Rui Zhao,Cheng Luo,Fei Gao,Zhenhai Gao,Longyi Li,Dong Zhang,Wengang Yang

DOI: https://doi.org/10.3390/electronics13020377

IF: 2.9

2024-01-17

Electronics

Abstract:The Controller Area Network with Flexible Data-Rate (CAN-FD) bus is the predominant in-vehicle network protocol, responsible for transmitting crucial application semantic signals. Due to the absence of security measures, CAN-FD is vulnerable to numerous cyber threats, particularly those altering its authentic physical values. This paper introduces Physical Semantics-Enhanced Anomaly Detection (PSEAD) for CAN-FD networks. Our framework effectively extracts and standardizes the genuine physical meaning features present in the message data fields. The implementation involves a Long Short-Term Memory (LSTM) network augmented with a self-attention mechanism, thereby enabling the unsupervised capture of temporal information within high-dimensional data. Consequently, this approach fully exploits contextual information within the physical meaning features. In contrast to the non-physical semantics-aware whole frame combination detection method, our approach is more adept at harnessing the physical significance inherent in each segment of the message. This enhancement results in improved accuracy and interpretability of anomaly detection. Experimental results demonstrate that our method achieves a mere 0.64% misclassification rate for challenging-to-detect replay attacks and zero misclassifications for DoS, fuzzing, and spoofing attacks. The accuracy has been enhanced by over 4% in comparison to existing methods that rely on byte-level data field characterization at the data link layer.

engineering, electrical & electronic,computer science, information systems,physics, applied

Miki E. Verma,Robert A. Bridges,Samuel C. Hollifield

DOI: https://doi.org/10.48550/arXiv.1811.07897

2018-11-20

Abstract:Modern vehicles contain scores of Electrical Control Units (ECUs) that broadcast messages over a Controller Area Network (CAN). Vehicle manufacturers rely on security through obscurity by concealing their unique mapping of CAN messages to vehicle functions which differs for each make, model, year, and even trim. This poses a major obstacle for after-market modifications notably performance tuning and in-vehicle network security measures. We present ACTT: Automotive CAN Tokenization and Translation, a novel, vehicle-agnostic, algorithm that leverages available diagnostic information to parse CAN data into meaningful messages, simultaneously cutting binary messages into tokens, and learning the translation to map these contiguous bits to the value of the vehicle function communicated.

Other Computer Science,Applications

Xuhang Ying,Giuseppe Bernieri,Mauro Conti,Linda Bushnell,Radha Poovendran

DOI: https://doi.org/10.1109/tdsc.2021.3068213

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In recent years, the security of automotive Cyber-Physical Systems (CPSs) is facing urgent threats due to the widespread use of legacy in-vehicle communication systems. As a representative legacy bus system, the Controller Area Network (CAN) hosts Electronic Control Units (ECUs) that are crucial for the vehicles functioning. In this scenario, malicious actors can exploit the CAN vulnerabilities, such as the lack of built-in authentication and encryption schemes, to launch CAN bus attacks (e.g., suspension, injection, and masquerade attacks) with life-threatening consequences (e.g., disabling brakes). In this article, we present TACAN (Transmitter Authentication in CAN), which provides secure authentication of ECUs on the legacy CAN bus by exploiting the covert channels, without introducing CAN protocol modifications or traffic overheads (no extra bits or CAN messages are used). TACAN turns upside-down the originally malicious concept of covert channels and exploits it to build an effective defensive technique that facilitates transmitter authentication via a centralized, trusted Monitor Node. TACAN consists of three different covert channels for ECU authentication: 1) the Inter-Arrival Time (IAT)-based, leveraging the IATs of CAN messages; 2) the Least Significant Bit (LSB)-based, concealing authentication messages into the LSBs of normal CAN data; and 3) a hybrid covert channel, exploiting the combination of the first two. In order to validate TACAN, we implement the covert channels on the University of Washington (UW) EcoCAR (Chevrolet Camaro 2016) testbed. We further evaluate the bit error, throughput, and detection performance of TACAN through extensive experiments using the EcoCAR testbed and a publicly available dataset collected from Toyota Camry 2010. We demonstrate the feasibility of TACAN and the effectiveness of detecting CAN bus attacks, highlighting no traffic overheads and attesting the regular functionality of-ECUs.

computer science, information systems, software engineering, hardware & architecture

Pablo Moriano,Robert A. Bridges,Michael D. Iannacone

DOI: https://doi.org/10.14722/autosec.2022.23028

2022-03-12

Abstract:Vehicular Controller Area Networks (CANs) are susceptible to cyber attacks of different levels of sophistication. Fabrication attacks are the easiest to administer -- an adversary simply sends (extra) frames on a CAN -- but also the easiest to detect because they disrupt frame frequency. To overcome time-based detection methods, adversaries must administer masquerade attacks by sending frames in lieu of (and therefore at the expected time of) benign frames but with malicious payloads. Research efforts have proven that CAN attacks, and masquerade attacks in particular, can affect vehicle functionality. Examples include causing unintended acceleration, deactivation of vehicle's brakes, as well as steering the vehicle. We hypothesize that masquerade attacks modify the nuanced correlations of CAN signal time series and how they cluster together. Therefore, changes in cluster assignments should indicate anomalous behavior. We confirm this hypothesis by leveraging our previously developed capability for reverse engineering CAN signals (i.e., CAN-D [Controller Area Network Decoder]) and focus on advancing the state of the art for detecting masquerade attacks by analyzing time series extracted from raw CAN frames. Specifically, we demonstrate that masquerade attacks can be detected by computing time series clustering similarity using hierarchical clustering on the vehicle's CAN signals (time series) and comparing the clustering similarity across CAN captures with and without attacks. We test our approach in a previously collected CAN dataset with masquerade attacks (i.e., the ROAD dataset) and develop a forensic tool as a proof of concept to demonstrate the potential of the proposed approach for detecting CAN masquerade attacks.

Cryptography and Security,Machine Learning,Applications

Dahui Gao,Qingfeng Wang,Yong Lei,Zheng Chen,Linying Shangguan

DOI: https://doi.org/10.1155/2015/659623

IF: 1.43

2015-01-01

Mathematical Problems in Engineering

Abstract:The Controller Area Networks (CAN) are widely used in industrial Networked Control Systems (NCSs), such as construction machineries, hybrid vehicles, robotics, and other applications. The message response time (MRT) or communication delay is the main issue to degrade the performance of CAN-based NCSs since its exact value is time-varying and unpredictable. The online acquisition of exact MRT can be quite helpful for the delay compensation of NCSs. However, since the clocks on different nodes are asynchronous, the MRT acquisition in CAN is a challenging work. The current delay acquisition methods for asynchronous systems are not suitable for the delay compensation in CAN-based NCSs because they either increase the bus load of CAN or cannot acquire the exact MRT in real time. In this paper, we propose a novel online real-time MRT estimation method for periodic CAN messages based on the analysis of message traces on CAN bus. The proposed method can estimate the exact MRT of the received message instance in real time without increasing the bus load and can be conveniently embedded into the CAN nodes without requiring additional equipment. In order to validate the proposed method, practical experiments are carried out and the experimental results show that the proposed method can effectively estimate the exact MRT of periodic CAN messages.

Zhangwei Yu,Yan Liu,Guoqi Xie,Renfa Li,Siming Liu,Laurence T. Yang

DOI: https://doi.org/10.1109/tii.2022.3202539

IF: 12.3

2022-12-17

IEEE Transactions on Industrial Informatics

Abstract:Intelligent connected vehicle is rapidly growing with the 5-G technology; the diversity of functional interfaces has significantly expanded the avenues of attack, making automotive controller area network (CAN) more vulnerable to cyberthreats. Automotive CAN network attacks are a direct threat to traffic safety, and in this study, we explore the use of intrusion detection techniques for mitigating cyberattacks. However, most automotive CAN network intrusion detection technologies are not capable of defending against sophisticated attacks, making it extremely challenging for detecting intrusions in practice. In this article, we propose a novel time interval conditional entropy method for detecting intrusions in automotive CAN networks. The time interval conditional entropy intrusion detection method is not susceptible to interference and is capable of detecting a variety of attacks. In our experiments, the conditional entropy values of regular communication messages are collected and utilized to distinguish and detect the attacks. The time interval conditional entropy detection method is implemented and evaluated in our controller area net-work bus (CAN-BUS) network platform. The experiments show that our method has higher detection accuracy and is easier to deploy compared to existing automotive CAN network intrusion detection methods.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Haichun Zhang,Kelin Huang,Jie Wang,Zhenglin Liu

DOI: https://doi.org/10.1109/cisai54367.2021.00050

2021-09-01

Abstract:The Controller Area Network (CAN) bus is the de-facto standard for connecting the Electronic Control Units (ECUs) in automobiles. However, there are serious cyber-security risks due to the lack of security mechanisms. In order to mine the vulnerabilities in CAN bus, this paper proposes CAN-FT, a fuzz testing method for automotive CAN bus, which uses a Generative Adversarial Network (GAN) based fuzzy message generation algorithm and the Adaptive Boosting (AdaBoost) based anomaly detection mechanism to capture the abnormal states of CAN bus. Experimental results on a real-world vehicle show that CAN-FT can find vulnerabilities more efficiently and comprehensively.

Xuhang Ying,Giuseppe Bernieri,Mauro Conti,Radha Poovendran

DOI: https://doi.org/10.48550/arXiv.1903.05231

2019-03-12

Cryptography and Security

Abstract:Nowadays, the interconnection of automotive systems with modern digital devices offers advanced user experiences to drivers. Electronic Control Units (ECUs) carry out a multitude of operations using the insecure Controller Area Network (CAN) bus in automotive Cyber-Physical Systems (CPSs). Therefore, dangerous attacks, such as disabling brakes, are possible and the safety of passengers is at risk. In this paper, we present TACAN (Transmitter Authentication in CAN), which provides secure authentication of ECUs by exploiting the covert channels without introducing CAN protocol modifications or traffic overheads (i.e., no extra bits or messages are used). TACAN turns upside-down the originally malicious concept of covert channels and exploits it to build an effective defensive technique that facilitates transmitter authentication via a trusted Monitor Node. TACAN consists of three different covert channels for ECU authentication: 1) Inter-Arrival Time (IAT)-based, leveraging the IATs of CAN messages; 2) offset-based, exploiting the clock offsets of CAN messages; 3) Least Significant Bit (LSB)-based, concealing authentication messages into the LSBs of normal CAN data. We implement the covert channels on the University of Washington (UW) EcoCAR testbed and evaluate their performance through extensive experiments. We demonstrate the feasibility of TACAN, highlighting no traffic overheads and attesting the regular functionality of ECUs. In particular, the bit error ratios are within 0.1% and 0.42% for the IAT-based and offset-based covert channels, respectively. Furthermore, the bit error ratio of the LSB-based covert channel is equal to that of a normal CAN bus, which is 3.1x10^-7%.

Kevin Setterstrom,Jeremy Straub

2023-07-20

Abstract:the autonomous vehicle industry continues to grow, various companies are exploring the use of aftermarket kits to retrofit existing vehicles with semi-autonomous capabilities. However, differences in implementation of the controller area network (CAN) used by each vehicle manufacturer poses a significant challenge to achieving large-scale implementation of retrofits. To address this challenge, this research proposes a method for reverse engineering the CAN channels associated with a vehicle's accelerator and brake pedals, without any prior knowledge of the vehicle. By simultaneously recording inertial measurement unit (IMU) and CAN data during vehicle operation, the proposed algorithms can identify the CAN channels that correspond to each control. During testing of six vehicles from three manufacturers, the proposed method was shown to successfully identify the CAN channels for the accelerator pedal and brake pedal for each vehicle tested. These promising results demonstrate the potential for using this approach for developing aftermarket autonomous vehicle kits - potentially with additional research to facilitate real-time use. Notably, the proposed system has the potential to maintain its effectiveness despite changes in vehicle CAN standards, and it could potentially be adapted to function with any vehicle communications medium.

Other Computer Science,Robotics,Systems and Control

Zachariah Tyree,Robert A. Bridges,Frank L. Combs,Michael R. Moore

DOI: https://doi.org/10.48550/arXiv.1808.10840

2018-08-28

Abstract:Modern vehicles rely on scores of electronic control units (ECUs) broadcasting messages over a few controller area networks (CANs). Bereft of security features, in-vehicle CANs are exposed to cyber manipulation and multiple researches have proved viable, life-threatening cyber attacks. Complicating the issue, CAN messages lack a common mapping of functions to commands, so packets are observable but not easily decipherable. We present a transformational approach to CAN IDS that exploits the geometric properties of CAN data to inform two novel detectors--one based on distance from a learned, lower dimensional manifold and the other on discontinuities of the manifold over time. Proof-of-concept tests are presented by implementing a potential attack approach on a driving vehicle. The initial results suggest that (1) the first detector requires additional refinement but does hold promise; (2) the second detector gives a clear, strong indicator of the attack; and (3) the algorithms keep pace with high-speed CAN messages. As our approach is data-driven it provides a vehicle-agnostic IDS that eliminates the need to reverse engineer CAN messages and can be ported to an after-market plugin.

Cryptography and Security

Qian Wang,Zhaojun Lu,Gang Qu

DOI: https://doi.org/10.48550/arXiv.1808.04046

2018-08-13

Abstract:Dozens of Electronic Control Units (ECUs) can be found on modern vehicles for safety and driving assistance. These ECUs also introduce new security vulnerabilities as recent attacks have been reported by plugging the in-vehicle system or through wireless access. In this paper, we focus on the security of the Controller Area Network (CAN), which is a standard for communication among ECUs. CAN bus by design does not have sufficient security features to protect it from insider or outsider attacks. Intrusion detection system (IDS) is one of the most effective ways to enhance vehicle security on the insecure CAN bus protocol. We propose a new IDS based on the entropy of the identifier bits in CAN messages. The key observation is that all the known CAN message injection attacks need to alter the CAN ID bits and analyzing the entropy of such bits can be an effective way to detect those attacks. We collected real CAN messages from a vehicle (2016 Ford Fusion) and performed simulated message injection attacks. The experimental results showed that our entropy based IDS can successfully detect all the injection attacks without disrupting the communication on CAN.

Cryptography and Security

William Marfo,Pablo Moriano,Deepak K. Tosh,Shirley V. Moore

2024-08-10

Abstract:Modern vehicles rely on a myriad of electronic control units (ECUs) interconnected via controller area networks (CANs) for critical operations. Despite their ubiquitous use and reliability, CANs are susceptible to sophisticated cyberattacks, particularly masquerade attacks, which inject false data that mimic legitimate messages at the expected frequency. These attacks pose severe risks such as unintended acceleration, brake deactivation, and rogue steering. Traditional intrusion detection systems (IDS) often struggle to detect these subtle intrusions due to their seamless integration into normal traffic. This paper introduces a novel framework for detecting masquerade attacks in the CAN bus using graph machine learning (ML). We hypothesize that the integration of shallow graph embeddings with time series features derived from CAN frames enhances the detection of masquerade attacks. We show that by representing CAN bus frames as message sequence graphs (MSGs) and enriching each node with contextual statistical attributes from time series, we can enhance detection capabilities across various attack patterns compared to using only graph-based features. Our method ensures a comprehensive and dynamic analysis of CAN frame interactions, improving robustness and efficiency. Extensive experiments on the ROAD dataset validate the effectiveness of our approach, demonstrating statistically significant improvements in the detection rates of masquerade attacks compared to a baseline that uses only graph-based features, as confirmed by Mann-Whitney U and Kolmogorov-Smirnov tests (p < 0.05).

Cryptography and Security,Machine Learning

Qiang Dong,Zenglu Song,Haoshu Shao

DOI: https://doi.org/10.1049/ell2.13112

2024-01-30

Electronics Letters

Abstract:This research presents a novel method for detecting and defending against intrusions in the Controller Area Network (CAN) bus used in automotive systems. By analysing frequency anomalies in message transmission and utilizing the arbitration mechanism of the CAN bus, this approach effectively identifies and disrupts illegal messages in real‐time, ensuring the security of the network. As automobile intelligence continues to develop, the electronic control units connected to the Controller Area Network (CAN) bus within vehicles face an increasing number of threats from potential attacks originating from the internet. To address this issue, an intrusion detection and defence method is proposed that is capable of detecting illegal messages through the use of frequency anomaly detection, and subsequently disrupting them through utilization of the CAN bus arbitration mechanism. This proposed method offers a simple implementation compared to traditional approaches, while being able to identify suspicious units and neutralize threats in real‐time. Experimental results demonstrate the effectiveness of this approach.

engineering, electrical & electronic

Markus Hanselmann,Thilo Strauss,Katharina Dormann,Holger Ulmer

DOI: https://doi.org/10.1109/access.2020.2982544

IF: 3.9

2020-01-01

IEEE Access

Abstract:We propose a neural network architecture for detecting intrusions on the controller area network (CAN). The latter is the standard communication method between the electronic control units (ECUs) of automobiles. However, CAN lacks security mechanisms and it has recently been shown that it can be attacked remotely. Hence, it is desirable to monitor CAN traffic to detect intrusions. In order to find both, known and unknown intrusion scenarios, we consider a novel unsupervised learning approach which we call CANet. To our knowledge, this is the first deep learning based intrusion detection system (IDS) that naturally handles the data structure of the high dimensional CAN bus, where different message types are sent at different times. Our method is evaluated on real and synthetic CAN data. A comparison with previous machine learning based methods shows that CANet outperforms them by a significant margin. For reproducibility of the method, our synthetic data is publicly available.

Francesco Pollicino,Dario Stabili,Mirco Marchetti

DOI: https://doi.org/10.1145/3604913

2023-07-10

Abstract:This work presents an experimental evaluation of the detection performance of eight different algorithms for anomaly detection on the Controller Area Network (CAN) bus of modern vehicles based on the analysis of the timing or frequency of CAN messages. This work solves the current limitations of related scientific literature, that is based on private dataset, lacks of open implementations, and detailed description of the detection algorithms. These drawback prevent the reproducibility of published results, and makes it impossible to compare a novel proposal against related work, thus hindering the advancement of science. This paper solves these issues by publicly releasing implementations, labeled datasets and by describing an unbiased experimental comparisons.

Cryptography and Security,Performance

Junchao Xiao,Hao Wu,Xiangxue Li,Yuan Linghu

DOI: https://doi.org/10.1007/978-3-030-38961-1_40

2020-01-01

Abstract:A vehicle bus is a specialized internal communication network that interconnects components inside a vehicle. The Controller Area Network (CAN bus), a robust vehicle bus standard, allows microcontrollers and devices to communicate with each other. The community has seen many security breach examples that exploit CAN functionalities and other in-vehicle flaws. Intrusion detection systems (IDSs) on in-vehicle network are advantageous in monitoring CAN traffic and suspicious activities. Whereas, existing IDSs on in-vehicle network only support one or two attack models, and identifying abnormal in-vehicle CAN traffic against diversified attack models with better performance is more expected as can be then implemented practically. In this paper, we propose an intrusion detection system that can detect many different attacks. The method analyzes the CAN traffic generated by the in-vehicle network in real time and identifies the abnormal state of the vehicle practically. Our proposal fuses the autoencoder trick to the SVM model. More precisely, we introduce to the system an autoencoder that learns to compress CAN traffic data into extracted features (which can be uncompressed to closely match the original data). Then, the support vector machine is trained on the features to detect abnormal traffic. We show detailed model parameter configuration by adopting several concrete attacks. Experimental results demonstrate better detection performance (than existing proposals).

Xiaojie Lin,Baihe Ma,Xu Wang,Guangsheng Yu,Ying He,Ren Ping Liu,Wei Ni

2024-08-18

Abstract:As the primary standard protocol for modern cars, the Controller Area Network (CAN) is a critical research target for automotive cybersecurity threats and autonomous applications. As the decoding specification of CAN is a proprietary black-box maintained by Original Equipment Manufacturers (OEMs), conducting related research and industry developments can be challenging without a comprehensive understanding of the meaning of CAN messages. In this paper, we propose a fully automated reverse-engineering system, named ByCAN, to reverse engineer CAN messages. ByCAN outperforms existing research by introducing byte-level clusters and integrating multiple features at both byte and bit levels. ByCAN employs the clustering and template matching algorithms to automatically decode the specifications of CAN frames without the need for prior knowledge. Experimental results demonstrate that ByCAN achieves high accuracy in slicing and labeling performance, i.e., the identification of CAN signal boundaries and labels. In the experiments, ByCAN achieves slicing accuracy of 80.21%, slicing coverage of 95.21%, and labeling accuracy of 68.72% for general labels when analyzing the real-world CAN frames.

Cryptography and Security,Machine Learning,Networking and Internet Architecture,Systems and Control

Haichun Zhang,Xu Meng,Xiong Zhang,Zhenglin Liu

DOI: https://doi.org/10.3390/s20174900

IF: 3.9

2020-08-30

Sensors

Abstract:The Internet of Things (IoT) is an industry-recognized next intelligent life solution that increases the level of comfort, efficiency, and automation for citizens through numerous sensors, smart devices, and cloud stations connected physically. As an important application scenario of IoT, the Internet of Vehicles (IoV) plays an extremely critical role in the intelligent transportation field. In fact, the In-Vehicle Network of smart vehicles that are recognized as the core roles in intelligent transportation is currently the Controller Area Network (CAN). However, the In-Vehicle CAN bus protocol has several vulnerabilities without any encryption, authentication, or integrity checking, which severely threatens the safety of drivers and passengers. Once malicious attackers hack the vehicular gateway and obtain the access right of the CAN, they may control the vehicle based on the vulnerabilities of the CAN bus protocol. Given the severe security risk of CAN, we proposed the CANsec, a practical In-Vehicle CAN security evaluation tool that simulates malicious attacks according to major attack models to evaluate the security risk of the In-Vehicle CAN. We also show a usage case of the CANsec without knowing any information from the vehicle manufacturer.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Umberto Fugiglando,Emanuele Massaro,Paolo Santi,Sebastiano Milardo,Kacem Abida,Rainer Stahlmann,Florian Netter,Carlo Ratti

DOI: https://doi.org/10.48550/arXiv.1710.04133

2017-10-09

Abstract:Cars can nowadays record several thousands of signals through the CAN bus technology and potentially provide real-time information on the car, the driver and the surrounding environment. This paper proposes a new method for the analysis and classification of driver behavior using a selected subset of CAN bus signals, specifically gas pedal position, brake pedal pressure, steering wheel angle, steering wheel momentum, velocity, RPM, frontal and lateral acceleration. Data has been collected in a completely uncontrolled experiment, where 64 people drove 10 cars for or a total of over 2000 driving trips without any type of pre-determined driving instruction on a wide variety of road scenarios. We propose an unsupervised learning technique that clusters drivers in different groups, and offers a validation method to test the robustness of clustering in a wide range of experimental settings. The minimal amount of data needed to preserve robust driver clustering is also computed. The presented study provides a new methodology for near-real-time classification of driver behavior in uncontrolled environments.

Machine Learning,Computers and Society,Data Analysis, Statistics and Probability

Krzysztof Pawelec,Robert A. Bridges,Frank L. Combs

DOI: https://doi.org/10.48550/arXiv.1812.11596

2019-01-05

Abstract:Modern vehicles contain a few controller area networks (CANs), which allow scores of on-board electronic control units (ECUs) to communicate messages critical to vehicle functions and driver safety. CAN provide a lightweight and reliable broadcast protocol but is bereft of security features. As evidenced by many recent research works, CAN exploits are possible both remotely and with direct access, fueling a growing CAN intrusion detection system (IDS) body of research. A challenge for pioneering vehicle-agnostic IDSs is that passenger vehicles' CAN message encodings are proprietary, defined and held secret by original equipment manufacturers (OEMs). Targeting detection of next-generation attacks, in which messages are sent from the expected ECU at the expected time but with malicious content, researchers are now seeking to leverage "CAN data models", which predict future CAN message contents and use prediction error to identify anomalous, hopefully malicious CAN messages. Yet, current works model CAN signals post-translation, i.e., after applying OEM-donated or reverse-engineered translations from raw data. In this work, we present initial IDS results testing deep neural networks used to predict CAN data at the bit level, thereby providing IDS capabilities but avoiding reverse engineering proprietary encodings. Our results suggest the method is promising for continuous signals in CAN data, but struggles for discrete, e.g., binary, signals.

Cryptography and Security