skip to main content
OSTI.GOV title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks

Abstract

Modern vehicles rely on hundreds of on-board electronic control units (ECUs) communicating over in-vehicle networks. As external interfaces to the car control networks (such as the on-board diagnostic (OBD) port, auxiliary media ports, etc.) become common, and vehicle-to-vehicle / vehicle-to-infrastructure technology is in the near future, the attack surface for vehicles grows, exposing control networks to potentially life-critical attacks. This paper addresses the need for securing the CAN bus by detecting anomalous traffic patterns via unusual refresh rates of certain commands. While previous works have identified signal frequency as an important feature for CAN bus intrusion detection, this paper provides the first such algorithm with experiments on five attack scenarios. Our data-driven anomaly detection algorithm requires only five seconds of training time (on normal data) and achieves true positive / false discovery rates of 0.9998/0.00298, respectively (micro-averaged across the five experimental tests).

Authors:
 [1];  [1];  [1];  [1];  [1]
  1. ORNL
Publication Date:
Research Org.:
Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States). National Transportation Research Center (NTRC)
Sponsoring Org.:
USDOE Laboratory Directed Research and Development (LDRD) Program
OSTI Identifier:
1351776
DOE Contract Number:
AC05-00OR22725
Resource Type:
Conference
Resource Relation:
Conference: Cyber and Information Security Research Conference 2017, Oak Ridge, TN, USA, 20170404, 20170406
Country of Publication:
United States
Language:
English
Subject:
CAN bus; in-vehicle security; anomaly detection; signal injection attack

Citation Formats

Moore, Michael Roy, Bridges, Robert A, Combs, Frank L, Starr, Michael S, and Prowell, Stacy J. Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks. United States: N. p., 2017. Web. doi:10.1145/3064814.3064816.
Moore, Michael Roy, Bridges, Robert A, Combs, Frank L, Starr, Michael S, & Prowell, Stacy J. Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks. United States. doi:10.1145/3064814.3064816.
Moore, Michael Roy, Bridges, Robert A, Combs, Frank L, Starr, Michael S, and Prowell, Stacy J. Sun . "Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks". United States. doi:10.1145/3064814.3064816.
@article{osti_1351776,
title = {Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks},
author = {Moore, Michael Roy and Bridges, Robert A and Combs, Frank L and Starr, Michael S and Prowell, Stacy J},
abstractNote = {Modern vehicles rely on hundreds of on-board electronic control units (ECUs) communicating over in-vehicle networks. As external interfaces to the car control networks (such as the on-board diagnostic (OBD) port, auxiliary media ports, etc.) become common, and vehicle-to-vehicle / vehicle-to-infrastructure technology is in the near future, the attack surface for vehicles grows, exposing control networks to potentially life-critical attacks. This paper addresses the need for securing the CAN bus by detecting anomalous traffic patterns via unusual refresh rates of certain commands. While previous works have identified signal frequency as an important feature for CAN bus intrusion detection, this paper provides the first such algorithm with experiments on five attack scenarios. Our data-driven anomaly detection algorithm requires only five seconds of training time (on normal data) and achieves true positive / false discovery rates of 0.9998/0.00298, respectively (micro-averaged across the five experimental tests).},
doi = {10.1145/3064814.3064816},
journal = {},
number = ,
volume = ,
place = {United States},
year = {Sun Jan 01 00:00:00 EST 2017},
month = {Sun Jan 01 00:00:00 EST 2017}
}

Conference:
Other availability
Please see Document Availability for additional information on obtaining the full-text document. Library patrons may search WorldCat to identify libraries that hold this conference proceeding.

Save / Share:
  • This paper discusses VICbus, a multiplexed, multi-master cable bus primarily intended for interconnecting backplane bus systems, such as VMEbus, but which may also be used wherever a high performance, general purpose cable bus is required. It is implemented using differential line transmission to interconnect up to 31 devices on a total cable length of 100 meters. Both compelled (asynchronous) and non-compelled (synchronous) data transmission protocols are specified. The compelled protocol is essential when the data transfer protocols of VMEbus backplanes are to be interlocked for software transparent operation, but may also be used for transfers between memories within VICbus devices,more » not involving associated backplanes. The non-compelled protocol is used in the latter case, when performance is a major factor. An efficient bus arbitration mechanism takes into consideration the long signal propagation times on cables. A simple interrupt mechanism is specified permitting the transparent use of interrupts on interconnected VMEbus backplanes.« less
  • VICbus is a standard inter-crate cable bus being developed by a working group of the ISO/IEC. Derived from an initiative of the VMEbus Working Group of ESONE, VICbus aims to provide users of multi-crate VMEbus and other backplane bus systems with a standard inter-crate connection. Multi-drop operation is provided for up to 31 devices on a cable of maximum 100 metres in length. Two data transfer protocols are specified, compelled (asynchronous) transfers for transparent interconnection of backplane bus systems (VMEbus in the first instance), and high-speed, non-compelled (synchronous) transfers between VICbus interfaces. A limited interrupt mechanism is specified, as wellmore » as simple, but efficient arbitration technique. Conventional technology is employed: copper cables, existing transcievers, and differential signal transmission, together with proven low-level protocols. Data transfer rates in excess of 30 Mbyte/s will be possible on a cable length of 30 metres.« less
  • First-arrival times are a valuable source of near-surface velocity information. In the shallow marine environment, the first arrivals are often diving waves which propagate downward to some maximum depth and then continuously refract back to the surface. Diving waves are especially sensitive to slowly varying changes in the velocity structure and are also sensitive to more localized velocity anomalies. The slowly varying features are of a much lower frequency than the traveltime effects produced by the localized anomalies. A maximum-likelihood inversion is applied to the first-arrival times (turning rays) of a shallow-marine seismic reflection data set to estimate the slowlymore » varying components of the near-surface velocity field. The earth model is represented with a low frequency parameterization designed specifically for those components of the data the authors wish to predict. Two-dimensional cubic B-splines represent the velocity field and are adjusted in the inversion. This model parameterization effectively decouples the low frequency components of the first-arrival times from the higher frequency components. This decoupling allows an inherently nonlinear problem to be treated as a linear problem where the solution is obtained in a single iteration.« less
  • The determination of the arrival time of an AE event has been studied using simulated acoustic emission (AE) signals on a Kevlar/epoxy composite. Transient recorder records were used to study the AE waveforms as well as the background electronic noise. Parameters studied include the bandpass and the relative position of the sensor with respect to the source position. The rise of the AE signal out of the background electronic noise was studied in detail by measuring the amplitude of each ''half-cycle'' of the analog signal both before the arrival of the AE event and for the first part of themore » AE signal. A relatively large amplitude difference was observed between the amplitude of the first half-cycle of the AE event and the peak amplitude of the AE event. Implications of the results obtained in these experiments are discussed relative to the commercial AE instrumentation approach of using penetration of the threshold to determine the arrival time of an AE event. In particular, it is shown that accurate source location in the composite depends on having a significantly large amplitude difference between the threshold and the peak amplitude for each channel in the AE source location array. Finally, an alternative approach is examined for potential use to determine the arrival time of an AE event.« less