Using internal context to detect automotive controller area network attacks

Abstract

The rise in data use within cars has led to concerns about their cybersecurity. The Controller Area Network (CAN) enables communication between components core to the car’s safety and performance, and has been demonstrated to be particularly vulnerable to hacking and malicious cyber-intrusion. CAN intrusion detection systems have been envisaged. Signatures of known attacks might be used for detection, but this method holds many limitations. Although some attacks might change packet broadcast rates or add unknown packets onto the network, attacks that have little or no effect on these, yet can alter the packet data, have also been devised. We therefore test three novelty detection methods (Local Outlier Factor, Compound Classifier and One-Class Support Vector Machine) that might identify an attack based solely on anomalies in CAN packet field data-values. The methods compare values across a cluster of CAN packets broadcast from different control units, so potentially could identify an attacked control unit even when its subsequent fabricated payload data-values remain plausible. We test the methods on data from two different makes of car across a range of manipulation magnitudes, reflecting the unpredictability of attacks. Different training regimes are tested, enabling us to assess validity across journeys. We also consider the processes needed to determine the CAN fields that might be included in the intrusion detection cluster, and present algorithms for automating those processes.