Anomaly detection of CAN bus messages through analysis of ID sequences

Marchetti, Mirco; Stabili, Dario

doi:10.1109/ivs.2017.7995934

Cited by 172 publications

(92 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Marchetti and Stabili developed an algorithm in building a model based on the sequence of the transition between packet IDs observed in the CAN bus system [71]. The workflow of the proposed model is comprised of two main phases: training phase and a detection phase.…”

Section: Statistical-based Methodsmentioning

confidence: 99%

Intrusion detection system for automotive Controller Area Network (CAN) bus system: a review

Lokman

Othman

Bakar

2019

J Wireless Com Network

140

View full text Add to dashboard Cite

The modern vehicles nowadays are managed by networked controllers. Most of the networks were designed with little concern about security which has recently motivated researchers to demonstrate various kinds of attacks against the system. In this paper, we discussed the vulnerabilities of the Controller Area Network (CAN) within invehicle communication protocol along with some potential attacks that could be exploited against it. Besides, we present some of the security solutions proposed in the current state of research in order to overcome the attacks. However, the main goal of this paper is to highlight a holistic approach known as intrusion detection system (IDS) which has been a significant tool in securing networks and information systems over the past decades. To the best of our knowledge, there is no recorded literature on a comprehensive overview of IDS implementation specifically in the CAN bus network system. Thus, we proposed an in-depth investigation of IDS found in the literature based on the following aspects: detection approaches, deployment strategies, attacking techniques, and finally technical challenges. In addition, we also categorized the anomaly-based IDS according to these methods, e.g., frequencybased, machine learning-based, statistical-based, and hybrid-based as part of our contributions. Correspondingly, this study will help to accelerate other researchers to pursue IDS research in the CAN bus system.

show abstract

Section: Statistical-based Methodsmentioning

confidence: 99%

Intrusion detection system for automotive Controller Area Network (CAN) bus system: a review

Lokman

Othman

Bakar

2019

J Wireless Com Network

140

View full text Add to dashboard Cite

show abstract

“…A further study [10] proposed an actual attack model using a malicious smartphone app in the connected car environment and demonstrated it through practical experiments, and at the same time designed a security protocol that could be applied to the car environment. Some further studies [11][12][13] present a set of broadcast authentication protocols, which can utilize the simplest one-way functions that are computationally efficient while authentication does not depend on disclosure delays as in the case of protocols based on one-way chains and time synchronization. A new intrusion detection algorithm is presented in [14], which is designed to identify malicious CAN messages injected by attackers in the modern vehicle CAN bus.…”

Section: Anomaly Detection Based On Traditional Methodsmentioning

confidence: 99%

Anomaly Detection of CAN Bus Messages Using A Deep Neural Network for Autonomous Vehicles

Zhou

Shen

2019

Applied Sciences

View full text Add to dashboard Cite

The in-vehicle controller area network (CAN) bus is one of the essential components for autonomous vehicles, and its safety will be one of the greatest challenges in the field of intelligent vehicles in the future. In this paper, we propose a novel system that uses a deep neural network (DNN) to detect anomalous CAN bus messages. We treat anomaly detection as a cross-domain modelling problem, in which three CAN bus data packets as a group are directly imported into the DNN architecture for parallel training with shared weights. After that, three data packets are represented as three independent feature vectors, which corresponds to three different types of data sequences, namely anchor, positive and negative. The proposed DNN architecture is an embedded triplet loss network that optimizes the distance between the anchor example and the positive example, makes it smaller than the distance between the anchor example and the negative example, and realizes the similarity calculation of samples, which were originally used in face detection. Compared to traditional anomaly detection methods, the proposed method to learn the parameters with shared-weight could improve detection efficiency and detection accuracy. The whole detection system is composed of the front-end and the back-end, which correspond to deep network and triplet loss network, respectively, and are trainable in an end-to-end fashion. Experimental results demonstrate that the proposed technology can make real-time responses to anomalies and attacks to the CAN bus, and significantly improve the detection ratio. To the best of our knowledge, the proposed method is the first used for anomaly detection in the in-vehicle CAN bus.Appl. Sci. 2019, 9, 3174 2 of 12 start-stop, parking, Accessory system, and information entertainment systems that can be connected with smart devices such as mobile phones. These systems will obtain data from the CAN bus network on the vehicle. From the perspective of intelligent development, it is inevitable for automobiles to connect to the Internet, and these electronic devices and intelligent information systems may become a way for hackers to intrude into the automobile network system. Once hackers invade these systems and successfully connect to the car CAN bus network, the driver may lose control of the vehicle [3]. At the Black Hat conference in 2014, researchers released a report on the network security of more than 20 models on the market, assessing the ability of different car manufacturers to withstand malicious attacks on different models [4]. In addition, the (Identity Document) ID in the CAN bus protocol only represents the priority of the message, and there is no original address information in the protocol. The receiving electronic control unit (ECU) cannot confirm whether the received data is the original data or not; that is, the authenticity of the received message cannot be confirmed under the existing mechanism, which easily leads to forgery and tampering of the CAN bus message by injecting false information. Wha...

show abstract

“…Hence, there is an urgent need for securing CAN buses. Security solutions for CAN can be broadly classified into schemes that add cryptographic measures to the CAN bus [8]- [10], [18] and anomaly-based IDSs that 1) analyze the traffic on the CAN bus including message contents [19]- [21], timing/frequency [15], [22]- [25], entropy [26], and survival rates [27], 2) exploit the physical characteristics of ECUs extracted from in-vehicle sensing data [28]- [30] or measurements [11], [13], [14], [31], [32], and 3) exploit the characteristics of the CAN protocol, such as the remote frame [33]. Compared to the CAN traffic, it is more difficult for adversaries to imitate the physical characteristics of ECUs, such as the mean squared error of voltage measurements [11].…”

Section: Accumulated Offsetmentioning

confidence: 99%

Shape of the Cloak: Formal Analysis of Clock Skew-Based Intrusion Detection System in Controller Area Networks

Xiang

Sagong

Clark

et al. 2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

This paper presents a new masquerade attack called the cloaking attack and provides formal analyses for clock skewbased Intrusion Detection Systems (IDSs) that detect masquerade attacks in the Controller Area Network (CAN) in automobiles. In the cloaking attack, the adversary manipulates the message inter-transmission times of spoofed messages by adding delays so as to emulate a desired clock skew and avoid detection. In order to predict and characterize the impact of the cloaking attack in terms of the attack success probability on a given CAN bus and IDS, we develop formal models for two clock skew-based IDSs, i.e., the state-of-the-art (SOTA) IDS and its adaptation to the widely used Network Time Protocol (NTP), using parameters of the attacker, the detector, and the hardware platform. To the best of our knowledge, this is the first paper that provides formal analyses of clock skew-based IDSs in automotive CAN. We implement the cloaking attack on two hardware testbeds, a prototype and a real vehicle (the University of Washington (UW) EcoCAR), and demonstrate its effectiveness against both the SOTA and NTP-based IDSs. We validate our formal analyses through extensive experiments for different messages, IDS settings, and vehicles. By comparing each predicted attack success probability curve against its experimental curve, we find that the average prediction error is within 3.0% for the SOTA IDS and 5.7% for the NTP-based IDS.

show abstract

Anomaly detection of CAN bus messages through analysis of ID sequences

Cited by 172 publications

References 9 publications

Intrusion detection system for automotive Controller Area Network (CAN) bus system: a review

Intrusion detection system for automotive Controller Area Network (CAN) bus system: a review

Anomaly Detection of CAN Bus Messages Using A Deep Neural Network for Autonomous Vehicles

Shape of the Cloak: Formal Analysis of Clock Skew-Based Intrusion Detection System in Controller Area Networks

Contact Info

Product

Resources

About