Supervised and Unsupervised Intrusion Detection Based on CAN Message Frequencies for In-vehicle Network

Kuwahara, Tomohiro; Baba, Yukino; Kashima, Hisashi; Kishikawa, Takeshi; Tsurumi, Junichi; Haga, Tomoyuki; Ujiie, Yoshihiro; Sasaki, Takuma; Matsushima, Hideki

doi:10.2197/ipsjjip.26.306

Cited by 31 publications

(17 citation statements)

References 12 publications

(21 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…the attacker floods the bus with messages intended to override legitimate messages in the CAN bus [9], [10]. Machine learning methods have been applied on injection attacks, but these techniques have not been tested against low-rate attacks [11]. Detecting low-rate attacks is non-trivial in the domain of network security [12], [13].…”

Section: Introductionmentioning

confidence: 99%

Detecting Low-Rate Replay-Based Injection Attacks on In-Vehicle Networks

et al. 2020

View full text Add to dashboard Cite

The lack of security in today's in-vehicle network make connected vehicles vulnerable to many types of cyber-attacks. Replay-based injection attacks are one of the easiest type of denial-of-service attacks where the attacker floods the in-vehicle network with malicious traffic with intent to alter the vehicle's normal behavior. The attacker may exploit this vulnerability to launch targeted low-rate injection attacks which are difficult to detect because the network traffic during attacks looks like regular network traffic. In this paper, we propose a sequence mining approach to detect low-rate injection attacks in Control Area Network (CAN). We discuss four different types of replay attacks that can be used by the adversary, and evaluate the effectiveness of proposed method for varying attack characteristics and computational performance for each of the attacks. We observe that the proposed sequence-based anomaly detection achieves over 99% f-score, and outperforms existing dictionary based and multi-variate Markov chain based approach. Given that the proposed technique only uses CAN identifiers, the techniques could be adaptable to any type of vehicle manufacturer.

show abstract

Section: Introductionmentioning

confidence: 99%

Detecting Low-Rate Replay-Based Injection Attacks on In-Vehicle Networks

et al. 2020

View full text Add to dashboard Cite

show abstract

“…The frequencies of packets were also explored to detect anomalies by sliding window to measure the inter-packets timing [19]. In addition, statistical analyses were employed for the detection of anomalies from CAN IDs frequencies [20]. Besides, clockwise, remote frame and network time protocol (NTP) based features have also been proposed for intrusion detection in CAN [21][22][23].The summary of the related works in given in Table I.…”

Section: Related Workmentioning

confidence: 99%

A Blockchain-Based Federated Forest for SDN-Enabled In-Vehicle Network Intrusion Detection System

et al. 2021

View full text Add to dashboard Cite

In the modern transportation system, In-vehicle communication systems are managed by controllers know as controller area networks (CAN). The CAN facilitates the interaction of 20 to 100 Electronic Control Units (ECU) which coordinate, monitor and control loads of internal vehicle components such as engine system, brake system and telematics system through the exchange of information among them. CAN operates by broadcasting packets to its bus. This means that all nodes and ECUs attached to the bus can receive the packets, without an authentication mechanism for identifying the legitimacy/source of packets. This makes it vulnerable to attacks. An Intrusion Detection System (IDS) can be used to detect attacks on CAN. Machine learning for the IDS, in particular, would be useful for creating models to detect non-linear attack patterns. However, car manufacturers and owners are might not be willing to just share the sensitive information required for training the models. In this paper, we propose a Blockchain-based Federated Forest Software-Defined Networking (SDN)-enabled Intrusion detection system (BFF-IDS) for an In-vehicle network to address the problem of sharing the sensitive CAN data. Due to the limited scalability of blockchain, InterPlanetary File System (IPFS) was used to host the models, while a hash of the model and a pointer to its location was stored and shared via the blockchain. The SDN provides the dynamic routing of packets and model exchanges from IPFS through the blockchain. In the detection model system, a Federated Learning (FL) method creates a radom forest model in a distributed manner by aggregating partially trained models that were trained by individuals with their data kept confidential during the process. Using Fourier transform, we decomposed the CAN IDs cycle from CAN bus traffic in the frequency domain for better generalization in multiclass detection of attacks. Multiple statistical and entropy features were extracted to handle the high complexity and non-linearity in CAN bus traffic. With this proposed system, manufacturers and car owners may be willing to contribute to the training of the models, as their sensitive data is protected due to the use of FL. By storing hashes of the models on a blockchain, the risk of adversaries poisoning the models is reduced and a single point of failure is avoided. The evaluation was conducted by performing experiments in a testbed. We found that the proposed system has efficient use of memory and CPU resources, and that the detection rate of closely related attacks was high.

show abstract

“…Pawelec et al 47 test the effectiveness of employing DNN to predict CAN message at the bit level, which would offer the IDS capability but avoiding reverse engineering proprietary encodings of CAN messages. Kuwahara et al 48 study the applicability of statistical anomaly detection methods to identify malicious CAN messages, where a pipeline technology is proposed to extract the timestamp and ID information in each messages quickly, and the efficiency of the proposed method is evaluated in real message datasets and in supervised and unsupervised cases. Besides NNs, other artificial intelligence algorithms, such as LSTM, 49 Bayesian networks, 50 hidden Markov models, 51 SVM, 52 compound classifier, 53 and singular spectrum analysis 54 are also introduced to build an IDS for CAN bus.…”

Section: The State‐of‐the‐art Work About Security Protection Of In‐vehicle Networkmentioning

confidence: 99%

Cybersecurity protection on in‐vehicle networks for distributed automotive cyber‐physical systems: State‐of‐the‐art and future challenges

Xie

Zhou

et al. 2021

Softw Pract Exp

View full text Add to dashboard Cite

The ever‐evolving trip mode of human being leads the automobiles moving toward connected, autonomous, sharing, and electrified vehicles rapidly. But the connection introduces new cybersecurity problems on in‐vehicle networks, which poses great challenges for safety guarantee of distributed automotive cyber‐physical systems. This article first analyzes the cybersecurity vulnerabilities and defines the security requirements for in‐vehicle networks, and then introduces the architecture evolution of in‐vehicle network. Based on the definition on architecture of in‐vehicle networks, this article defines a security protection framework for it. And then, it surveys the state‐of‐the‐art works for availability protection, integrity protection, and confidentiality protection of in‐vehicle networks, respectively, and detailed analysis and comparisons are given about the proposed cybersecurity protection mechanisms. Finally, it summarizes the future challenges for cybersecurity protection of in‐vehicle networks, and proposes possible solutions for these challenges.

show abstract

Supervised and Unsupervised Intrusion Detection Based on CAN Message Frequencies for In-vehicle Network

Cited by 31 publications

References 12 publications

Detecting Low-Rate Replay-Based Injection Attacks on In-Vehicle Networks

Detecting Low-Rate Replay-Based Injection Attacks on In-Vehicle Networks

A Blockchain-Based Federated Forest for SDN-Enabled In-Vehicle Network Intrusion Detection System

Cybersecurity protection on in‐vehicle networks for distributed automotive cyber‐physical systems: State‐of‐the‐art and future challenges

Contact Info

Product

Resources

About