Skip to main content

Time-Based CAN Intrusion Detection Benchmark...

Publication Type
Conference Paper
Book Title
Workshop on Automotive and Autonomous Vehicle Security (AutoSec) 2021
Publication Date
Page Number
Conference Name
Network and Distributed Systems Security Symposium 2021 (NDSS)
Conference Location
San Diego, California, United States of America
Conference Sponsor
Internet Society
Conference Date

Modern vehicles are complex cyber-physical systems made of hundreds of electronic control units (ECUs) that communicate over controller area networks (CANs). This inherited complexity has expanded the CAN attack surface by the injection of malicious messages that vary their time-based characteristics. To detect these malicious messages, time-based intrusion detection systems (IDS) have been proposed. However, time-based IDS are usually trained and tested on low-fidelity datasets with unrealistic labeled attacks. This makes difficult the task of evaluating, comparing, and validating IDS. Here we detail and benchmark four time-based IDS in a dataset with real and advanced attacks. We found that methods with strong assumptions regarding the distribution of inter-arrival times have lower performance than distribution agnostic based methods. In particular, distribution agnostic based methods outperform distribution based methods at least on $55\%$ in area under the precision-recall (AUC-PR) curve. Our results expand the body of knowledge of CAN time-based IDS by providing details of these methods and reporting their results when tested on datasets with real and advanced attacks. We describe limitations, open challenges, and how lessons learnt from this research can inform the design of deployable time-based IDS in modern vehicles.