Controller Area Network Protocol Research Articles

Reconfigurable CAN Intrusion Detection and Response System

The controller area network (CAN) remains the de facto standard for intra-vehicular communication. CAN enables reliable communication between various microcontrollers and vehicle devices without a central computer, which is essential for sustainable transportation systems. However, it poses some serious security threats due to the nature of communication. According to caranddriver.com, there were at least 150 automotive cybersecurity incidents in 2019, a 94% year-over-year increase since 2016, according to a report from Upstream Security. To safeguard vehicles from such attacks, securing CAN communication, which is the most relied-on in-vehicle network (IVN), should be configured with modifications. In this paper, we developed a configurable CAN communication protocol to secure CAN with a hardware prototype for rapidly prototyping attacks, intrusion detection systems, and response systems. We used a field programmable gate array (FPGA) to prototype CAN to improve reconfigurability. This project focuses on attack detection and response in the case of bus-off attacks. This paper introduces two main modules: the multiple generic errors module with the introduction of the error state machine (MGEESM) module and the bus-off attack detection (BOAD) module for a frame size of 111 bits (BOAD111), based on the CAN protocol presenting the introduction of form error, CRC error, and bit error. Our results show that, in the scenario with the transmit error counter (TEC) value 127 for switching between the error-passive state and bus-off state, the detection times for form error, CRC error, and bit error introduced in the MGEESM module are 3.610 ms, 3.550 ms, and 3.280 ms, respectively, with the introduction of error in consecutive frames. The detection time for BOAD111 module in the same scenario is 3.247 ms.

Reconfigurable CAN Intrusion Detection and Response System

The controller area network (CAN) remains the de facto standard for intra-vehicular communication. CAN enables reliable communication between various microcontrollers and vehicle devices without a central computer, which is essential for sustainable transportation systems. However, it poses some serious security threats due to the nature of communication. According to caranddriver.com, there were at least 150 automotive cybersecurity incidents in 2019, a 94% year-over-year increase since 2016, according to a report from Upstream Security. To safeguard vehicles from such attacks, securing CAN communication, which is the most relied-on in-vehicle network (IVN), should be configured with modifications. In this paper, we developed a configurable CAN communication protocol to secure CAN with a hardware prototype for rapidly prototyping attacks, intrusion detection systems, and response systems. We used a field programmable gate array (FPGA) to prototype CAN to improve reconfigurability. This project focuses on attack detection and response in the case of bus-off attacks. This paper introduces two main modules: the multiple generic errors module with the introduction of the error state machine (MGEESM) module and the bus-off attack detection (BOAD) module for a frame size of 111 bits (BOAD111), based on the CAN protocol presenting the introduction of form error, CRC error, and bit error. Our results show that, in the scenario with the transmit error counter (TEC) value 127 for switching between the error-passive state and bus-off state, the detection times for form error, CRC error, and bit error introduced in the MGEESM module are 3.610 ms, 3.550 ms, and 3.280 ms, respectively, with the introduction of error in consecutive frames. The detection time for BOAD111 module in the same scenario is 3.247 ms.

Multi-classification in-vehicle intrusion detection system using packet- and sequence-level characteristics from time-embedded transformer with autoencoder

In recent years, the increased application of controller area network (CAN) protocols has made it the de facto standard for communication between electronic control units (ECUs) in the automotive and transportation fields. This widely used protocol was designed as a reliable and straightforward broadcast-based protocol that connects ECUs without considering security concerns such as node authentication or traffic encryption. Despite its efficiency, this tradeoff makes the CAN bus vulnerable to attacks. Implementing intrusion detection systems (IDSs) based on machine learning (ML) can address these security challenges effectively. However, existing ML-based IDSs have limited classification capabilities, lack adaptability and time sensitivity, incomprehensive analysis, and produce high false-negative rates (FNR), while attack schemes are becoming increasingly complex, resulting in insufficient capability of intrusion detection in real-time and insufficient ability to offer reliable protection. Therefore, our study proposes a novel in-vehicle IDS for multiclass classification using both packet- and sequence-level characteristics extracted from an autoencoder and a variant transformer (Time-embedded Transformer) with an improved position encoding mechanism, which analyses CAN traffic in-depth from various perspectives to overcome the existing challenges above. Both standard (Car-Hacking) and advanced (ROAD) datasets are used to evaluate the capabilities of our proposed IDS. The evaluation results demonstrated 100 % detection accuracy and 0 % FNR for both the Car-Hacking and ROAD Masquerade datasets, which also peaked at the highest F1 score for the ROAD Fabrication dataset, emphasizing superior intrusion detection to minimize FNR of the proposed model with high adaptability through its multi-dimensional analysis at packet- and sequence-level.

CICIoV2024: Advancing realistic IDS approaches against DoS and spoofing attack in IoV CAN bus

Considering the complexity of network traffic in IoV operations, methods that can identify complex patterns become useful. Machine learning fosters several techniques to enhance the detection, prevention, and mitigation of cyberattacks. However, important features are not addressed in the current state-of-the-art security datasets for IoV. For example, in the case of intra-vehicle communications, it is critical to consider the interaction among multiple Electronic Control Units (ECUs). Also, mimicking a realistic IoV environment is not simple since establishing a test environment requires considerable financial investment. Hence, there is a need for a testbed composed of several real ECUs in an IoV environment comprising network traffic. Thereupon, the main goal of this research is to propose a realistic benchmark dataset to foster the development of new cybersecurity solutions for IoV operations. To accomplish this, five attacks were executed against the fully intact inner structure of a 2019 Ford car, complete with all ECUs. However, the vehicle was immobile and incapable of causing any potential harm or injuries. Hence, all attacks were carried out on the vehicle without endangering the car’s driver or passengers. These attacks are classified as spoofing and Denial-of-Service (Dos) and were carried out through the Controller Area Network (CAN) protocol. This effort establishes a baseline complementary to existing contributions and supports researchers in proposing new IoV solutions to strengthen overall security using different techniques (e.g., Machine Learning — ML). The CICIoV2024 dataset has been published on CIC’s dataset page.

Hybrid RNN-LSTM Networks for Enhanced Intrusion Detection in Vehicle CAN Systems

Electric vehicles (EVs) use electric motors for propulsion, relying on electric energy stored in batteries or other energy storage devices. The standard communication protocol used in EVs is the Control Area Network (CAN), a communication protocol widely used in the automotive industry for networking and communication between various components within a vehicle. CAN protocol, designed without any care about protection, as automotive systems become more connected, the vulnerability to cyber threats, including intrusion attacks. The most common intrusion attacks on EVs are Denial of Service (DoS), Fuzzy, and Impersonation Attacks. These become a significant challenge due to the imperative need for robust Intrusion Detection Systems (IDS) in CAN networks. This paper explores the application of advanced deep learning techniques, specifically Recurrent Neural Networks (RNN) and Long Short-Term Memory (LSTM) networks, to enhance the effectiveness of intrusion detection in the EV domain. We will use a hybrid Deep-learning model to improve the analysis. First, we will apply the RNN model, and the output will come as input for the second model, LSTM. Our proposed hybrid model achieved an accuracy of 93%. The outcomes of this research contribute to advancing cybersecurity measures in vehicular networks, ensuring the integrity and safety of connected vehicles. The applicability of RNN and LSTM techniques in the context of CAN networks demonstrates their potential to evolve as integral components of next-generation intrusion detection systems, fostering a secure and resilient automotive ecosystem.

DivaCAN: Detecting in-vehicle intrusion attacks on a controller area network using ensemble learning

The controller area network (CAN) protocol is a critical communication mechanism in vehicular systems. However, the widespread adoption of this protocol has introduced vulnerabilities to in-vehicle communication channels, making them susceptible to various security threats, including denial-of-service, fuzzy, and impersonation attacks. There is thus an urgent need to develop effective security measures to counter these threats. Unfortunately, existing approaches to attack detection suffer from shortcomings such as suboptimal accuracy and high false-positive rates. Herein, we propose a novel methodology to address these limitations, DivaCAN. DivaCAN leverages an ensemble of classifiers, including deep neural networks, the multi-layer perceptron, the light gradient-boosting machine, extra trees, random forest, and Bagging, along with k-nearest neighbors, for intrusion-attack recognition on the CAN bus. The DivaCAN model was thoroughly evaluated, and its exceptional performance, which surpasses that of the latest methodologies, was demonstrated. It was found to achieve a precision of 94.93%, a recall of 94.98%, and an F1 score of 94.97%. One notable aspect of this research is the emphasis on achieving a low false-positive rate, which is often overlooked by other methodologies. Additionally, the DivaCAN model was found to exhibit an acceptable execution time of 406 s, highlighting the importance of considering both accuracy and efficiency when evaluating the performance of classification models. This study thus significantly enhances the security of in-vehicle communication on the CAN protocol. DivaCAN is a robust and accurate intrusion-detection system that addresses the pressing need for effective security measures in vehicular systems.

ANALYZING THE CAN PROTOCOL: VULNERABILITIES, PROTECTIVE MEASURES AND IMPROVEMENTS

The Controller Area Network (CAN) bus, originally designed for internal communication among a limited number of Electronic Control Units (ECUs) within vehicles, faces significant security challenges due to the rapid expansion of ECUs in modern automobiles. This expansion necessitates accessibility for diagnostic purposes, yet the CAN protocol lacks fundamental security features such as encryption, authentication, and integrity checks, rendering it vulnerable to various attacks including message injection, Denial of Service (DoS), and masquerading ECUs. This paper surveys existing literature and investigates potential intrusions on the CAN bus, highlighting attacks ranging from GPS spoofing to remote sensor tampering. Various solutions are discussed, including network subdivision, encryption, authentication techniques, and intrusion detection systems (IDS). Recent research proposes IDS solutions utilizing machine learning algorithms such as Random Forest, Support Vector Machine, and Deep Neural Networks (DNN), demonstrating effectiveness in detecting known attacks. However, challenges persist in identifying unknown attacks and enhancing overall system performance. Innovative approaches, such as event-triggered detection and bloom filtering techniques, show promise in mitigating specific attack vectors but may introduce overhead or limitations in real-time response. Deep learning-based IDS systems exhibit high performance but struggle with the detection of novel attacks. Furthermore, while some solutions address specific vulnerabilities, others propose more comprehensive security measures, such as preventing remote manipulation of critical vehicle functions like steering and braking. Overall, the research emphasizes the critical need for robust security measures in automotive systems to safeguard against evolving threats to vehicle safety and integrity.

Bit scanner: Anomaly detection for in-vehicle CAN bus using binary sequence whitelisting

Due to the vulnerability of in-vehicle networks, particularly the Controller Area Network (CAN), malicious remote intrusion into vehicles has been a prominent public concern in recent years. The majority of existing technologies disregard the importance of the frame payload, making it difficult to detect tampered frames. In this paper, we propose Bit Scanner, a whitelist-based anomaly detection method that employs fine-grained checking for frame payload. Bit Scanner has no dependency on the CAN periodicity or CAN protocol. Its detection capabilities are evaluated using genuine CAN traffic collected from an autonomous bus. The results show that the proposed method has a malicious frames detection rate improvement of about 20% under replay attack scenarios, and a malicious packets detection rate improvement of at least 20% under tampering attack situations compared to the state-of-art methods.

An Anomaly Detection Method Based on Multiple LSTM-Autoencoder Models for In-Vehicle Network

The CAN (Controller Area Network) protocol is widely adopted for in-vehicle networks due to its cost efficiency and reliable transmission. However, despite its popularity, the protocol lacks built-in security mechanisms, making it vulnerable to attacks such as flooding, fuzzing, and DoS. These attacks can exploit vulnerabilities and disrupt the expected behavior of the in-vehicle network. One of the main reasons for these security concerns is that the protocol relies on broadcast frames for communication between ECUs (Electronic Control Units) within the network. To tackle this issue, we present an intrusion detection system that leverages multiple LSTM-Autoencoders. The proposed system utilizes diverse features, including transmission interval and payload value changes, to capture various characteristics of normal network behavior. The system effectively detects anomalies by analyzing different types of features separately using the LSTM-Autoencoder model. In our evaluation, we conducted experiments using real vehicle network traffic, and the results demonstrated the system’s high precision with a 99% detection rate in identifying anomalies.

Optimal Control Design and Online Controller-Area-Network Bus Data Analysis for a Light Commercial Hybrid Electric Vehicle

In this article, a hybrid powertrain for the Volkswagen (VW) Crafter is designed using the Model-In-The-Loop (MIL) method. An enhanced Proportional-Integral (PI) control technique based on integral cost functions is developed by carrying out a time-based simulation in MATLAB/Simulink software to realize the optimal fuel economy of the vehicle. Moreover, a comparative study is conducted between the vehicle’s hybrid and pure electric versions to assess the optimal battery energy consumption per unit distance traveled. Communication within our vehicles’ Electronic Control Units (ECUs) is facilitated by a message-based protocol called a Controller Area Network (CAN). Consequently, this paper presents an online CAN Bus data analysis using the Hardware-In-The-Loop (HIL) method. This method uses a standard frame, J1939 CAN protocol, implemented with Net CAN Plus 110 hardware. A graphical user interface is developed on a host Personal Computer (PC) using LabVIEW for decoding the acquired raw CAN data to physical values. The simulation results reveal that the proposed controller is promising and suitable for realizing optimal performance over the HIL method.

CANASTA: Controller Area Network Authentication Schedulability Timing Analysis

The Controller Area Network (CAN) dominates in-vehicle networking systems in modern vehicles. CAN was designed with low-latency and reliability as key features. Authenticity of a CAN frame was not considered in the design, thus, most in-vehicle network nodes inherently trust received messages as coming from a legitimate source. As a result, it is trivial to program (or hack) a network node to spoof traffic. Authentication is challenging for CAN and related protocols, such as SAE J1939, due to limited frame sizes and high bus utilization. Adding a message authentication code (MAC) as a separate message can unduly stress the real-time delivery of safety-critical messages. Although this stressor is well-known, the impact of authentication protocols on real-time message delivery in CAN has not yet been thoroughly examined. In this paper, we provide the first comprehensive analysis of realtime schedulability analysis applied to authentication schemes for CAN, CAN Flexible Data-rate (CAN FD), and CAN extra long payload (CAN XL). We formulate the response time analysis for addition of MACs and periodic transmission of MACs, and we examine their impact on two case studies and through evaluation with randomized schedulability experiments over a wide range of message sets.

A Digital Watermark Method for In-Vehicle Network Security Enhancement

In recent years, automobiles have become increasingly networked with the development of information and communication technology (ICT). With the enhancement of the connectivity between the electronic control units of the vehicle and the external network, cybersecurity and driving safety issues have also arisen. However, as a traditional in-vehicle network standard, the controller area network (CAN) protocol lacks a network security mechanism design, making it vulnerable to hacker attacks. The current research on the cybersecurity enhancement method for in-vehicle CAN is a multi-objective optimization problem with response time, bandwidth consumption and computational complexity reduction. This study presents an in-vehicle message authentication method based on digital watermark and Huffman coding that are compatible with current CAN bus protocols. Our method not only minimize the delay of message authentication, but also save the storage resources to the greatest extent. Moreover, to tackle the issue of low computing resources, multiple messages can be authenticated at one time. In order to evaluate the performance, we implement our method on CAN communication platform and validate its high accuracy, low latency, and compatibility.

Design and implementation of a wireless CAN module for marine engines using ZigBee protocol

AbstractThis paper describes the design and implementation of a wireless control area network (CAN bus) protocol for communication between the smart NOx (nitrogen oxide) sensor on diesel engines and the engine control unit (ECU). In this research, the approach taken is based on a case study of Wärtsilä's smart NOx sensor on a W4L20 diesel engine with the objective of replacing the wired CAN protocol with a wireless CAN communication node. In the current setup, the smart NOx sensor is connected to the engine control unit (ECU) with a wired CAN bus connection. The XBee module, which uses the ZigBee (IEEE 802.15.4) technology was used in the design and implementation of the wireless CAN prototype. With the emergence of 5G networks and the era of IoT, the topic of wireless industrial automation becomes essential in the modern industry. In addition to the great advantages and opportunities that the use of wireless nodes has in automation systems, there are many real challenges. The practical design challenges have been addressed in this paper.

Intrusion Detection in Vehicle Controller Area Network (CAN) Bus Using Machine Learning: A Comparative Performance Study.

Electronic Control Units (ECUs) have been increasingly used in modern vehicles to control the operations of the vehicle, improve driving comfort, and safety. For the operation of the vehicle, these ECUs communicate using a Controller Area Network (CAN) protocol that has many security vulnerabilities. According to the report of Upstream 2022, more than 900 automotive cybersecurity incidents were reported in 2021 only. In addition to developing a more secure CAN protocol, intrusion detection can provide a path to mitigate cyberattacks on the vehicle. This paper proposes a machine learning-based intrusion detection system (IDS) using a Support Vector Machine (SVM), Decision Tree (DT), and K-Nearest Neighbor (KNN) and investigates the effectiveness of the IDS using multiple real-world datasets. The novelty of our developed IDS is that it has been trained and tested on multiple vehicular datasets (Kia Soul and a Chevrolet Spark) to detect and classify intrusion. Our IDS has achieved accuracy up to 99.9% with a high true positive and a low false negative rate. Finally, the comparison of our performance evaluation outcomes demonstrates that the proposed IDS outperforms the existing works in terms of its liability and efficiency to detect cyber-attacks with a minimal error rate.

An Automatic Irrigation Based on Control Area Network (CAN) Protocol

An Automatic Irrigation Based on Control Area Network (CAN) Protocol

MAC-Based Compression Ratio Improvement for CAN Security

Information security in a controller area network (CAN) is becoming more important as the connections between a vehicle’s internal and external networks increase. Encryption and authentication techniques can be applied to CAN data frames to enhance security. To authenticate a data frame, a message authentication code (MAC) needs to be transmitted with the CAN data frame. Therefore, space for transmitting the MAC is required within the CAN frame. Recently, the Triple ID algorithm has been proposed to create additional space in the data field of the CAN frame. The Triple ID algorithm ensures every CAN frame is authenticated by at least 4 bytes of MAC without changing the original CAN protocol. However, since the Triple ID algorithm uses six header bits, there is a problem associated with low data compression efficiency. In this paper, we propose an algorithm that can remove up to 15 bits from frames compressed with the Triple ID algorithm. Through simulation using CAN signals of a Kia Sorento vehicle and an LS Mtron tractor, we show that the generation of frames containing compressed messages of 4 bytes or more is reduced by up to 99.57% compared to the Triple ID method.

DT-DS: CAN Intrusion Detection with Decision Tree Ensembles

The controller area network (CAN) protocol, used in many modern vehicles for real-time inter-device communications, is known to have cybersecurity vulnerabilities, putting passengers at risk for data exfiltration and control system sabotage. To address this issue, researchers have proposed to utilize security measures based on cryptography and message authentication; unfortunately, such approaches are often too computationally expensive to be deployed in real time on CAN devices. Additionally, they have developed machine learning (ML) techniques to detect anomalies in CAN traffic and thereby prevent attacks. The main disadvantage of existing ML-based techniques is that they either depend on additional computational hardware or they heuristically assume that all communication anomalies are malicious. In this article, we show that tree-based learning ensembles outperform anomaly-based techniques like AutoRegressive Integrated Moving Average (ARIMA) and Z-Score when used to detect attacks that result in increased bus utilization. We evaluated the detection capacity of three tree-based ensembles, Adaboost, gradient boosting, and random forests, and collectively refer to these as DT-DS. We conclude that the decision tree ensemble with Adaboost performs best with an area under curve (AUC) score of 0.999, closely followed by gradient boosting and random forests with 0.997 and 0.991 AUC scores, respectively, when trained using message profiles. We observe that with an increase in the observation window, the DT-DS models present an average AUC score of 0.999, and offer a nearly perfect detection of attacks, at the cost of increased latency in detection of attacked messages. We evaluate the performance of the IDS for Aeronautical Radio, Incorporated– (ARINC) encoded CAN communication traffic in avionic systems, generated using an aerospace testbench, ARINC-825TBv2. The IDS has been evaluated against the active attacks of a state-of-the-art predictive attacker model. Additionally, we observed that the performance of IDS approaches such as ARIMA and Z-Score degrade considerably with a decrease in the size of the observation time window. In contrast, the performance of DT-DS models is consistent, with only an average drop of 0.005 in the AUC score.

Flooding attack mitigator for in-vehicle CAN using fault confinement in CAN protocol

For driver convenience and safety, a number of electronic control units (ECUs) have been installed on modern vehicles. To support communications among ECUs, the controller area network (CAN) is commonly used as in-vehicle network for several decades. However, the CAN protocol lacks security mechanisms, which means that it can be damaged by a number of cyber attacks. In particular, message flooding is one type of DoS attack known to be the easiest to perform because it continuously broadcasts a large number of CAN messages to the in-vehicle CAN without any CAN traffic analysis. To handle message flooding on the in-vehicle CAN, several countermeasures including intrusion detection and prevention have been studied, but unfortunately, these solutions could produce false positive detection rates or cause the communication failures of benign ECUs. In this paper, we introduce a message flooding attack mitigation method for the first time that does not accidentally cause the communication failures of benign ECUs. The proposed method can mitigate flooding attack attempts by using the fault confinement rule that is defined in the CAN protocol. Since the proposed method does not violate the rules of the CAN standard during mitigating, no system modifications are required. Experimental results show that the proposed mitigator guarantees a transmission rate up to 79.22% of normal messages that were not sent due to a flooding attack.

Unsupervised Deep Learning Approach for In-Vehicle Intrusion Detection System

The controller area network (CAN) is a standard communication protocol used for sending messages between electronic control unit of a modern automotive system. CAN protocol does not have any in-built security mechanisms and, hence, various attacks can affect the vehicle and cause life threats to the passengers. This article presents an unsupervised deep learning architecture for detecting intrusions on a CAN bus. The CAN intrusion detection system (IDS) architecture has an autoencoder that helps to learn the optimal features from CAN packets to differentiate between the normal and attacks. The optimal features are passed as input to the Gaussian mixture model, which helps us to cluster the CAN network packet data samples into normal and attacks. A detailed analysis of the proposed architecture is done on the CAN IDS dataset. To develop a robust CAN IDS system and achieve generalization, the proposed method is evaluated on the other two computer network intrusion datasets and a wireless sensor network dataset. In all the experiments, the proposed method has performed better than the existing unsupervised method and mainly showed a performance gain of 6.4% on the CAN IDS dataset. This indicates that the proposed method is robust and generalizable across detecting various attacks in a CAN bus and most importantly, the method can be used in real time to effectively monitor the CAN network traffic to proactively alert possible attacks.

Highly Accurate Clock Synchronization With Drift Correction for the Controller Area Network

Modern vehicles, that have to be considered as safety-critical cyber-physical systems, require highly accurate <i>clock synchronization</i> (CS) among their distributed computing devices. Since Controller Area Network (CAN) is the predominant in-vehicle communication bus, it is highly relevant to support CS for CAN. This article proposes an original CS method for distributed in-vehicle networks based on CAN with both <i>offset</i> and <i>drift correction</i> . While offset correction is performed based on timestamps in periodic reference messages (RMs), our new method benefits from the re-synchronization mechanism of the CAN bit timing to apply highly accurate drift correction. Our algorithm does not make any modifications to the CAN protocol but requires the measurement of the phase error from the CAN controller. We derive analytical bounds for the expected clock differences and further validate the practicability of the proposed method by comprehensive experiments. As the main result, our method achieves a clock accuracy below <inline-formula><tex-math notation="LaTeX">$2\;\mu$</tex-math></inline-formula> s independent of important parameters such as the bit rate, RM period, bus utilization and time-varying clock drifts.