Abstract: Electronic components in vehicles communicate with one another by broadcasting messages over the controller area network (CAN) bus. The CAN message protocol is notoriously insecure, lacking both encryption and authentication for performance reasons. Vehicle manufacturers instead opt for "security through obscurity" and try to keep the meanings of CAN messages industry secrets. This approach has led to the discovery of several alarming and unaddressed vulnerabilities. For this reason, it is imperative to develop a security monitoring system for the CAN bus. However, any such intrusion detection system is limited by severe memory constraints: in-vehicle ECUs rarely have more than 1MB of RAM. In this work, we explore the potential for lightweight graph kernel-based intrusion detection systems that work in conjunction with byte analysis of individual messages. Our approach extends the state of the art in this field, which only classifies batches of messages as malicious or benign, rather than performing fine-grained anomaly detection. We analyze the precedence graph formed by CAN message ordering in conjunction with the bytes those messages contain to create a high-performance, low-memory anomaly detector. Our analysis revealed that this approach can detect a wide variety of attack types in both moving and stationary vehicles. We demonstrated that our method performs more precisely than prior works in the same field while requiring less than 100KB of memory.