Exploiting the Shape of CAN Data for In-Vehicle Intrusion Detection

Proceedings of the ACM Workshop on Automotive Cybersecurity

Combs

2019

Self Cite

Modern vehicles contain a few controller area networks (CANs), which allow scores of on-board electronic control units (ECUs) to communicate messages critical to vehicle functions and driver safety. CAN provides a lightweight and reliable broadcast protocol but is bereft of security features. As evidenced by many recent research works, CAN exploits are possible both remotely and with direct access, fueling a growing CAN intrusion detection system (IDS) body of research. A challenge for pioneering vehicle-agnostic IDSs is that passenger vehicles' CAN message encodings are proprietary, defined and held secret by original equipment manufacturers (OEMs). Targeting detection of next-generation attacks, in which messages are sent from the expected ECU at the expected time but with malicious content, researchers are now seeking to leverage "CAN data models", which predict future CAN messages and use prediction error to identify anomalous, hopefully malicious CAN messages. Yet, current works model CAN signals post-translation, i.e., after applying OEM-donated or reverse-engineered translations from raw data. We present initial IDS results testing deep neural networks used to predict CAN data at the bit level, targeting IDS capabilities that avoiding reverse engineering proprietary encodings. Our results suggest the method is promising for data with signals exhibiting dependence on previous or concurrent inputs.

Section: Related Can Ids Workmentioning

confidence: 99%

Towards a CAN IDS Based on a Neural Network Data Field Predictor

Pawelec

Proceedings of the ACM Workshop on Automotive Cybersecurity

Combs

2019

Self Cite

“…Attacks that seek to change vehicle states abruptly may manipulate the messages in an unexpected and discontinuous way. To test this hypothesis, we employed manifold learning techniques to learn a lower dimensional representation of CAN data and found that testing on emulated attacks shows a discontinuous jump in the lower dimensional representation providing a novel avenue for detection [Tyree, et al 2018]. The above method is a "black box" method (knowing nothing of the data's meaning, but identifying correlations mathematically), which detracts from interpretability.…”

Section: Michael F Wehner and Christina M Patricolamentioning

confidence: 99%

GovMath

Notices Amer. Math. Soc.

2019

Modern vehicles rely on scores of small computers called electronic control units (ECUs) that continually communicate life-critical messages, e.g., wheel speeds and steering angle, through a few controller area networks (CANs). Originally designed as a closed network for the life of the vehicle, CAN protocol developed bereft of security features (e.g., authentication or encryption). For emission testing, updates, and other diagnostics, vehicle CANs are now phys

“…Some research opts for handlabeled drive states (i.e accelerate, reverse, key in, speedometer reading of 20mph, ect.) [7][8][9], while others used external data loggers [10].…”

Section: B Vehicle Information and Diagnosticsmentioning

confidence: 99%

“…Others implemented machine learning methods (Hidden Markov Models, Neural Nets, Manifold Learning, etc.) that implicitly learn relationships between raw binary data and vehicular states [7][8][9][10][16][17][18].…”

Section: E Impactmentioning

confidence: 99%

ACTT: Automotive CAN Tokenization and Translation

Verma

2018 International Conference on Computational Science and Computational Intelligence (CSCI)

Hollifield

2018

Modern vehicles contain scores of Electrical Control Units (ECUs) that broadcast messages over a Controller Area Network (CAN). Vehicle manufacturers rely on security through obscurity by concealing their unique mapping of CAN messages to vehicle functions which differs for each make, model, year, and even trim. This poses a major obstacle for after-market modifications notably performance tuning and in-vehicle network security measures. We present ACTT: Automotive CAN Tokenization and Translation, a novel, vehicle-agnostic, algorithm that leverages available diagnostic information to parse CAN data into meaningful messages, simultaneously cutting binary messages into tokens, and learning the translation to map these contiguous bits to the value of the vehicle function communicated.