Research Overview of In-Vehicle CAN Bus IDS Technology

1. Introduction

With the advancement of Internet of Things (IoT) technology and the widespread application of Electronic Control Units (ECUs), the automotive industry is undergoing a significant transformation, with intelligence and networking becoming the mainstream trends. Intelligent connected vehicles achieve extensive interconnectivity between the vehicle and the external environment through advanced in-vehicle networks, such as the Controller Area Network (CAN), enhancing the driving experience, efficiency, and safety. However, this technological advancement also brings new challenges to information security.
The increasing connections between vehicles and external devices (such as mobile devices and infrastructure) and the open interfaces of vehicle systems expose intelligent connected vehicles to growing cybersecurity risks. These risks include not only data leakage and privacy violations but also direct threats to personal safety. For example, attacks through the CAN bus can control critical functions of the vehicle, such as braking and steering systems, posing serious threats to the safety of drivers and passengers. The hacking incident involving Chrysler’s intelligent connected vehicle is a stark example.
In the face of these challenges, the current in-vehicle CAN bus lacks effective security protection technologies and information security protection mechanisms. Since the in-vehicle networks of intelligent connected vehicles differ from traditional computer networks, traditional network security analysis methods and protection measures cannot be directly applied to intelligent connected vehicles. Therefore, researching and developing security protection technologies specific to the network structure and data messages of intelligent connected vehicles is particularly important. This is not only a necessary requirement for the development of the automotive industry but also a key to ensuring the safety of drivers and passengers.

2. Overview of CAN Bus

The CAN bus, short for Controller Area Network, is a serial communication protocol developed by Robert Bosch GmbH in the early 1980s, originally designed to solve the communication problems between the various electronic control units (ECUs) within a vehicle, and it has since been widely adopted in the automotive industry. After a period of competition from alternatives such as the “Vehicle Area Network” (VAN) developed by French automakers, the ISO-11898 standard for the CAN bus was published in November 1993. In 1995, an appendix to ISO-11898 introduced an extended frame using a 29-bit CAN identifier, expanding the frame format of the CAN bus. Owing to its efficiency, reliability, and low cost, the CAN bus has also spread to many other fields, including industrial automation, medical equipment, and aerospace.
The CAN bus follows the ISO-11898 standard and is characterized by a highly reliable communication mechanism, designed in particular for real-time control systems communicating in electrically noisy environments. In the CAN protocol, information is transmitted as data frames. Each data frame carries an identifier and a data field; the identifier not only indicates the priority of the message but also serves as the routing mechanism. This design allows any node on the bus to initiate communication without going through a central host, which is commonly referred to as “multi-master” (or “masterless”) operation. The CAN protocol is divided into the transport layer, data link layer, and physical layer. A standard CAN data frame carries 0 to 8 bytes of data, and a message uses either an 11-bit standard frame ID or a 29-bit extended frame ID. In the CAN protocol, all messages are sent in a fixed format [1][2]. The standard format of the data frame is shown in Figure 1 below.

Figure 1 Standard CAN Frame Format

3. Security Challenges of CAN

The following six characteristics of the CAN bus largely determine its vulnerability to network attacks, and they are also the reason intrusion detection on the CAN bus is necessary.
(1) Lack of Authentication: The CAN protocol does not design an authentication mechanism. This means that any node connected to the CAN bus can freely send or receive messages without any permission control or user authentication. Therefore, once an attacker successfully connects to the CAN bus, they can listen to or even tamper with the communication on the network without being detected.
(2) Lack of Encryption: The CAN protocol did not consider data security during its design, and therefore it does not use any form of encryption to protect the communication content. This allows attackers to read and understand any information collected from the CAN bus without cracking any encryption protection. Worse still, due to the absence of an encryption mechanism, attackers can easily forge or modify data frames and then resend them to the network, causing the CAN bus to receive incorrect information, which could severely impact the vehicle’s control systems.
(3) Broadcast Nature: The communication mode of the CAN bus is based on broadcasting, meaning that all information is sent to all nodes connected to the bus. Although this communication mode ensures timely information dissemination, it also allows attackers to listen to all communication content simply by connecting to the bus. Moreover, since there is no concept of source and destination addresses, attackers can easily forge the origin of messages, thereby hiding their true identity.
(4) Lack of Integrity Check: Although the CAN protocol has an error detection mechanism that can detect and correct transmission errors, this does not include checking the integrity of the data. This means that attackers can modify the contents of data frames, and such modifications will not be regarded as transmission errors. For example, classic replay attacks, message reconstruction attacks, and fuzzing attacks can occur without triggering error recovery mechanisms. This allows attackers to tamper with data without obstruction, thereby affecting the operation of the vehicle.
(5) Openness at the Physical Layer: The CAN bus is open at the physical layer, allowing any device that can connect to the bus to send and receive information. Although this design generally ensures the flow of information, it also facilitates the network access of malicious devices. Once a malicious device connects, it can potentially affect the entire system. Moreover, since the CAN protocol itself does not have an access authentication mechanism, malicious devices can relatively easily connect to the CAN bus.
(6) Uniformity of Data Format: The CAN protocol defines a uniform data format, which undoubtedly facilitates information exchange and parsing to some extent, but it also provides convenience for potential attackers. Due to the openness and uniformity of the CAN protocol, attackers only need to obtain the necessary hardware and software to parse or even forge CAN messages, conducting message masquerade attacks or man-in-the-middle attacks, etc.
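The two points above that matter most for detection are the fixed frame format (Section 2, Figure 1) and the fact that the only check a frame carries is a CRC for transmission errors (characteristic 4). The following example, added here and not taken from the article, serialises and parses a standard 11-bit data frame at the field level and computes the CRC-15 from the Bosch CAN specification (polynomial 0x4599). Bit stuffing is omitted, the identifier and data bytes are constructed sample values, and the point the code makes is that the CRC is recomputable by any node: a matching CRC proves only that the bits arrived as sent, not who sent them or whether the content is genuine.

```python
# Added example (not from the article): field-level layout of a standard
# 11-bit CAN data frame as in Figure 1, with the CRC-15 the data link layer
# uses to detect transmission errors. Bit stuffing is left out. The CRC
# polynomial is the one from the Bosch CAN specification; the identifier and
# payload used below are constructed for illustration.

CRC15_POLY = 0x4599  # x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1


def crc15(bits):
    """CRC-15 over a list of 0/1 bits, MSB first, initial register value 0."""
    crc = 0
    for bit in bits:
        crcnxt = bit ^ ((crc >> 14) & 1)
        crc = (crc << 1) & 0x7FFF
        if crcnxt:
            crc ^= CRC15_POLY
    return crc


def int_to_bits(value, width):
    """Big-endian bit list of `value` in `width` bits."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


def build_standard_frame(can_id, data):
    """Serialise a standard data frame (SOF ... EOF) as a list of bits."""
    if not 0 <= can_id < 2 ** 11:
        raise ValueError("standard identifiers are 11 bits")
    if not 0 <= len(data) <= 8:
        raise ValueError("a classical CAN frame carries 0 to 8 data bytes")
    bits = [0]                            # SOF: one dominant bit
    bits += int_to_bits(can_id, 11)       # arbitration field: 11-bit identifier
    bits += [0]                           # RTR = 0: data frame, not remote frame
    bits += [0]                           # IDE = 0: standard (11-bit) format
    bits += [0]                           # r0: reserved bit
    bits += int_to_bits(len(data), 4)     # DLC: data length code
    for byte in data:                     # data field, 0-8 bytes, MSB first
        bits += int_to_bits(byte, 8)
    bits += int_to_bits(crc15(bits), 15)  # CRC sequence over SOF..data
    bits += [1]                           # CRC delimiter (recessive)
    bits += [1, 1]                        # ACK slot (recessive as sent) + ACK delimiter
    bits += [1] * 7                       # EOF: seven recessive bits
    return bits


def parse_standard_frame(bits):
    """Decode the fields of a frame produced by build_standard_frame."""
    can_id = bits_to_int(bits[1:12])
    rtr, ide = bits[12], bits[13]
    dlc = bits_to_int(bits[15:19])
    data_end = 19 + 8 * dlc
    data = bytes(bits_to_int(bits[i:i + 8]) for i in range(19, data_end, 8))
    crc_field = bits_to_int(bits[data_end:data_end + 15])
    # The CRC only says the bits arrived as they were sent. Any node that
    # builds a frame with a matching CRC passes this check, so a good CRC
    # gives no guarantee about the origin or authenticity of the content.
    crc_ok = crc15(bits[:data_end]) == crc_field
    return {"id": can_id, "rtr": rtr, "ide": ide, "dlc": dlc,
            "data": data, "crc_ok": crc_ok}


if __name__ == "__main__":
    frame = build_standard_frame(0x123, bytes([0x11, 0x22, 0x33]))
    print(len(frame), "bits:", "".join(map(str, frame)))
    print(parse_standard_frame(frame))
```

A frame with n data bytes is 44 + 8n bits before stuffing. Because the register starts at zero and has no output XOR, running crc15 over the protected fields followed by the CRC sequence itself yields zero, which is how a receiver can check a frame in one pass; the same property holds for a frame assembled by any other node, which is exactly why a CRC is not an integrity or authentication mechanism.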

4. Overview of Anomaly Detection Technology

The in-vehicle network IDS is an important method for protecting the security of the in-vehicle network. It can check for suspicious activities and external intrusions in the in-vehicle network while issuing intrusion alerts to ensure that drivers can take timely measures. Unlike other information security enhancement methods (such as data encryption, message authentication technologies, etc.), intrusion detection systems do not occupy a large amount of computational resources within the in-vehicle network, making them suitable for resource-constrained environments like in-vehicle networks.

Figure 2 Anomaly Detection Model Diagram

By detection technique, intrusion detection systems are divided into signature-based and anomaly-based systems. Signature-based systems detect intrusions by matching traffic against a predefined list of attack signatures. Studnia et al. analyzed the specific characteristics of the CAN network and derived a set of forbidden message sequences (i.e., signatures) for intrusion detection; the signature library they created is intended to serve for the vehicle's lifetime without subsequent updates.
Although signature-based in-vehicle CAN network intrusion detection systems (IDS) offer fast matching and high accuracy for known attacks, maintaining such a very large signature database is itself a challenge. Moreover, attackers have many ways of attacking in-vehicle networks, and when a new attack whose signature is not in the database is launched against the CAN network, a signature-based intrusion detection system may fail to detect it.
Anomaly-based intrusion detection systems first establish patterns of normal behavior through feature extraction or statistics; when these patterns are violated, an intrusion is considered to have occurred. The features span many aspects, including physical characteristics such as in-vehicle voltage and clock skew, as well as data characteristics such as the content, identifiers, and categories of CAN messages. By detection method, anomaly detection technology can be divided into three categories: physical-feature-based anomaly detection, statistical anomaly detection, and anomaly detection based on machine learning and deep learning.
Physical-feature-based methods focus on the physical characteristics of the CAN network. Tian et al. proposed an intrusion detection system based on temperature-varied ECU fingerprints: they showed that the clock skew of an ECU changes as its temperature rises, and used the relationship between ECU clock skew and temperature to identify whether an intrusion has occurred. Zhao et al. established a unique fingerprint for each ECU from its clock skew and designed an intrusion detection method named ClockIDS, whose average detection time is only 1.99 ms.
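To make the clock-skew idea concrete, here is a simplified fingerprint check written for this overview; it is not the code of ClockIDS or of Tian et al. A receiver timestamps a message that an ECU sends with a fixed nominal period, estimates the sender's clock skew from how the arrival times drift away from the nominal schedule, and flags a message whose skew departs from the fingerprint learned for that identifier (a message with the right ID sent from a different node carries that node's skew, not the legitimate sender's). The 10 ms period, the 50 ppm tolerance, and the timestamps themselves are constructed assumptions, not recorded traffic.

```python
# Added example (not the article's or ClockIDS's code): clock-skew
# fingerprinting of a periodic CAN message from receiver-side timestamps.
# Period, tolerance and all timestamps below are constructed for illustration.

PERIOD_S = 0.010   # assumed nominal period of the monitored message (10 ms)


def jitter(i):
    """Deterministic +/-5 us arrival jitter so the example is reproducible."""
    return ((i * 7919) % 11 - 5) * 1e-6


def make_timestamps(n, skew_ppm, period=PERIOD_S):
    """Arrival times of n messages from a sender whose clock runs skew_ppm fast."""
    rate = 1.0 + skew_ppm * 1e-6
    return [i * period * rate + jitter(i) for i in range(n)]


def estimate_skew_ppm(timestamps, period=PERIOD_S):
    """Clock skew in ppm: least-squares slope of the accumulated offset between
    observed arrival time and the nominal schedule, against nominal time."""
    t0 = timestamps[0]
    xs = [i * period for i in range(len(timestamps))]      # nominal elapsed time
    ys = [(t - t0) - x for t, x in zip(timestamps, xs)]    # accumulated offset
    xm = sum(xs) / len(xs)
    ym = sum(ys) / len(ys)
    num = sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
    den = sum((x - xm) ** 2 for x in xs)
    return num / den * 1e6


def is_anomalous(timestamps, fingerprint_ppm, tolerance_ppm=50.0, period=PERIOD_S):
    """True when the skew measured over this window leaves the tolerance band
    around the fingerprint learned for the legitimate sender of this ID."""
    return abs(estimate_skew_ppm(timestamps, period) - fingerprint_ppm) > tolerance_ppm


if __name__ == "__main__":
    # Learning phase: 200 messages (2 s) from the legitimate ECU, +200 ppm clock.
    fingerprint = estimate_skew_ppm(make_timestamps(200, skew_ppm=200))
    print("fingerprint: %.1f ppm" % fingerprint)
    # Later windows: the same ECU again, then the same ID from a node at -150 ppm.
    print("same ECU:", is_anomalous(make_timestamps(200, skew_ppm=200), fingerprint))
    print("other node:", is_anomalous(make_timestamps(200, skew_ppm=-150), fingerprint))
```

The estimator needs enough messages for the drift to dominate the jitter: with 5 us jitter and a 10 ms period, a 200 ppm skew accumulates 400 us over 200 messages, so the slope is recovered to within a fraction of a ppm. Temperature changes shift a real ECU's skew over time, which is the effect Tian et al. exploit and the reason a deployed fingerprint needs either a tolerance band or periodic re-learning.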

Figure 3 Anomaly Detection Model Based on Features and Information Entropy

Statistical anomaly detection uses information entropy, the relative distance between consecutive messages, and similar quantities as its basis, on the assumption that under normal conditions the entropy of the messages transmitted in the in-vehicle network remains relatively low; when the entropy of the network changes significantly, the in-vehicle network is deemed to have been intruded upon. Marchetti et al. observed that the entropy of information exchanged in the in-vehicle CAN network is stable and approximately normally distributed, and proposed an anomaly detection algorithm based on entropy calculation. Islam et al. proposed a graph-based CAN network intrusion detection method that uses graph theory, statistical analysis, and chi-square tests to detect abnormal CAN messages. Figure 3 illustrates a common process for anomaly detection based on features and information entropy.
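The entropy-based process of Figure 3 reduces to a few lines, so here is an added example (written for this overview, not code from Marchetti et al. or the article) that computes the Shannon entropy of the CAN identifiers in each window of traffic, learns the band of entropy values seen on normal traffic, and flags a window that leaves the band in either direction. The periodic baseline schedule, the window size of 100 messages, the 0.3-bit margin, and the two abnormal windows (a flood of a single high-priority ID, and a burst of never-seen IDs of the kind fuzzing produces) are all constructed for the example.

```python
# Added example (not from the article or the cited papers): sliding-window
# Shannon entropy over CAN identifiers. The baseline schedule, window size,
# margin and abnormal windows are constructed, not recorded bus traffic.
from collections import Counter
from math import log2

WINDOW = 100  # messages per window (assumed)

# Constructed periodic schedule of 20 messages: 0x100 eight times, 0x200 and
# 0x300 four times each, 0x400 twice, 0x500 and 0x600 once.
PATTERN = [0x100, 0x200, 0x300, 0x100, 0x400, 0x100, 0x200, 0x300, 0x100, 0x500,
           0x100, 0x200, 0x300, 0x100, 0x400, 0x100, 0x200, 0x300, 0x100, 0x600]


def window_entropy(ids):
    """Shannon entropy (bits) of the identifier distribution in one window."""
    counts = Counter(ids)
    n = len(ids)
    return -sum(c / n * log2(c / n) for c in counts.values())


def windows(ids, size=WINDOW):
    """Non-overlapping windows of `size` messages."""
    return [ids[i:i + size] for i in range(0, len(ids) - size + 1, size)]


def learn_band(normal_ids, margin=0.3, size=WINDOW):
    """Entropy band [min - margin, max + margin] observed on normal traffic."""
    values = [window_entropy(w) for w in windows(normal_ids, size)]
    return min(values) - margin, max(values) + margin


def is_anomalous(window_ids, band):
    """Flag a window whose entropy leaves the learned band in either direction:
    a flood of one identifier drives entropy down, a burst of unfamiliar
    identifiers drives it up."""
    low, high = band
    h = window_entropy(window_ids)
    return h < low or h > high


if __name__ == "__main__":
    normal = PATTERN * 50                          # 1000 messages of baseline traffic
    band = learn_band(normal)
    flood = [0x000] * 90 + PATTERN[:10]            # one high-priority ID crowding the bus
    fuzz = [0x700 + i for i in range(WINDOW)]      # 100 distinct, never-seen IDs
    for name, w in [("normal", PATTERN * 5), ("flood", flood), ("fuzz", fuzz)]:
        print(name, round(window_entropy(w), 3), is_anomalous(w, band))
```

On the constructed schedule every normal window has an entropy of about 2.22 bits, so the band is roughly 1.92 to 2.52 bits; the flood window falls to about 0.68 bits and the fuzz window rises to log2(100), about 6.64 bits. Real traffic has a wider spread of normal entropy values, which is why Marchetti et al. model the distribution rather than a single value, and why a window that merely reorders legitimate messages is invisible to this check (entropy ignores order).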
Machine learning and deep learning-based methods build a model that predicts abnormal vehicle states from CAN messages collected from different vehicles or under different vehicle conditions. Because CAN messages have temporal characteristics, Hidden Markov Models (HMM) and Long Short-Term Memory (LSTM) networks were among the first models considered for intrusion detection. Levi et al. used an HMM to model vehicle behavior and built a regression model on time features to predict a likelihood score for the inter-message time interval, detecting anomalies by comparing the outputs of the two models. Ding et al. designed a sliding-window strategy and built a BiLSTM-based intrusion detection system around the temporal logic present among the different messages on the CAN bus. In addition, some researchers have applied Generative Adversarial Networks (Seo et al.) and deep convolutional neural networks (Song et al.) to intrusion detection.
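The sequence models above all learn which message tends to follow which; the simplest member of that family is a first-order Markov model over the identifier sequence, and the added example below (written for this overview, not code from Levi et al. or Ding et al.) uses it to show what temporal modelling buys over per-window statistics. It learns smoothed transition probabilities from a normal trace, scores each sliding window by the mean negative log-likelihood of its transitions, and sets the threshold from the scores of normal windows. The training schedule, the window size, the smoothing constants and the test windows are constructed; in particular, the reordered window keeps exactly the same identifier distribution as a normal one, so a distribution-only detector would pass it, while the transition model flags it.

```python
# Added example (not the article's or the cited authors' code): first-order
# Markov model over CAN identifier sequences as a minimal temporal detector.
# The schedule, window size, smoothing constants and test windows are constructed.
from collections import Counter, defaultdict
from math import log

# Constructed periodic schedule of 20 messages (same kind of baseline as a
# real bus: a few fast IDs interleaved with slower ones).
PATTERN = [0x100, 0x200, 0x300, 0x100, 0x400, 0x100, 0x200, 0x300, 0x100, 0x500,
           0x100, 0x200, 0x300, 0x100, 0x400, 0x100, 0x200, 0x300, 0x100, 0x600]
LAPLACE = 0.01       # smoothing mass: unseen transitions between known IDs are rare, not impossible
UNSEEN_PROB = 1e-4   # probability for a transition involving an ID never seen in training
WINDOW = 100


def train_transitions(ids):
    """Smoothed transition probabilities P(next | current) from a normal trace."""
    alphabet = sorted(set(ids))
    counts = defaultdict(Counter)
    for cur, nxt in zip(ids, ids[1:]):
        counts[cur][nxt] += 1
    model = {}
    for cur in alphabet:
        total = sum(counts[cur].values()) + LAPLACE * len(alphabet)
        model[cur] = {nxt: (counts[cur][nxt] + LAPLACE) / total for nxt in alphabet}
    return model


def surprise(window, model):
    """Mean negative log-likelihood per transition (natural log); higher is stranger."""
    total = 0.0
    for cur, nxt in zip(window, window[1:]):
        p = model.get(cur, {}).get(nxt, UNSEEN_PROB)
        total += -log(p)
    return total / (len(window) - 1)


def learn_threshold(normal_ids, model, size=WINDOW, margin=0.5):
    """Highest surprise seen on normal windows, plus a margin."""
    scores = [surprise(normal_ids[i:i + size], model)
              for i in range(0, len(normal_ids) - size + 1, size)]
    return max(scores) + margin


def is_anomalous(window, model, threshold):
    return surprise(window, model) > threshold


def id_histogram(ids):
    """Identifier counts, to show which windows look identical to a distribution-only check."""
    return dict(Counter(ids))


if __name__ == "__main__":
    trace = PATTERN * 50
    model = train_transitions(trace)
    threshold = learn_threshold(trace, model)
    normal = PATTERN * 5
    reordered = sorted(normal)                     # same IDs, same counts, wrong order
    injected = []                                  # an extra unknown ID every 10 messages
    for i, x in enumerate(normal):
        injected.append(x)
        if i % 10 == 9:
            injected.append(0x000)
    for name, w in [("normal", normal), ("reordered", reordered), ("injected", injected)]:
        print(name, round(surprise(w, model), 2), is_anomalous(w, model, threshold))
```

On the constructed schedule a normal window scores about 0.5 nats per transition (the only uncertainty is which ID follows 0x100), the reordered window scores far above the threshold because runs such as 0x100 followed by 0x100 never occur in training, and the injected window is caught because transitions into and out of the unknown ID receive the floor probability. An HMM or LSTM generalises this by conditioning on more than one previous message and on timing, which is what allows the cited systems to model a real bus where the schedule is not as regular as this one.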

5. Conclusion

This article delves into key issues regarding the security of in-vehicle CAN networks. The hidden dangers of the CAN bus differ from other network security risks; they no longer simply involve information theft or leakage but pose a tangible threat to our safety. Protecting the information security of the in-vehicle CAN bus through detection technologies such as anomaly detection is of great significance. This article first introduces the CAN bus and analyzes the six security challenges it faces. Next, it reviews the intrusion detection methods for in-vehicle CAN networks in recent years and summarizes the current state of research on intrusion detection methods for in-vehicle CAN networks. We believe that despite facing numerous challenges, these issues will eventually be overcome with the continuous advancement of technology and in-depth research. In the future, we will witness the birth of safer and more reliable intelligent connected vehicle technologies.

References

[1] NAVET N, SONG Y, SIMONOT-LION F, et al. Trends in automotive communication systems[J]. Proceedings of the IEEE, 2005, 93(6):1204-1223.

[2] QAYYUM A, ISLAM M H, JAMIL M. Taxonomy of statistical based anomaly detection techniques for intrusion detection[C]. Proceedings of the IEEE Symposium on Emerging Technologies, 2005:270-276.

[3] NAVAZ A S S, SANGEETHA V, PRABHADEVI C. Entropy based anomaly detection system to prevent DDoS attacks in cloud[J]. arXiv Preprint, arXiv:1308.6745, 2013.

[4] STUDNIA I, ALATA E, NICOMETTE V, et al. A language based intrusion detection approach for automotive embedded networks[J]. International Journal of Embedded Systems, 2018, 10(1):1-12.

[5] TIAN M Q, JIANG R B, XING C Q, et al. Exploiting temperature-varied ECU fingerprints for source identification in in-vehicle network intrusion detection[C]. 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC). Piscataway: IEEE Press, 2019:1-8.

[6] ZHAO Y L, XUN Y J, LIU J J. ClockIDS: a real-time vehicle intrusion detection system based on clock skew[J]. IEEE Internet of Things Journal. 2022, 9(17):15593-15606.

[7] MARCHETTI M, STABILI D, GUIDO A, et al. Evaluation of anomaly detection for in-vehicle networks through information theoretic algorithms[C]. IEEE International Forum on Research and Technologies for Society and Industry Leveraging a Better Tomorrow. Piscataway: IEEE Press, 2016:1-6.

[8] ISLAM R, REFAT R U D, YERRAM S M, et al. Graph-Based intrusion detection system for controller area networks[J]. IEEE Transactions on Intelligent Transportation System, 2022, 23(3):1727-1736.

[9] LEVI M, ALLOUCHE Y, KONTOROVICH A. Advanced analytics for connected car cybersecurity[C]. IEEE 87th Vehicular Technology Conference. Piscataway: IEEE Press, 2018:1-7.

[10] DING D F, ZHU L, XIE J Y, et al. In-vehicle network intrusion detection system based on BiLSTM[C]. 2022 7th International Conference on Intelligent Computing and Signal Processing (ICSP). Piscataway: IEEE Press, 2022:580-583.

[11] SEO E, SONG H M, KIM H K, et al. GIDS: GAN based intrusion detection system for in-vehicle network[C]. Annual Conference on Privacy, Security and Trust, Piscataway: IEEE Press, 2018:1-6.

[12] SONG H M, WOO J Y, KIM H K, et al. In-vehicle network intrusion detection using deep convolutional neural network[J]. Vehicular Communications, 2020, 21:100198.

China Association for Confidentiality

Scientific and Technological Branch


Author: Zhang Jianrong, Institute of Information Engineering, Chinese Academy of Sciences

Editor: Yan Jie
