lei xue,yangyang liu,tianqi li,kaifa zhao,jianfeng li,le yu,xiapu luo,yajin zhou,guofei gu

2022-01-01

Abstract:Modern vehicles are equipped with many ECUs (Electronic Control Unit) that are connected to the IVN (In-Vehicle Network) for controlling the vehicles. Meanwhile, various interfaces of vehicles, such as OBD-II port, T-Box, sensors, and telematics, implement the interaction between the IVN and external environment. Although rich value-added functionalities can be provided through these interfaces, such as diagnostics and OTA (Over The Air) updates, the adversary may also inject malicious data into IVN, thus causing severe safety issues. Even worse, existing defense approaches mainly focus on detecting the injection attacks launched from IVN, such as malicious/compromised ECUs, by analyzing CAN frames, and cannot defend against the higher layer MIAs (Message Injection Attacks) that can cause abnormal vehicle dynamics. In this paper, we propose a new state-aware abnormal message injection attack defense approach, named SAID. It detects the abnormal data to be injected into IVN by considering the data semantics and the vehicle dynamics and prevents the MIAs launched from devices connected to the vehicles, such as the compromised diagnostic tools and T-boxes. We develop a prototype of SAID for defending against MIAs and evaluate it using both real road data and simulation data. The experimental results show that SAID can defend against more than 99% of the network and service layer attack traffic and all state layer MIAs, effectively enforcing the safety of vehicles.

Qian Wang,Zhaojun Lu,Gang Qu

DOI: https://doi.org/10.48550/arXiv.1808.04046

2018-08-13

Abstract:Dozens of Electronic Control Units (ECUs) can be found on modern vehicles for safety and driving assistance. These ECUs also introduce new security vulnerabilities as recent attacks have been reported by plugging the in-vehicle system or through wireless access. In this paper, we focus on the security of the Controller Area Network (CAN), which is a standard for communication among ECUs. CAN bus by design does not have sufficient security features to protect it from insider or outsider attacks. Intrusion detection system (IDS) is one of the most effective ways to enhance vehicle security on the insecure CAN bus protocol. We propose a new IDS based on the entropy of the identifier bits in CAN messages. The key observation is that all the known CAN message injection attacks need to alter the CAN ID bits and analyzing the entropy of such bits can be an effective way to detect those attacks. We collected real CAN messages from a vehicle (2016 Ford Fusion) and performed simulated message injection attacks. The experimental results showed that our entropy based IDS can successfully detect all the injection attacks without disrupting the communication on CAN.

Cryptography and Security

Zixiang Bi,Guoai Xu,Guosheng Xu,Miaoqing Tian,Ruobing Jiang,Sutao Zhang

DOI: https://doi.org/10.1155/2022/2554280

IF: 1.968

2022-03-07

Security and Communication Networks

Abstract:As the number and computational power of electronic computing units installed in standard automobiles continue to increase, contemporary motor vehicles face more cybersecurity threats than previous designs, while providing greater convenience and various useful features. Although vehicles are attacked at various entry points, eventually, attacks are injected into the in-vehicle controller area network (CAN) to cause vehicle anomalies. Currently, OEMs and research fields have implemented protection for the CAN bus in terms of external interfaces, internal protocols, and intrusion detection. Although the deployment of intrusion detection solutions is the most effective approach, the main challenges currently faced by automobile intrusion detection algorithms in practice involve limited computing resources, insufficient real-time responsiveness, and low recognition accuracy. In this study, we propose a novel intrusion detection method based on the message and time transfer matrix to address these difficulties, which can be applied to the vehicle Electronic Control Unit (ECU) to achieve real-time attack signal identification with high accuracy. Experiments on actual vehicles show that the proposed algorithm identified various attacks with high accuracy while consuming less computational and storage resources than previous methods. Moreover, the efficiency of the proposed algorithm is not affected by the attack injection frequency. Compared with other methods, the proposed method achieved better attack identification performance. Additionally, the message and time transfer matrix used by the algorithm can be used as a message transfer fingerprint of the CAN bus to discover anomalies.

computer science, information systems,telecommunications

Zhangwei Yu,Yan Liu,Guoqi Xie,Renfa Li,Siming Liu,Laurence T. Yang

DOI: https://doi.org/10.1109/tii.2022.3202539

IF: 12.3

2022-12-17

IEEE Transactions on Industrial Informatics

Abstract:Intelligent connected vehicle is rapidly growing with the 5-G technology; the diversity of functional interfaces has significantly expanded the avenues of attack, making automotive controller area network (CAN) more vulnerable to cyberthreats. Automotive CAN network attacks are a direct threat to traffic safety, and in this study, we explore the use of intrusion detection techniques for mitigating cyberattacks. However, most automotive CAN network intrusion detection technologies are not capable of defending against sophisticated attacks, making it extremely challenging for detecting intrusions in practice. In this article, we propose a novel time interval conditional entropy method for detecting intrusions in automotive CAN networks. The time interval conditional entropy intrusion detection method is not susceptible to interference and is capable of detecting a variety of attacks. In our experiments, the conditional entropy values of regular communication messages are collected and utilized to distinguish and detect the attacks. The time interval conditional entropy detection method is implemented and evaluated in our controller area net-work bus (CAN-BUS) network platform. The experiments show that our method has higher detection accuracy and is easier to deploy compared to existing automotive CAN network intrusion detection methods.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Yijie Xun,Zhouyan Deng,Jiajia Liu,Yilin Zhao

DOI: https://doi.org/10.1109/tvt.2023.3236820

IF: 6.8

2023-01-01

IEEE Transactions on Vehicular Technology

Abstract:Intelligent connected vehicles (ICVs) integrate advanced equipment and communication network technologies to realize information exchange and sharing between vehicles and people, roads, clouds, etc., bringing great convenience to people's lives. However, the interconnection of intelligent equipment and vehicles also brings many vulnerable interfaces, threatening the security of in-vehicle networks, e.g., controller area network (CAN) bus. For protecting the security of CAN bus, some researchers propose a data encryption and decryption protocol-based method. Note that due to the resource constraints of computing and bandwidth and the requirements for low-delay data transmission, the research on protocol-based data encryption and decryption method is progressing slowly. For this reason, more researchers study vehicle intrusion detection systems (IDSs) based on side channel analysis. It does not occupy the bandwidth of CAN bus, and detects intrusion by analyzing the physical characteristics of CAN bus. Nevertheless, most of the existing work either cannot locate the source electronic control unit (ECU) of the malicious data frames, or cannot detect malicious data frames from ECUs and external nodes simultaneously, which greatly limits their practical application value. Therefore, we propose a novel IDS based on vehicle voltage signals. Specifically, we map multiple identifiers (IDs) sent for each ECU without developer documentation. In addition, we creatively design FeatureBagging-CNN combined model to detect malicious intrusion. When the external nodes or compromised ECUs send malicious data frames, the system can accurately detect them and locate their sender.

telecommunications,engineering, electrical & electronic,transportation science & technology

Junchao Xiao,Hao Wu,Xiangxue Li,Yuan Linghu

DOI: https://doi.org/10.1007/978-3-030-38961-1_40

2020-01-01

Abstract:A vehicle bus is a specialized internal communication network that interconnects components inside a vehicle. The Controller Area Network (CAN bus), a robust vehicle bus standard, allows microcontrollers and devices to communicate with each other. The community has seen many security breach examples that exploit CAN functionalities and other in-vehicle flaws. Intrusion detection systems (IDSs) on in-vehicle network are advantageous in monitoring CAN traffic and suspicious activities. Whereas, existing IDSs on in-vehicle network only support one or two attack models, and identifying abnormal in-vehicle CAN traffic against diversified attack models with better performance is more expected as can be then implemented practically. In this paper, we propose an intrusion detection system that can detect many different attacks. The method analyzes the CAN traffic generated by the in-vehicle network in real time and identifies the abnormal state of the vehicle practically. Our proposal fuses the autoencoder trick to the SVM model. More precisely, we introduce to the system an autoencoder that learns to compress CAN traffic data into extracted features (which can be uncompressed to closely match the original data). Then, the support vector machine is trained on the features to detect abnormal traffic. We show detailed model parameter configuration by adopting several concrete attacks. Experimental results demonstrate better detection performance (than existing proposals).

Hyungchul Im,Donghyeon Lee,Seongsoo Lee

DOI: https://doi.org/10.3390/s24092807

IF: 3.9

2024-04-29

Sensors

Abstract:The Controller Area Network (CAN), widely used for vehicular communication, is vulnerable to multiple types of cyber-threats. Attackers can inject malicious messages into the CAN bus through various channels, including wireless methods, entertainment systems, and on-board diagnostic ports. Therefore, it is crucial to develop a reliable intrusion detection system (IDS) capable of effectively distinguishing between legitimate and malicious CAN messages. In this paper, we propose a novel IDS architecture aimed at enhancing the cybersecurity of CAN bus systems in vehicles. Various machine learning (ML) models have been widely used to address similar problems; however, although existing ML-based IDS are computationally efficient, they suffer from suboptimal detection performance. To mitigate this shortcoming, our architecture incorporates specially designed rule-based filters that cross-check outputs from the traditional ML-based IDS. These filters scrutinize message ID and payload data to precisely capture the unique characteristics of three distinct types of cyberattacks: DoS attacks, spoofing attacks, and fuzzy attacks. Experimental evidence demonstrates that the proposed architecture leads to a significant improvement in detection performance across all utilized ML models. Specifically, all ML-based IDS achieved an accuracy exceeding 99% for every type of attack. This achievement highlights the robustness and effectiveness of our proposed solution in detecting potential threats.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Qiang Dong,Zenglu Song,Haoshu Shao

DOI: https://doi.org/10.1049/ell2.13112

2024-01-30

Electronics Letters

Abstract:This research presents a novel method for detecting and defending against intrusions in the Controller Area Network (CAN) bus used in automotive systems. By analysing frequency anomalies in message transmission and utilizing the arbitration mechanism of the CAN bus, this approach effectively identifies and disrupts illegal messages in real‐time, ensuring the security of the network. As automobile intelligence continues to develop, the electronic control units connected to the Controller Area Network (CAN) bus within vehicles face an increasing number of threats from potential attacks originating from the internet. To address this issue, an intrusion detection and defence method is proposed that is capable of detecting illegal messages through the use of frequency anomaly detection, and subsequently disrupting them through utilization of the CAN bus arbitration mechanism. This proposed method offers a simple implementation compared to traditional approaches, while being able to identify suspicious units and neutralize threats in real‐time. Experimental results demonstrate the effectiveness of this approach.

engineering, electrical & electronic

Asma Alfardus,Danda B. Rawat

DOI: https://doi.org/10.1109/uemcon53757.2021.9666745

2021-12-01

Abstract:The advent of automotive industry has an increasing market demand pertaining to installation of intelligent transportation facilities in modern vehicles. Now more comfortable and safer travelling experience is one best trait of these vehicles. Moreover, it has opened new gates to advancement in automotive sector. Modern vehicles are connected to advance systems and technologies using various communication protocols. Amongst numerous communication protocols, one widely used protocol is the controller area network (CAN) bus which serves as a central medium for in-vehicle communications. However, the communication in these vehicles may impose greater threats and may ultimately compromise the security by breaching the system. Various attacks on CAN bus may compromise the confidentiality, integrity and availability of vehicular data through intrusions which may endanger the physical safety of vehicle and passengers. In this paper, a novel machine learning based approach is used to devise an Intrusion Detection System for the CAN bus network. The proposed system is scalable and adaptable to a diverse set of emerging attacks on autonomous vehicles. Results witnessed the accuracy of 100% of our proposed system in detecting and safeguarding threats against multiple impersonation and denial of service attacks as well as 99% accuracy of fuzzy attacks.

Riadul Islam,Rafi Ud Daula Refat,Sai Manikanta Yerram,Hafiz Malik

DOI: https://doi.org/10.1109/tits.2020.3025685

IF: 8.5

2022-03-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:The controller area network (CAN) is the most widely used intra-vehicular communication network in the automotive industry. Because of its simplicity in design, it lacks most of the requirements needed for a security-proven communication protocol. However, a safe and secured environment is imperative for autonomous as well as connected vehicles. Therefore CAN security is considered one of the important topics in the automotive research community. In this article, we propose a four-stage intrusion detection system that uses the chi-squared method and can detect any kind of strong and weak cyber attacks in a CAN. This work is the first-ever graph-based defense system proposed for the CAN. Our experimental results show that we have a very low 5.26% misclassification for denial of service (DoS) attack, 10% misclassification for fuzzy attack, 4.76% misclassification for replay attack, and no misclassification for spoofing attack. In addition, the proposed methodology exhibits up to 13.73% better accuracy compared to existing ID sequence-based methods.

engineering, electrical & electronic,transportation science & technology, civil

Jingwen Wei,Ye Chen,Yingxu Lai,Yuhang Wang,Zhaoyi Zhang

DOI: https://doi.org/10.1109/lcomm.2022.3195486

IF: 3.5529

2022-11-12

IEEE Communications Letters

Abstract:A controller area network (CAN) bus that controls real-time communication and data transmission of electronic control units in vehicles lacks security mechanisms and is highly vulnerable to attacks. The detection effectiveness of existing In-Vehicle network intrusion detection systems (IDSs) is usually reliant on training samples of known attacks. Owing to the simple structure of the CAN bus protocol, attackers can easily create variants based on known attacks. In this study, we propose a CAN bus IDS based on a domain adversarial neural network, which can achieve high detection performance on unlearned variant attack data. In addition, we used feature fusion techniques to synthetically extract the features of the attack data to improve detection capability. The experimental results demonstrate that our proposed model has high performance and generalization ability in attack detection.

telecommunications

Md Hasan Shahriar,Yang Xiao,Pablo Moriano,Wenjing Lou,Y. Thomas Hou

DOI: https://doi.org/10.1109/JIOT.2023.3303271

2023-10-08

Abstract:Modern vehicles rely on a fleet of electronic control units (ECUs) connected through controller area network (CAN) buses for critical vehicular control. With the expansion of advanced connectivity features in automobiles and the elevated risks of internal system exposure, the CAN bus is increasingly prone to intrusions and injection attacks. As ordinary injection attacks disrupt the typical timing properties of the CAN data stream, rule-based intrusion detection systems (IDS) can easily detect them. However, advanced attackers can inject false data to the signal/semantic level, while looking innocuous by the pattern/frequency of the CAN messages. The rule-based IDS, as well as the anomaly-based IDS, are built merely on the sequence of CAN messages IDs or just the binary payload data and are less effective in detecting such attacks. Therefore, to detect such intelligent attacks, we propose CANShield, a deep learning-based signal-level intrusion detection framework for the CAN bus. CANShield consists of three modules: a data preprocessing module that handles the high-dimensional CAN data stream at the signal level and parses them into time series suitable for a deep learning model; a data analyzer module consisting of multiple deep autoencoder (AE) networks, each analyzing the time-series data from a different temporal scale and granularity, and finally an attack detection module that uses an ensemble method to make the final decision. Evaluation results on two high-fidelity signal-based CAN attack datasets show the high accuracy and responsiveness of CANShield in detecting advanced intrusion attacks.

Cryptography and Security,Machine Learning

Seonghoon Jeong,Sangho Lee,Hwejae Lee,Huy Kang Kim

DOI: https://doi.org/10.1109/TVT.2023.3327275

2024-03-14

Abstract:Controller Area Network (CAN) is an essential networking protocol that connects multiple electronic control units (ECUs) in a vehicle. However, CAN-based in-vehicle networks (IVNs) face security risks owing to the CAN mechanisms. An adversary can sabotage a vehicle by leveraging the security risks if they can access the CAN bus. Thus, recent actions and cybersecurity regulations (e.g., UNR 155) require carmakers to implement intrusion detection systems (IDSs) in their vehicles. The IDS should detect cyberattacks and provide additional information to analyze conducted attacks. Although many IDSs have been proposed, considerations regarding their feasibility and explainability remain lacking. This study proposes X-CANIDS, which is a novel IDS for CAN-based IVNs. X-CANIDS dissects the payloads in CAN messages into human-understandable signals using a CAN database. The signals improve the intrusion detection performance compared with the use of bit representations of raw payloads. These signals also enable an understanding of which signal or ECU is under attack. X-CANIDS can detect zero-day attacks because it does not require any labeled dataset in the training phase. We confirmed the feasibility of the proposed method through a benchmark test on an automotive-grade embedded device with a GPU. The results of this work will be valuable to carmakers and researchers considering the installation of in-vehicle IDSs for their vehicles.

Cryptography and Security,Signal Processing

Ajeet Kumar Dwivedi

DOI: https://doi.org/10.48550/arXiv.2205.03537

2022-05-07

Cryptography and Security

Abstract:The progression of innovation and technology and ease of inter-connectivity among networks has allowed us to evolve towards one of the promising areas, the Internet of Vehicles. Nowadays, modern vehicles are connected to a range of networks, including intra-vehicle networks and external networks. However, a primary challenge in the automotive industry is to make the vehicle safe and reliable; particularly with the loopholes in the existing traditional protocols, cyber-attacks on the vehicle network are rising drastically. Practically every vehicle uses the universal Controller Area Network (CAN) bus protocol for the communication between electronic control units to transmit key vehicle functionality and messages related to driver safety. The CAN bus system, although its critical significance, lacks the key feature of any protocol authentication and authorization. Resulting in compromises of CAN bus security leads to serious issues to both car and driver safety. This paper discusses the security issues of the CAN bus protocol and proposes an Intrusion Detection System (IDS) that detects known attacks on in-vehicle networks. Multiple Artificial Intelligence (AI) algorithms are employed to provide recognition of known potential cyber-attacks based on messages, timestamps, and data packets traveling through the CAN. The main objective of this paper is to accurately detect cyberattacks by considering time-series features and attack frequency. The majority of the evaluated AI algorithms, when considering attack frequency, correctly identify known attacks with remarkable accuracy of more than 99%. However, these models achieve approximately 92% to 97% accuracy when timestamps are not taken into account. Long Short Term Memory (LSTM), Xgboost, and SVC have proved to the well-performing classifiers.

Mubark Jedh,Lotfi Ben Othmane,Noor Ahmed,Bharat Bhargava

DOI: https://doi.org/10.1109/tifs.2021.3098162

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The smart features of modern cars are enabled by a number of Electronic Control Units (ECUs) components that communicate through an in-vehicle network, known as Controller Area Network (CAN) bus. The fundamental challenge is the security of the communication link where an attacker can inject messages (e.g., increase the speed) that may impact the safety of the driver. Most of existing practical IDS solutions rely on the knowledge of the identity of the ECUs, which is proprietary information. This paper proposes a message injection attack detection solution that is independent of the IDs of the ECUs. First, we represent the sequencing of the messages in a given time-interval as a direct graph and compute the similarities of the successive graphs using the cosine similarity and Pearson correlation. Then, we apply threshold, change point detection, and Long Short-Term Memory (LSTM)-Recurrent Neural Network (RNN) to detect and predict malicious message injections into the CAN bus. The evaluation of the methods using a dataset collected from a moving vehicle under malicious RPM and speed reading message injections show a detection accuracy of 97.32% and detection speed of 2.5 milliseconds when using a threshold method. The performance metrics makes the IDS suitable for real-time control mechanisms for vehicle resiliency to cyber-attacks.

computer science, theory & methods,engineering, electrical & electronic

Sifan Li,Yue Cao,Hassan Jalil Hadi,Feng Hao,Faisal Bashir Hussain,Luan Chen

DOI: https://doi.org/10.1109/tnsm.2024.3394842

2024-08-25

IEEE Transactions on Network and Service Management

Abstract:With the rapid advancement of vehicle connectivity and intelligent technologies, an increasing number of vehicles are now connected to the Internet. However, these connected vehicles are vulnerable to malicious attacks, posing serious security events. In particular, the in-vehicle controller area network (CAN) bus has witnessed a rise in incidents involving various network attacks, such as denial of service (DoS), fuzzy attacks, and gear attacks. In response, this paper proposes an enhanced cuckoo filter-based intrusion detection system (ECF-IDS) for in-vehicle network. The ECF-IDS builds on an enhanced version of the cuckoo filter. It first utilizes the cuckoo filter to establish two lists (a normal list and an intrusion list) based on the labeled dataset using Car Hacking Dataset (CHD) and can-train-and-test dataset. Then, the input CAN traffic is sequentially compared with these two lists, where the conflicting traffic is further identified using a BERT-based model. The ECF-IDS is experimentally validated using the CHD and can-train-and-test dataset, demonstrating higher detection efficiency, lower resource consumption, and detection success exceeding 99% compared to other algorithms presented in previous studies. Furthermore, we conducted real in-vehicle environment testing on the ECF-IDS model, and its detection performance proved to be excellent.

computer science, information systems

Sang Uk Sagong,Radha Poovendran,Linda Bushnell

DOI: https://doi.org/10.48550/arXiv.1907.10783

2019-07-25

Abstract:Data for controlling a vehicle is exchanged among Electronic Control Units (ECUs) via in-vehicle network protocols such as the Controller Area Network (CAN) protocol. Since these protocols are designed for an isolated network, the protocols do not encrypt data nor authenticate messages. Intrusion Detection Systems (IDSs) are developed to secure the CAN protocol by detecting abnormal deviations in physical properties. For instance, a voltage-based IDS (VIDS) exploits voltage characteristics of each ECU to detect an intrusion. An ECU with VIDS must be connected to the CAN bus using extra wires to measure voltages of the CAN bus lines. These extra wires, however, may introduce new attack surfaces to the CAN bus if the ECU with VIDS is compromised. We investigate new vulnerabilities of VIDS and demonstrate that an adversary may damage an ECU with VIDS, block message transmission, and force an ECU to retransmit messages. In order to defend the CAN bus against these attacks, we propose two hardware-based Intrusion Response Systems (IRSs) that disconnect the compromised ECU from the CAN bus once these attacks are detected. We develop four voltage-based attacks by exploiting vulnerabilities of VIDS and evaluate the effectiveness of the proposed IRSs using a CAN bus testbed.

Cryptography and Security

Easa Alalwany,Imad Mahgoub

DOI: https://doi.org/10.3390/electronics13050919

IF: 2.9

2024-02-29

Electronics

Abstract:The emergence of connected and autonomous vehicles has led to complex network architectures for electronic control unit (ECU) communication. The controller area network (CAN) enables the transmission of data inside vehicle networks. However, although it has low latency and enjoys data broadcast capability, it is vulnerable to attacks on security. The lack of effectiveness of conventional security mechanisms in addressing these vulnerabilities poses a danger to vehicle safety. This study presents an intrusion detection system (IDS) that accurately detects and classifies CAN bus attacks in real-time using ensemble techniques and the Kappa Architecture. The Kappa Architecture enables real-time attack detection, while ensemble learning combines multiple machine learning classifiers to enhance the accuracy of attack detection. The scheme utilizes ensemble methods with Kappa Architecture's real-time data analysis to detect common CAN bus attacks. This study entails the development and evaluation of supervised models, which are further enhanced using ensemble techniques. The accuracy, precision, recall, and F1 score are used to measure the scheme's effectiveness. The stacking ensemble technique outperformed individual supervised models and other ensembles with accuracy, precision, recall, and F1 of 0.985, 0.987, and 0.985, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yuhang Wang,Yingxu Lai,Ye Chen,Jingwen Wei,Zhaoyi Zhang

DOI: https://doi.org/10.1007/s00521-023-08233-5

2023-04-25

Neural Computing and Applications

Abstract:Controller area networks (CANs) are the de-facto standard for in-vehicle networks and enable real-time data communication between the electronic control units in a vehicle. However, owing to inadequate security mechanisms, CANs are vulnerable to cyberattacks. The sophistication of these attacks evolves constantly and new types of attacks emerge over time. Most existing intrusion detection systems (IDSs) can handle known attacks, but their ability to detect unknown attacks requires urgent improvements. Although IDSs can be updated via the Internet of Vehicles cloud to improve their detection performance, an unacceptable amount of time is required to collect enough labeled data and the updates are slow. Considering these problems, we propose a transfer learning-based self-learning IDS (TLSIDS) for CANs. The proposed TLSIDS uses a cascade detection approach that is capable of detecting both known and unknown attacks with high performance, and the self-learning function can solve the problem of slow updates, thus improving the speed and performance of the TLSIDS in detecting unknown attacks. The TLSIDS consists of four modules, namely the basic detection module (BDM), the advanced detection module (ADM), the unknown attacks classification module (UACM), and the self-learning module (SLM). The efficacy of the TLSIDS was evaluated using a public dataset provided by the Hacking and Countermeasure Research Lab (HCRL). The results revealed that our proposed TLSIDS has effectiveness and robustness in distinct scenarios.

computer science, artificial intelligence

Zachariah Tyree,Robert A. Bridges,Frank L. Combs,Michael R. Moore

DOI: https://doi.org/10.48550/arXiv.1808.10840

2018-08-28

Abstract:Modern vehicles rely on scores of electronic control units (ECUs) broadcasting messages over a few controller area networks (CANs). Bereft of security features, in-vehicle CANs are exposed to cyber manipulation and multiple researches have proved viable, life-threatening cyber attacks. Complicating the issue, CAN messages lack a common mapping of functions to commands, so packets are observable but not easily decipherable. We present a transformational approach to CAN IDS that exploits the geometric properties of CAN data to inform two novel detectors--one based on distance from a learned, lower dimensional manifold and the other on discontinuities of the manifold over time. Proof-of-concept tests are presented by implementing a potential attack approach on a driving vehicle. The initial results suggest that (1) the first detector requires additional refinement but does hold promise; (2) the second detector gives a clear, strong indicator of the attack; and (3) the algorithms keep pace with high-speed CAN messages. As our approach is data-driven it provides a vehicle-agnostic IDS that eliminates the need to reverse engineer CAN messages and can be ported to an after-market plugin.

Cryptography and Security