Table of Contents
Fetching ...

CANTXSec: A Deterministic Intrusion Detection and Prevention System for CAN Bus Monitoring ECU Activations

Denis Donadel, Kavya Balasubramanian, Alessandro Brighente, Bhaskar Ramasubramanian, Mauro Conti, Radha Poovendran

TL;DR

CAN remains a safety-critical, widely deployed protocol with intrinsic security gaps such as lack of authentication. This work introduces CANTXSec, a hardware-assisted, deterministic intrusion detection and prevention system that relies on the co-occurrence of ECU activation and frame IDs to detect attacks. It classifies attacks into Frame Injection Attacks (FIA) and Single-Bit Attacks (SBA), achieving 100% detection for both and 100% prevention for FIA in a physical testbed, without modifying ECU software. The solution is hardware-based, easy to deploy, and supports risk-based ECU coverage, offering a practical path toward retrofittable CAN security with clear limitations on SBA prevention and data-level threat coverage. Future work includes real-vehicle deployment, expanded ECU coverage, and extension toward data-level defenses.

Abstract

Despite being a legacy protocol with various known security issues, Controller Area Network (CAN) still represents the de-facto standard for communications within vehicles, ships, and industrial control systems. Many research works have designed Intrusion Detection Systems (IDSs) to identify attacks by training machine learning classifiers on bus traffic or its properties. Actions to take after detection are, on the other hand, less investigated, and prevention mechanisms usually include protocol modification (e.g., adding authentication). An effective solution has yet to be implemented on a large scale in the wild. The reasons are related to the effort to handle sporadic false positives, the inevitable delay introduced by authentication, and the closed-source automobile environment that does not easily permit modifying Electronic Control Units (ECUs) software. In this paper, we propose CANTXSec, the first deterministic Intrusion Detection and Prevention system based on physical ECU activations. It employs a new classification of attacks based on the attacker's need in terms of access level to the bus, distinguishing between Frame Injection Attacks (FIAs) (i.e., using frame-level access) and Single-Bit Attacks (SBAs) (i.e., employing bit-level access). CANTXSec detects and prevents classical attacks in the CAN bus, while detecting advanced attacks that have been less investigated in the literature. We prove the effectiveness of our solution on a physical testbed, where we achieve 100% detection accuracy in both classes of attacks while preventing 100% of FIAs. Moreover, to encourage developers to employ CANTXSec, we discuss implementation details, providing an analysis based on each user's risk assessment.

CANTXSec: A Deterministic Intrusion Detection and Prevention System for CAN Bus Monitoring ECU Activations

TL;DR

CAN remains a safety-critical, widely deployed protocol with intrinsic security gaps such as lack of authentication. This work introduces CANTXSec, a hardware-assisted, deterministic intrusion detection and prevention system that relies on the co-occurrence of ECU activation and frame IDs to detect attacks. It classifies attacks into Frame Injection Attacks (FIA) and Single-Bit Attacks (SBA), achieving 100% detection for both and 100% prevention for FIA in a physical testbed, without modifying ECU software. The solution is hardware-based, easy to deploy, and supports risk-based ECU coverage, offering a practical path toward retrofittable CAN security with clear limitations on SBA prevention and data-level threat coverage. Future work includes real-vehicle deployment, expanded ECU coverage, and extension toward data-level defenses.

Abstract

Despite being a legacy protocol with various known security issues, Controller Area Network (CAN) still represents the de-facto standard for communications within vehicles, ships, and industrial control systems. Many research works have designed Intrusion Detection Systems (IDSs) to identify attacks by training machine learning classifiers on bus traffic or its properties. Actions to take after detection are, on the other hand, less investigated, and prevention mechanisms usually include protocol modification (e.g., adding authentication). An effective solution has yet to be implemented on a large scale in the wild. The reasons are related to the effort to handle sporadic false positives, the inevitable delay introduced by authentication, and the closed-source automobile environment that does not easily permit modifying Electronic Control Units (ECUs) software. In this paper, we propose CANTXSec, the first deterministic Intrusion Detection and Prevention system based on physical ECU activations. It employs a new classification of attacks based on the attacker's need in terms of access level to the bus, distinguishing between Frame Injection Attacks (FIAs) (i.e., using frame-level access) and Single-Bit Attacks (SBAs) (i.e., employing bit-level access). CANTXSec detects and prevents classical attacks in the CAN bus, while detecting advanced attacks that have been less investigated in the literature. We prove the effectiveness of our solution on a physical testbed, where we achieve 100% detection accuracy in both classes of attacks while preventing 100% of FIAs. Moreover, to encourage developers to employ CANTXSec, we discuss implementation details, providing an analysis based on each user's risk assessment.
Paper Structure (34 sections, 7 figures, 4 tables)

This paper contains 34 sections, 7 figures, 4 tables.

Figures (7)

  • Figure 1: A standard can frame showing the bit size of each field.
  • Figure 2: The architecture of a standard ecu.
  • Figure 3: The flow chart explains the different checks CANTXSec performs during each bit of every frame sent through the bus.
  • Figure 4: The architecture (Figure \ref{['fig:testbed_schema']}) and picture (Figure \ref{['fig:testbed_pic']}) of the employed testbed.
  • Figure 5: Start of a boa as seen in an oscilloscope. The blue signal is the target frame (i.e., the malicious frame). The yellow signal represents the injection made by the officer. The first injection of a dominant value stops the malicious frame. Then, the following injections target error frames automatically generated by the attacker's ecu. This increases the attacker's ecu error counters, eventually reaching the bus-off state.
  • ...and 2 more figures