
SecCAN: An Extended CAN Controller with Embedded Intrusion Detection

Shashwat Khandelwal, Shreejith Shanker

TL;DR

SecCAN addresses the vulnerability of CAN networks by embedding a lightweight IDS directly in the CAN controller datapath, enabling IDS inference during frame reception and eliminating ECU software overhead. The architecture uses a 4-bit quantised MLP (QMLP) as a dataflow accelerator, overlapped with the CAN reception to hide latency within the reception window $T_{max}$. Trained with quantisation-aware training on CAN attack datasets, the model achieves 99.993% and 99.966% accuracy with a latency of 36.5 µs at 1 Mbps, while consuming 73.7 µJ per message. Implemented on a Zynq XCZU7EV FPGA, SecCAN offers line-rate IDS with modest resource overhead (<30% LUT, <1% FF) and substantial energy advantages over embedded and edge baselines, representing a scalable path toward smarter automotive network security.

Abstract

Recent research has highlighted the vulnerability of in-vehicle network protocols such as controller area networks (CAN) and proposed machine learning-based intrusion detection systems (IDSs) as an effective mitigation technique. However, their efficient integration into vehicular architecture is non-trivial, with existing methods relying on electronic control unit (ECU)-coupled IDS accelerators or dedicated ECUs as IDS accelerators. Here, initiating IDS requires complete reception of a CAN message from the controller, incurring data movement and software overheads. In this paper, we present SecCAN, a novel CAN controller architecture that embeds IDS capability within the datapath of the controller. This integration allows IDS to tap messages directly from within the CAN controller as they are received from the bus, removing overheads incurred by existing ML-based IDSs. A custom-quantised machine-learning accelerator is developed as the IDS engine and embedded into SecCAN's receive data path, with optimisations to overlap the IDS inference with the protocol's reception window. We implement SecCAN on an AMD XCZU7EV FPGA to quantify its performance and benefits in hardware, using multiple attack datasets. We show that SecCAN can completely hide the IDS latency within the CAN reception window for all CAN packet sizes and detect multiple attacks with state-of-the-art accuracy with zero software overheads on the ECU and low energy overhead (73.7 µJ per message) for IDS inference. Also, SecCAN incurs limited resource overhead compared to a standard CAN controller (< 30% LUT, < 1% FF), making it ideally suited for automotive deployment.

Paper Structure

This paper contains 9 sections, 3 figures, 3 tables.

Figures (3)

  • Figure 1: The figure illustrates conventional integration strategies for CAN IDSs reported in the literature, and the proposed case for embedding IDS within the controller.
  • Figure 2: The figure illustrates the integration of the IDS within the CAN controller. The red arrows show the standard datapath and the purple arrows indicate the augmented path for IDS.
  • Figure 3: The waveform shows the signalling within the SecCAN controller for a 5-byte CAN message from the bus. The IDS operation is overlapped with the protocol checks on the bus and is completed before the frame is ready to be read by the ECU.