Vehicle Security: A Survey of Security Issues and Vulnerabilities, Malware Attacks and Defenses

In recent years automotive technology has evolved rapidly, and with these developments modern vehicles are becoming increasingly intelligent and offer a growing number of innovative applications that cover various functionalities. These functionalities are controlled by hundreds of Electronic Control Units (ECUs) that are connected to each other via the Controller Area Network (CAN) bus. Although ECUs are designed to offer the various amenities associated with modern vehicles, including comfort, such features expose new attack surfaces that can be harnessed by attackers. This trend is exacerbated by the fact that many of these ECUs rely on wireless communication to interact with the outside world, which makes them vulnerable to common threats such as malware injection that can compromise the overall security of modern vehicles. In this paper, we provide a detailed description of the architecture associated with intelligent vehicles, and identify various security issues and vulnerabilities that impact such systems. We provide an overview of different malware types and the attack vectors they leverage for infecting modern vehicles. This work also presents a detailed survey of available defenses against such attacks, including signature, behavior, heuristic, cloud, and machine learning-based detection measures. Furthermore, this paper intends to assist researchers in becoming familiar with the available defenses and how they can be applied to secure intelligent vehicles against emerging malware threats that can compromise the security of today's vehicles. It also provides future directions for researchers who are interested in developing new defenses that can safeguard intelligent vehicle systems against malware attacks.


I. INTRODUCTION
Vehicle systems have been greatly transformed since the previous decade in many respects, from vehicle control to telematics and advanced driver assistance frameworks. Vehicular systems have gained many additions, and their growing use of ECUs has increased their complexity while providing many improvements in functionality and comfort [1]. The increased use of ECUs in vehicle systems has improved functionality, but it has also made vehicles more susceptible to cyber threats and cyber attacks. For instance, with physical access to a vehicle, an attacker can inject malicious messages into the CAN bus, and modify and read an ECU via vulnerable interfaces such as CD players, USB and OBD-II [2]. To demonstrate this, some researchers have sent fake messages over the in-vehicle networks to different ECUs, read ECU memory and ECU security keys, read and altered ECU programming, and controlled a wide range of vehicle functions with ease [3]. Such attacks can have severe repercussions for the vehicle system's tasks and also pose great danger to the safety of drivers.
On the other hand, with the development of wireless technologies such as Bluetooth, Wi-Fi, Cellular, LTE, and 5G, vehicles can no longer be considered closed systems, as they are increasingly equipped with functionalities that interact with the environment through these technologies, which can be exposed to over-the-air (OTA) attacks [4]. For example, security keys have been used by vehicle key fobs in order to hack a live system [5]. Radio signals are another way for hackers to breach security, and in a few instances researchers were able to transmit radio signals from a key fob to the car without disrupting any security keys, allowing attackers to simply unlock doors and steal or burglarize the vehicle [6]. Another very common way for hobbyists to mishandle systems is by tampering with the tire pressure monitoring system (TPMS), where one can set false readings to send out bogus warnings, causing confusion for the driver [7]. Also, the authors of [1]-[3], [8] were able to inject malicious firmware into a vehicle's OTA system while performing an ECU firmware update. Additionally, researchers could hack into the steering and brakes of two cars [9]. In another report, a team of hackers was able to hack a Tesla Model S remotely from a distance of 12 miles [10]. In other work, Miller et al. [11] remotely hacked and stopped a Jeep Cherokee running on a highway, which led to a recall of 1.4 million vehicles. Another example is provided by Cai et al. [12], who revealed multiple vulnerabilities in numerous BMW models, including the ability to compromise ECUs connected through CAN over a wireless connection. Such a reality concerning vehicle attacks makes automotive security one of the most critical issues.
Many attacks that previously could take place only through physical access can now be carried out remotely with the help of wireless technologies. This allows attackers to breach vehicle systems, with the possibility of extending such attacks to multiple vehicles through daisy chaining. One severe threat to intelligent vehicles is malware, which is malicious software designed to obtain unauthorized access to data or disrupt computer operations. Malware can infect intelligent vehicles through a variety of vulnerabilities, including wireless communication with roadside networks, vehicle-based Wi-Fi hotspots, and internet connectivity. Another common attack vector involves malware-infected consumer electronic devices such as cell phones, iPods, and laptops that can be physically or wirelessly connected to the vehicle and in turn used to exchange files between vehicles. Vulnerabilities in onboard communication systems, software, and hardware designs [2], [8], [13] can also be abused by malware to infect a vehicle. Malware can cause a wide range of disturbances and harm to the vehicle system once it is inside the vehicle [1]-[3], [8]. Some examples of how malware affects the vehicle's normal operation are: toying with the general features of the vehicle and causing driver distraction, disrupting standard functions of the vehicle such as interfering with the in-car radio so that the driver cannot switch it on, locking the car's features, illegitimately occupying memory space and CPU cycles, mishandling data and invading privacy, and disabling safety features of the vehicle. The aforementioned examples underscore that the security of intelligent vehicular systems is a high priority that must be appropriately handled in order to effectively safeguard them.
After offering a detailed description of the intelligent vehicle's architecture, this paper discusses the security issues and vulnerabilities that intelligent vehicles face. It also gives an overview of malware attacks and examines the many forms of malware that might infiltrate intelligent vehicles, as well as the malware's probable methods of infection. It also provides a comprehensive survey of available malware defense systems, categorizing them into five categories: signature-based malware detection techniques, behavior-based malware detection techniques, heuristic-based malware detection techniques, cloud-based malware detection techniques, and machine learning-based malware detection techniques. It also discusses the upsides and downsides of every defense system against malware attacks and the various strategies that are utilized in these defense systems. This paper aims to aid researchers in developing a broad understanding of the malware protection systems that are available for protecting such systems. It also identifies potential research directions for researchers to pursue in order to increase the intelligent vehicle system's resistance against malware attacks. To the best of our knowledge, this is the first study that offers a detailed survey of the most recent existing malware defense systems and assesses the benefits and drawbacks of deploying such defenses onto intelligent vehicle systems. Overall, this paper makes the following contributions:
• Provides an in-depth description of the intelligent vehicle system's architecture.
• Describes the most prevalent types of malware that might infiltrate the intelligent vehicle system.
• Identifies the issues and vulnerabilities that intelligent vehicles face in terms of security.
• Discusses all possible entry points for malware to infect the intelligent vehicle system.
• Presents a detailed survey of the most recent malware detection techniques in the last decade and discusses the upsides and downsides of applying such techniques to the intelligent vehicle system.
• Provides researchers with prospective study areas for improving the intelligence of vehicle systems and making them more resistant to malware attacks.
Overall, this paper represents an effort to understand how malware attacks affect vehicle systems and the best practices for building safer and sturdier systems. The paper is organized as follows: Section II gives a detailed description of the architecture of intelligent vehicles. Section III identifies the security issues and vulnerabilities of intelligent vehicles. Section IV provides an overview of malware attacks and discusses the main kinds of malware that can infect intelligent vehicles, as well as the malware's possible ways of infection. Section V discusses existing malware defense techniques, as well as their pros and cons. Section VI discusses research problems for researchers to address and provides future directions along with some recommendations for developing a more effective malware defense system for intelligent vehicles.

A. IN-VEHICLE NETWORK ARCHITECTURE
To better understand the threats that ECUs face from hackers, it is worth understanding the communication protocol between the ECUs, which could serve as a potential entry point for the hacker [15]. The Controller Area Network (CAN) bus was developed in 1983 by an automotive company called Bosch [16]. This protocol has made it possible for different ECUs to communicate in a fast and reliable manner. The CAN bus provides a durable and inexpensive solution that allows ECUs to communicate with each other using a single CAN interface instead of analog and digital inputs [16].
Each ECU transmits CAN frames that are labeled with an arbitration ID. All connected ECUs receive the frames, but each ECU decides whether or not to accept a frame depending on its arbitration ID. Previously used electronic architecture technologies did not leave much room for different ECUs in intelligent vehicles. With the help of the CAN bus, intelligent vehicle manufacturers are now able to fit many more ECUs while minimizing the complexity of wiring [16]. Figure 2 illustrates different ECUs and how they are connected to various electronic subsystems.
Every subsystem shown in Figure 2 has multiple ECUs that are responsible for controlling specific functionality in the vehicle [1]. Through a high-speed communication protocol (CAN), ECUs in different subsystems are able to communicate with each other. Different subsystems use different types of subnetworks depending on the time sensitivity of each subsystem [15]. For instance, the time-sensitive engine control, powertrain, and safety subsystems use the high-speed Controller Area Network (CAN), whereas less safety-critical subsystems such as seat and window motor control use a Local Interconnect Network (LIN) [14], [15]. The Automotive Ethernet (AE) and the Media Oriented System Transport (MOST) are used in the In-Vehicle Infotainment (IVI) subsystem to control the car radio, navigation system, Bluetooth, etc. [14], [15], [17]. The MOST network is isolated from electromagnetic interference because it utilizes plastic optical fibers as its physical layer, which prevents problems like buzzing noises in the infotainment system [14]. The AE has a great advantage when it comes to bandwidth capacity, since it can support up to 100 Mbps, which is slated to increase to nearly 1 Gbps in the near future [14]. In general, the AE is considered to be approximately 100 times faster than the CAN protocol. Therefore, it would be a good choice to replace CAN with Ethernet; however, because Ethernet's cost per ECU is higher than CAN's, it will most likely not replace CAN but rather be added alongside it [18]. Flex-Ray is another in-vehicle network that has high transmission rates and is used to obtain a good control system. Flex-Ray supports drive-by-wire systems such as steer-by-wire and brake-by-wire, which also require strong error management to perform well as driver assistance systems. The specification of the in-vehicle network buses is shown in Table 1.
Intelligent vehicles nowadays offer access to the in-vehicle network system through the On-Board Diagnostics (OBD-II) port, which makes it possible to keep track of messages on this system in order to provide diagnostic reports. Intelligent vehicles are also provided with an entertainment system with either a USB connectivity option or a CD player. These options enable users to synchronize and access entertainment content from their mobile devices and play or view it on the vehicle's entertainment system. Besides, remote keyless entry and RFID car keys are other modern car technologies that have been widely applied to intelligent vehicles. These technologies can be used to access vehicle functions such as door opening and flashlights, and in some recent cases are even used to access ignition functions. In addition, the technology of intelligent vehicles has shifted tremendously towards connecting the in-vehicle network subsystem to the outside world through WiFi, Bluetooth, and cellular networks such as LTE, 3G, 4G, and now 5G [20]. For example, a cell phone can now connect to the infotainment system of the vehicle wirelessly, using Bluetooth connectivity that allows the infotainment system to use Apple CarPlay and Android Auto through the connected phone. Furthermore, WiFi and 5G can be used to offer functionalities like Global Positioning System (GPS), digital radio and traffic messages. Additionally, the telematics unit allows the car to communicate with 3G, 4G, and now 5G networks. It can send and receive telematics data, communicate with back-end cloud servers, and allow access to the internet. Moreover, Dedicated Short Range Communications (DSRC) is an on-board vehicle unit that is developed to establish short-range Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I) communications. DSRC offers great autonomous technology services by allowing vehicles to exchange information either with each other or with infrastructure such as the roadside units surrounding the vehicle. DSRC utilizes radio frequency (RF) channels to achieve this communication [21].
In general, the message frames transmitted on the CAN bus are divided into four major types: the remote frame, the overload frame, the data frame and the error frame. Of these, the remote frame enables the receiving ECU to request data from a specific ECU, the overload frame informs other ECUs that the source ECU cannot receive data, and the error frame informs other ECUs that an error has occurred. The data frame carries the data from the transmitter ECU to the receiver ECU. The data frame is composed of the following fields: the start of frame (SOF) field, which contains one dominant bit and signals the start of transmission to all ECUs; the arbitration field, which consists of an 11-bit identifier and a one-bit remote transmission request (RTR) and characterizes the priority and the type of the frame; the control field, which consists of two reserved bits and a four-bit data length code (DLC); the data field, which includes the actual data in a range of 0 to 64 bytes; the cyclic redundancy check (CRC) field, which consists of a 15-bit CRC and a 1-bit CRC delimiter and performs data error detection; the ACK field, which consists of a one-bit ACK part and a one-bit ACK delimiter part; and the end of frame, which consists of 7 bits and indicates the end of the CAN frame by a recessive bit flag [22]. Figure 3 shows the structure of the CAN frame.
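The data frame layout described above can be made concrete with a small builder and validating parser. This is an added example, not code from the paper; it assumes a classical CAN frame with an 11-bit identifier and at most 8 data bytes, leaves out bit stuffing, and uses the hypothetical helper names `build_frame`, `parse_frame` and `crc15`.

```python
"""Classical CAN data frame (11-bit identifier), laid out field by field.

Added illustration: bit stuffing is omitted so the fields stay visible.
"""
from __future__ import annotations

from dataclasses import dataclass

CRC15_POLY = 0x4599  # x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1


def to_bits(value: int, width: int) -> list[int]:
    """Most significant bit first, as transmitted on the bus."""
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def from_bits(bits: list[int]) -> int:
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


def crc15(bits: list[int]) -> int:
    """CRC sequence over SOF, arbitration, control and data fields."""
    reg = 0
    for bit in bits:
        feedback = bit ^ (reg >> 14)
        reg = (reg << 1) & 0x7FFF
        if feedback:
            reg ^= CRC15_POLY
    return reg


@dataclass
class DataFrame:
    can_id: int
    data: bytes


def build_frame(can_id: int, data: bytes) -> list[int]:
    if not 0 <= can_id < 2 ** 11:
        raise ValueError("identifier must fit in 11 bits")
    if len(data) > 8:
        raise ValueError("this example assumes at most 8 data bytes")
    bits = [0]                     # SOF: one dominant bit
    bits += to_bits(can_id, 11)    # arbitration field: identifier
    bits += [0]                    # arbitration field: RTR = 0 (data frame)
    bits += [0, 0]                 # control field: two reserved bits
    bits += to_bits(len(data), 4)  # control field: DLC
    for byte in data:
        bits += to_bits(byte, 8)   # data field
    bits += to_bits(crc15(bits), 15)
    bits += [1]                    # CRC delimiter (recessive)
    bits += [0, 1]                 # ACK slot as seen once acknowledged, ACK delimiter
    bits += [1] * 7                # end of frame: seven recessive bits
    return bits


def parse_frame(bits: list[int]) -> DataFrame:
    """Validate every field and return the identifier and payload."""
    if len(bits) < 44 or bits[0] != 0:
        raise ValueError("missing start of frame")
    if bits[12] != 0:
        raise ValueError("RTR set: remote frame, not a data frame")
    dlc = from_bits(bits[15:19])
    if dlc > 8:
        raise ValueError("DLC outside the range this example handles")
    end = 19 + 8 * dlc             # first bit after the data field
    if len(bits) != end + 25:      # CRC 15 + delimiter 1 + ACK 2 + EOF 7
        raise ValueError("frame length does not match DLC")
    if crc15(bits[:end]) != from_bits(bits[end:end + 15]):
        raise ValueError("CRC mismatch")
    if bits[end + 15] != 1 or bits[end + 17] != 1 or bits[end + 18:] != [1] * 7:
        raise ValueError("form error in delimiter or end of frame")
    data = bytes(from_bits(bits[i:i + 8]) for i in range(19, end, 8))
    return DataFrame(from_bits(bits[1:12]), data)
```

The CRC only detects transmission errors: any node can compute a valid CRC for any identifier and payload, so a frame that parses cleanly says nothing about which ECU sent it.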

B. INTELLIGENT VEHICLES COMPUTATION PLATFORMS
The vehicle's computation platform plays an important role in highly intelligent vehicle systems, ensuring that the autonomous technology process is smooth, robust, and efficient. Millions of lines of code must be executed in order to accomplish different intelligent algorithms and autonomous functionalities. Generally, Digital Signal Processors (DSPs) and Micro-controller Units (MCUs) are used for signal processing to establish several vehicle functions. Furthermore, DSPs are capable of supporting more complicated applications that demand high-quality processing capacity and integration, such as Advanced Driver-Assistance Systems (ADAS) [14]. Moreover, a robust and advanced computation platform such as Graphics Processing Units (GPUs) and Field-Programmable Gate Arrays (FPGAs) must be implemented to ensure the efficiency of the autonomous system. GPUs are well suited to various types of image processing, which can improve obstacle detection algorithms, traffic sign recognition, and all the ADAS functionalities. FPGAs are also useful for similar computations with less energy consumption [14], [23].
Looking at the software system of the computation platform, the automotive industry uses many open systems such as OSEK, JASPAR, and VDX. However, they fail to be reusable for the advanced ECUs. Automotive Open System Architecture (AUTOSAR) is also another open system that is developed to divide the associated hardware from the application software. This open system also requires additional development to further assist the artificial intelligence and machine learning algorithms [14], [24]. Software updates over-the-air (OTA) are also important and highly recommended to be implemented even after the vehicle is sold to the customer to keep the operating systems up to date and bring the latest features to the consumer.

C. SENSORS IN INTELLIGENT VEHICLES
As vehicles become more technologically advanced in pursuit of fully autonomous self-driven cars, intelligent vehicles are using various types of sensors to achieve autonomous vision. Therefore, fusing these sensors together is an excellent way to ensure great autonomous robustness. Some of the main physical sensors that are used include:
• High-resolution Camera: A high-resolution camera is used to detect various shapes that help in self-driven car technology. Through different stages of image processing, and through the camera, the system is able to detect lines in the road that help the vehicle stay on course, as well as properly yield to other cars, pedestrians, and any surrounding traffic signs. However, cameras alone are insufficient for detecting distances between the intelligent vehicle and the objects that surround it, be it another car, an obstacle, or a traffic sign. A great solution for this is to fuse the camera with a LiDAR or a RADAR sensor.
• LIDAR: The Light Detection and Ranging (LiDAR) sensor uses light in the form of a pulsed laser to map out the surroundings of the intelligent vehicle at the speed of light, namely 300 000 km/s. With the use of LiDAR, intelligent vehicles are able to easily detect distances between all the objects surrounding them.
• Ultrasonic: This sensor is also known as sonar. It is considered to be an electronic device that utilizes echolocation to identify if an object is within range of the sensor [25]. It can detect any object in its range by transmitting and receiving ultrasound waves. It also has the ability to measure the distance from the vehicle to a target object by utilizing the time taken by the signal to return to the ultrasonic sensor after being emitted. However, ultrasonic sensors have a blind zone created by nearness and common obstruction, which may cause incorrect readings. Furthermore, materials with sonic wave dampening abilities, like acoustic foam, tend to compromise the readings from ultrasonic sensors [26].
• RADAR: Millimeter-wave RADAR technology is very commonly used in intelligent vehicles. The RADAR is designed to obtain distances as far as 250 meters, making adaptive cruise control and collision avoidance very reliable [27]. A major advantage of RADAR lies in its capability to penetrate nontransparent materials such as dust, smoke, snow and fog [14]. RADAR is able to detect distances irrespective of the weather conditions of the operating environment. However, one disadvantage of RADAR is its low side view, which puts a limitation on its horizontal view [28], [29]. One way to solve this issue is by implementing a monocular camera, which helps in improving accuracy and precision [14], [30].
• Intelligent Vision Systems: The intelligent vision system is a combination of various sensors used to achieve reliable driving assistance. This system consists of the monocular visual system and the stereo vision system [14]. These visual sensors are responsible for observing the driver's attention towards the road and the environment that the vehicle is operating in [31]. AI technology and machine learning are essential for adapting to the driver's environment and reacting accordingly.

III. SECURITY ISSUES AND VULNERABILITIES OF INTELLIGENT VEHICLES
With the advancement of car innovation, intelligent vehicles are becoming progressively more capable and are developing a number of creative applications that perform different functionalities. These functionalities are controlled by 70 to 100 ECUs that communicate with each other through the in-vehicle communication buses [1]. While the use of about 100 ECUs improves functionality and comfort, it also introduces new cyber threats by making vehicles a target for attackers. Additionally, with the advancement of remote communication innovations, vehicles can no longer be considered closed frameworks, as they are increasingly equipped with functionality that interacts with the outside world [2]. Although remote communication technology brings many improvements in terms of functionality and luxury, communication with the outside world exposes vulnerabilities that can be abused by an attacker and lead to infection of the vehicle. In this section, we discuss vulnerabilities associated with intelligent vehicles, as well as the potential ways an attacker could use
With the advancement of automotive technologies, intelligent vehicle systems are controlled through I/O access channels of the embedded ECUs. These access channels present commands and output to the users of intelligent vehicles. However, these channels are vulnerable to attack due to their lack of security features such as an authentication scheme, access control and a verification process. These access channels can be categorized into four major categories: direct physical access, indirect physical access, short range wireless access and long range wireless access.

1) DIRECT PHYSICAL ACCESS (V1)
Automotive vehicles have many direct physical interfaces that can become potential surfaces for an attacker to infect an intelligent vehicle and have a malicious effect. These surfaces can provide direct access to the ECUs and in-vehicle network busses of an intelligent vehicle. One such interface is the On-Board Diagnostics (OBD) system, which is usually used by service professionals for performing diagnosis and ECU programming during periodic maintenance inspections. The OBD system can provide direct access to the vehicle's ECUs and its internal network busses through the OBD-II port and the OBD dongle [32].

2) INDIRECT PHYSICAL ACCESS (V2)
The ECUs and in-vehicle network busses of intelligent vehicles can be accessed through indirect physical interfaces without the presence of the attacker. These interfaces can be used by the user to indirectly pass commands or receive communication from the targeted ECUs. Most intelligent vehicles nowadays offer indirect physical access through the entertainment system using physical sources such as CD, disc, USB and iPod. However, these interfaces are vulnerable to attack due to their lack of security features [2].

3) SHORT RANGE WIRELESS ACCESS (V3)
Since car technology and network systems have improved tremendously, vehicles are now exposed to the outside world through either short range wireless access or long range wireless access [33]. Short range wireless access offers an attacker many advantages over direct and indirect physical access, which impose many operational complexities, such as targeting precise locations and the inability to control the time of compromise. This type of access works mostly over short ranges, and its attack surface consists of automotive wireless systems like Bluetooth, Remote keyless entry, Dedicated Short Range Communications (DSRC) and Wi-Fi. For these architectures, hackers can put a wireless transmitter close to the car's receiver, depending on the channel distance [2].

4) LONG RANGE WIRELESS ACCESS (V4)
Long-distance digital access channels, which are divided into two types, broadcast channels and addressable channels, are now deployed in intelligent vehicles. The broadcast channels, such as GPS, Traffic Message Channel, Satellite Radio, and Digital Radio, are indirect channels that receivers tune into as part of a media system that is connected to other important ECUs. However, because it is difficult to attribute and command multiple channels at once, these channels are subject to external surface attacks, which might allow an attacker to manipulate channels and their behavior. The addressable channels, as opposed to broadcast channels, are direct channels that frequently employ cellular phone and data networks and may be accessed over arbitrary distances. However, this type of long-range wireless access is vulnerable to attack through the remote transfer system that provides continuous connectivity through cellular voice and data networks [2].

B. ENTRY POINTS INTO INTELLIGENT VEHICLES
With the evolution of vehicle technologies, these advanced technologies can, in the wrong hands, lead to severe situations. To some degree, Intrusion Detection Systems (IDS) can block the potential ways and access channels that an attacker uses to gain access to a vehicle. Yet no protection technique is absolutely effective; a protection technique that is effective today may not remain so for long, since hackers are continually updating their entry points and looking for new ones. Therefore, in this section, we discuss the potential ways and entry points that an attacker might use to gain access to a vehicle in order to deliver a malicious effect. For each entry point, Table 2 presents the following factors: the attacker's presence, which specifies whether or not the attacker must be present in the vehicle during the compromise process; the scale, which captures the approximate scale of the attack; the control, which indicates the level of control over the vehicle; and the cost, which represents the estimated effort involved in developing the attack capability. Some of the potential entry points that hackers may use to attempt to gain access to a vehicle include:
The OBD-II Port: The OBD-II port system in a vehicle is responsible for tracking and modulating the vehicle's performance by monitoring the mileage, speed and other important data [34]. The OBD-II port reports data acquired from the sensors that are present in the vehicle's infrastructure, and it is connected to the check engine light, which lights up once a problem is reported. However, the OBD-II port may be vulnerable to malicious attacks since it lacks an authentication method, such as one based on voice, facial features, retinas, irises, or fingerprints, that could be used to verify the identity of the vehicle's owner. Furthermore, the OBD-II port also lacks an access control mechanism that ensures that it is only accessible by the vehicle's owner. In other words, the OBD-II port may be accessed not only by the vehicle's owner, but also by other users and parties. This vulnerability may be exploited by unauthorized users and parties to get access to the vehicle and carry out malicious actions within it. For example, the OBD-II port can be attached to a laptop in order to interrogate the car's ECU program, and this gives an attacker easy access to alter, delete, or inject malicious code into the ECUs [2]. As a demonstration, by using an ECOM cable and handmade connections to attach to the OBD-II port, Valasek and Miller [35] were able to transmit and receive messages over the CAN bus.
The OBD Dongle: OBD dongles are used to access the data reported by the OBD-II port. The OBD dongle also allows access to the CAN bus of the vehicle, which poses a security threat to the ECUs that are connected through the CAN interface. This allows attackers to easily get access to the CAN bus through the OBD port and send bogus messages to all the connected ECUs [2]. Although the OBD dongle is a physical connection to the OBD port, modern cars are implementing Wi-Fi technology to access the OBD port through a computer. This allows the hacker to do a variety of tasks on the vehicle, such as locking and unlocking doors, turning the vehicle on and off using push button start/stop, steering adjustments, and braking, among other things [36].
The Entertainment System: The entertainment system in intelligent vehicles is an indirect physical access interface to the vehicle ECUs. Most of the intelligent vehicles nowadays are provided with a form of entertainment system that has a USB connectivity option, disk option, iPod, or CD player. These options enable the users to synchronize and access entertainment content from their mobile devices, navigation systems, USB devices, or from CD and play/view on the vehicle entertainment system [37]. In the advanced systems, the entertainment system is not standalone but also has a CAN connection to ECUs of other systems in the vehicle. These systems enable the synchronized mobile device to access more features on the vehicle apart from the media system which creates a threat to the vehicle [2]. For example, Cai et al. [12] demonstrated that attackers can create a backdoor in the BMW vehicle entertainment system via the USB port.
The Infotainment System: The infotainment system supplies the vehicle with information and entertainment such as emails, text messages, voice calls, personal contacts, and many forms of information that can be gotten by interfacing with a cell phone such as stream music, and watch videos [38]. The infotainment system, on the other hand, may be hacked using simple tools like a CD or USB flash drive. Such a tool might be contaminated with malicious codes and infiltrate the car's infotainment system and spread to other systems, such as those that control the vehicle's engine and brakes systems. As a demonstration, a research group demonstrated an attack by altering an audio file to broadcast malicious CAN messages to compromise different in-vehicle systems When played on the vehicle's media player [2]. Furthermore, researchers were able to get a permanent connection to Mazda's infotainment system by running a bash script on the vehicle's Linux working system [39]. Another research group was able to access the address book, conversation history and even location data remotely by connecting the infotainment system's root account [40].
The Telematics System: The Telematics system supplements infotainment systems by giving information about invehicular systems such as vehicle speed, acceleration, tire pressure, fuel efficiency, oil life, door locking, seat belts, transmission issues and engine failures [41]. Furthermore, the telematics unit in the intelligent vehicles allows the vehicles to communicate with 3G, 4G, and now 5G networks. This allows attackers to get access to the vehicle through 3G, 4G and now 5G and do a variety of harmful actions on the vehicle. For example, researchers previously exploited a car's telematics unit remotely without user interaction [2]. They also were able by using reverse-engineering techniques to gain access to the operating system of the telematics ECU. Additionally, work by Jo et al. [42] investigated security risks in Android OS-based telematics frameworks that allow drivers to access and lock vehicle doors remotely, as well as start and stop the vehicle engine Sensors: As vehicles are turning out to be more innovative to accomplish fully autonomous self-driven vehicles, intelligent vehicles nowadays are utilizing different kinds of sensors to accomplish the autonomous vision. Hence, combining those sensors is an extraordinary method to guarantee incredible autonomous strength. However, because there are no adequate security mechanisms in place to restrict the usage of sensors by installed apps, vehicles are exposed to sensor based threats and attacks. For example, the sensors in intelligent vehicles can be hacked easily either remotely or physically. As a demonstration, Petit et al. have shown the efficacy of relay and spoofing attacks against LiDAR [43]. Furthermore, Liu et al. used ultrasonic sensor attacks like jamming and spoofing to test Tesla, Audi, Volkswagen, and Ford. They demonstrated that all of the cars they examined could be jammed and spoofed [44].
In-Vehicle Network Busses: The Controller Area Network (CAN) lacks sufficient communication protection. Because it is a broadcast-based protocol with no sender or receiver addresses, every node receives every frame, and frames are not protected by any Message Authentication Code (MAC) or digital signature [45], [46]. This threatens confidential data, which could be stolen or manipulated, and lets false frames be sent to every node, causing unintended behaviors. For example, an attacker can easily access the CAN bus and inject a malicious message either directly through the OBD-II port or indirectly through the CD player, disc, USB and iPod [2], [35]. As another example, Cai et al. [12] revealed multiple vulnerabilities in numerous BMW models, including the ability to compromise ECUs connected through CAN over a wireless connection.
Bluetooth: Bluetooth is currently available in most intelligent vehicles and has a range of up to 10 meters. It  [47].
Remote Keyless Entry (RKE): This type of communication uses radio frequency signals to control various functions of intelligent vehicles remotely, such as opening doors, controlling lights, activating alarms, and even starting and locking the ignition of the vehicle. The remote keyless entry, however, is open to attacks since it doesn't have a security mechanism such as cryptography to protect the confidentiality of the radio signal transmitted from the vehicle's key. This vulnerability can be exploited by hackers to get access to the vehicle without possessing the key. The attack operates by eavesdropping on the signal transmitted when a driver presses his or her key fob to open the vehicle. With $30 worth of equipment, the signal may be cloned, allowing the hacker to have access to the vehicle in the future. The attacker can be within 100 meters of the car to clone the key's signal, and can steal the car in less than two minutes [?]. For example, Liu et al. [48] demonstrated that many attacks can be mounted against the Hitag2 cipher, which is used in many remote keyless entry systems. As another example, Dibaei et al. [49] showed that two hackers were able to steal a Mercedes-Benz vehicle by manipulating the keyless entry system.
Wi-Fi: Intelligent vehicles are currently equipped with Wi-Fi and can therefore connect to the internet via Wi-Fi hotspots on the roadway that are within range of the vehicle. However, some of these wireless hotspots might put the vehicle at risk for a variety of reasons. For instance, these wireless hotspots may employ outdated encryption standards, putting the vehicle's security at risk. One of the initial encryption standards for wireless networking devices, the Wireless Encryption Protocol (WEP), is deemed weak and vulnerable to hacking. Wi-Fi Protected Access (WPA) was supposed to take the place of WEP as the wireless networking standard, but it, too, was proven to have flaws. Furthermore, these wireless hotspots may expose vehicles to a rogue or fake Wi-Fi hotspot [51]. For example, if the vehicle connects to a malicious hotspot, the hacker can carry out many activities against the vehicle, such as transferring malicious code to it. As a demonstration, Nie et al. [50] were able to remotely hack a Tesla vehicle by exploiting the way that the secret key to an installed Wi-Fi was saved in plain text. Furthermore, Nakhila et al. [51] showed that by connecting to an illegitimate Wi-Fi access point, an attacker may eavesdrop on Wi-Fi activity. Vanhoef et al. also looked at the possibility of Denial of Service attacks against Wi-Fi Protected Access [52].
DSRC: DSRC is an on-board vehicle unit that is developed to operate short-range communications between Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I). DSRC offers great autonomous technology services by allowing vehicles to exchange information either with each other or with the infrastructure such as roadside units that are surrounding the vehicle. DSRC utilizes radio frequency (RF) channels to achieve this communication. However, this concept could create an entry point for attacks to enter the DSRC system and cause serious damage by transmitting fake information. This can trick the vehicle's system and cause catastrophic consequences if the hacker was successful. Therefore, serious safety measures have to be taken into consideration to protect V2V and V2I communications [21], [53].
Cellular: Intelligent vehicles are currently equipped with cellular network technologies such as LTE, 3G, 4G and now 5G [20], and consequently they can communicate with either another vehicle (V2V) or the infrastructure (V2I) at long distances on the scale of miles [54]. Cellular networks, however, are prone to eavesdropping and jamming attacks [56]. Cichonski et al. demonstrated that LTE can be hacked easily by jamming attacks and eavesdropping attacks [56]. Other work by Muhammad et al. [55] demonstrated that LTE and 5G-based vehicular networks are vulnerable to a huge number of attacks. This allows attackers to track vehicle whereabouts in order to get access to the vehicle and carry out harmful operations inside of it. For instance, Miller et al. [11] have been able to hack and stop a Jeep Cherokee running on a highway remotely through 4G.
In-vehicle Applications: Recent developments in the vehicle industry have introduced Human-Machine Interface (HMI) screens that support smartphone application platforms such as Google Android Auto and Apple CarPlay. However, those vehicle applications can cause security threats and can create a path to inject malicious attacks into the HMI and obtain unauthorized access to vehicle functions. An automobile application may be infected through an attack on the phone itself, creating a potential threat to the vehicle's functions if the infected app is then used by the vehicle's HMI. Those automobile applications use wireless mobile telecommunication technologies such as 3G, 4G and 5G, as well as Wi-Fi and Bluetooth, to communicate with the vehicle, which makes intelligent vehicles an open system and creates a potential threat [15]. For example, an attacker can penetrate the application itself and use it to get to a vehicle. Researchers discovered several vulnerabilities in seven popular applications that permit attackers to gain entry to vehicles [57]. Furthermore, Symantec researchers explored fake malicious applications that are made to look like legitimate apps such as the Uber application [58].

IV. AN OVERVIEW OF MALWARE AND HOW IT SPREADS
In this section, we first present an overview of malware and common malware types. Second, we discuss the main motivations of an attacker to spread malware to the vehicle systems. Finally, we present the potential ways for malware to infect the vehicle systems.

A. AN OVERVIEW OF MALWARE AND ITS COMMON TYPES
Malware is malicious code that embeds itself into a software program and intentionally serves the harmful purposes of attackers who target any computing device [59]-[61]. Malware can enter a device through different channels such as files and directories on removable media, downloaded applications and files, and email attachments. Once the malware reaches the device, it is easily executed, either by using the interacting user's authorization privileges or by bypassing the PC's authentication mechanisms to run without the victim's permission. Once executed, it can harm the infected device by compromising its functions, disturbing its operations, stealing data, evading access controls, or gathering sensitive personal information without the victim's permission. It can also obtain unauthorized access to a network system to cause destructive damage to its subsystems. Malware can be grouped into many categories based on the way in which it causes harm and proliferates across systems. This section provides an overview of the most common sorts of malware, including virus, worm, trojan, spyware, rootkit, backdoor, botnet, adware, scareware, and ransomware [62].
• Virus: It is a type of malicious software that can replicate itself into other programs and attaches itself to other files, data, and computers only when it is activated [63]. Viruses cannot cause much harm unless the infected carrier program is executed. A virus usually runs with user involvement [64], and it can spread from one program to another and from one PC to another [65].
• Worm: It is a malicious program that may infect any machine, spreads over computer networks, and takes advantage of system flaws to further its malicious purposes. It uses networking protocols to inspect its local network and spreads once it comes upon possible victim systems [66]. Worms can easily spread and execute within a system and can also replicate themselves on a PC to tamper with important documents and the information on it [67]. They can also encrypt data and deliver spam messages. Worms, unlike viruses, have their own containers via which they spread [68].
• Trojan: It is sometimes called a Trojan horse. It is malicious software that appears legitimate and useful while in fact executing whatever task the hacker intended. It can compromise computer security by gaining unauthorized access to the victim's PC and extracting confidential user information such as credit card information and user credentials, and it can cause much damage by executing unknown and unwanted activities [69].
• Spyware: It is a malicious program that is installed on an electronic device without the user's knowledge and continuously spies on the user's activities without the user's permission [70]. Spyware presents its danger only if the device is connected to the internet, since it can be used to steal sensitive data like credit card information and government and medical records without one's knowledge. Spyware collects this information and sends it to the hacker, who can easily misuse the obtained data [71].
• Rootkit: It is a collection of malicious software designed to allow hackers to access and change operating systems and kernel data structures for harmful purposes [72]. Rootkits also give access to other types of malware to enter into a system and conceal their presence on the computer [73].
• Backdoor: It is a form of malware that allows the infected PC to be remotely accessed without the user's permission by opening a backdoor on the victim's PC [74].
• Botnet: It is malicious software that allows attackers to remotely manipulate a group of infected and controlled devices such as cellphones, PCs, tablets, and internet of things devices. It happens without the users being aware that their PCs have been infected by botnet malware [75]. It is typically used for sending unruly commands, spamming computer systems and performing denial of service attacks [76].
• Adware: It is malicious advertising-supported software that brings advertisements to the computer. It can infect any system when a user tries to download free applications and software such as free games [77]. The main purpose of this malware is to scrutinize the user's activities while they are online [78].
• Scareware: It is malicious software that is designed to mislead users into purchasing and downloading unneeded and potentially harmful software and programs, such as fake antivirus protection, which have posed serious financial and privacy risks to the victims [79].
• Ransomware: It is a malicious program that allows the attacker to either lock the victim's computer or encrypt the victim's data, aiming to deny service to the victim and restrict the victim's access to his data in return for ransom [80]. The malware then demands a ransom payment from the victim in order to restore access and decrypt the victim's data on the infected computer [80].

B. MOTIVATIONS FOR INSTALLING MALWARE ON VEHICLE SYSTEMS
There are a number of motivations behind attackers choosing to spread malware across vehicles. Some of them are:
• Financial Gain (M1): An attacker can restrict the driver's access to his vehicle by infecting the vehicle remotely with ransomware, which can disable the vehicle's functions, for example by immobilizing the motor, locking the in-vehicle radio and locking the doors. Such an attack could restrict the vehicle's functions in a way that the owner's car keys can no longer activate them. The attackers would then be able to demand payment before these functions were re-enabled. As a demonstration for academic research purposes only, work by Wolf et al. [81] showed that vehicle ransomware can be easily created and deployed. Additionally, researchers from McAfee security [82] demonstrated that ransomware can block the use of the vehicle until the ransom is paid. Furthermore, fraud can be a major route for hackers to bring in cash. Hacked vehicles could give stalkers the ability to track the vehicle identification number of any potential victim through GPS, since all intelligent vehicles nowadays have GPS. So, if an attacker can track any vehicle, the attacker can offer a service to anybody who wants to track someone in exchange for money. As a result, the attacker can gain a lot of money by tracking hundreds of vehicles. It's an extraordinary business. As an example, according to a report from Boston 25 News [83], an attacker was able to track a vehicle for many years by hiding a GPS tracking device on the victim's car. Another way for hackers to bring in cash is automated toll booth payments, which may create more points of entry for hackers to steal personal information, for example, visa or banking data. Hackers look for the greatest benefit for the least effort, and intelligent vehicles are going to have many payment systems so that the driver can conveniently pay from the vehicle at toll roads and parking lots [84].
• Infringement on the Driver's Privacy (M2): An attacker could infringe on the privacy of drivers by injecting spyware into a vehicle. An attacker could steal and access sensitive and private data about the driver, for example, where he is located, his driving habits, his credentials, his visa and banking information, his telephone number and call history, the music he listens to, and considerably more. According to an IBM Security report [85], a third party was able to gain access to the personal information of 27.7 million Texas drivers.
• Vandalism (M3): Malware can cause a wide range of disruptions to a driver. Malware might deactivate the brakes or force the car to abruptly slow down while driving, resulting in an accident. Furthermore, malware can be used to lock a vehicle's infotainment system to a random radio station, tamper with the tire pressure monitoring system's displays, or show false messages that force the driver to make important decisions while driving, such as changing the audio level or displaying arbitrary messages or images on the head unit display. Any such disturbance could make the driver commit dangerous errors while driving, cause auto collisions, and harm a carmaker's reputation. A team of hackers was able to hack a Tesla Model S remotely from a 12-mile distance [10] for academic research purposes. The authors of [81] demonstrated that ransomware can be easily deployed and can disable the vehicle's braking system. Furthermore, a research group [86] was able to disable the braking system of a 2009 Chevy Impala, which can harm both the passengers and their property. Additionally, the authors of [11] [88].
In this way, an attacker might hack a victim's vehicle system in order to track the victim, aiming to attack the victim's home and such. Furthermore, hackers might be less interested in the victim's vehicle systems and more interested in the vehicle's connected devices such as cell phones, laptops, and tablets, which can give them access to credit card data, passwords, financial information, and considerably more. If they are able to get into the victim's vehicle systems and locate the victim's connected devices, the victim's data might be in danger. For example, [85] demonstrated that millions of drivers' devices have been accessed by a third party.

C. THE POTENTIAL WAYS FOR MALWARE TO INFECT THE VEHICLE SYSTEMS
In addition to the potential ways presented in Table 2 for an attack to infect the vehicle systems, there are numerous other factors that influence the way malware can enter a vehicle and exploit any vehicle network interface, physical or wireless. Some of the factors are: F1) weaknesses in the design of the software; F2) weaknesses in the hardware; F3) weaknesses in the in-vehicle applications; F4) weaknesses in the in-vehicle network system; F5) the driver's inability to protect document downloads into the vehicle when the driver accesses websites and downloads apps from external sources; F6) external information that may be laced with weaknesses when it enters a vehicle, for example, a software update bundle that is infected with malware before it gets loaded onto a vehicle; F7) weaknesses in the operating systems used on the vehicles. There are various methods by which malware can abuse these weaknesses to infect a vehicle, as shown in Table 3:
• Direct Access: An attacker can infect the vehicular system with malware by getting direct access to the vehicle. For example, Valasek and Miller were able to hack a Jeep Cherokee's infotainment system using the cellular network from a laptop. Upon scanning the network for other vulnerable vehicles, 2,695 more vehicles were discovered that possessed vulnerabilities similar to those that exposed the Jeep to being hacked [11]. By automating the attack on a laptop holding all the programming steps, the same laptop could be used to hack other vehicles directly.
• Updates Over The Air (OTA): Intelligent vehicles already have millions of lines of code, and the complexity of in-vehicle software keeps growing. Remote OTA ECU firmware updates are therefore becoming increasingly important and expected, which increases the chances of malware infecting vehicles from remote locations [89]. [2].
• Operating Systems: While practices vary by automaker, the bulk of software running in intelligent vehicles is not written by the automakers, and some of it comes from free open-source software such as Linux and Android; most intelligent vehicles nowadays use the Linux or Android operating system [92], [93]. Linux systems have proved to be less affected by malware than other operating systems like Windows and Android, since their software comes from limited repositories operated by trusted distributors. Nevertheless, it has been demonstrated that Linux systems are not immune to malware and that Linux malware has been on the rise [94], [95]; what's more, Linux apps and users can be tricked into permitting malware to enter and execute [96].
• Spam and Advertising: Although adding more services to vehicles brings comfort for the driver, it likewise adds greater security risks. With the appearance of internet services in intelligent vehicles that permit Internet access from a browser, it becomes feasible to deliver another kind of spam based on geographical location and travel. For example, imagine a pop-up discount appearing as you approach a fast-food restaurant. Not only is this type of behavior likely to be unpleasant, but it may also cause drivers to get distracted. Additionally, those kinds of spam and advertising are well-known infection vectors that can deliver malware to the vehicle systems [77], [78].
• Third-Party Applications: Intelligent vehicles have been allowing third parties to create applications for extended services. For instance, an application on a smartphone can be used to open or close vehicle doors. These applications can harm vehicle systems as they are open-ended and accessible to everyone, making them an easy target for hackers. Smartphone applications are an easier target for hackers than ECUs, as applications are more flexible and offer more resources. Vehicle applications are also susceptible since certain third parties employ shoddy security methods and credentials are frequently stored in cleartext [50]. These applications may also store individual data, for example, GPS information, vehicle models, and other data.
device's vehicle to infrastructure (V2I) [98]. The data obtained can be used to improve the driving experience and also safety. If this technology is exploited by malware, many connected vehicles will be adversely affected [99], [100].
• Mobile Device to Vehicle: It has become typical in intelligent vehicles to connect smartphones to the vehicle, usually by Bluetooth. This connection permits hands-free calling while driving, playing audio from the driver's smartphone on the vehicle's speaker system, and other conveniences [37]. It is additionally a potential vector for malware [101]. [52].
• Software Bugs: A software bug is an instance of software failing to behave as it was designed, usually caused by mistakes made while writing the software [104]. Bugs can cause software-based systems to be unreliable, commit errors, or give access and control to unauthorized parties [104]. The larger and more complex the body of code, the more bugs it is likely to contain [104]. Today's intelligent vehicles can contain over a hundred million lines of code, and the complexity of in-vehicle software keeps growing. This increases the number of software bugs in vehicles that hackers can exploit to infect them with malware [105], [106].
Once malware infects any subsystem on a vehicle, for example, an infotainment system, it will be able to harm other subsystems in the vehicle, as many subsystems are connected internally, creating cross-system functionality. Malware can transmit signals that disrupt a vehicle's regular operation. It may also launch denial-of-service (DoS) attacks by flooding various subsystems and in-vehicle networks with bogus messages in order to bring them down [107]. In some cases, malware may simply degrade vehicle system performance by overloading processes, or gain unauthorized access to ECUs and harass the passengers [91]. In the case of spying, the malware conceals itself in the system, steals sensitive information about the driver, and delivers it to the attackers [91]. Identifying malware is important because the attack surface is large and, if the situation is not taken seriously, a hacker has plenty of potential entry points to use and can do increasing damage.
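One way to spot the message flooding described above from the defender's side, as an added example (not code from the paper): a monitor learns each CAN ID's peak frame rate from clean traffic, then flags IDs that exceed it or were never seen. The log lines follow the compact `(timestamp) interface ID#DATA` form used by can-utils' candump logs; the traffic, IDs, window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict, deque

WINDOW_US = 1_000_000   # sliding window: one second, in microseconds
FACTOR = 2.0            # alert when an ID exceeds 2x its learned peak (assumed)
LINE = re.compile(r"\((\d+)\.(\d{6})\)\s+\S+\s+([0-9A-Fa-f]{3,8})#[0-9A-Fa-f]*")


def parse(lines):
    """Turn log lines into (timestamp_us, can_id); unparseable lines are skipped."""
    frames = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = int(m.group(1)) * 1_000_000 + int(m.group(2))
            frames.append((ts, int(m.group(3), 16)))
    return frames


def window_counts(frames):
    """Yield (ts, can_id, frames of that ID seen in the last WINDOW_US)."""
    recent = defaultdict(deque)
    for ts, can_id in frames:
        q = recent[can_id]
        q.append(ts)
        while ts - q[0] >= WINDOW_US:
            q.popleft()
        yield ts, can_id, len(q)


def learn_baseline(frames):
    """Peak frames-per-window for every CAN ID in known-good traffic."""
    peak = defaultdict(int)
    for _, can_id, n in window_counts(frames):
        peak[can_id] = max(peak[can_id], n)
    return dict(peak)


def detect(frames, baseline):
    """Return {can_id: (first_alert_ts_us, reason)}."""
    alerts = {}
    for ts, can_id, n in window_counts(frames):
        if can_id in alerts:
            continue
        if can_id not in baseline:
            alerts[can_id] = (ts, "unknown-id")
        elif n > FACTOR * baseline[can_id]:
            alerts[can_id] = (ts, "rate")
    return alerts


def make_log(streams):
    """Constructed traffic: streams are (can_id, period_us, start_us, end_us)."""
    frames = sorted((ts, cid) for cid, period, start, end in streams
                    for ts in range(start, end, period))
    return ["(%d.%06d) can0 %03X#00" % (ts // 1_000_000, ts % 1_000_000, cid)
            for ts, cid in frames]


NORMAL = [(0x0C4, 10_000, 0, 2_000_000), (0x1A0, 100_000, 0, 2_000_000)]
CLEAN_LOG = make_log(NORMAL)
FLOOD_LOG = make_log(NORMAL + [
    (0x1A0, 5_000, 1_000_000, 1_500_000),   # known ID sent far too often
    (0x000, 1_000, 1_200_000, 1_400_000),   # ID never seen in clean traffic
])


def demo():
    baseline = learn_baseline(parse(CLEAN_LOG))
    return (baseline,
            detect(parse(CLEAN_LOG), baseline),
            detect(parse(FLOOD_LOG), baseline))


if __name__ == "__main__":
    print(demo())
```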

V. EXISTING DEFENSE TECHNIQUES AGAINST MALWARE
In the last decade, researchers have explored a wide range of malware defense solutions for computer and mobile systems. Those solutions can be categorized into signature-based, behavior-based, heuristic-based, cloud-based, and machine learning-based techniques [108]-[113]. In this section, we present a detailed review of the main factors in applying these defense systems to protect intelligent vehicles against malware. These factors include the approach used, the data analysis method used, the targeted operating system, the detection time and the detection response, the data source, and the main advantages and disadvantages of each defense system. Figure 4 shows the taxonomy dimensions distributed into six classes. We also briefly describe these classes below.
1) Technique. We classify the existing malware detection techniques into five categories, i.e., signature-based, behavior-based, heuristic-based, cloud-based, and machine learning-based malware detection techniques. Each of these techniques has certain advantages and disadvantages; we discuss the benefits and drawbacks of each technique.
2) Analysis Methods. The whole detection process is accomplished with static, dynamic and hybrid analysis methods. The description of each method is presented below.
Static Analysis. It is a malware analysis method that analyzes executable code without actually executing it. In static analysis, low-level information is extracted from the code by disassembling it with a disassembler tool. The main advantage of this method is that it reveals the code structure of the program without executing it. However, this method may fail in analyzing unknown malware. It may also fail to detect malware that employs obfuscation and evasion techniques in its code [114].
Dynamic Analysis. It is a malware analysis method that entails running the malware and monitoring its behavior, its interactions with the host system, and its impact on the host environment. The infected files are analyzed in a simulated environment such as an emulator, virtual machine or sandbox in order to make the environment invisible to the malware [115]. Although this method is efficient in detecting malware, it may fail to detect malware that uses code obfuscation and evasion techniques.
Hybrid Analysis. It is a malware analysis method that combines both dynamic and static analysis. It examines almost all of the static features of any malware code and then combines them with behavioral features to improve the overall analysis process. Although this method can overcome the limitations of both static and dynamic analysis, it may increase the total execution-time overhead [116].
3) Target Operating System (OS). It refers to the operating system analyzed by the system. It can be Linux, Windows, or Android [92], [93].
4) Detection Time. It refers to the time between the analyzed event and the detection itself. It can be real-time (online) detection, which enables an automatic response such as blocking the attacker and killing the malware process, or non-real-time (offline) detection [117].
5) Detection Response. It refers to the outcome of the system, which can be a passive response, i.e., an event notification such as printing an alert message, or an active response, i.e., an automatic reaction such as blocking the attacker or killing the malware process [117].
6) Data Source. It refers to the source of the input data analyzed by the system. It can be host logs, which are data from the operating system and system applications; application logs, which are data directly generated by applications; or network traffic, which is data generated by the network layer [117].

A. SIGNATURE-BASED MALWARE DETECTION
The signature-based malware detection process occurs in two sequential phases. First, after the malware is identified, a unique representation, or signature, must be created for each malware. This is generally achieved by a combination of manual and automated analysis of data obtained from networks and user devices. Second, every device stores the malware signatures. It can then determine whether a file or data stream is infected by scanning its contents for the malware signatures, which uniquely identify each malware [91]. Signature-based detection is the technique most often used in commercial antivirus tools, which create unique signatures by examining the disassembled code of the malware binary. The binary executable files are disassembled using various disassemblers and debuggers [118]. The features of the disassembled code are extracted and analyzed further. Then, these features are used to create the malware family's signature. Signature-based detection is simpler, faster and safer to implement on intelligent vehicles than other techniques. It is also efficient at detecting known malware. However, it is insufficient for detecting unknown malware, and it is also subject to obfuscation and evasion techniques [119].
Researchers have proposed several approaches to detect malware based on the digital footprints of program files or applications [120]-[135]. Table 4 shows a detailed comparison of the signature-based detection approaches in several articles published in the last decade. These state-of-the-art approaches have used different log files (i.e., application logs, host logs, network traffic logs) to find the digital footprints. Most of the works can detect malware on the Windows operating system (OS). Researchers in [125], [130], [132], [133] have demonstrated their work on Android OS. Works by [124] and [135] remain the only two works that can detect Linux OS-based malware. Apart from the OS dependencies, the detection approaches differ in their way of analysis. Some researchers [120], [121], [132], [133], [135] tried to detect malware by considering only the program file itself; that is, detection is done without executing the code, i.e., static analysis. For example, Shang et al. [120] proposed a novel malware detection method based on function call graph similarity. Other work by Shankarapani et al. [121] used API call sequences and assembly instructions to detect malware. The authors of [132], [133] have used control flow graph signatures to detect malware. Wan et al. [135] were able to detect malware using byte sequences of executable files. Although these approaches are efficient at detecting known malware and provide high accuracy, they are insufficient for detecting unknown malware. Furthermore, these methods are incapable of detecting malware in real time, making them unsuitable for use in intelligent cars.
Additionally, the researchers in [122]-[124], [126]-[130] have used dynamic analysis (data acquired from the running application) to detect malware. For instance, the authors of [122], [123] have used opcode sequences to detect malware. Similarly, the works in [129], [130] have used instruction sequences and application permissions to detect malware. Demme et al. [124] proposed a novel method to detect malware based on hardware performance counters. Although these methods are effective at identifying known malware and have a high level of accuracy compared to static-based approaches, they require high computational time and hardware modifications, and they are also insufficient for detecting new malware. Additionally, these approaches are incapable of identifying malware in real time, rendering them unsuitable for use in intelligent vehicles. Other works focus on a hybrid approach that performs both static and dynamic analysis [131], [134] in order to detect malware. For example, Fan et al. [131] used instruction sequences to detect malware. Similarly, work by Ojugo et al. [134] proposed a method to detect malware using the Boyer-Moore string matching algorithm. These approaches could guarantee higher efficiency and accuracy than static and dynamic approaches. However, they are not capable of real-time malware detection, which makes them impractical for implementation in modern cars. The signature-based detection technique is simpler and safer to implement than other detection techniques since it typically requires less processing power. However, it has numerous drawbacks when applied to defending intelligent cars. For example, signature-based detection is ineffective in detecting new malware (zero-day malware) for which no signatures have been generated. It is also vulnerable to obfuscation and evasion techniques [119].
Furthermore, the existing huge quantity of malware can result in an excessively big malware signature database for a resource-constrained in-vehicle device to store and analyze, which can increase considerably during a vehicle's lengthy lifespan [136]. A typical malware signature database now comprises over a million malicious signatures, resulting in tens of gigabytes of data [137]. As a result, when a car is manufactured, a huge malware signature database must be loaded. However, it will be difficult to anticipate how large a database should be put on a car when it is manufactured, so that it would be able to handle all potential new malware during the vehicle's long lifespan [136]. As a result, a vehicle's storage capacity may need to be increased over time. Additionally, as the number of malware signatures rises [138], the amount of processing power required to scan files for malware signatures will also increase. That is to say, the needed CPU capacity on a vehicle confronts the same problem as the required storage space for malware signatures. Furthermore, when new malware is detected and new malware signatures are created, the malware signature database on each vehicle must be updated on a regular basis. However, frequent malware signature updates to millions of vehicles will be difficult to handle and can be costly to vehicle owners.

B. BEHAVIOUR-BASED MALWARE DETECTION
The behavior-based malware detection technique is used to analyze the execution of a program in order to determine whether it is malicious or not [139]. This approach analyzes the execution of a program in a secure environment such as a virtual machine or a sandbox environment. This technique also uses monitoring tools in order to monitor and determine the behaviors of a program and decide if the program is malicious or benign based on its behaviors [140], [141]. This technique allows the vehicle to detect malware without relying on off-board systems, even with zero-day malware that has never been seen before [142]. The main purpose of this technique is to examine the behavior of any type of malware. Although malware code can be developed in different ways depending on the malware makers, the malware's behavior remains the same; consequently, the majority of new malware may be discovered using this technique [143]. This is the main advantage of this technique. On the other hand, some malware samples do not run properly in a secured environment such as a virtual machine or a sandbox environment. As a result, malware samples may be incorrectly classified as benign. Furthermore, this approach is insufficient for identifying all behaviors of a program and classifying them as malicious or benign. Additionally, advanced code obfuscation and evasion techniques can simply prevent malware from being correctly evaluated [143].
Multiple bodies of work have adopted the behavior-based malware detection technique as a solution against malware [144]-[159]. Table 5 presents a detailed comparison of the behavior-based detection solutions. These state-of-the-art approaches use the application's potential behavior in order to detect suspicious activities. Similar to the signature-based detection approaches, the majority of the presented solutions use the data file logs and have been demonstrated on Windows, Android, and Linux OS. Another similarity between the behavior-based and signature-based techniques is the use of the same data analysis methods (static, dynamic, and hybrid). For example, Sheen et al. [152] proposed a novel method for detecting malware based on static analysis of API calls and permissions. Similarly, the authors of [148], [149] have developed a method to detect malware based on hybrid analysis of API call sequences. Although these approaches have a high detection rate, cost efficiency, overhead, and detection time are their main drawbacks. Because of these drawbacks, these approaches are unsuitable for intelligent vehicles.
In addition, multiple bodies of work examined the use of dynamic analysis for detecting malware [144]-[147], [150], [151], [153]-[159]. For instance, Nikolopoulos et al. [155] proposed a dynamic malware graph-based detection approach based on converting system calls to a temporal graph. Although this approach provides a high detection rate, it has high time consumption and high complexity, which makes it unsuitable for use in intelligent vehicles. Other work by Marhusin et al. [157] proposed a malware n-grams-based detection method based on extraction of API sequences. This method has a low false-positive rate; on the other hand, it has high detection time and high complexity, which makes it unsuitable for use in modern cars. Similarly, the authors of [158], [159] proposed a dynamic malware detection approach based on analysis of API calls and permissions. Other work by Das et al. [154] proposed a dynamic hardware-based method for detecting malware based on system call patterns by using a processor and a field-programmable gate array (FPGA). In this method, the system calls are first extracted and the features are constructed. Then, the features extracted from the benign and malware samples are utilized to train the multilayer perceptron machine learning classifier. The evaluation results showed that this method can detect malware in real-time and block their execution within the first 30% of their execution. This method [154] is the only solution that can detect malware in real-time and has an active detection reaction, while the remaining approaches are not capable of real-time detection. However, this solution [154] is highly complicated, not cost-effective, and not adaptable for intelligent vehicles since it requires hardware modifications to be made to the vehicle devices. As a result, the hardware changes that will be made to millions of vehicles will be difficult to handle and may be costly to vehicle owners and automakers as well.
The behavior-based detection technique has an advantage over the signature-based detection technique in detecting new malware generations (zero-day malware) that have never been seen before. The behavior-based detection technique, on the other hand, is difficult and complex to implement compared to the signature-based detection technique since it typically requires higher processing power and more resources. Although the behavior-based detection technique has the advantage of detecting most new malware generations, it has a lot of drawbacks when applied to safeguarding intelligent vehicles. For instance, the behavior-based detection approach is insufficient for recognizing and categorizing all of a program's behaviors as malicious or benign. As a result, an abnormally high rate of false positives or false negatives may occur [144], [158]. Furthermore, complex code obfuscation and evasion techniques might simply prevent malware from being properly assessed [143]. Additionally, compared to signature-based detection, the behavior-based detection approach is much more difficult to install and more resource-intensive to execute on each vehicle. As a result, this technique might not be appropriate for resource-constrained in-vehicle devices that also require a lightweight solution. Furthermore, any behavior-based approach implemented on a vehicle today will almost certainly become obsolete over time and will need to be modified or replaced during the vehicle's long lifecycle [136].

C. HEURISTIC-BASED MALWARE DETECTION
The heuristic-based malware detection technique is used to examine program files for suspicious characteristics or to emulate the execution of a program, or chosen parts of the program, to identify whether it will perform malicious activities or not [160]. This technique is known for its complexity since it relies on previous experiences and other methods such as data mining, rule-based and machine learning to learn the characteristics of a program in order to assess whether it is malicious or not. It is also used by a lot of existing antivirus software [161]. It is also capable of detecting a wide range of known and unknown malware [162]. This methodology can also allow the vehicle to identify malware without relying on off-board systems, even with zero-day malware that has never been detected before [3]. Although this technique is capable of detecting a wide range of known and unknown malware with a high degree of accuracy, it fails to identify most new malware generations and sophisticated malware as well [160]. Furthermore, it is vulnerable to advanced code obfuscation and evasion techniques that might simply prevent malware from being correctly detected [143].
Several researchers have proposed various heuristic-based malware detection techniques in the last decade [163]-[177]. A thorough comparison of heuristic-based detection solutions is included in Table 6. Some researchers, such as [165], [170], [172], [177], have relied on static analysis to detect malware. For example, the authors of [165], [172] have proposed a method for detecting malware based on control flow graphs and opcodes extracted from disassembled executable files. Work by Zaker et al. [170] used Dynamic Link Libraries (DLLs) to detect malware. Other recent work by Suryati et al. [177] relied on an API call network for detecting malware. These methods are effective at identifying known malware; however, they are insufficient for detecting unknown malware. These approaches are complex and prone to high false-positive rates. These methods are also incapable of identifying malware in real-time since they require a long time to detect malware, making them unsuitable for use in intelligent vehicles.
Additionally, researchers in [167], [174], [176] have relied on dynamic analysis for detecting malware. For instance, Shabtai et al. [167] proposed a dynamic method for detecting malware based on monitoring system opcode n-gram patterns. The authors of [174], [176] have proposed a dynamic graph-based method for detecting malware based on converting system calls to a graph. However, in addition to the high complexity and high computational time needed by these methods to detect malware, these methods are unable to detect malware if the malware can hide its malicious behaviors. They are therefore unfit for use in intelligent cars.
Other researchers have used hybrid analysis for detecting malware [163], [164], [166], [168], [169], [171], [173], [175]. For example, the authors of [163], [164] have used API calls and opcode sequences to detect malware. The remaining works [166], [168], [169], [171], [173], [175] relied on the graph-based method, in which the classification is done on the basis of a graph. For instance, in [166], the authors have implemented a solution against malware based on opcode similarity: in a malware attack, the code contains commands that should not be present in a normal set of code. Other work by Narayanan et al. [173] proposed a hybrid method for detecting malware through online learning. The online machine learning-based framework was used to learn the new malware features over time. This approach was able to detect both known and unknown malware in real-time. However, this method [173] has high complexity and requires high computational power; hence, it is not feasible for intelligent vehicles due to the limited computing power of the ECUs to carry out such a complex process. Furthermore, the response time of this method, from data collection to detection, frequently results in a partially damaged vehicle system, putting drivers at risk.
The heuristic-based detection technique outperforms both signature-based detection and behavior-based detection techniques in detecting unknown malware. In contrast to signature-based detection and behavior-based detection techniques, the heuristic-based detection technique is more difficult and complex to execute since it generally needs more computing power and resources. Although heuristic-based detection offers the benefit of detecting unknown malware, it has a number of limitations when it comes to protecting intelligent cars. For example, this technique might fail to detect new malware generations, as well as sophisticated malware [160]. It is also vulnerable to complex code obfuscation and evasion techniques, which might prevent malware from being identified appropriately [143]. Additionally, this technique is known for its complexity because it depends on prior experiences and other approaches such as data mining and machine learning to learn the features of a program in order to determine whether it behaves maliciously or not [160]. As a result, this technique might not be suitable for resource-constrained in-vehicle devices that also need to be lightweight. Furthermore, any heuristic-based solution deployed on a vehicle today would almost definitely become obsolete over time, requiring modification or replacement at some point throughout the vehicle's lengthy lifespan [136].

D. CLOUD-BASED MALWARE DETECTION
Cloud computing has grown a lot in popularity in the last decade since it provides a lot of benefits, including easy access, on-demand storage, and reduced prices. Because the cloud became so popular in the last ten years, it has also been utilized recently to detect malware. The cloud-based malware detection technique employs a variety of detection agents that are hosted on cloud servers and provides security as a service. Furthermore, a user can submit any type of file and obtain a report indicating whether the submitted file is malware or not [178]. The main advantage of the cloud-based malware detection technique is that it can enhance the detection performance of PCs, mobile devices and vehicular systems with significantly larger malware databases and heavy computing resources. Another advantage of this technique is that installations, configurations, and setups are updated regularly. However, the cloud-based malware detection technique has significant drawbacks. For example, the internet connection must be fast and always available in order for it to work properly, but this is not always the case. Furthermore, in the cloud, real-time monitoring of all files is not possible. Additionally, this technique is vulnerable to obfuscation and evasion techniques [17].
Recently, several researchers have used cloud-based techniques to analyze and identify malware [178]-[194]. Table 7 shows a detailed comparison of cloud-based malware detection solutions. Researchers such as those in [178], [181], [189] have relied on static analysis to detect malware. For example, Ye et al. [178] have used file content and file relation features for detecting malware. Similarly, work by Li et al. [189] proposed a static method to detect malware based on n-gram string features. However, in addition to the high cost and high overhead of these methods, they are not up to the task of detecting unknown malware. These methods are also inappropriate for usage in intelligent cars since they are incapable of detecting malware in real-time because they need a long time to detect malware. In recent studies, dynamic analysis has been utilized in the cloud to detect malware [188], [190]-[194]. For instance, the authors of [188], [192] have proposed a dynamic method for detecting malware based on monitoring system calls. Similarly, work by Mishra et al. [194] proposed a dynamic method to detect malware based on n-gram features. The authors of [191], [193] have used hardware features and hardware performance counters to detect malware. However, in addition to the additional resources and sophisticated hardware changes that these approaches necessitate, they are unable to detect malware in real-time since they need a long time to identify malware. Because of these drawbacks, these approaches are unsuitable for intelligent vehicles.
In addition, several studies have looked into the use of hybrid analysis to detect malware [179], [180], [182]-[187]. For example, Jarabek et al. [180] have proposed a web-based method for detecting malware based on file scanning services. However, this method cannot keep track of all files in the cloud in real-time. The authors of [182], [186] have proposed monitoring system parameters, such as API calls, file contents and permissions, as features for detecting malware. However, these approaches might fail to detect malware in the cloud if the malware can disguise its harmful activities. Other work by Yadav et al. [187] proposed a hybrid approach for detecting malware by utilizing fuzzy k-means and a deep neural network in the cloud. However, this technique requires a large quantity of data for training; hence, it consumes an enormous amount of time for training, making it unsuitable for use in current intelligent cars.
The cloud-based malware detection technique has a number of advantages over conventional malware detection techniques, including quick access, on-demand storage, and lower pricing. The major benefit of using a cloud-based malware detection approach is that it may improve the detection performance of any system with large malware databases and a lot of processing power. Another benefit of this approach is that installations and setups are all updated on a regular basis. However, it has a lot of drawbacks when it comes to protecting intelligent vehicles. For example, this technique is subject to sophisticated code obfuscation and evasion techniques, which may make malware difficult to detect in the cloud [17]. Another issue with this approach is that real-time monitoring of all files in the cloud is not possible, making it impractical for implementation in intelligent vehicles. Additionally, this technique requires a reliable internet connection in order to work properly; if for some reason the internet connection is lost, security can be compromised. As a result, this technique might not be safe enough to apply to intelligent vehicles. But with the advent of high-speed 5G technology [20], this technique might become safer to apply to intelligent vehicles.

E. MACHINE LEARNING-BASED MALWARE DETECTION
For many years, machine learning methods have been employed to identify malware [195]. Naive Bayes (NB), Bayesian network (BN), logistic regression (LR), logistic model trees (LMT), C4.5 decision tree variant (J48), sequential minimal optimization (SMO), random forest tree (RF), multilayer perceptron (MLP), k-nearest neighbor (KNN), and support vector machine (SVM) are examples of well-known machine learning algorithms that have been used for many years in malware detection [195]. Although each algorithm has its own set of benefits and drawbacks, it is impossible to say that one is more effective than the other. However, one algorithm can outperform other algorithms depending on the distribution of data, the number of features, and the correlations between characteristics and attributes [195]. Deep learning is a subfield of machine learning that evolved from artificial neural networks (ANN) that learn from examples. It is a novel methodology that is extensively employed in image processing, voice control, intelligent vehicles, and recently in malware detection as well [196]. It appears highly effective, dramatically reduces the feature space, and is powerful at detecting malware. However, it can be deceived by obfuscation and evasion attacks. Furthermore, building a hidden layer requires a lot of time, and adding more hidden layers seldom improves model performance [197].
In the last decade, researchers have proposed various machine learning-based malware detection techniques [198]-[221]. Table 8 and Table 9 show a detailed comparison of machine learning-based malware detection solutions. Some researchers have used machine learning for detecting malware based on static features [201], [204], [207], [212], [214], [217], [218], [220]. For example, the authors of [201], [204], [207], [212], [214], [218], [220] have used static features such as system calls, strings, byte sequences, DLLs, data flow, native opcodes and image features for detecting malware. However, these methods may fail to identify malware if the malware is able to hide its destructive activities and its contents. Furthermore, the time it takes for these methods to respond from data collection to detection usually results in a partially damaged system, making them unsuitable for use in intelligent vehicles. Other work by Sayadi et al. [217] proposed a novel method for detecting malware based on microarchitectural features. However, in addition to the high computational time and sophisticated hardware changes that are needed by this method to detect malware, this method is also incapable of identifying malware in real-time, making it inappropriate for intelligent cars.
Other researchers have relied on dynamic features for detecting malware [198], [202], [210], [215], [221]. For instance, the authors of [210], [215] have used dynamic features such as behavior features, API calls and opcode sequences for detecting malware. However, if malware is able to disguise its behaviors and contents, these approaches may fail to detect it. In addition, the time it takes these approaches to respond from data collection to detection generally results in a largely infected system, making them unsuitable for use in intelligent cars. Other work by Ghanei et al. [221] used hardware performance counters as features for detecting malware. However, in addition to the high detection time and complex hardware modifications required to detect malware, this approach is also incapable of detecting malware in real-time, making it unsuitable for modern cars. A large portion of existing machine learning-based malware detection techniques relied on hybrid features to detect malware [199], [200], [203], [205], [206], [208], [210], [211], [213], [215], [219]. For example, the authors of [199], [200], [203], [205], [206], [208], [210], [213], [215], [219] have used system calls, instructions, image features, API calls, data flow, network flow, API call sequences and permissions as features for detecting malware. However, these methods may be ineffective if malware is able to conceal its harmful actions and contents, making them inappropriate for modern vehicles. Other work by Sayadi et al. [211] proposed a novel approach for detecting malware based on hardware performance counters. However, this approach is not adaptable for intelligent vehicles since it requires hardware modifications to be made to vehicle devices. As a result, the hardware modifications that will be required for millions of vehicles would be difficult to implement and might be costly to both vehicle owners and automakers.
The machine learning-based malware detection technique provides several advantages over traditional malware detection techniques, including the ability to detect both known and unknown malware and improved detection accuracy. However, it has a lot of limitations when applied to safeguarding intelligent vehicles. For instance, the machine learning-based malware detection technique can be deceived by complex code obfuscation and evasion techniques that make malware difficult to identify [197]. Furthermore, this technique needs an abundant amount of data for training. As a result, this method takes a long time to train, rendering it unsuitable for usage in today's intelligent vehicles. Additionally, most of the solutions that relied on this technique have been suggested and tested on datasets and are not suitable for real-time detection. The non-real-time detection approaches are inappropriate and ineffective for intelligent cars because if a vehicle is attacked with malware, the malware must be identified in real-time in order to ensure the safety of the driver and passengers.

F. INTRUSION DETECTION SYSTEM
An efficient intrusion detection system (IDS) is becoming one of the most essential security components for modern vehicles, as these vehicles are exposed to a huge number of threats. To this end, several IDSs to detect vehicle attacks have been explored in multiple bodies of work. For example, Lee et al. [107] and Song et al. [222] proposed techniques for detecting an intrusion based on analysis of the CAN data time interval by monitoring the request time and response time of the CAN data traffic. Although these techniques are lightweight, they have limitations, especially when in-vehicle environments change frequently, as they require a lot of data updates. Müter et al. [223], [224] proposed an IDS based on monitoring the state of the CAN bus traffic and the entropy of in-vehicle networks. Despite the fact that this technique does not need any hardware modifications, it is unable to detect irregular incoming messages. In addition, multiple bodies of work have adopted physical fingerprinting techniques for IDSs [228], [229], [235]. For instance, Avatefipour et al. [229] proposed a physical fingerprinting technique based on physical ECU features and the physical channel features to detect spoofing attacks. However, this technique can fail when the channel length is increased, which makes the physical ECU features negligible. Other work by [228] proposed a clock-based intrusion detection system (CIDS) for fingerprinting each ECU based on the clock skew characteristic of ECUs. Despite the efficiency of their technique, it has been demonstrated that CIDS may be defeated by a spoofing attacker who can observe the clock skew and adjust his transmission accordingly [236].
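The inter-arrival timing idea behind the interval-based IDSs cited above, as an added example that is not the cited authors' implementation: a profile of per-ID periods is learned from attack-free traffic, then frames that arrive much faster than the profile, or on an unseen ID, are flagged. The candump-style log lines are constructed, and the CAN IDs, thresholds and function names are assumptions; the `RETUNED` case shows the limitation noted above, where a legitimate period change trips a stale profile.

```python
import re
from collections import defaultdict
from statistics import median

# candump-style line: "(seconds.micros) interface ID#HEXDATA"
LINE_RE = re.compile(
    r"^\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2}){0,8})$")


def parse_line(line):
    """Return (timestamp, can_id, data) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))


def learn_periods(lines, min_samples=5):
    """Learn the median inter-arrival time per CAN ID from attack-free traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _ in filter(None, map(parse_line, lines)):
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: median(g) for cid, g in gaps.items() if len(g) >= min_samples}


def detect(lines, periods, ratio=0.5, burst=3):
    """Alert on IDs absent from the profile and on `burst` consecutive frames
    arriving faster than ratio * learned period (extra frames on the bus)."""
    last, short, alerts = {}, defaultdict(int), []
    for ts, can_id, _ in filter(None, map(parse_line, lines)):
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown-id"))
            continue
        if can_id in last:
            if ts - last[can_id] < ratio * periods[can_id]:
                short[can_id] += 1
                if short[can_id] == burst:      # report once per burst
                    alerts.append((ts, can_id, "interval"))
            else:
                short[can_id] = 0
        last[can_id] = ts
    return alerts


def constructed_log(streams):
    """Build constructed traffic from (can_id, first_us, end_us, period_us, hex_data)."""
    events = sorted((t, cid, data)
                    for cid, first, end, period, data in streams
                    for t in range(first, end, period))
    return ["(%d.%06d) can0 %03X#%s" % (t // 10**6, t % 10**6, cid, data)
            for t, cid, data in events]


# All values below are constructed for this example.
NORMAL = [(0x0C9, 0, 1_000_000, 10_000, "8416690D00000000"),   # 10 ms period
          (0x1F1, 3_000, 1_000_000, 100_000, "A4000000")]      # 100 ms period
INJECTED = [(0x0C9, 500_500, 520_500, 2_000, "FFFFFFFFFFFFFFFF"),  # extra frames
            (0x6B2, 700_250, 700_251, 1, "0201")]                  # ID not in profile
RETUNED = [(0x0C9, 0, 1_000_000, 4_000, "8416690D00000000")]   # legitimate new period

if __name__ == "__main__":
    profile = learn_periods(constructed_log(NORMAL))
    for name, streams in (("attack", NORMAL + INJECTED), ("retuned ECU", RETUNED)):
        for ts, can_id, why in detect(constructed_log(streams), profile):
            print("%-12s %.6f  ID 0x%03X  %s" % (name, ts, can_id, why))
```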
Additionally, several message authentication techniques have been explored by researchers to safeguard vehicles against attacks [225]-[227], [237]. For example, Oguma et al. [237] proposed a novel security architecture by adding a master ECU to the network in order to verify other ECUs in the same way as a verification server does. Groza et al. [227] proposed a broadcast authentication technique based on time synchronization and key chains. Similarly, work by Lin et al. [226] proposed a message authentication technique that sends extra messages, which places a higher burden on the CAN bus and hence reduces the available bandwidth of the CAN bus. Other work by Herrewege et al. [225] proposed a message authentication system for the CAN bus by adding the Hash-based Message Authentication Code (HMAC) field to the CAN data frame. Although these approaches improve security, they are inefficient and unsuitable solutions for vehicles since they need additional resources and sophisticated hardware modifications to be made in the CAN protocol.
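What carrying an HMAC field inside an 8-byte classic CAN data field costs, as an added example (not code from the cited papers): each frame carries a payload, the low byte of a freshness counter and a truncated HMAC-SHA256 tag, and the receiver rejects tampered, replayed and wrong-ID frames. The 4/1/3-byte split, the pre-shared key and the class names are assumptions of this example; half of every data field is spent on security fields, and a 3-byte tag is a deliberate size-versus-strength trade-off.

```python
import hashlib
import hmac
import struct

CAN_DATA_LEN = 8   # classic CAN data field
PAYLOAD_LEN = 4    # application bytes left after the security fields (assumed split)
TAG_LEN = 3        # truncated HMAC-SHA256 tag (assumed length)


def _tag(key, can_id, counter, payload):
    """Truncated HMAC over the CAN ID, the full freshness counter and the payload."""
    msg = struct.pack(">IQ", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build(self, payload):
        """Return the 8-byte data field: payload | counter low byte | tag."""
        if len(payload) != PAYLOAD_LEN:
            raise ValueError("payload must be exactly %d bytes" % PAYLOAD_LEN)
        self.counter += 1
        return (payload + bytes([self.counter & 0xFF])
                + _tag(self.key, self.can_id, self.counter, payload))


class Receiver:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, data):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(data) != CAN_DATA_LEN:
            return None
        payload = data[:PAYLOAD_LEN]
        low, tag = data[PAYLOAD_LEN], data[PAYLOAD_LEN + 1:]
        # Rebuild the full counter from its low byte as the smallest value above
        # the last accepted one; a replayed frame then fails tag verification.
        counter = (self.last & ~0xFF) | low
        if counter <= self.last:
            counter += 0x100
        expected = _tag(self.key, self.can_id, counter, payload)
        if not hmac.compare_digest(tag, expected):
            return None
        self.last = counter
        return payload


if __name__ == "__main__":
    key = bytes(range(16))   # constructed demo key; real keys need provisioning
    tx, rx = Sender(key, 0x0C9), Receiver(key, 0x0C9)
    frame = tx.build(b"\x10\x27\x00\x00")
    print("frame   :", frame.hex())
    print("accepted:", rx.accept(frame))
    print("replayed:", rx.accept(frame))
```

The receiver tolerates up to 255 lost frames in a row before the one-byte counter can no longer be reconstructed, which is one of the resynchronisation costs such schemes add.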
Several methods were recently proposed to detect intrusions on the CAN bus based on machine learning techniques [113], [230]-[234], [238], [239]. For instance, Theissler [231] proposed a novel IDS to detect an anomaly on the CAN bus based on multivariate time series. In order to identify both known and unknown fault types in various driving circumstances, an ensemble anomaly detector consisting of two-class and one-class classifiers was created. However, this method has drawbacks, particularly when the in-vehicle environment changes often; these drawbacks might include the constant requirement for calibration and data updates. Other work by Barletta et al. [233] proposed an IDS based on a combination of an unsupervised Kohonen Self-Organizing Map (SOM) network and the k-means algorithm. The CAN IDs, timestamp, DLC and data field were used as features in order to identify attack messages sent on the CAN bus. Minawi et al. [232] also suggested an IDS that uses machine learning and includes crucial warning capabilities to safeguard vehicle operations. The key features utilized to evaluate whether the communication was benign or malicious were the CAN ID and the data field. Furthermore, Martinelli et al. [230] suggested an IDS based on the eight data bytes of a CAN packet as the main features for determining whether a message is benign or malicious. Another study by Hossain et al. [234] presented an IDS based on an LSTM deep learning model. For an in-vehicle CAN bus network attack, the CAN ID, DLC, and data field were exploited as features. Hanselmann et al. [238] developed an IDS based on an unsupervised neural network architecture to identify intrusions and abnormalities on the CAN bus, where the CAN IDs and timestamps were utilized as features. Additionally, the authors of [113], [239] proposed a graph-based IDS that converts the CAN bus messages into a temporal graph and then uses machine learning techniques to identify attack messages sent on the CAN bus. Although the aforementioned methods improve the vehicle's security, they are not feasible for a vehicular network due to the limited computing power of the ECUs to carry out a complex process.
Table 10 shows a detailed comparison of the IDS-based solutions. We observe that some of these solutions can detect any anomalies on the CAN bus by using machine learning technology through different features such as CAN IDs, CAN bus data field, DLC, timestamp, entropy and graph features [107], [113], [224], [230]-[234]. The main benefits of these solutions are that they provide high accuracy and low false positive rates. However, in addition to the high complexity and high computational time required, these solutions lack the ability to detect critical attacks such as malware since these solutions rely on the data link layer and cannot detect an attack such as malware which relies on the application layer. Other IDS approaches such as [228], [229] can detect any intrusions on the CAN bus by using the physical fingerprinting technique. Although such approaches provide some degree of security, they are unable to identify malware attacks that rely on the application layer because they rely on the physical layer.
Other IDS methods such as [225]-[227] can detect any anomalies on the in-vehicle network by adding a message authentication system field to the CAN bus data frame. Although these methods provide a high detection rate and improve the vehicle's security, in addition to the additional resources required and the sophisticated hardware modifications needed, they lack the ability to detect malware attacks since they rely on the data link layer and not on the application layer. In summary, the aforementioned IDS solutions cannot detect malware attacks at the application level and may detect malware attacks at either the data link layer or the physical layer only after the actual damage has likely occurred. Therefore, in addition to the need for an efficient IDS for intelligent vehicles at the data link and physical layers, an efficient malware defense system for modern cars at the application layer is also needed.

VI. OPEN ISSUES AND FUTURE DIRECTIONS
In the previous section, we reviewed malware detection approaches that have been proposed in the last decade based on the method used, the analysis method used, the target operating system, the detection and response times, the data source, and the main benefits and drawbacks of each method. In this section, we first discuss the limitations of applying these approaches in securing and protecting intelligent vehicles against malware. Second, we discuss the security requirements that are needed in order to provide a successful and secure intelligent vehicle system. Finally, we summarize and discuss open research problems for the scientific community to address in order to meet the security requirements that are needed for a successful and secure intelligent vehicle system, and offer some recommendations for developing a more successful detection scheme against malware for intelligent vehicles.

A. EXISTING TECHNIQUES LIMITATIONS IN SECURING INTELLIGENT VEHICLES AGAINST MALWARE
Despite the fact that malware detection techniques are improving day by day, the following limitations of applying these malware detection techniques to intelligent vehicles remain unresolved issues.
Malware can use this technique on vehicles to throttle its execution across multiple ECUs in order to evade detection. Other forms of malware take advantage of multi-core processors, as well as other capabilities like hyper-threading, in order to spread malware activity across several cores to evade detection, as well as to speed up execution to outrun any preventative measures taken by a victim or system administrator [242], [243]. Malware also can use this technique on vehicles to spread its activity across multiple ECUs' threads in order to evade detection. Other sorts of malware can add dummy instructions to their code to make it look different [244], or use instruction substitution to change their code by substituting equivalent instructions for some of them [245], or use code transposition to reorder the sequence of instructions in their code [246], or use subroutine reordering to obfuscate their code by randomly rearranging their subroutines [247]. Consequently, malware can evade detection and avoid being properly analyzed by employing such techniques. As a result, these approaches [120]-[135], [144]-[159], [163]-[194], [198]-[221] are unsuitable for use in intelligent vehicles due to concerns about passenger safety.

• All of the current approaches [120]-[135], [144]-[159], [163]-[194], [198]-[221] might fail to detect new malware generations, as well as sophisticated malware. As a result, these approaches are inappropriate for use in intelligent vehicles due to concerns regarding the safety of drivers and passengers. Furthermore, with the exception of cloud-based approaches, none of the approaches can be used for intelligent vehicles, since they need to be updated regularly in order to handle any potential new malware during the vehicle's long lifespan [136]. Besides, updating them on a regular basis on millions of vehicles would be difficult to handle and can be costly for both vehicle owners and automakers. Cloud-based approaches have an edge over other approaches since all installations and configurations are updated on a regular basis in the cloud. Therefore, we believe cloud-based malware detection will be a feasible solution for safeguarding intelligent vehicles against malware attacks in the future, especially with the advent of high speed 5G technology [20].

• Malware detection in real time is really challenging. The majority of malware detection approaches in the last decade [120]-[135], [144]-[159], [163]-[194], [198]-[221] have been proposed and validated to detect malware using datasets and are not suitable for real-time detection. The issue with these non-real-time approaches is that they are unsuitable for intelligent vehicles, because if the vehicle is infected with malware, the malware must be detected in real time in order to ensure the safety of the drivers and passengers.

• There is no well-known and widely recognized dataset that can be used to assess the effectiveness of malware detection methods [120]-[135], [144]-[159], [163]-[194], [198]-[221]. Although each malware detection technique has its own set of advantages and disadvantages, it is difficult to say that one is more effective than another. This is due to the fact that each malware detection technique uses different malware and a different dataset.

• According to our findings, there are only two malware detection methods [154], [173] that can detect malware in real time. However, these methods [154], [173] need a lot of computational resources, which makes them infeasible for intelligent vehicles due to the limited computational resources of the ECUs and CAN bus. Furthermore, these methods [154], [173] are not cost-efficient and are not adaptable for intelligent vehicles since they need sophisticated hardware modifications. As a result, these methods may not be suitable for resource-constrained in-vehicle devices that also need to be lightweight.

• All present IDS approaches [107], [113], [224]-[234] cannot identify malware attacks at the application level, but they may detect malware attacks at the data link layer or physical layer after the actual damage has likely happened. As a result, in addition to the need for an effective IDS for intelligent vehicles at the data link and physical layers, modern cars also require an effective defense system at the application layer in order to safeguard them against malware.

B. SECURITY REQUIREMENTS TO SECURING INTELLIGENT VEHICLES
In this section, we discuss four essential requirements for securing intelligent vehicles. These are critical security criteria for every communication system. These requirements are authentication, integrity, privacy, and availability. Each requirement is presented below along with its description.
Authentication. It means that access to any information or vehicle data must be given only to authorized users and parties. By giving authorization to specific users and parties to access any information or vehicle data, malware attacks and unauthorized manipulations can be prevented from happening. In this way, the vehicle's network system can be better protected by only giving authorization to certain users and parties. The key management and distribution must be efficient and accurate in order to meet this requirement [248].

Integrity. It refers to the validity of data between the sender and the recipient of a communication system. The most basic criterion of communication system integrity is that the data received is correct and not tampered with intentionally. It is important to check the integrity of the message that is being sent in the vehicle's network system. The message has to be validated to make sure that it has not been manipulated or corrupted by malware, or by other factors such as noise and fading. Error detection and correction codes must be developed to ensure the integrity of any communication system [248].

Privacy. Intelligent vehicles tend to share information with each other (such as Vehicle-to-Vehicle communication) and with the surrounding infrastructure (Vehicle-to-Infrastructure communication) [249]. Therefore, privacy plays a big role in protecting a vehicle's information from being used for unauthorized purposes, such as using the information to spy on vehicles and access their private data [38].

Availability. It refers to the fact that authorized users have access to the systems and resources they need. Improving the chances of all targeted vehicles receiving information is critical in vehicular networks. Continuous availability is tough to accomplish under normal working settings, and it gets more and more challenging when updates and patches are required at various points. It is critical that network activities continue and that the cars remain unaffected. The availability of services at all times is critical. As a result, the needed redundancy for this purpose must be appropriately implemented [250].

C. RECOMMENDATIONS AND FUTURE DIRECTIONS
One of the biggest challenges that automakers face is finding solutions against malware attacks and creating a full immunity system to combat this threat. Although the existing defenses are some of the most effective approaches for building structural defenses against malware attacks, there are still some challenges and issues that need further investigation and study. There are additional potential solutions that could be implemented to provide greater protection and immunity against malware attacks. Some additional potential solutions and directions that would enhance intelligent vehicles' security, and that need to be addressed to meet the security requirements for securing intelligent vehicles, are presented below.

Authentication System Using Li-Fi Technology. A lightweight cryptographic authentication system, if implemented, would boost security in intelligent vehicles. This would provide a secure, efficient and flexible method that is able to handle complicated transportation circumstances [251]. The main idea of creating a lightweight cryptographic authentication system has been in key extraction, key establishment and key distribution. Major milestones have been achieved in protocols such as key extraction using wireless fading channels [252], key establishment using keyless cryptography technology [253] and key distribution using Light Fidelity (Li-Fi) [254]. It has been proven that Li-Fi technology can accomplish high-speed wireless communication of over 3 Gb/s compared to Wi-Fi. Furthermore, Li-Fi technology provides additional security by avoiding interception and eavesdropping. For these reasons, there has been increased interest in integrating Li-Fi technology into intelligent vehicle design for use in authentication systems [254]. Alongside implementing an authentication system, security criteria must be met in order to provide successful and secure protection to the vehicle's system.

Firewall System. Although malware attacks, with their different entry points, can be destructive to intelligent vehicles, there are many measures that can be implemented to defend against them. An intelligent vehicle's system tends to receive updates often. Therefore, the reliability of the source that is sending that information must be checked to make sure malware does not get injected into the intelligent vehicle's network. A network security device such as a firewall should be implemented to monitor and block unwanted data [255]. The firewall's main purpose is to filter any data that enters the system and reject malware attack vectors that have been recognized as a threat. Alongside applying a network security device, security requirements need to be satisfied in order to provide successful and secure protection to the vehicle's system.
Deep Learning Using Offloading Computation Mechanism. Intelligent deep learning, such as neural network technology, is a great way to detect vulnerabilities and eliminate malware attacks in intelligent vehicle systems. Because this technology is more accurate and performs better than machine learning technology in malware detection, it is worth considering this advanced technological approach for intelligent vehicle systems [256]. Deep learning, on the other hand, requires a lot of computing resources and capabilities in the vehicle's ECUs, which leads to memory overloading when deep learning is implemented in ECUs, owing to their limited computation resources. However, the offloading computation mechanism was found to be a possible solution to the limited computation resources of the vehicle's ECUs: it transfers the resource-intensive computational tasks to a separate processor such as an external platform, a hardware accelerator, a cluster, a grid, or a cloud server at the network edge [257]. The future of intelligent vehicles is quite promising, with deep learning using the offloading computation mechanism leading towards faster and more secure vehicle systems.

Software Defined Security. Intelligent vehicles need to be able to detect malware attacks efficiently and effectively. Therefore, a software defined security system can be a reliable solution to detect and eliminate malware threats, and it further improves network security for intelligent vehicles by forwarding the security threat characteristics and traffic parameters for forensic analysis. Software defined security refers to the use of software defined platforms to automate threat detection and mitigation. This can be accomplished by adopting the OpenFlow protocol, Network Function Virtualization (NFV) and Software-Defined Networking (SDN), which uses a multi-layered open virtual switch with a programmatic extension principle that allows automation of threat detection and elimination on a bigger scale [258]. This form of dynamic solution to threats will provide security for intelligent vehicles against malware attacks.
Cloud Based Solution Using 5G Technology. This is another potential future route for intelligent vehicles since it offers several advantages, such as simple access, on-demand storage, and lower pricing. Furthermore, installations, settings, and setups are all updated on a regular basis with this method. It can also improve the malware detection performance of the intelligent vehicle's system with large malware datasets and substantial computing resources. It can also fix the resource allocation issues of the intelligent vehicle's system by storing the data acquired at each ECU in the cloud; the training and testing can also be performed in the cloud to see whether the data is authentic or not. This solution of sending data to the cloud would have been impractical a few years ago, since the internet connection was not fast and not always available, but with the advent of high speed 5G [20], it is now practical to store data in the cloud. The future of intelligent vehicles looks bright, thanks to cloud solutions that leverage 5G technology to create a quicker and more secure vehicle system.

VII. CONCLUSION
In this paper, we first present an in-depth description of the architecture of intelligent vehicles. We also identify the security issues and vulnerabilities of intelligent vehicles in order to illustrate the lack of protection against malware attacks. Furthermore, this paper discusses the most common types of malware that might infiltrate intelligent vehicles, to show how each type of malware can differ from another. Additionally, different entry points for malware to infect intelligent vehicles are covered in this paper to emphasize the importance of protecting them. A comprehensive survey of malware detection techniques is also presented and categorized into five categories, i.e., signature-based, behavior-based, heuristic-based, cloud-based, and machine learning-based malware detection techniques. Each of these techniques has certain advantages and disadvantages, which we discussed. Finally, future directions are provided to further improve the immunity of intelligent vehicle systems against malware attacks.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.

ANYS BACHA is an Assistant Professor at the University of Michigan. He leads the Security and Systems Lab which focuses on advancing the state-of-the-art in mobile and computer systems to address important challenges in security, applied machine learning, and energy efficiency. His research contributions have been published in top tier venues where his work received various prestigious awards. Furthermore, his industry impact is demonstrated through several U.S. and World patents. Prior to joining academia, he spent over 13 years in the industry where he worked in different Research and Development roles on a variety of subsystems spanning the hardware, firmware, and operating systems layers. He led multiple interdisciplinary efforts that include driving architectural changes into next generation Intel processors that are necessary to meet the demands of emerging workloads. During his tenure at Hewlett-Packard, Dr. Bacha led a group of engineers on a multi-million dollar scalable computing project that broke world records in performance in 2015 and 2014.
HAFIZ MALIK (Senior Member, IEEE) is currently an Associate Professor with the Electrical and Computer Engineering (ECE) Department, University of Michigan-Dearborn. He has published more than 100 articles in leading journals, conferences, and workshops. His research interests include automotive cybersecurity, IoT security, sensor security, multimedia forensics, steganography/steganalysis, information hiding, pattern recognition, and information fusion. His research is funded by the National Science Foundation, National Academies, Ford Motor Company, and other agencies. Since 2015, he has been a member of the MCity Working Group on Cybersecurity. He is a Founding Member of the Cybersecurity Center for Research, Education, and Outreach at UM-Dearborn. He is a member of the Leadership Circle of the Dearborn Artificial Intelligence Research Center, UM-Dearborn. He is also a member of the Scientific and Industrial Advisory Board (SIAB), National Center of Cyber Security Pakistan.