Contextual Anomaly Detection in Controller Area Networks

Date
2022-03
Abstract
The Controller Area Network (CAN) has been an established standard for in-vehicle networks for over two decades. The low implementation cost of CAN together with its simple design has allowed automotive manufacturers to incorporate it at scale with ease. The onboard CAN bus facilitates real-time data exchange between Electronic Control Units (ECUs) that are responsible for maintaining critical functions such as lane-keep assist, collision assist and engine control during the operation of the vehicle. Though proven to be reliable and efficient, security was never a part of CAN's design. Hence ECUs are highly susceptible to a wide range of attacks that could eventually prove fatal to passengers and all road users. Additionally, the increased connectivity in Connected and Autonomous Vehicles (CAVs) has further widened the threat landscape for malicious actors to leverage. Attackers typically target specific vehicle subsystems by injecting malicious exploits into the bus, and thus anomaly detection in CAN has been actively studied in recent years. While existing detection systems are capable of identifying deviations in the behavior of an individual control unit, they are ineffective against attacks that target multiple subsystems while still adhering to the norms of the system. Such stealthy attacks are more likely to evade the purview of an anomaly detection system that does not collectively evaluate all data points to determine the overall state of the system. In this thesis, we primarily focus on detecting these attacks by identifying contextual anomalies in CAN bus data. To this end, we employ machine learning algorithms to capture the spatio-temporal correlations among sensor readings in the CAN bus at both frame and signal levels. Neural networks are typically capable of learning intrinsic patterns in the given data without the need to comprehend its meaning, and thus this use case provides an ideal ground for their application.
We present NeuroCAN, a deep learning-based detection model that employs Long Short-Term Memory (LSTM) and Linear Embeddings to derive contextual inferences from other ECUs in real time. We train and evaluate our approach on two real-world CAN bus datasets and compare its performance against other existing approaches in the literature. We then assess the capacity of our model to identify stealthy attacks in an open-source signal dataset that serves as a benchmark for CAN bus anomaly detection systems. The results indicate that our system is capable of achieving over 95% detection accuracy and performs significantly better than other state-of-the-art approaches. We further incorporate multitask learning to effectively reduce the large resource overhead that arises from managing multiple trained models during detection. We also study the importance of additional sensor context and the need for a collective approach in the detection process and present our findings.
Keywords
Controller Area Networks, Anomaly Detection
Citation
Balaji, P. (2022). Contextual anomaly detection in controller area networks (Master's thesis, University of Calgary, Calgary, Canada). Retrieved from https://prism.ucalgary.ca.