Intrusion detection system for automotive Controller Area Network (CAN) bus system: a review

Lokman, Siti-Farhana; Othman, Abu Talib; Bakar, Muhamad Husaini Abu

doi:10.1186/s13638-019-1484-3

Cited by 138 publications

(57 citation statements)

References 61 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A traditional IDS is unable to detect malfunction attacks on the CAN bus; thus, it is challenging for it to distinguish unknown attacks. Based on the requirements and functionalities, there are different types of IDS: signature-based, anomaly-based, misuse-based, and hybrid [7], [8]. A signature-based IDS is unable to detect unknown attacks, whereas an anomaly-based IDS is capable of detecting unknown and malfunction attacks.…”

Section: Introductionmentioning

confidence: 99%

LSTM-Based Intrusion Detection System for In-Vehicle Can Bus Communications

et al. 2020

View full text Add to dashboard Cite

The modern automobile is a complex piece of technology that uses the Controller Area Network (CAN) bus system as a central system for managing the communication between the electronic control units (ECUs). Despite its central importance, the CAN bus system does not support authentication and authorization mechanisms, i.e., CAN messages are broadcast without basic security features. As a result, it is easy for attackers to launch attacks at the CAN bus network system. Attackers can compromise the CAN bus system in several ways including Denial of Service (DoS), Fuzzing and Spoofing attacks. It is imperative to devise methodologies to protect modern cars against the aforementioned attacks. In this paper, we propose a Long Short-Term Memory (LSTM)-based Intrusion Detection System (IDS) to detect and mitigate the CAN bus network attacks. We generate our own dataset by first extracting attack-free data from our experimental car and by injecting attacks into the latter and collecting the dataset. We use the dataset for testing and training our model. With our selected hyper-parameter values, our results demonstrate that our classifier is efficient in detecting the CAN bus network attacks, we achieved an overall detection accuracy of 99.995%. We also compare the proposed LSTM method with the Survival Analysis for automobile IDS dataset which is developed by the Hacking and Countermeasure Research Lab, Korea. Our proposed LSTM model achieves a higher detection rate than the Survival Analysis method. INDEX TERMS Modern Car Security, Controller Area Network, Deep Learning, LSTM, Intrusion Detection System FIGURE 1. CAN message format in 11bit mode with DLC=8. There are no security features implemented in this protocol.

show abstract

Section: Introductionmentioning

confidence: 99%

LSTM-Based Intrusion Detection System for In-Vehicle Can Bus Communications

et al. 2020

View full text Add to dashboard Cite

show abstract

“…As a result, different machine learning techniques have been used, for example, neural network classifiers, Bayesian classifiers, Bayesian regularized neural networks, naive Bayes, support vector machines (SVM), and self-organization maps (SOM) [28,29].…”

Section: Related Workmentioning

confidence: 99%

“…The CAN bus is a message-based protocol designed for in-vehicle networks. It enables numerous electronic components, throughout the in-vehicle system, to communicate with each other through a single/dual-wire bus [29]. Consequently, all the nodes in a CAN bus can receive all packet transmissions and a frame is defined as a structure [30].…”

Section: Control Area Network (Can)mentioning

confidence: 99%

A Kohonen SOM Architecture for Intrusion Detection on In-Vehicle Communication Networks

et al. 2020

View full text Add to dashboard Cite

The diffusion of connected devices in modern vehicles involves a lack in security of the in-vehicle communication networks such as the controller area network (CAN) bus. The CAN bus protocol does not provide security systems to counter cyber and physical attacks. Thus, an intrusion-detection system to identify attacks and anomalies on the CAN bus is desirable. In the present work, we propose a distance-based intrusion-detection network aimed at identifying attack messages injected on a CAN bus using a Kohonen self-organizing map (SOM) network. It is a power classifier that can be trained both as supervised and unsupervised learning. SOM found broad application in security issues, but was never performed on in-vehicle communication networks. We performed two approaches, first using a supervised X–Y fused Kohonen network (XYF) and then combining the XYF network with a K-means clustering algorithm (XYF–K) in order to improve the efficiency of the network. The models were tested on an open source dataset concerning data messages sent on a CAN bus 2.0B and containing large traffic volume with a low number of features and more than 2000 different attack types, sent totally at random. Despite the complex structure of the CAN bus dataset, the proposed architectures showed a high performance in the accuracy of the detection of attack messages.

show abstract

“…The CAN facilitates the interaction of 20 to 100 Electronic Control Units (ECU) which coordinate, monitor and control loads of internal vehicle components such as engine system, brake system and telematics system through the exchange of information among them [1]. Nevertheless, the exchange of information within the CAN bus system has exposed it to external penetration threats which can harm drivers, the operating environment as well as other vehicles [2,3]. CAN works by broadcasting packets to its bus which means all nodes and ECUs attached to the bus can receive all transmitted packets.…”

Section: Introductionmentioning

confidence: 99%

“…Meanwhile, nodes and ECUs have no authentication mechanism for identifying the legitimacy or source of packets which makes them vulnerable to attacks. When the CAN is compromised, attackers can inject malicious messages to ECUs that can trigger physical action such as steering and braking, manipulate speedometer display information, etc [3,4]. The attacks on the In-vehicular network can be analyzed in terms of attack surface and attack vector [5]; In the attack surface aspect, the attack can be launched directly through the On-Board Diagnostic II (OBD-II) port or indirectly through firmware such as the media player.…”

Section: Introductionmentioning

confidence: 99%

A Blockchain-Based Federated Forest for SDN-Enabled In-Vehicle Network Intrusion Detection System

et al. 2021

View full text Add to dashboard Cite

In the modern transportation system, In-vehicle communication systems are managed by controllers know as controller area networks (CAN). The CAN facilitates the interaction of 20 to 100 Electronic Control Units (ECU) which coordinate, monitor and control loads of internal vehicle components such as engine system, brake system and telematics system through the exchange of information among them. CAN operates by broadcasting packets to its bus. This means that all nodes and ECUs attached to the bus can receive the packets, without an authentication mechanism for identifying the legitimacy/source of packets. This makes it vulnerable to attacks. An Intrusion Detection System (IDS) can be used to detect attacks on CAN. Machine learning for the IDS, in particular, would be useful for creating models to detect non-linear attack patterns. However, car manufacturers and owners are might not be willing to just share the sensitive information required for training the models. In this paper, we propose a Blockchain-based Federated Forest Software-Defined Networking (SDN)-enabled Intrusion detection system (BFF-IDS) for an In-vehicle network to address the problem of sharing the sensitive CAN data. Due to the limited scalability of blockchain, InterPlanetary File System (IPFS) was used to host the models, while a hash of the model and a pointer to its location was stored and shared via the blockchain. The SDN provides the dynamic routing of packets and model exchanges from IPFS through the blockchain. In the detection model system, a Federated Learning (FL) method creates a radom forest model in a distributed manner by aggregating partially trained models that were trained by individuals with their data kept confidential during the process. Using Fourier transform, we decomposed the CAN IDs cycle from CAN bus traffic in the frequency domain for better generalization in multiclass detection of attacks. Multiple statistical and entropy features were extracted to handle the high complexity and non-linearity in CAN bus traffic. With this proposed system, manufacturers and car owners may be willing to contribute to the training of the models, as their sensitive data is protected due to the use of FL. By storing hashes of the models on a blockchain, the risk of adversaries poisoning the models is reduced and a single point of failure is avoided. The evaluation was conducted by performing experiments in a testbed. We found that the proposed system has efficient use of memory and CPU resources, and that the detection rate of closely related attacks was high.

show abstract

Intrusion detection system for automotive Controller Area Network (CAN) bus system: a review

Cited by 138 publications

References 61 publications

LSTM-Based Intrusion Detection System for In-Vehicle Can Bus Communications

LSTM-Based Intrusion Detection System for In-Vehicle Can Bus Communications

A Kohonen SOM Architecture for Intrusion Detection on In-Vehicle Communication Networks

A Blockchain-Based Federated Forest for SDN-Enabled In-Vehicle Network Intrusion Detection System

Contact Info

Product

Resources

About