skip to main content
OSTI.GOV title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks

Abstract

Modern vehicles rely on hundreds of on-board electronic control units (ECUs) communicating over in-vehicle networks. As external interfaces to the car control networks (such as the on-board diagnostic (OBD) port, auxiliary media ports, etc.) become common, and vehicle-to-vehicle / vehicle-to-infrastructure technology is in the near future, the attack surface for vehicles grows, exposing control networks to potentially life-critical attacks. This paper addresses the need for securing the CAN bus by detecting anomalous traffic patterns via unusual refresh rates of certain commands. While previous works have identified signal frequency as an important feature for CAN bus intrusion detection, this paper provides the first such algorithm with experiments on five attack scenarios. Our data-driven anomaly detection algorithm requires only five seconds of training time (on normal data) and achieves true positive / false discovery rates of 0.9998/0.00298, respectively (micro-averaged across the five experimental tests).

Authors:
 [1];  [1];  [1];  [1];  [1]
  1. ORNL
Publication Date:
Research Org.:
Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States). National Transportation Research Center (NTRC)
Sponsoring Org.:
USDOE Laboratory Directed Research and Development (LDRD) Program
OSTI Identifier:
1351776
DOE Contract Number:  
AC05-00OR22725
Resource Type:
Conference
Resource Relation:
Conference: Cyber and Information Security Research Conference 2017, Oak Ridge, TN, USA, 20170404, 20170406
Country of Publication:
United States
Language:
English
Subject:
CAN bus; in-vehicle security; anomaly detection; signal injection attack

Citation Formats

Moore, Michael Roy, Bridges, Robert A, Combs, Frank L, Starr, Michael S, and Prowell, Stacy J. Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks. United States: N. p., 2017. Web. doi:10.1145/3064814.3064816.
Moore, Michael Roy, Bridges, Robert A, Combs, Frank L, Starr, Michael S, & Prowell, Stacy J. Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks. United States. doi:10.1145/3064814.3064816.
Moore, Michael Roy, Bridges, Robert A, Combs, Frank L, Starr, Michael S, and Prowell, Stacy J. Sun . "Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks". United States. doi:10.1145/3064814.3064816.
@article{osti_1351776,
title = {Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks},
author = {Moore, Michael Roy and Bridges, Robert A and Combs, Frank L and Starr, Michael S and Prowell, Stacy J},
abstractNote = {Modern vehicles rely on hundreds of on-board electronic control units (ECUs) communicating over in-vehicle networks. As external interfaces to the car control networks (such as the on-board diagnostic (OBD) port, auxiliary media ports, etc.) become common, and vehicle-to-vehicle / vehicle-to-infrastructure technology is in the near future, the attack surface for vehicles grows, exposing control networks to potentially life-critical attacks. This paper addresses the need for securing the CAN bus by detecting anomalous traffic patterns via unusual refresh rates of certain commands. While previous works have identified signal frequency as an important feature for CAN bus intrusion detection, this paper provides the first such algorithm with experiments on five attack scenarios. Our data-driven anomaly detection algorithm requires only five seconds of training time (on normal data) and achieves true positive / false discovery rates of 0.9998/0.00298, respectively (micro-averaged across the five experimental tests).},
doi = {10.1145/3064814.3064816},
journal = {},
number = ,
volume = ,
place = {United States},
year = {Sun Jan 01 00:00:00 EST 2017},
month = {Sun Jan 01 00:00:00 EST 2017}
}

Conference:
Other availability
Please see Document Availability for additional information on obtaining the full-text document. Library patrons may search WorldCat to identify libraries that hold this conference proceeding.

Save / Share: