An Algorithm for Detection of Malicious Messages on CAN Buses

Congli Ling
State Key Laboratory of Industrial Control Technology
Institute of Cyber-Systems and Control, Zhejiang University
Hangzhou, China, (86)18768188589
lingdatabase@sina.com
Dongqin Feng*
State Key Laboratory of Industrial Control Technology
Institute of Cyber-Systems and Control, Zhejiang University
Hangzhou, China, (86)13957166054
*dqfeng@iipc.zju.edu.cn
Abstract—Control systems are encountering increasing security threats; as one of the most common such systems, CAN control systems are very easy to attack. Aiming at improving the security of CAN control systems, an algorithm for detecting malicious CAN messages is given and implemented in the CANoe simulation environment. The results show that the algorithm has a powerful detection capability and practical significance.
Keywords—CAN bus; detection algorithm; malicious messages; CANoe
I. INTRODUCTION
Safety is the degree to which accidental harm is prevented, reduced, and properly reacted to, and security is the degree to which malicious harm is prevented, reduced, and properly reacted to [1]; this paper therefore addresses the security of CAN control systems.
CAN control systems have long been used in areas such as automobiles, shipbuilding, industrial automation, aerospace, medical equipment and other industrial equipment. Recently, general-purpose protocols, hardware and software have increasingly become the dominant parts of CAN control systems. Meanwhile, in today's competitive markets, formerly isolated control system networks are being interconnected. Connecting these networks and introducing IT components into the control systems gives rise to security problems. The CAN protocol was designed by Robert Bosch in 1986 for automotive applications as a method for enabling robust serial communication [2]. The inherent vulnerabilities of this protocol constitute the main threats to CAN control systems. Security problems in embedded systems are introduced in [3]. Vulnerabilities of automotive CAN control systems are analyzed and verified by experiments in [4]. A simulation of sniffing and replay attacks on CAN buses was carried out in [5]. The security of automotive bus systems was summarized in [6], which pointed out the security threats, especially DoS attacks and information leakage, in CAN systems and in FlexRay, LIN and MOST systems, and put forward a few general defensive strategies. The security problems are becoming sharply more severe, but countermeasures remain scarce.
This paper analyzes the inherent security problems of CAN control systems from the perspective of the technical features of the CAN protocol and designs an algorithm for detecting malicious CAN messages. Finally, the algorithm is implemented in the CANoe simulation environment.
II. CAN PROTOCOL
A. Main Features of the CAN Protocol
The CAN protocol defines the physical layer and data link layer of the ISO/OSI reference model. It has two message formats: a message with an 11-bit identifier is called a standard message, and one with a 29-bit identifier is called an extended message. The difference between them is the length of the arbitration field, as shown in Fig. 1.
1) Message Priority.
The sending sequence of messages on the CAN bus depends on the message identifier. When two or more nodes send messages simultaneously, the message with the smallest ID gets priority, so different real-time requirements can be met.
2) CSMA/CD.
When two or more nodes send messages simultaneously, the nodes with lower priority automatically withdraw from the bus, while the node with the highest priority continues sending without being disturbed. Even under heavy network load, this avoids network paralysis.
3) Nodes Identified by Node Number.
CAN nodes carry no code information similar to an "address". Adding or removing nodes does not influence the other nodes on the bus.
4) Multi-master.
Besides the master-slave mode, the CAN bus also supports a multi-master mode. When the bus is idle, any node can access it, and the first one to do so gets the right of use. In case of collision, the right is decided by the value of the messages' IDs.
5) Effective Error Detection Mechanism.
An error detected by either the sender of a message or the receiving stations is signaled to the sending station, which then retransmits the message, so the reliability of data transmission is greatly improved. Furthermore, CAN contains mechanisms for automatic fault localization, including disconnection of the faulty controller.
“Industrial Control System Network Security Technology Research” 863 project.
Figure 1. Standard and extended CAN frame
B. Vulnerabilities of the CAN Protocol
1) Jamming the Bus or Modifying Messages
From the perspective of the technical features of the CAN protocol, the CSMA/CD-based transmission mechanism on the one hand guarantees that high-priority messages are transmitted preferentially, but on the other hand enables attacks that jam the communication channel. Constantly injected nonsense messages with the highest priority are always forwarded first, even though the receiving controllers immediately discard them, and permanently prevent the transmission of all other normal CAN messages. An attacker may also modify messages with malicious data to compromise the bus, or sniff data from the bus.
2) Well-directed Error Flags
Whenever a transmitter detects five consecutive bits of identical value in the bit stream to be transmitted, it automatically inserts a complementary bit into the actually transmitted bit stream. Erroneous bit sequences violate the bit stuffing rule between the Start of Frame and the CRC delimiter, or the fixed form of the fields from the ACK field to the End of Frame. Exploiting the CAN error detection mechanism, an attacker can deliberately manufacture CAN bus errors. The controllers respond to such errors without discrimination, so the current transmission is interrupted. Malicious CAN messages may thus disturb normal operation of the bus or cause the disconnection of any single controller by posting several well-directed error flags.
III. THE DETECTION ALGORITHM
A. Declaration of the Algorithm
According to the discussion above, the length of a CAN ID, whether 11 bits or 29 bits, is far less than the maximum data length of 64 bits. In addition, once the IDs in use are configured, they stay the same. This greatly helps in detecting malicious messages. Combining the ID transmitted on the bus with its uninterrupted occurrence count, an alarm threshold can be calculated. At the same time, this avoids using large amounts of computing and storage resources, which are limited in embedded CAN controllers.
B. Detection Algorithm
1) Step 1
Take each ID and its threshold (ID_threshold) configured in the CAN control system under detection, as well as the threshold for unknown IDs (UN_threshold), as known input; then set all counters and flags to 0.
2) Step 2
Listen on the CAN bus to obtain the messages' IDs.
3) Step 3
Judge the obtained ID:
4) Step 3.1
If the ID belongs to the input set, increment the ID's counter (ID_counter) by one, set the ID's continuity flag (ID_flag), and clear the unknown-ID counter (UN_counter) and its continuity flag (UN_flag). Then judge further: if ID_counter exceeds ID_threshold and ID_flag equals 1, perform the alarm operation and clear ID_counter and ID_flag; else return to Step 2.
5) Step 3.2
Otherwise, increment the unknown-ID counter by one, set the unknown-ID flag, and clear the known ID's counter and its continuity flag. Then judge further: if UN_counter exceeds UN_threshold and UN_flag equals 1, perform the alarm operation and clear UN_counter and UN_flag; else return to Step 2.
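The detection procedure above, written out in C as an added example (not the paper's CAPL code). It takes the consecutive-run reading of the continuity flags, i.e. any different ID interrupts a known ID's run and resets its counter, which Steps 3.1 and 3.2 leave implicit; the thresholds, the replayed trace and the big-endian byte order of the ID inside the 0x555 alarm frame are assumptions, while the message IDs follow the message design of Section IV.B.

```c
#include <stdint.h>
#include <string.h>

/* One configured identifier with its ID_threshold, ID_counter and ID_flag (Step 1 of Section III.B). */
typedef struct { uint32_t id; uint8_t threshold, counter, flag; } known_id_t;
/* Detector state: known-ID table (at most 8 here) plus the shared UN_threshold, UN_counter, UN_flag. */
typedef struct { known_id_t known[8]; int n_known; uint8_t un_threshold, un_counter, un_flag; } detector_t;
/* Minimal CAN frame, enough to carry the Detector's 0x555 alarm message. */
typedef struct { uint32_t id; uint8_t dlc; uint8_t data[8]; } can_frame_t;

/* Step 1: load the configured IDs and thresholds, then zero every counter and flag. */
void detector_init(detector_t *d, const uint32_t *ids, const uint8_t *thr, int n, uint8_t un_thr)
{
    memset(d, 0, sizeof *d);
    d->n_known = n > 8 ? 8 : n;
    for (int i = 0; i < d->n_known; i++) { d->known[i].id = ids[i]; d->known[i].threshold = thr[i]; }
    d->un_threshold = un_thr;
}

/* Alarm frame per Section IV.B: byte0 byte1 = offending ID (big-endian order is an assumption, the
 * paper does not state it), byte2 = that ID's alarm threshold, byte3 = 0xFF alarm flag. */
static void make_alarm(can_frame_t *f, uint32_t id, uint8_t thr)
{
    f->id = 0x555; f->dlc = 4;
    f->data[0] = (uint8_t)(id >> 8); f->data[1] = (uint8_t)id; f->data[2] = thr; f->data[3] = 0xFF;
}

/* A different ID interrupts every other known ID's run (consecutive-run reading of "continuity"). */
static void clear_known_except(detector_t *d, const known_id_t *keep)
{
    for (int i = 0; i < d->n_known; i++)
        if (&d->known[i] != keep) d->known[i].counter = d->known[i].flag = 0;
}

/* Steps 2-3 for one received identifier; returns 1 and fills *alarm when the alarm operation fires. */
int detector_feed(detector_t *d, uint32_t id, can_frame_t *alarm)
{
    for (int i = 0; i < d->n_known; i++) {
        known_id_t *k = &d->known[i];
        if (k->id != id) continue;
        k->counter++; k->flag = 1;                  /* Step 3.1: known ID */
        d->un_counter = d->un_flag = 0;
        clear_known_except(d, k);
        if (k->counter > k->threshold && k->flag) {
            make_alarm(alarm, id, k->threshold);
            k->counter = k->flag = 0;
            return 1;
        }
        return 0;
    }
    d->un_counter++; d->un_flag = 1;                /* Step 3.2: unknown ID */
    clear_known_except(d, NULL);
    if (d->un_counter > d->un_threshold && d->un_flag) {
        make_alarm(alarm, id, d->un_threshold);
        d->un_counter = d->un_flag = 0;
        return 1;
    }
    return 0;
}

/* Replays a constructed trace modelled on the Section IV.B message design (Trigger 0x180/0x181, #D
 * 0x280/0x380/0x500, Intruder 0x444 once and 0x380 twice in a row); thresholds are constructed. */
int run_paper_scenario(can_frame_t *alarms, int max_alarms)
{
    static const uint32_t ids[] = { 0x180, 0x181, 0x280, 0x380, 0x500 };
    static const uint8_t  thr[] = { 2, 2, 2, 1, 2 };            /* unknown IDs alarm at once (0) */
    static const uint32_t trace[] = {
        0x180, 0x280, 0x181, 0x380, 0x500, 0x444,   /* normal traffic, then Intruder's unknown ID */
        0x180, 0x280, 0x181, 0x380, 0x500,          /* normal traffic again: counters restart */
        0x380, 0x380, 0x180, 0x280 };               /* second consecutive 0x380 exceeds its threshold */
    detector_t d; can_frame_t a; int n = 0;
    detector_init(&d, ids, thr, 5, 0);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        if (detector_feed(&d, trace[i], &a) && n < max_alarms) alarms[n++] = a;
    return n;
}
```

On this trace the detector raises exactly two alarms, 0x555 04 44 00 FF for the unknown ID and 0x555 03 80 01 FF for the repeated frequency message, matching the two cases the paper reports in Fig. 5 and Fig. 6.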
IV. ALGORITHM AND DETECTION SYSTEM IMPLEMENTATION BASED ON CANOE
A. Detection System Implementation
CANoe is a dedicated bus simulation tool developed by the German company Vector. The series of system-level design, analysis and development tools it provides for CAN networks helps researchers complete the simulation of a whole bus network. CANoe can simultaneously simulate bus communication and the nodes' various control functions. The detection system implemented in CANoe is shown in Fig. 2. Device #D responds to the messages sent by the Trigger and periodically sends out a heartbeat message. The malicious device Intruder sends out malicious messages. The ID of a malicious message is detected by the Detector, which then sends out the ID and an alarm flag within a message.
Figure 2. System implementation based on CANoe
B. Message Design
It should be stated that all the messages in this paper have research meaning only and no practical significance.
1) Trigger
We suppose that the Trigger, which may not exist in practice and is used only for research, periodically sends messages whose IDs are 0x180 and 0x181.
2) #D
0x280, 0x380 and 0x500 are respectively the IDs of the speed, frequency and heartbeat messages forwarded by #D.
3) Intruder
100 ms after the system is powered on, the designed malicious message 0x444 2C 2C is forwarded by the Intruder. Then, after a 1000 ms delay, it forwards the malicious frequency message 0x380 FF FF FF twice consecutively.
4) Detector
When an alarm threshold is exceeded, the Detector forwards the message 0x555 byte0 byte1 byte2 FF, where byte0 and byte1 represent the ID of the detected malicious message, byte2 represents the alarm threshold of this ID, and FF represents the alarm flag.
C. Algorithm Implementation
Vector CAN Communication Application Programming Language (CAPL) is a C-like language that forms the programming foundation of Vector CANoe and a rich, robust tool for extending the power of CANoe beyond the tool's interfaces and customizing the tool's functionality on top of the CAN protocol to the user's requirements. The algorithm is implemented in CAPL. Fig. 3 shows the definitions of the variables used and Fig. 4 shows the flow chart.
Figure 3. Variables used in the implementation
Figure 4. Flow chart of Algorithm Implementation
Figure 5. Alarm triggered by malicious message ID 0x444
Figure 6. Alarm triggered by malicious frequency message ID 0x380
D. Test Results
After all modules were implemented, the whole system was tested. The results are shown in Fig. 5 and Fig. 6. After the Intruder sent out the malicious message 0x444 2C 2C or the malicious frequency message 0x380 FF FF FF FF, and once the threshold was exceeded, the Detector raised the alarm.
V. CONCLUSION
This paper puts forward an algorithm, based on the CAN identifier, for detecting malicious CAN messages, addressing the problem that CAN control systems are very vulnerable when they encounter malicious messages. By means of CAPL and the CANoe simulation environment, the algorithm is verified, and the results show that both wrongful IDs and legitimate IDs exceeding the alarm threshold trigger the alarm. The research in this paper significantly supports the defense of CAN control systems.
ACKNOWLEDGMENT
I am very grateful to my teacher and colleagues; thanks for their guidance and help. I would like to express my gratitude to Zhejiang University for the support of the “Industrial Control System Network Security Technology Research” 863 project.
REFERENCES
[1] D.G. Firesmith, "Common concepts underlying safety, security, and survivability engineering," Tech. Rep. CMU/SEI-2003-TN-033, Software Engineering Institute, Pittsburgh, PA, December 2003.
[2] Dongqin Feng, You Wang, Lei Xie, Industrial Automation Network, China Electric Power Press, July 2011.
[3] P. Koopman, "Embedded system security," IEEE Computer, 37(7), pp. 95-97, July 2004.
[4] K. Koscher, A. Czeskis, F. Roesner, et al., "Experimental security analysis of a modern automobile," in D. Evans and G. Vigna, editors, IEEE Symposium on Security and Privacy, IEEE Computer Society, May 2010.
[5] Tobias Hoppe, Jana Dittman, "Sniffing/Replay attacks on CAN buses: a simulated attack on the electric window lift classified using an adapted CERT taxonomy," in Proceedings of the 2nd Workshop on Embedded Systems Security (WESS), Salzburg, Austria, 2007.
[6] Marko Wolf, André Weimerskirch, and Christof Paar, "Security in automotive bus systems," in Workshop on Embedded IT-Security in Cars (escar), 2004.