Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks

by Michael R Moore, Robert A. Bridges, Frank L. Combs, Michael S. Starr, Stacy J. Prowell


Modern vehicles rely on hundreds of on-board electronic control units (ECUs) communicating over in-vehicle networks. As external interfaces to the car control networks (such as the on-board diagnostic (OBD) port, auxiliary media ports, etc.) become common, and vehicle-to-vehicle / vehicle-to-infrastructure technology is in the near future, the attack surface for vehicles grows, exposing control networks to potentially life-critical attacks. This paper addresses the need for securing the CAN bus by  detecting anomalous traffic patterns via unusual refresh rates of certain commands. While previous works have identified signal frequency as an important feature for CAN bus intrusion detection, this paper provides the first such algorithm with experiments on five attack scenarios. Our data-driven anomaly detection algorithm requires only five seconds of training time (on normal data) and achieves true positive / false discovery rates of 0.9998/0.00298, respectively (micro-averaged across the five experimental tests).

Publication Citation

2017 Cyber and Information Security Research Conference 2017 April 4, 2017 to April 6, 2017 Oak Ridge, Tennessee
DOI: 10.1145/3064814.3064816