X-CANIDS: Signal-Aware Explainable Intrusion Detection System for Controller Area Network-Based In-Vehicle Network

Seonghoon Jeong, Sangho Lee, Hwejae Lee, Huy Kang Kim

TL;DR

X-CANIDS dissects the payloads in CAN messages into human-understandable signals using a CAN database, which improves the intrusion detection performance compared with the use of bit representations of raw payloads and can detect zero-day attacks.

Abstract

Controller Area Network (CAN) is an essential networking protocol that connects multiple electronic control units (ECUs) in a vehicle. However, CAN-based in-vehicle networks (IVNs) face security risks owing to the CAN mechanisms. An adversary can sabotage a vehicle by leveraging the security risks if they can access the CAN bus. Thus, recent actions and cybersecurity regulations (e.g., UNR 155) require carmakers to implement intrusion detection systems (IDSs) in their vehicles. The IDS should detect cyberattacks and provide additional information to analyze conducted attacks. Although many IDSs have been proposed, considerations regarding their feasibility and explainability remain lacking. This study proposes X-CANIDS, which is a novel IDS for CAN-based IVNs. X-CANIDS dissects the payloads in CAN messages into human-understandable signals using a CAN database. The signals improve the intrusion detection performance compared with the use of bit representations of raw payloads. These signals also enable an understanding of which signal or ECU is under attack. X-CANIDS can detect zero-day attacks because it does not require any labeled dataset in the training phase. We confirmed the feasibility of the proposed method through a benchmark test on an automotive-grade embedded device with a GPU. The results of this work will be valuable to carmakers and researchers considering the installation of in-vehicle IDSs for their vehicles.

Paper Structure (57 sections, 9 equations, 9 figures, 8 tables, 1 algorithm)

Figures (9)

  • Figure 1: CAN 2.0A frame structure. An ECU application refers to the arbitration and data field.
  • Figure 2: Snippet of CAN database hyundai_2015_ccan.dbc (opendbc).
  • Figure 3: Considered in-vehicle network architecture.
  • Figure 4: Proposed framework. In the training phase, the proposed framework uses attack-free CAN messages to train the autoencoder and to determine the threshold. In the inference phase, the proposed framework determines the signal that is affected by the adversary if the CAN bus is under attack.
  • Figure 5: Bitwise Hamming distance measurements to compare the payload dynamics of two CAN datasets captured during idling and driving. Each cell represents a value [0, 1] calculated by the number of bits flipped over the observation count. A dark cell means that a bit was flipped nearly every time a message arrived. A light green cell means that a bit was flipped only once or several times. A blank cell indicates no bit flips. A comparison of the two datasets reveals that the payloads changed more dynamically while the vehicle moved.
  • ...and 4 more figures
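
The per-bit flip rate described in the Figure 5 caption can be computed as below; this is an added example, not code from the paper. The CAN ID 0x316, the sample payloads, and the choice to divide by the number of consecutive-message comparisons are assumptions made for illustration.

```python
from collections import defaultdict

def bit_flip_rates(frames, dlc=8):
    """frames: iterable of (can_id, payload bytes) in arrival order.
    Returns {can_id: [flip rate per bit]}; bit 0 is the MSB of byte 0."""
    nbits = dlc * 8
    last = {}                                   # previous payload per CAN ID
    flips = defaultdict(lambda: [0] * nbits)    # flip count per bit position
    transitions = defaultdict(int)              # consecutive comparisons per ID
    for can_id, payload in frames:
        cur = int.from_bytes(payload.ljust(dlc, b"\x00")[:dlc], "big")
        if can_id in last:
            diff = cur ^ last[can_id]           # set bits = bits that flipped
            transitions[can_id] += 1
            for i in range(nbits):
                if (diff >> (nbits - 1 - i)) & 1:
                    flips[can_id][i] += 1
        last[can_id] = cur
    # Assumption: "observation count" = number of consecutive comparisons.
    return {cid: [f / n for f in flips[cid]] for cid, n in transitions.items()}

def active_bits(rates):
    """Number of bit positions that flipped at least once."""
    return sum(1 for r in rates if r > 0)

def as_grid(rates):
    """Reshape a flat rate list into rows of 8 bits (one row per byte)."""
    return [rates[i:i + 8] for i in range(0, len(rates), 8)]

# Constructed captures for a hypothetical CAN ID 0x316 (not real vehicle data).
# Idling: only a rolling counter in byte 7 changes.
IDLE = [(0x316, bytes([0, 0, 0, 0, 0, 0, 0, c])) for c in range(5)]
# Driving: same counter, plus a changing value in byte 2.
DRIVING = [(0x316, bytes([0, 0, v, 0, 0, 0, 0, c]))
           for c, v in enumerate([0x10, 0x12, 0x15, 0x19, 0x1E])]

if __name__ == "__main__":
    for name, capture in (("idle", IDLE), ("driving", DRIVING)):
        rates = bit_flip_rates(capture)[0x316]
        print(name, "active bits:", active_bits(rates))
        for row in as_grid(rates):
            print(" ".join(f"{r:.2f}" for r in row))
```
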