion detection for in-vehicle networks","volume":"21","author":"Wu","year":"2020","journal-title":"IEEE Trans. Intell. Transp. Syst."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"237","DOI":"10.1145\/3570954","article-title":"AI-based intrusion detection systems for in-vehicle networks: A survey","volume":"55","author":"Rajapaksha","year":"2023","journal-title":"ACM Comput. Surv."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Luo, F., Yang, Z., Zhang, Z., Wang, Z., Wang, B., and Wu, M. (2023). A multi-layer intrusion detection system for SOME\/IP-based in-vehicle network. Sensors, 23.","DOI":"10.3390\/s23094376"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Herold, N., Posselt, S.A., Hanka, O., and Carle, G. (2016, January 25\u201329). Anomaly detection for SOME\/IP using complex event processing. Proceedings of the 2016 IEEE\/IFIP Network Operations and Management Symposium (NOMS), Istanbul, Turkey.","DOI":"10.1109\/NOMS.2016.7502991"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Casparsen, A., S\u00f8rensen, D.G., Andersen, J.N., Christensen, J.I., Antoniou, P., Kr\u00f8yer, R., and Gjoerup, K. (2022, January 29\u201331). Closing the security gaps in SOME\/IP through implementation of a host-based intrusion detection system. Proceedings of the 2022 25th International Symposium on Wireless Personal Multimedia Communications (WPMC), Aarhus, Denmark.","DOI":"10.1109\/WPMC55625.2022.10014951"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Gehrmann, T., and Duplys, P. (2020, January 26\u201328). Intrusion detection for SOME\/IP: Challenges and opportunities. Proceedings of the 2020 23rd Euromicro Conference on Digital System Design (DSD), Kranj, Slovenia.","DOI":"10.1109\/DSD51259.2020.00096"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Koyama, T., Tanaka, M., Miyajima, A., Ukai, S., Sugashima, T., and Egawa, M. (2022, January 19\u201322). SOME\/IP intrusion detection system using real-time and retroactive anomaly detection. Proceedings of the 2022 IEEE 95th Vehicular Technology Conference (VTC2022-Spring), Helsinki, Finland.","DOI":"10.1109\/VTC2022-Spring54318.2022.9860928"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Alkhatib, N., Ghauch, H., and Danger, J.L. (2021, January 27\u201330). SOME\/IP intrusion detection using deep learning-based sequential models in automotive Ethernet networks. Proceedings of the 2021 IEEE 12th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), Vancouver, BC, Canada.","DOI":"10.1109\/IEMCON53756.2021.9623129"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Alkhatib, N., Mushtaq, M., Ghauch, H., and Danger, J.L. (2023, January 4\u20137). Here comes SAID: A SOME\/IP attention-based mechanism for intrusion detection. Proceedings of the 2023 Fourteenth International Conference on Ubiquitous and Future Networks (ICUFN), Paris, France.","DOI":"10.1109\/ICUFN57995.2023.10200508"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Ding, S., Cao, Y., and Deng, R. (2024, January 26\u201328). Suricata-based SOME\/IP intrusion detection system design and implementation. Proceedings of the Fourth International Conference on Mechanical, Electronics, and Electrical and Automation Control (METMS 2024), Xi\u2019an, China.","DOI":"10.1117\/12.3030661"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"27322","DOI":"10.1109\/JIOT.2024.3397665","article-title":"SISSA: Real-time monitoring of hardware functional safety and cybersecurity with in-vehicle SOME\/IP Ethernet traffic","volume":"11","author":"Liu","year":"2024","journal-title":"IEEE Internet Things J."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Ma, B., Yang, S., Zuo, Z., Zou, B., Cao, Y., Yan, X., and Li, J. (2022). An authentication and secure communication scheme for in-vehicle networks based on SOME\/IP. Sensors, 22.","DOI":"10.3390\/s22020647"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Zuo, Z., Yang, S., Ma, B., Zou, B., Cao, Y., Li, Q., and Li, J. (2021). Design of a CANFD to SOME\/IP gateway considering security for in-vehicle networks. Sensors, 21.","DOI":"10.3390\/s21237917"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Li, Y., Chen, H., Zhang, C., Xiong, S., Liu, C., and Wang, Y. (2020, January 1\u20134). Ori: A greybox fuzzer for SOME\/IP protocols in automotive Ethernet. Proceedings of the 2020 27th Asia-Pacific Software Engineering Conference (APSEC), Singapore.","DOI":"10.1109\/APSEC51365.2020.00063"},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"13450","DOI":"10.1109\/TVT.2020.3028880","article-title":"Securing SOME\/IP for in-vehicle service protection","volume":"69","author":"Iorio","year":"2020","journal-title":"IEEE Trans. Veh. Technol."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Du, J., Tang, R., and Feng, T. (2022). Security analysis and improvement of vehicle Ethernet SOME\/IP protocol. Sensors, 22.","DOI":"10.3390\/s22186792"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Lee, S., Choi, W., and Lee, D.H. (2023). Protecting SOME\/IP communication via authentication ticket. Sensors, 23.","DOI":"10.3390\/s23146293"},{"key":"ref_42","unstructured":"(2026, January 28). vSomeIP Computersoftware. Available online: https:\/\/github.com\/COVESA\/vsomeip."},{"key":"ref_43","unstructured":"(2026, January 28). Autonomous Vehicle Dataset for Anomaly Detection. Available online: https:\/\/dx.doi.org\/10.21227\/0q64-5f96."},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"55","DOI":"10.1080\/00401706.1970.10488634","article-title":"Ridge regression: Biased estimation for nonorthogonal problems","volume":"12","author":"Hoerl","year":"1970","journal-title":"Technometrics"},{"key":"ref_45","doi-asserted-by":"crossref","first-page":"53","DOI":"10.1016\/0377-0427(87)90125-7","article-title":"Silhouettes: A Graphical Aid to the Interpretation and Validation of Cluster Analysis","volume":"20","author":"Rousseeuw","year":"1987","journal-title":"J. Comput. Appl. Math."},{"key":"ref_46","first-page":"1","article-title":"A dendrite method for cluster analysis","volume":"3","author":"Calinski","year":"1974","journal-title":"Commun. Stat."},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"224","DOI":"10.1109\/TPAMI.1979.4766909","article-title":"A cluster separation measure","volume":"1","author":"Davies","year":"1979","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_48","doi-asserted-by":"crossref","first-page":"179","DOI":"10.1111\/j.1469-1809.1936.tb02137.x","article-title":"The use of multiple measurements in taxonomic problems","volume":"7","author":"Fisher","year":"1936","journal-title":"Ann. Eugen."},{"key":"ref_49","unstructured":"(2026, January 28). Renesas Vehicle Computer Generation 4 (Flyer). Available online: https:\/\/www.renesas.com\/en\/document\/fly\/renesas-vehicle-computer-generation-4?srsltid=AfmBOor-8KqorwtHG6onli_HaHxGbnqiGNvCpCwOf9LTZkm5_f2WwiFM."},{"key":"ref_50","unstructured":"(2026, January 28). Vehicle Computer Development Kit (Flyer). Available online: https:\/\/www.renesas.com\/en\/document\/fly\/vehicle-computer-development-kit?srsltid=AfmBOoqb7ybThH3Uu_W0_-Ahb9N9fu3hHVuPK4F1V7k7fy4vYcI4qKqz."},{"key":"ref_51","unstructured":"(2026, January 28). S32G Vehicle Network Processors. Available online: https:\/\/www.nxp.com\/products\/processors-and-microcontrollers\/s32-automotive-platform\/s32g-vehicle-network-processors:S32G-PROCESSORS."},{"key":"ref_52","unstructured":"(2026, January 28). S32G3 Product Brief. NXP Semiconductors. Available online: https:\/\/www.nxp.com\/docs\/en\/product-brief\/PBS32G3V2.pdf."}],"container-title":["Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2079-8954\/14\/2\/196\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,11]],"date-time":"2026-02-11T18:04:02Z","timestamp":1770833042000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2079-8954\/14\/2\/196"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,11]]},"references-count":52,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2026,2]]}},"alternative-id":["systems14020196"],"URL":"https:\/\/doi.org\/10.3390\/systems14020196","relation":{},"ISSN":["2079-8954"],"issn-type":[{"value":"2079-8954","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,11]]}}}