Intrusion Detection for In-Vehicle CAN Communication Using Deep Neural Networks

Widstam, Bianca; Sundfeldt, Frida

Intrusion Detection for In-Vehicle CAN Communication Using Deep Neural Networks

Mark

Widstam, Bianca ^LU and Sundfeldt, Frida ^LU (2024) EITM01 20241
Department of Electrical and Information Technology

Abstract: As the automotive industry progresses with the development of connected vehicles, this digital evolution comes with inherent cyber security risks and thus securing vehicle communication systems, particularly the Controller Area Network (CAN) bus, is crucial. International regulations such as UN Regulation No 155, necessitate cyber security measures for threat detection, prevention, and mitigation. In this regard, vehicle manufacturers are mandated to implement measures to detect and prevent cyber-attacks against vehicles. Thus, onboard Intrusion Detection
Systems (IDSs) for in-vehicle networks, e.g. the CAN bus, can help detect various cyber-attacks with different mechanisms such as Fabrication (e.g., Denial of Service and Fuzzy),... (More); As the automotive industry progresses with the development of connected vehicles, this digital evolution comes with inherent cyber security risks and thus securing vehicle communication systems, particularly the Controller Area Network (CAN) bus, is crucial. International regulations such as UN Regulation No 155, necessitate cyber security measures for threat detection, prevention, and mitigation. In this regard, vehicle manufacturers are mandated to implement measures to detect and prevent cyber-attacks against vehicles. Thus, onboard Intrusion Detection
Systems (IDSs) for in-vehicle networks, e.g. the CAN bus, can help detect various cyber-attacks with different mechanisms such as Fabrication (e.g., Denial of Service and Fuzzy), Suspension, Masquerade (e.g. Spoofing attack), and Replay. Network IDSs provide a layer of security by monitoring and analyzing the data traffic, and identifying suspicious activities that could indicate an intrusion. To address this, the thesis, first, introduces a tool that generates attack data by analyzing normal data files, including both open-source and proprietary data provided
by Scania—collected from a test vehicle. Along with that, it uses real-world labeled open-source attack datasets to identify realistic patterns that correspond to various types of attacks. Following this analysis, the process involves altering the proprietary dataset to mimic real attack scenarios closely. This tool will aid with testing the IDS’s effectiveness in detecting attacks on the CAN bus. Secondly,
the thesis investigates the viability of a machine learning-based IDS, using two different supervised deep learning models, Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM), to identify attacks on the CAN bus. An empirical evaluation of the models is performed—considering sequence inputs with various lengths—and the results indicate that with a longer sequential input, more instances of Spoofing and Replay attacks, as more complex attack classes, can be correctly detected. Moreover, despite showing comparable accuracy, the LSTM
models can lead to a slightly higher rate of misclassified normal states as attacks compared to CNN. Furthermore, the validity of the synthetically generated data, the limitations, and the importance of developing models that can adapt to new, unknown attack types are also elaborated and discussed. (Less)
Popular Abstract (Swedish): Med ökande uppkoppling i fordon växer risken för cyberattacker, vilket hotar både individens och allmänhetens säkerhet. Vårt examensarbete
förbättrar säkerheten inom fordon genom att utveckla och testa ett maskininlärningsbaserat intrångsdetekteringssystem för CAN-bussen, med syntetiskt genererad och verklig fordonsdata från Scania.

Våra bilar blir allt smartare, men även mer sårbara för cyberattacker. Moderna fordon är uppbyggda av många elektroniska styrenheter (ECUs), som hanterar alla möjliga typer av funktioner. Dessa enheter kommunicerar med varandra genom det så kallade CAN-bussystemet, en teknik som liknar internet där meddelanden utbyts mellan varje styrenhet. Till skillnad från dagens internet, som har avancerade... (More); Med ökande uppkoppling i fordon växer risken för cyberattacker, vilket hotar både individens och allmänhetens säkerhet. Vårt examensarbete
förbättrar säkerheten inom fordon genom att utveckla och testa ett maskininlärningsbaserat intrångsdetekteringssystem för CAN-bussen, med syntetiskt genererad och verklig fordonsdata från Scania.

Våra bilar blir allt smartare, men även mer sårbara för cyberattacker. Moderna fordon är uppbyggda av många elektroniska styrenheter (ECUs), som hanterar alla möjliga typer av funktioner. Dessa enheter kommunicerar med varandra genom det så kallade CAN-bussystemet, en teknik som liknar internet där meddelanden utbyts mellan varje styrenhet. Till skillnad från dagens internet, som har avancerade säkerhetsåtgärder som kryptering och autentisering, saknar CAN många av dessa skydd. Detta öppnar upp för en rad potentiella hot, som exempelvis skadliga meddelandeinjektioner som kan påverka bilens kritiska funktioner. Forskare har bevisat att det är möjligt att manipulera bland annat bilens broms och hastighets-
funktioner genom att ta kontroll över någon av styrenheterna eller bilens diagnosuttag (OBD-II) och skicka felaktiga meddelanden.
För att bemöta dessa hot har vi utvecklat ett maskininlärningsbaserat intrångsdetekteringssystem (IDS) som använder två typer av djupinlärningsmodeller, CNN (Convolutional Neural Network) och LSTM (Long Short-Term Memory). En IDS
kan effektivt identifiera anomala mönster i CAN-trafiken som kan innebära att en meddelandeinjektionsattack har skett.
Genom att analysera CAN-data insamlad från ett testfordon hos Scania och jämföra denna med öppen källdata från ytterligare tre fordon, har vi skapat flera filer med syntetisk attackdata. Denna data simulerar CAN-kommunikation under olika typer av cyberattacker och har använts för att träna våra modeller. Dessa lär sig att känna igen tecken på att systemet är under attack, vilket gör det möjligt för dem att detektera och klassificera olika cyberhot med en noggrannhet på upp till 99,84 %. (Less)

Please use this url to cite or link to this publication: http://lup.lub.lu.se/student-papers/record/9154458

author

Widstam, Bianca ^LU and Sundfeldt, Frida ^LU

supervisor

Christian Gehrmann ^LU

organization

Department of Electrical and Information Technology

course

EITM01 20241

year

2024

type

H2 - Master's Degree (Two Years)

subject

Technology and Engineering

keywords

CAN, IDS, cyber security, attack generator, deep learning

report number

LU/LTH-EIT 2024-973

language

English

id

9154458

date added to LUP

2024-06-04 13:14:50

date last changed

2024-06-04 13:14:50

@misc{9154458,
  abstract     = {{As the automotive industry progresses with the development of connected vehicles, this digital evolution comes with inherent cyber security risks and thus securing vehicle communication systems, particularly the Controller Area Network (CAN) bus, is crucial. International regulations such as UN Regulation No 155, necessitate cyber security measures for threat detection, prevention, and mitigation. In this regard, vehicle manufacturers are mandated to implement measures to detect and prevent cyber-attacks against vehicles. Thus, onboard Intrusion Detection
Systems (IDSs) for in-vehicle networks, e.g. the CAN bus, can help detect various cyber-attacks with different mechanisms such as Fabrication (e.g., Denial of Service and Fuzzy), Suspension, Masquerade (e.g. Spoofing attack), and Replay. Network IDSs provide a layer of security by monitoring and analyzing the data traffic, and identifying suspicious activities that could indicate an intrusion. To address this, the thesis, first, introduces a tool that generates attack data by analyzing normal data files, including both open-source and proprietary data provided
by Scania—collected from a test vehicle. Along with that, it uses real-world labeled open-source attack datasets to identify realistic patterns that correspond to various types of attacks. Following this analysis, the process involves altering the proprietary dataset to mimic real attack scenarios closely. This tool will aid with testing the IDS’s effectiveness in detecting attacks on the CAN bus. Secondly,
the thesis investigates the viability of a machine learning-based IDS, using two different supervised deep learning models, Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM), to identify attacks on the CAN bus. An empirical evaluation of the models is performed—considering sequence inputs with various lengths—and the results indicate that with a longer sequential input, more instances of Spoofing and Replay attacks, as more complex attack classes, can be correctly detected. Moreover, despite showing comparable accuracy, the LSTM
models can lead to a slightly higher rate of misclassified normal states as attacks compared to CNN. Furthermore, the validity of the synthetically generated data, the limitations, and the importance of developing models that can adapt to new, unknown attack types are also elaborated and discussed.}},
  author       = {{Widstam, Bianca and Sundfeldt, Frida}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Intrusion Detection for In-Vehicle CAN Communication Using Deep Neural Networks}},
  year         = {{2024}},
}

LUP Student Papers

LUND UNIVERSITY LIBRARIES

Intrusion Detection for In-Vehicle CAN Communication Using Deep Neural Networks