2022 IEEE Global Communications Conference: Communication & Information Systems Security
GLOBECOM 2022 - 2022 IEEE Global Communications Conference | 978-1-6654-3540-6/22/$31.00 ©2022 IEEE | DOI: 10.1109/GLOBECOM48099.2022.10001536

IDS for CAN: A Practical Intrusion Detection System for CAN Bus Security

Brooke Lampe∗ and Weizhi Meng†
∗ School of Cybersecurity and Privacy, Georgia Institute of Technology, USA
† SPTAGE Lab, DTU Compute, Technical University of Denmark, Denmark

Abstract—Modern automobiles depend heavily on electronics, controlled by the vehicle's internal network. The controller area network (CAN bus) is the predominant protocol, known for its reliability but also its grievous lack of security. Unfortunately, security is expensive and automotive manufacturers seem disinclined to invest in CAN bus protection. Thus, consumers are left with few options to improve security. In this work, we develop IDS for CAN – an Android application that functions as an intrusion detection system (IDS) for the CAN bus system. In particular, it communicates with a standard ELM 327-type device, plugged into the diagnostic port that is mandatory in the United States and Europe. The application will detect suspicious traffic on the CAN bus and generate an alert to notify the user. In our evaluation, we investigate the performance with both datasets and real vehicles. The results indicate the practicability and the effectiveness of our proposed system. Our application will allow consumers to take charge of automotive security.

Keywords: Automotive, Controller area network, Intrusion detection system, Android application, OBD-II, Vehicular security

I. INTRODUCTION

The Controller Area Network (CAN) bus system is all but ubiquitous in modern automobiles. The system is highly reliable, especially in terms of error-handling, but is also highly insecure. The CAN bus facilitates communication between an automobile's embedded systems, dubbed Electronic Control Units (ECUs), and its sensors [1]. Historically, automobiles had little, if any, external connectivity. Security of the CAN bus was not a concern, because an adversary would have to physically access the vehicle before launching any attacks. In the modern day, the situation is drastically different, as automobiles may provide Bluetooth, Wi-Fi, and cellular access, and are produced with all manner of wireless attack surfaces. Some security researchers [2], [3] demonstrated a remote attack in which attackers could seize control of several safety-critical vehicle systems in a 2014 Jeep Cherokee, including the transmission and the brakes. The vehicle could be compromised via the Chrysler Uconnect infotainment system. From there, attackers could pivot to the CAN bus, where they could send spoofed CAN messages to whichever ECU they desired. A year later, some further research [4], [5] showed that attackers would be able to leverage the CAN bus to perform much more dangerous attacks, such as disabling or activating the vehicle's brakes at any speed, instructing the vehicle to accelerate, and sharply turning the steering wheel at any speed. Then, Foster et al. [6] demonstrated remote attacks via compromise of telematic devices often used by insurance companies or found in fleet vehicles. These devices plug into the vehicles' diagnostic ports, once again providing remote access to the CAN bus.

a) Security issues and analysis: As current vehicles require more and more ECUs to operate, automobile designers realized that adding wires to connect every ECU with every other ECU would be impractical and expensive. The CAN bus was developed so that just one dual-wire line, using a serial protocol, could facilitate communications between ECUs. At the time of its invention, vehicles were self-contained, and the CAN bus system was merely a dual wire running along the frame of the vehicle. As automobiles evolved, the CAN bus became more powerful as more ECUs were attached, and its attack surface expanded as external connections, such as infotainment systems, were added.

The CAN bus was devised with reliability in mind, but not security. The bus has no confidentiality; anyone capable of sniffing the bus can read the unencrypted messages. The CAN bus uses cyclic redundancy checking (CRC) for integrity validation in the event of transmission errors; however, it lacks integrity validation in the context of injected data. When two or more ECUs transmit simultaneously, the CAN bus arbitrates by ceding transmission to the highest priority ECU. As such, if an attacker injects messages of the highest priority, then lower priority ECUs will be unable to communicate; there is also no guarantee of availability [1]. Thus, all three principles of the CIA triad (confidentiality, integrity, and availability) are violated [7].

One of the main issues with the CAN protocol is the lack of authentication. CAN packets do not contain information about either the sender or the intended recipient. All CAN packets are transmitted to all ECUs. As such, the receiver does not know which ECU sent the packet, if it was even sent by an ECU, nor does the receiver know if it was the packet's intended recipient [8]. The CAN bus performs an acknowledgement check, and if the check fails, an error is raised and the message is retransmitted. However, the acknowledgement check only guarantees that at least one ECU correctly received the message. It does not guarantee that the intended recipient received the message [9].

b) Motivation: The CAN bus is extraordinarily vulnerable to replay attack, because similar and identical commands tend to result in similar and identical CAN messages. To
Authorized licensed use limited to: Hellenic Mediterranean University. Downloaded on February 19,2024 at [Link] UTC from IEEE Xplore. Restrictions apply.
the CAN bus, these messages would appear legitimate, even expected. An intrusion detection system (IDS) might recognize an increase in traffic, as the legitimate messages compete with the injected messages. An IDS might also observe a change in the timing or identifier patterns of the messages. However, the CAN bus will not. For example, an ECU sends the vehicle speed to the speedometer on the dashboard. A flood of messages asserting a different speed will drown out the messages containing the real speed, and, in most vehicles, the speedometer will display the spoofed speed because it tries to display the most recently reported speed. Before it can display the real speed, the next spoofed message will arrive, so with a sufficient volume of spoofed messages, the real speed is never displayed [4], [5]. An IDS would detect the substantial increase in speed-reporting messages, but the CAN bus and the ECU controlling the speedometer will not.

c) Contributions: In order to enhance security in automotive networks, many researchers have designed IDS-based mechanisms to defend against attacks. However, most existing solutions are lacking in practicality and may also entail high implementation cost due to required hardware or complex algorithms. Motivated by the above observations, we aim to develop a practical IDS for CAN bus security with low cost. Our contributions can be summarized as below:

• We develop IDS for CAN, a practical ID sequence-based IDS, as a security enhancement to the existing security mechanisms on modern automobiles. It is deployed as an Android application to identify malicious activities (ID sequences) on the CAN bus system.
• In the evaluation, we investigate the performance of IDS for CAN with both CAN datasets and real vehicles. The experimental results demonstrate the expected detection performance with low false positives.

The rest of this paper is organized as follows. Section II introduces our proposed IDS for CAN, including the selection of detection methods and the implementation details. In Section III, we provide a performance evaluation based on CAN datasets. Section IV presents our evaluation with real vehicles. Section V introduces some related work on IDS in the CAN system and Section VI discusses limitations and future work. Finally, we conclude the work in Section VII.

II. OUR PROPOSED APPROACH

In this work, we develop IDS for CAN as a practical security enhancement that would be attainable to the average consumer. The proposed enhancement is both low-cost and low-effort for the consumer, in order to encourage adoption.

We have devised and implemented a practical IDS that will alert consumers if any suspicious communication occurs in the CAN bus system. The IDS comes in the form of an Android smartphone application and interfaces with the vehicle via an inexpensive, standard piece of hardware. The On-Board Diagnostics II (OBD-II) port is a diagnostics port that has been mandatory in cars and light trucks sold in the U.S. since 1996 and became mandatory in the European Union (EU) in 2001. It lies within arm's reach of the driver's seat and is accessible without tools [10]. An inexpensive piece of standard hardware, an ELM 327-type device [11], connects the OBD-II port to the IDS application on the consumer's smartphone. This Android-based IDS application is called IDS for CAN.

Fig. 1: Our Setup: An ELM 327-type device (foreground) that inserts into the OBD-II port (background). The 2015 Chevrolet Silverado is pictured.

Our application alerts the consumer if suspicious communication is detected. When the application's IDS identifies traffic that does not match the vehicle's profile, IDS for CAN generates an Android notification to warn the user that the vehicle may be compromised. The user should set the application's notification tone to a sound that he or she will immediately associate with the automotive security application. If the alert occurs while the user is driving, then the user should hear the alert tone and find a safe place to stop as soon as possible. The user can then inspect the vehicle for additional indicators of compromise, read the text of the alert to understand which type of alert has occurred, and potentially restart the vehicle to see if the alert persists. The user may take additional action he or she deems appropriate.

A. ID Sequence-based Detection

There are two main approaches to an IDS [12]: signature-based and anomaly-based. A signature-based IDS relies on the signatures that identify known attacks. An anomaly-based IDS has some form of baseline for normal behavior, and it detects deviations from normal behavior that are significant enough to warrant an alert. An anomaly-based IDS can develop its baseline via a number of methodologies, such as specifications of expected behavior, a training phase in a machine-learning process, or the tracking of statistical data [13].

When selecting an IDS type, we had to consider the fact that, because we are creating an application that is affordable to the average consumer and utilizes standard hardware, it is going to be limited by the specifications of that hardware. ELM 327-type hardware, especially with the latencies introduced by Bluetooth, is known to occasionally drop packets. Furthermore, on low-end devices, the messaging rate on the CAN bus will exceed the sniffing rate of the device. As such,
the IDS needs to be robust in the event of occasional packet loss or inexact message timings.

Ultimately, an ID sequence-based IDS was selected and implemented in this work. The IDS should track the sequences of arbitration identifiers that appear in attack-free CAN traffic, and develop a profile of the vehicle, in the form of a matrix, which contains every transition from one identifier to another. The matrix is initialized to the Boolean "False" value, and the transitions observed in healthy CAN traffic are entered as "True", while all others remain false. During monitoring mode, if a transition is "True" in the matrix, then it is normal traffic. If a transition is "False" in the matrix, then it is considered an anomaly [14], [15]. Algorithm 1 describes the matrix generation process. The matrix serves as a profile for ID sequence-based detection. The rows and columns of the matrix correspond to the arbitration identifiers observed in the CAN data. The matrix will be square, and its size will be equivalent to the number of unique identifiers.

Algorithm 1 Matrix generation for the ID sequence-based IDS.
Input: CAN frames from the CAN bus
Output: Boolean matrix
1: for CAN frame = 1, 2, ..., N do
2:   Store the frame's arbitration ID in list ID_LIST
3:   Discard the remaining data
4: end for
5: Copy ID_LIST to ID_LIST_COPY
6: Remove duplicates from ID_LIST_COPY
7: Generate a square Boolean matrix of size |ID_LIST_COPY|
8: Initialize the matrix to FALSE
9: for each arbitration ID in list ID_LIST do
10:   Use the current ID as the matrix row index
11:   Use the next ID (current ID + 1) as the matrix column index
12:   Set the value at this index to TRUE (current ID → next ID is a valid transition since it appeared in our ordered list of transitions)
13: end for

For example, if there is an ID sequence list as follows: 0AA, 0BD, 013, 0AA, 0BD, 013, 0AA, 0BD, 013, then the valid transitions are 0AA → 0BD, 0BD → 013, 013 → 0AA. Table I shows the output Boolean matrix.

TABLE I: Boolean matrix
        013    0AA    0BD
013     F      T      F
0AA     F      F      T
0BD     T      F      F

B. Implementation

We developed the IDS for CAN Android application¹, which connects to an ELM 327-type device via Bluetooth, and the device, in turn, physically plugs into the vehicle's diagnostic port. The application is supported on Android devices running API 21 (5.0 Lollipop) or higher.²

Two kinds of anomaly are flagged against this profile: unrecognized arbitration identifiers or unusual patterns of identifiers. If the IDS detects unknown IDs, it will generate the following alert: "Invalid messages have been detected. This may indicate a bus error or an attack." If, instead, the IDS detects a suspicious traffic sequence, the following alert will be raised: "Unusual patterns of messages have been detected. This may be the result of unusual activity, or it may indicate an attack." The second type of alert is shown in Fig. 2.

Fig. 2: An alert pop-up for a suspicious sequence of arbitration identifiers.

Rather than immediately generating an Android notification when one anomaly is detected, we decided to set a threshold, and when the anomaly counter reached that threshold, then the application would generate an alert. There may be incidents in which the application drops packets, at which point two identifiers that do not appear sequentially in normal traffic would seem to be sequential. The user might leverage a feature he or she typically does not use, resulting in unusual, but not dangerous, traffic. For example, if the user never set cruise control during training mode, the use of cruise control during monitoring mode might appear suspicious. That said, it is also important to avoid false negatives, so experiments were conducted to find a threshold that is a balance between false positives and false negatives.
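The profile construction of Algorithm 1, the two anomaly types with their alert texts, and the alert threshold described above, carried through as one added Python example; it is not the source code of the IDS for CAN application. The block also implements the two profile self-update criteria that the paper goes on to describe in Section II-B (a streak of healthy messages after an anomaly, and a healthy-to-total ratio checked once per window of messages), with the parameter values the paper reports choosing in Section III (threshold 5, streak 2,500, window 5,000, 90%). The class and method names, the per-type anomaly counter that restarts after each alert, and the rule that unknown identifiers are counted but never learned into the profile are assumptions of this example, and the traces it runs on are constructed from the paper's Table I sequence rather than captured from a vehicle.

```python
"""ID sequence-based CAN IDS: Boolean transition profile, per-type anomaly
counters with an alert threshold, and the two profile self-update criteria.
Added example; it is not the source code of the IDS for CAN application."""
from typing import Iterable, List, Optional, Set, Tuple


class IdSequenceIDS:
    # Alert texts are the ones quoted in the paper.
    INVALID_ID = ("Invalid messages have been detected. "
                  "This may indicate a bus error or an attack.")
    INVALID_SEQ = ("Unusual patterns of messages have been detected. This may be "
                   "the result of unusual activity, or it may indicate an attack.")

    def __init__(self, alert_threshold: int = 5, streak_len: int = 2500,
                 ratio_window: int = 5000, ratio_min: float = 0.90) -> None:
        # Defaults are the values the paper reports choosing for its experiments.
        self.alert_threshold = alert_threshold
        self.streak_len = streak_len
        self.ratio_window = ratio_window
        self.ratio_min = ratio_min
        self.known: Set[str] = set()                # arbitration IDs seen in training
        self.valid: Set[Tuple[str, str]] = set()    # TRUE cells of the Boolean matrix
        self._reset_state()

    def _reset_state(self) -> None:
        self.prev: Optional[str] = None
        self.counts = {"id": 0, "seq": 0}           # anomaly counter per alert type
        self.pending: Set[Tuple[str, str]] = set()  # unseen transitions awaiting update
        self.streak = 0                             # healthy frames since last anomaly
        self.window_total = self.window_healthy = 0

    def train(self, ids: Iterable[str]) -> None:
        """Algorithm 1: keep only arbitration IDs, mark each observed
        current -> next transition TRUE; everything else stays FALSE."""
        seq = list(ids)
        self.known = set(seq)
        self.valid = set(zip(seq, seq[1:]))
        self._reset_state()

    def to_matrix(self) -> Tuple[List[str], List[List[bool]]]:
        """The profile in the layout of Table I (rows and columns sorted by ID)."""
        order = sorted(self.known)
        return order, [[(r, c) in self.valid for c in order] for r in order]

    def _commit_pending(self) -> None:
        # Accept the pending transitions as legitimate and start counting afresh.
        self.valid |= self.pending
        self.pending.clear()
        self.counts = {"id": 0, "seq": 0}

    def observe(self, can_id: str) -> Optional[str]:
        """Feed one frame's arbitration ID in monitoring mode.
        Returns the alert text when a counter reaches the threshold, else None."""
        alert = None
        if can_id not in self.known:
            kind = "id"                             # unknown ID: never learned (assumption)
        elif self.prev in self.known and (self.prev, can_id) not in self.valid:
            kind = "seq"                            # FALSE cell in the matrix
            self.pending.add((self.prev, can_id))
        else:
            kind = None                             # first frame, after an unknown ID, or a TRUE cell

        self.window_total += 1
        if kind is None:
            self.window_healthy += 1
            self.streak += 1
            # Criterion 1: a long run of healthy frames after an anomaly means the
            # anomaly was probably a false positive, so learn it.
            if self.pending and self.streak >= self.streak_len:
                self._commit_pending()
        else:
            self.streak = 0
            self.counts[kind] += 1
            if self.counts[kind] >= self.alert_threshold:
                alert = self.INVALID_ID if kind == "id" else self.INVALID_SEQ
                self.counts[kind] = 0               # restart after alerting (assumption)

        # Criterion 2: once per window, learn pending transitions only if the
        # healthy share is high enough; a low share suggests an ongoing attack.
        if self.window_total >= self.ratio_window:
            if self.window_healthy / self.window_total >= self.ratio_min:
                self._commit_pending()
            self.window_total = self.window_healthy = 0

        self.prev = can_id
        return alert

    def scan(self, ids: Iterable[str]) -> List[Tuple[int, str]]:
        """Monitor a whole trace; return (frame index, alert text) pairs."""
        alerts = []
        for i, can_id in enumerate(ids):
            text = self.observe(can_id)
            if text:
                alerts.append((i, text))
        return alerts


if __name__ == "__main__":
    # Constructed traces built from the paper's Table I example, not real captures.
    ids = IdSequenceIDS()
    ids.train(["0AA", "0BD", "013"] * 3)
    print(ids.to_matrix())
    print(ids.scan(["0AA", "0BD", "013"] + ["0AA"] * 6 + ["0BD", "013"]))
```

train() is Algorithm 1 and observe() is monitoring mode: it returns one of the two alert texts when the corresponding counter reaches the threshold, so five consecutive 0AA → 0AA transitions after training on the Table I sequence produce one "Unusual patterns" alert, and five frames with an unknown identifier produce one "Invalid messages" alert. Pending transitions are only ever recorded between known identifiers, so a flood of invalid IDs (the DoS case) can never be absorbed into the profile, and the ratio check refuses to update while the healthy share is low, which is the protection against learning attack traffic as legitimate that the paper is concerned about.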
¹ The source code of IDS for CAN is publicly available at: [Link] com/brooke-lampe/ids for can.
² A demo of IDS for CAN is available at: [Link]

The system builds a profile of normal ID sequences, which it uses to detect anomalies. In addition to the alert threshold, the application contains behavior that allows the matrix to update itself in the event of an occasional anomaly that is surrounded by healthy traffic. Most of the attacks demonstrated by automotive security researchers depend on injection of a large number of attack

packets in order to overwhelm the packets from the legitimate ECU. As such, an occasional anomaly is more likely to be a less common legitimate packet, not a symptom of an attack. We then crafted two criteria to allow the matrix to update in the event of an occasional anomaly that is probably a false positive.

• One criterion is a streak of healthy messages following the initial anomaly. For example, if an anomaly occurs, and then 5,000 healthy messages follow, the anomaly is perhaps a false positive. If an anomaly occurs, and then, 5 messages later, a second anomaly occurs, then it is more prudent to think in terms of an attack.
• The second path to a matrix update is identification of a high ratio of healthy messages to unhealthy (anomalous) messages. The ratio is evaluated once a certain number of messages have been received since the last evaluation. For example, if 2,000 messages have been received, and, out of the total number of messages, the percent of healthy messages is higher than 90%, then the matrix should be updated. If the percent of healthy messages is lower, perhaps 60%, then an attack might be ongoing and an update will not occur.

III. EVALUATION WITH DATASETS

In the evaluation, we adopted the datasets produced by Lee et al. [16], [17]. They had developed an IDS for the CAN bus that tracked and analyzed the offset ratio and time interval between the CAN request and the CAN response messages. In particular, they developed four CAN datasets: a control set, a denial of service (DoS) attack, a fuzzy attack, and an impersonation attack. The data was extracted from a Kia Soul. In order to replay the datasets, we had to convert the datasets to the format expected by canplayer [18].

A. Experimental Setup

The experiments were conducted in a stand-alone Java application we set up specifically for IDS development and evaluation. Our machine was running the Linux Mint operating system and utilizing SocketCAN to replay the datasets. The first 1,000,000 messages in the attack-free dataset were used for training, while the remaining 1,369,398 messages were used for testing.

B. Discussion of Results

In the ideal case, the attack-free dataset should not raise any alerts, while all other datasets should raise at least one alert. We restarted and retrained the IDS for each experiment, so that matrix updates in one experiment did not affect a subsequent experiment. Note that even with a virtual replay of CAN frames, packet loss does occur, so an experiment run multiple times may produce different results every time. That said, we observed that if an experiment raised at least one alert the first time, it would raise at least one alert the second time. If no alerts were generated the first time, no alerts would be generated the second time. For some of the datasets that produced an extreme number of alerts, such as the DoS attack dataset, which frequently produced upwards of 500,000 alerts, run-to-run differences in the last one or two digits of the alert count were common.

1) Attack-free (Normal) State: Alerts raised during replay of the attack-free dataset are false positives. Raising the alert threshold can reduce these false positives, while lowering the threshold raises these false positives. Because users will ignore the application's notifications if they occur too frequently, reducing false positives is paramount.

2) Denial of Service Attack: A Denial of Service (DoS) attack delivers a high volume of CAN packets with the highest priority arbitration identifiers in the hopes of crippling the CAN system. Because these packets have the highest priority, they will supersede legitimate packets of lower priority, such that legitimate packets cannot use the system. The DoS attack dataset is highly detectable, as the traffic is extremely abnormal. Each variation of the experiment produced over 500,000 alerts for invalid IDs.

3) Fuzzy Attack: A fuzzy attack, in this particular dataset, involves sending CAN packets with random values for the ID and data fields. The fuzzy attack raises fewer alerts, but it is consistently detected under all experimental variations.

4) Impersonation Attack: In an impersonation attack, the attacker masquerades as a particular ECU and sends messages as though they came from that particular ECU. Of the three attack datasets, the impersonation attack proved most difficult for the IDS to detect. If the alert threshold is high to reduce false positives, then the impersonation attack goes undetected. There is a narrow range of thresholds that are both low enough to detect the impersonation attack and high enough to avoid false positives in the attack-free dataset.

In our experiments, we determined that the alert threshold could be as low as 3 without generating false positives in the attack-free dataset, and it could also be as high as 7 without generating false negatives in the impersonation dataset, provided that the remaining parameters were set appropriately. Hence an alert threshold of 5 seemed to be an appropriate balance between the two, and to reduce the danger of false negatives, the matrix update parameters were set to somewhat stricter values. If the matrix were to update such that attack traffic was treated as legitimate traffic, there would be a serious problem. As such, the streak of healthy traffic required to update the matrix is set to 2,500, and the percent healthy traffic out of total traffic cannot be checked until 5,000 messages are received, such that the percent is more stable when it is checked.

IV. EVALUATION WITH REAL VEHICLES

We further collected our own data to validate the performance of our IDS for CAN application. We tested some hardware and eventually found a CAN-to-USB device that connected our Linux machine to our vehicle and allowed us to collect traces and conduct attacks. Having tested our application on all the vehicles available (a Chevrolet Impala, Traverse, and Silverado), we selected the 2011 Chevrolet Impala for our experimental evaluation, because the Impala had fewer electronic systems than the others, which meant its

CAN traffic was easier to comprehend. In addition, because it was more mechanical and less electronic, we had less risk of sending a message that could be damaging or dangerous.

A. Crafting the Attack

When tracing the Impala, we were able to determine that the arbitration identifier "0C9" is associated with the Revolutions per Minute (RPM) gauge. By observing the corresponding data field, we were able to construct CAN messages to spoof the RPM gauge. We could set the gauge to zero while accelerating, and we could set it to 2000 RPM when the vehicle was parked with the engine off. The settings are summarized below:

The following CAN packet sets the gauge to zero RPM: 0C9#00000000004008
The following CAN packet sets the gauge to 2000 RPM: 0C9#8021C0071B101000

While manipulating the RPM gauge, we also found that the arbitration identifier "0C9" is used to indicate if the vehicle is in gear (not in "park") or if the vehicle is not in gear (in "park"). The second to last byte is "40" when in park, and it is "41" when in drive, neutral, reverse, etc. In the Impala, telling the vehicle it was in park while driving had no discernible effect. However, when we tried this attack on a 2011 Chevrolet Traverse, telling the vehicle it was in park while driving, the vehicle would behave as though in neutral: the accelerator did not work, but the vehicle continued to roll until it ran out of momentum. By checking the behavioral discrepancy between the two vehicles, we discovered that the Traverse has an electronic transmission, so the transmission was reacting to the spoofed CAN message. The Impala's transmission is not fully electronic, so it did not react to our attack messages.

B. Assembling the Datasets

Ultimately, we collected traces of normal traffic, both driving and idling, from the 2011 Chevrolet Impala, followed by traces of attack traffic. The descriptions of the datasets, as well as the number of messages in each, are as follows:³

Attack-free data, driving - 1 (1,027,968 messages)
Attack-free data, driving - 2 (392,921 messages)
Attack-free data, idle - 1 (267,884 messages)
Attack, driving - 1 (168,415 messages)
Attack, driving - 2 (36,498 messages)
Attack, driving - 3 (189,554 messages)
Attack, idle - 1 (936,256 messages)
Attack, idle - 2 (123,963 messages)

³ Our collected datasets are available at: [Link] ids for can/tree/master/datasets.

C. Interpreting the Results

Similar to our evaluation using the datasets from Lee et al. [16], [17], we used the first 1,000,000 attack-free CAN messages as training data. To assess false positives, we replayed the remaining collections of normal traffic. There were two false positives in the second attack-free driving dataset, and there was one false positive in the attack-free idle dataset, as summarized in Table II. Here, "alert" refers to an Android notification warning the user that a potential attack has been detected. An alert will not be generated unless the anomaly threshold has been reached. An "anomaly" refers to an unusual event, such as an unknown arbitration identifier or a suspicious ID sequence. In this experiment, the anomaly threshold for ID sequences was set to five, meaning that the IDS will raise an alert if it detects five or more suspicious ID sequences in a short period. Table II shows that all of the attack datasets triggered alerts, even when the attacks were extremely short. This is an extremely promising result.

TABLE II: Outcome of experimentation on a 2011 Chevrolet Impala
Dataset                 Invalid ID alerts   Invalid ID sequence alerts   Total alerts
attack-free-driving-1   0                   0                            0
attack-free-driving-2   0                   2                            2
attack-free-idle-1      0                   1                            1
attack-driving-1        0                   3602                         3602
attack-driving-2        0                   10                           10
attack-driving-3        0                   202                          202
attack-idle-1           0                   22                           22
attack-idle-2           0                   120                          120

V. RELATED WORK

In the literature, many research studies have been devoted to addressing security concerns in automotive networks, including multiple variations of the ID sequence-based IDS [19]. Miller and Valasek [5] developed an intrusion prevention system (IPS) for the CAN bus. They implemented the IPS on a board computer, though they pointed out that it could be implemented as an ECU or used to augment an existing ECU. However, to our knowledge, the technical details of this IPS have never been published, including hardware specifications, algorithms, and source code. When the IPS shorts the CAN bus, the attack stops, and so does all CAN communication. Abbott-McCune and Shay [20] outlined an IDS approach that can be extended into intrusion prevention. They suggested adding an additional CAN transceiver which will, in the event of a malicious CAN packet, send several dominant bits ("0" bits), causing a bus error and invalidating the malicious packet. This approach is more sophisticated and safer than shorting the CAN bus, but the system involves a lot of added hardware and wiring, which might increase the cost.

Olufowobi et al. [21] proposed an IPS based on reboot-recovery, in which an IDS is required to be placed in the CAN system to observe all traffic. When it detects suspicious traffic, it transmits an error frame that increments the error counter of the anomalous node, ultimately leading to reboot.

This approach is not secure enough, as persistent attackers may re-infect the ECU every time it is rebooted. They may also flash the ECU such that a reboot will not cleanse them from the ECU. Furthermore, this technique assumes that the attacker is not able to compromise the CAN controller.

Recently, many researchers have built IDSs based mostly on deep learning [22], [23] and graph-based features [24], [25]. However, these methods often require high computational resources (i.e., running algorithms and generating graphs), which may increase the implementation cost, and most of them did not showcase a real IDS system (i.e., no evaluation was performed on a real system or real vehicles). In comparison, our proposed IDS for CAN is a practical IDS application with low cost and was evaluated with real vehicles.

VI. LIMITATIONS AND DISCUSSION

IDS for CAN is purely an IDS, while implementing an intrusion prevention system (IPS) would require careful consideration of several intricacies of the CAN bus environment, given that an IPS would need to affect the CAN system, not merely listen to it. An imperfect IPS could prove extremely dangerous to a vehicle traveling on the road, if, for example, it inadvertently shut down communications to the anti-lock braking system (ABS). Thus, a significantly higher standard of accuracy and precision would be required.

IDS for CAN is an Android application supported on all newer Android devices and many older ones. If the user owns an Android phone or tablet, he or she can use IDS for CAN. However, many people favor the iOS platform and purchase iPhones, iPods, and iPads. Future work might involve creating an IDS for CAN that is supported on iOS devices.

At the moment, the Android application leverages an ID sequence-based IDS, which analyzes the arbitration identifiers of the CAN packets but not the data field. While this saves processing and storage, it also means that an attack that affects the data field but not the pattern of identifiers could potentially escape detection. Future work might involve augmenting the IDS to include some examination of the data field, as well as the integration of deep learning algorithms.

VII. CONCLUSION

The Controller Area Network (CAN) is a brilliant piece of engineering, capable of operating reliably in a noisy, hostile environment. In this work, we developed IDS for CAN, an Android application that puts automotive security back in the hands of consumers. The application is an IDS that interfaces with inexpensive, standard hardware in order to monitor the CAN bus and alert consumers if suspicious traffic is detected. It has been evaluated with public datasets against several types of attacks, and, with the proper thresholds, it is capable of detecting all of them without generating false positives. Also, it has been subject to live tests in real vehicles (2011 Chevrolet Impala), demonstrating that it functions as designed. Our work aims to stimulate more research on this topic, and encourage automotive manufacturers to put more effort into security.

ACKNOWLEDGEMENTS

To help build the Bluetooth functionality and the CAN bus connectivity, we acknowledge the source code from Android OBD-II Reader ([Link]) and OBD-II Java API ([Link]).

REFERENCES

[1] M. Bozdal, M. Samie, S. Aslam, and I. Jennions, "Evaluation of CAN bus security challenges," Sensors, vol. 20, no. 8, p. 2364, 2020.
[2] A. Greenberg, "Hackers remotely kill a Jeep on the highway – with me in it," Wired. [Online]. Available: [Link] hackers-remotely-kill-jeep-highway/
[3] C. Miller and C. Valasek, "Remote exploitation of an unaltered passenger vehicle," Black Hat. [Online]. Available: [Link] details/youtube-MAcHkASmXEc
[4] A. Greenberg, "The Jeep hackers are back to prove car hacking can get much worse," Wired. [Online]. Available: [Link] 08/jeep-hackers-return-high-speed-steering-acceleration-hacks/
[5] C. Miller and C. Valasek, "Advanced CAN injection techniques for vehicle networks," Black Hat. [Online]. Available: [Link] details/youtube-4wgEmNlu20c
[6] I. D. Foster, A. Prudhomme, K. Koscher, and S. Savage, "Fast and vulnerable: A story of telematic failures," Proc. WOOT, 2015.
[7] A. Friedman and P. W. Singer, "What do we mean by security anyway?" Brookings. [Online]. Available: [Link] opinions/what-do-we-mean-by-security-anyway/
[8] S. Lokman, A. T. B. Othman, and M. Abu-Bakar, "Intrusion detection system for automotive controller area network (CAN) bus system: a review," EURASIP J. Wirel. Commun. Netw., vol. 2019, p. 184, 2019.
[9] Kvaser, "CAN bus protocol tutorial." [Online]. Available: [Link] [Link]/course/can-protocol-tutorial/
[10] "OBD2 explained – a simple intro [2021]." [Online]. Available: [Link]
[11] Elm Electronics, "ELM327: OBD to RS232 interpreter." [Online]. Available: [Link]
[12] W. Meng, W. Li, and L. Kwok, "EFM: enhancing the performance of signature-based network intrusion detection systems using enhanced filter mechanism," Comput. Secur., vol. 43, pp. 189–204, 2014.
[13] Y. Meng, "The practice on using machine learning for network anomaly intrusion detection," Proc. ICMLC, pp. 576–581, 2011.
[14] M. Marchetti and D. Stabili, "Anomaly detection of CAN bus messages through analysis of ID sequences," Proc. IEEE Intelligent Vehicles Symposium, pp. 1577–1583, 2017.
[15] T. C. M. Dönmez, "Anomaly detection in vehicular CAN bus using message identifier sequences," IEEE Access, pp. 136243–136252, 2021.
[16] H. Lee, S. H. Jeong, and H. K. Kim, "OTIDS: A novel intrusion detection system for in-vehicle network by using remote frame," Proc. 15th PST, pp. 57–66, 2017.
[17] "CAN dataset for intrusion detection (OTIDS)." [Online]. Available: [Link]
[18] L. N. Documentation, "SocketCAN - Controller Area Network." [Online]. Available: [Link]
[19] C. Miller and C. Valasek, "A survey of remote automotive attack surfaces," Black Hat. [Online]. Available: [Link] youtube-MAGacjNw0Sw
[20] S. Abbott-McCune and L. A. Shay, "Intrusion prevention system of automotive network CAN bus," Proc. ICCST, pp. 1–8, 2016.
[21] H. Olufowobi, S. Hounsinou, and G. Bloom, "Controller area network intrusion prevention system leveraging fault recovery," Proc. CPS-SPC@CCS, pp. 63–73, 2019.
[22] M. Hanselmann, T. Strauss, K. Dormann, and H. Ulmer, "CANet: An unsupervised intrusion detection system for high dimensional CAN bus data," IEEE Access, vol. 8, pp. 58194–58205, 2020.
[23] M. D. Hossain, H. Inoue, H. Ochiai, D. Fall, and Y. Kadobayashi, "An effective in-vehicle CAN bus intrusion detection system using CNN deep learning approach," Proc. GLOBECOM, pp. 1–6, 2020.
[24] R. Islam, M. K. Devnath, M. D. Samad, and S. M. J. A. Kadry, "GGNB: graph-based Gaussian naive Bayes intrusion detection system for CAN bus," Veh. Commun., vol. 33, p. 100442, 2022.
[25] R. U. D. Refat, A. A. Elkhail, A. Hafeez, and H. Malik, "Detecting CAN bus intrusion by applying machine learning method to graph based features," Proc. 2021 IntelliSys, pp. 730–748, 2021.

