Using Streaming Data Algorithm for Intrusion Detection on the Vehicular Controller Area Network
Abstract
The Controller Area Network (CAN), which is a protocol for the in-vehicle network, is lacking in security features, making the CAN bus vulnerable to a range of cyberattacks such as message injections, replay attacks, and denial of service attacks. This has prompted researchers to develop statistical and machine learning based intrusion detection systems for the CAN bus that use various features such as message timing and frequency to detect attacks. In this paper, the adapted streaming data Isolation Forest (iForestASD) algorithm has been applied to CAN intrusion detection. While the Isolation Forest (iForest) anomaly detection algorithm has a linear time complexity and low memory requirement, iForestASD adapts iForest by employing a sliding window that introduces the ability to handle concept drift, which is often characteristic of streaming data such as CAN bus traffic. The detection model is trained with only message timing information, making it applicable to all vehicles regardless of make and model. Results of experiments that compare the attack detection performance of iForestASD and iForest show that CAN traffic stream demonstrates insignificant concept drift and the detection model does not benefit from being retrained with a sliding window of latest CAN traffic, as in iForestASD. The size of the training sample is, however, found to be an important consideration - a model trained with only 30 s of CAN traffic always yields better detection performance than a model trained with a larger window of CAN traffic.
Keywords
Controller Area Network Intrusion detection Isolation forest Message insertion AutomotiveReferences
- 1.Avatefipour, O., et al.: An intelligent secured framework for cyberattack detection in electric vehicles’ CAN bus using machine learning. IEEE Access 7, 127580–127592 (2019). https://doi.org/10.1109/ACCESS.2019.2937576CrossRefGoogle Scholar
- 2.Avatefipour, O., Malik, H.: State-of-the-art survey on in-vehicle network communication (CAN-Bus) security and vulnerabilities. Int. J. Comput. Sci. Netw. 6(6), 720–727 (2017)Google Scholar
- 3.Bozdal, M., Samie, M., Jennions, I.: A survey on CAN bus protocol: attacks, challenges, and potential solutions. In: 2018 International Conference on Computing, Electronics & Communications Engineering (iCCECE), pp. 201–205 (2018). https://doi.org/10.1109/iCCECOME.2018.8658720
- 4.Charette, R.N.: How software is eating the car. IEEE Spectrum, June 2021. https://spectrum.ieee.org/cars-that-think/transportation/advanced-cars/software-eating-car
- 5.Checkoway, S., et al.: Comprehensive experimental analyses of automotive attack surfaces. In: Proceedings of the 20th USENIX Conference on Security, SEC 2011, p. 6. USENIX Association (2011)Google Scholar
- 6.Corrigan, S.: Introduction to the controller area network (CAN). Application report, Texas Instruments (2016)Google Scholar
- 7.Ding, Z., Fei, M.: An anomaly detection approach based on isolation forest algorithm for streaming data using sliding window. IFAC Proc. Vol. 46(20), 12–17 (2013). https://doi.org/10.3182/20130902-3-CN-3020.00044. https://www.sciencedirect.com/science/article/pii/S1474667016314999
- 8.Dupont, G., Lekidis, A., den Hartog, J.J., Etalle, S.S.: Automotive controller area network (CAN) bus intrusion dataset v2, November 2019. https://doi.org/10.4121/uuid:b74b4928-c377-4585-9432-2004dfa20a5d
- 9.Gmiden, M., Gmiden, M.H., Trabelsi, H.: An intrusion detection method for securing in-vehicle CAN bus. In: 2016 17th International Conference on Sciences and Techniques of Automatic Control and Computer Engineering (STA), pp. 176–180 (2016). https://doi.org/10.1109/STA.2016.7952095
- 10.Klopfenstein, T., Kravets, I., Francis, C.M.: SparkFun CAN-bus Arduino library (2017). https://github.com/sparkfun/SparkFun_CAN-Bus_Arduino_Library
- 11.Koscher, K., et al.: Experimental security analysis of a modern automobile. In: 2010 IEEE Symposium on Security and Privacy, pp. 447–462 (2010). https://doi.org/10.1109/SP.2010.34
- 12.Le, V.H., den Hartog, J., Zannone, N.: Security and privacy for innovative automotive applications: a survey. Comput. Commun. 132, 17–41 (2018)CrossRefGoogle Scholar
- 13.Liu, F.T., Ting, K.M., Zhou, Z.H.: Isolation forest. In: 2008 Eighth IEEE International Conference on Data Mining, pp. 413–422 (2008). https://doi.org/10.1109/ICDM.2008.17
- 14.Mansor, H., Markantonakis, K., Akram, R.N., Mayes, K., Gurulian, I.: Log your car: the non-invasive vehicle forensics. In: 2016 IEEE Trustcom/BigDataSE/ISPA, pp. 974–982 (2016). https://doi.org/10.1109/TrustCom.2016.0164
- 15.Marchetti, M., Stabili, D.: Anomaly detection of CAN bus messages through analysis of ID sequences. In: 2017 IEEE Intelligent Vehicles Symposium (IV), pp. 1577–1583 (2017). https://doi.org/10.1109/IVS.2017.7995934
- 16.Marchetti, M., Stabili, D.: READ: Reverse engineering of automotive data frames. IEEE Trans. Inf. Forensics Secur. 14(4), 1083–1097 (2019). https://doi.org/10.1109/TIFS.2018.2870826CrossRefGoogle Scholar
- 17.Miller, C., Valasek, C.: A survey of remote automotive attack surfaces. Black Hat, USA (2014)Google Scholar
- 18.Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle. Black Hat, USA (2015)Google Scholar
- 19.Moore, M.R., Bridges, R.A., Combs, F.L., Starr, M.S., Prowell, S.J.: Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks: a data-driven approach to in-vehicle intrusion detection. In: Proceedings of the 12th Annual Conference on Cyber and Information Security Research, CISRC 2017. Association for Computing Machinery, New York (2017). https://doi.org/10.1145/3064814.3064816
- 20.Olufowobi, H., et al.: Anomaly detection approach using adaptive cumulative sum algorithm for controller area network. In: Proceedings of the ACM Workshop on Automotive Cybersecurity, AutoSec 2019, pp. 25–30. Association for Computing Machinery, New York (2019). https://doi.org/10.1145/3309171.3309178
- 21.Pedregosa, F., et al.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12(85), 2825–2830 (2011). http://jmlr.org/papers/v12/pedregosa11a.html
- 22.Seo, E., Song, H.M., Kim, H.K.: GIDS: GAN based intrusion detection system for in-vehicle network. In: 2018 16th Annual Conference on Privacy, Security and Trust (PST), pp. 1–6 (2018). https://doi.org/10.1109/PST.2018.8514157
- 23.Sharmin, S., Mansor, H.: Intrusion detection on the in-vehicle network using machine learning. In: 2021 3rd International Cyber Resilience Conference (CRC), pp. 1–6 (2021). https://doi.org/10.1109/CRC50527.2021.9392627
- 24.Song, H.M., Kim, H.R., Kim, H.K.: Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network. In: 2016 International Conference on Information Networking (ICOIN), pp. 63–68 (2016). https://doi.org/10.1109/ICOIN.2016.7427089
- 25.Taylor, A., Japkowicz, N., Leblanc, S.: Frequency-based anomaly detection for the automotive CAN bus. In: 2015 World Congress on Industrial Control Systems Security (WCICSS), pp. 45–49 (2015). https://doi.org/10.1109/WCICSS.2015.7420322
- 26.Tomlinson, A.J., Bryans, J., Shaikh, S.: Towards viable intrusion detection methods for the automotive controller area network. In: 2nd Computer Science in Cars Symposium - Future Challenges in Artificial Intelligence Security for Autonomous Vehicles (CSCS 2018). Association for Computing Machinery, September 2018Google Scholar
- 27.Tomlinson, A., Bryans, J., Shaikh, S.: Using a one-class compound classifier to detect in-vehicle network attacks. In: Proceedings of the Genetic and Evolutionary Computation Conference Companion, pp. 1926–1929. Association for Computing Machinery, July 2018. https://doi.org/10.1145/3205651.3208223
- 28.Umair, A., Khan, M.G.: Communication technologies and network protocols of automotive systems. Adv. Netw. 6(1), 48–65 (2018). https://doi.org/10.11648/j.net.20180601.15CrossRefGoogle Scholar
- 29.Weber, M., Klug, S., Sax, E., Zimmer, B.: Embedded hybrid anomaly detection for automotive CAN communication. In: 9th European Congress on Embedded Real Time Software and Systems (ERTS 2018), January 2018Google Scholar
- 30.Woo, S., Jo, H.J., Lee, D.H.: A practical wireless attack on the connected car and security protocol for in-vehicle CAN. IEEE Trans. Intell. Transp. Syst. 16(2), 993–1006 (2015). https://doi.org/10.1109/TITS.2014.2351612CrossRefGoogle Scholar
- 31.Young, C., Zambreno, J., Olufowobi, H., Bloom, G.: Survey of automotive controller area network intrusion detection systems. IEEE Des. Test 36(6), 48–55 (2019). https://doi.org/10.1109/MDAT.2019.2899062CrossRefGoogle Scholar