A Real-time Anomaly-based Intrusion Detection System for Automotive Controller Area Networks
The Controller Area Network (CAN) is the most pervasive in-vehicle network technology in cars. However, since CAN was designed with no security concerns, solutions to mitigate cyber attacks on CAN networks have been proposed. Prior works have shown that detecting anomalies in the CAN network traffic is a promising solution for increasing vehicle security. One of the main challenges in preventing a malicious CAN frame transmission is to be able to detect the anomaly before the end of the frame. This paper presents a real-time anomaly-based Intrusion Detection System (IDS) capable of meeting this deadline by using the Isolation Forest detection algorithm implemented in a hardware description language. A true positive rate higher than 99% is achieved in test scenarios. The system requires less than 1 μs to evaluate a frame’s payload, thus being able to detect the anomaly before the end of the frame.
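A software model of Isolation Forest scoring over 8-byte CAN payloads, added here as an illustration; it is not the paper's code and not its hardware-description-language implementation. The payload layout, training traffic, tree count, sample size and seeds are all constructed assumptions.

```python
import math
import random

def c(n):
    """Average path length of an unsuccessful BST search over n points."""
    if n <= 2:
        return float(max(n - 1, 0))
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_tree(rows, depth, limit, rng):
    # Split only on payload bytes that still vary among the rows in this node.
    varying = [b for b in range(8) if len({r[b] for r in rows}) > 1]
    if depth >= limit or len(rows) <= 1 or not varying:
        return ("leaf", len(rows))
    byte = rng.choice(varying)
    split = rng.uniform(min(r[byte] for r in rows), max(r[byte] for r in rows))
    left = [r for r in rows if r[byte] < split]
    right = [r for r in rows if r[byte] >= split]
    return ("node", byte, split, build_tree(left, depth + 1, limit, rng),
            build_tree(right, depth + 1, limit, rng))

def path_length(node, payload):
    depth = 0
    while node[0] == "node":  # one byte comparison per level
        _, byte, split, left, right = node
        node = left if payload[byte] < split else right
        depth += 1
    return depth + c(node[1])  # correct for the unbuilt subtree under the leaf

def train(payloads, n_trees=100, sample_size=64, seed=1):
    rng = random.Random(seed)
    limit = math.ceil(math.log2(sample_size))  # depth cap bounds evaluation cost
    return [build_tree(rng.sample(payloads, sample_size), 0, limit, rng)
            for _ in range(n_trees)]

def anomaly_score(forest, payload, sample_size=64):
    mean = sum(path_length(t, payload) for t in forest) / len(forest)
    return 2.0 ** (-mean / c(sample_size))  # nearer 1.0 = isolated sooner

# Constructed clean traffic for one hypothetical CAN ID (assumed layout):
# byte 0 and byte 1 are sensor values, byte 2 is a 4-bit counter, rest unused.
_rng = random.Random(7)
NORMAL = [(round(_rng.gauss(60, 3)), round(_rng.gauss(20, 2)), _rng.randrange(16),
           0, 0, 0, 0, 0) for _ in range(512)]
FOREST = train(NORMAL)
TYPICAL = (60, 20, 8, 0, 0, 0, 0, 0)   # constructed in-distribution payload
INJECTED = (0xFF,) * 8                 # constructed out-of-range payload

if __name__ == "__main__":
    print(anomaly_score(FOREST, TYPICAL), anomaly_score(FOREST, INJECTED))
```

Scoring a payload costs at most `limit` byte comparisons per tree, and the trees are independent of one another, so they can be evaluated in parallel.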