Abstract
This work presents an experimental evaluation of the detection performance of eight different algorithms for anomaly detection on the Controller Area Network (CAN) bus of modern vehicles based on the analysis of the timing or frequency of CAN messages. This work solves the current limitations of related scientific literature, that is based on private dataset, lacks of open implementations, and detailed description of the detection algorithms. These drawback prevent the reproducibility of published results, and makes it impossible to compare a novel proposal against related work, thus hindering the advancement of science. This paper solves these issues by publicly releasing implementations, labeled datasets and by describing an unbiased experimental comparisons.
- M. Bozdal, M. Samie, and I. Jennions. 2018. A Survey on CAN Bus Protocol: Attacks, Challenges, and Potential Solutions. In 2018 International Conference on Computing, Electronics Communications Engineering (iCCECE). 201–205. https://doi.org/10.1109/iCCECOME.2018.8658720Google ScholarCross Ref
- V. Chandola, A. Banerjee, and V. Kumar. 2012. Anomaly detection for discrete sequences: A survey. IEEE Trans. on Knowledge and Data Engineering 24, 5(2012).Google ScholarDigital Library
- K.T. Cho and K. G. Shin. 2016. Fingerprinting Electronic Control Units for Vehicle Intrusion Detection. In USENIX Security Symposium.Google Scholar
- K. T. Cho and K. G. Shin. 2017. Viden: Attacker Identification on In-Vehicle Networks. arXiv 1109.1123.Google Scholar
- G. Dupont, J. den Hartog, S. Etalle, and A. Lekidis. 2019. A survey of network intrusion detection systems for controller area network. In 2019 IEEE Int’l Conf. on Vehicular Electronics and Safety.Google Scholar
- Robert Bosch GmbH. 1991. CAN Specification Version 2.0. Tech. Rep.Google Scholar
- M. Gmiden, M. H. Gmiden, and H. Trabelsi. 2016. An intrusion detection method for securing in-vehicle CAN bus. In 2016 17th International Conference on Sciences and Techniques of Automatic Control and Computer Engineering (STA). 176–180. https://doi.org/10.1109/STA.2016.7952095Google Scholar
- H. J. Jo and W. Cho2016Fingerprinting. 2021. A Survey of Attacks on Controller Area Networks and Corresponding Countermeasures. IEEE Transactions on Intelligent Transportation Systems (2021), 1–19. https://doi.org/10.1109/TITS.2021.3078740Google ScholarDigital Library
- Ken Tindell. [n. d.]. Canis Automotive Labs - The CANPico Board. https://kentindell.github.io/canpicoGoogle Scholar
- M. Kneib and C. Huth. 2018. Scission: Signal Characteristic-Based Sender Identification and Intrusion Detection in Automotive Networks. In Proc. 2018 ACM SIGSAC Conf. on Computer and Communications Security. ACM.Google Scholar
- Sekar Kulandaivel, Tushar Goyal, Arnav Kumar Agrawal, and Vyas Sekar. 2019. CANvas: Fast and Inexpensive Automotive Network Mapping. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 389–405. https://www.usenix.org/conference/usenixsecurity19/presentation/kulandaivelGoogle Scholar
- H. Lee, K. Choi, K. Chung, J. Kim, and K. Yim. 2015. Fuzzing CAN Packets into Automobiles. In 2015 IEEE 29th International Conference on Advanced Information Networking and Applications (AINA). IEEE Computer Society, Los Alamitos, CA, USA, 817–821. https://doi.org/10.1109/AINA.2015.274Google Scholar
- H. Lee, S. H. Jeong, and H. K. Kim. 2017. OTIDS: A Novel Intrusion Detection System for In-vehicle Network by Using Remote Frame. In 2017 15th Annual Conference on Privacy, Security and Trust (PST), Vol. 00. 57–5709. https://doi.org/10.1109/PST.2017.00017Google ScholarCross Ref
- C. Ling. 2012. An Algorithm for Detection of Malicious Messages on CAN Buses. In Conf. Innovative Trends in Computer Science.Google Scholar
- M. Marchetti and D. Stabili. 2017. Anomaly detection of CAN bus messages through analysis of ID sequences. In IEEE Proc. Intelligent Vehicles Symp.Google Scholar
- M. Marchetti, D. Stabili, A. Guido, and M. Colajanni. 2016. Evaluation of anomaly detection for in-vehicle networks through information-theoretic algorithms. In IEEE 2nd Int’l Forum Research and Technologies for Society and Industry Leveraging a better tomorrow.Google Scholar
- C. Miller and C. Valasek. 2014. Adventures in Automotive Networks and Control Units. https://www.ioactive.com/pdfs/IOActive_Adventures_in_Automotive_Networks_and_Control_Units.pdf.Google Scholar
- C. Miller and C. Valasek. 2015. Remote Exploitation of an Unaltered Passenger Vehicle. http://illmatics.com/Remote Car Hacking.pdf.Google Scholar
- M. R. Moore, R. A. Bridges, F. L. Combs, M. S. Starr, and S. J. Prowell. 2017. Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks. In CISRC ’17 Proc. 12th Annual Conf. on Cyber and Information Security Research.Google ScholarDigital Library
- M. Müter and N. Asaj. 2011. Entropy-based anomaly detection for in-vehicle networks. In IEEE Proc. Intelligent Vehicles Symp.Google Scholar
- N. Nowdehi, W. Aoudi, M. Almgren, and T. Olovsson. 2019. CASAD: CAN-Aware Stealthy-Attack Detection for In-Vehicle Networks.Google Scholar
- Habeeb Olufowobi, Clinton Young, Joseph Zambreno, and Gedare Bloom. 2020. SAIDuCANT: Specification-Based Automotive Intrusion Detection Using Controller Area Network (CAN) Timing. IEEE Transactions on Vehicular Technology 69, 2 (2020), 1484–1494. https://doi.org/10.1109/TVT.2019.2961344Google ScholarCross Ref
- S. Otsuka, T. Ishigooka, Y. Oishi, and K. Sasazawa. 2014. CAN Security: Cost-Effective Intrusion Detection for Real-Time Control Systems. In SAE 2014 World Congress and Exhibition. 11. https://doi.org/10.4271/2014-01-0340Google Scholar
- PEAK System. 2015. PCAN-USB. Technical Report.Google Scholar
- F. Pollicino, D. Stabili, and M. Marchetti. [n. d.]. Material used for the submission at ACM TCPS - Special Issue. https://weblab.ing.unimore.it/people/stabili/resources/tcps.shtml password: PSM_TCPS.Google Scholar
- H.M. Song, H. R. Kim, and H. K. Kim. 2016. Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network. In 2016 International Conference on Information Networking (ICOIN). 63–68. https://doi.org/10.1109/ICOIN.2016.7427089Google ScholarDigital Library
- D. Stabili, L. Ferretti, M. Andreolini, and M. Marchetti. 2021. DAGA: Detecting Attacks to in-vehicle networks via n-Gram Analysis. arXiv 0000.0000.Google Scholar
- D. Stabili and M. Marchetti. 2019. Detection of Missing CAN Messages through Inter-Arrival Time Analysis. In 2019 IEEE 90th Vehicular Technology Conf.Google Scholar
- D. Stabili, M. Marchetti, and M. Colajanni. 2017. Detecting attacks to internal vehicle networks through Hamming distance. In AEIT Int’l Annual Conf.Google Scholar
- A. Taylor, N. Japkowicz, and S. Leblanc. 2015. Frequency-based anomaly detection for the automotive CAN bus. In 2015 World Congress on Industrial Control Systems Security (WCICSS). 45–49. https://doi.org/10.1109/WCICSS.2015.7420322Google ScholarCross Ref
- A. Tomlinson, J Bryans, and S. A. Shaikh. 2021. Using internal context to detect automotive controller area network attacks. Computers and Electrical Engineering 91 (2021), 107048. https://doi.org/10.1016/j.compeleceng.2021.107048Google ScholarCross Ref
Recommendations
Comparative Evaluation of Anomaly-Based Controller Area Network IDS
ICSCA '23: Proceedings of the 2023 12th International Conference on Software and Computer ApplicationsThe vulnerability of in-vehicle networks, particularly those based on the Controller Area Network (CAN) protocol, has prompted the development of numerous techniques for intrusion detection on the CAN bus. However, these CAN IDS are often evaluated in ...
A Clustering Method for Improving Performance of Anomaly-Based Intrusion Detection System
Intrusion detection system (IDS) has played a central role as an appliance to effectively defend our crucial computer systems or networks against attackers on the Internet. The most widely deployed and commercially available methods for intrusion ...
Unknown Attacks Detection Using Feature Extraction from Anomaly-Based IDS Alerts
SAINT '12: Proceedings of the 2012 IEEE/IPSJ 12th International Symposium on Applications and the InternetIntrusion Detection Systems (IDSs) play an important role detecting various kinds of attacks and defend our computer systems from them. There are basically two main types of detection techniques: signature-based and anomaly-based. A signature-based IDS ...
Comments