Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks
A data-driven approach to in-vehicle intrusion detection

Michael R. Moore (1), Robert A. Bridges (2), Frank L. Combs (3), Michael S. Starr (1), & Stacy J. Prowell (2)
(1) Global Security Directorate, (2) Computer & Computational Sciences Directorate, (3) Energy & Environmental Sciences Directorate
Oak Ridge National Laboratory, 1 Bethel Valley Road, Oak Ridge, TN 37831, USA
{mooremr,bridgesra,combsfl,starrms,prowellsj}@ornl.gov

ABSTRACT

Modern vehicles rely on hundreds of on-board electronic control units (ECUs) communicating over in-vehicle networks. As external interfaces to the car control networks (such as the on-board diagnostic (OBD) port, auxiliary media ports, etc.) become common, and vehicle-to-vehicle / vehicle-to-infrastructure technology is in the near future, the attack surface for vehicles grows, exposing control networks to potentially life-critical attacks. This paper addresses the need for securing the controller area network (CAN) bus by detecting anomalous traffic patterns via unusual refresh rates of certain commands. While previous works have identified signal frequency as an important feature for CAN bus intrusion detection, this paper provides the first such algorithm with experiments using three attacks in five (total) scenarios. Our data-driven anomaly detection algorithm requires only five seconds of training time (on normal data) and achieves true positive / false discovery rates of 0.9998/0.00298, respectively (micro-averaged across the five experimental tests).

CCS CONCEPTS

Security and privacy → Artificial immune systems;

KEYWORDS

CAN bus, in-vehicle security, anomaly detection, signal injection

ACM Reference format:
Michael R. Moore, Robert A. Bridges, Frank L. Combs, Michael S. Starr, & Stacy J. Prowell. 2017. Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks.
In Proceedings of Cyber & Information Security Research Conference, Oak Ridge, TN, USA, April 04 - 06, 2017 (CISRC '17), 4 pages. DOI: http://dx.doi.org/10.1145/3064814.3064816

This manuscript has been authored by UT-Battelle, LLC under Contract No. DE-AC05-00OR22725 with the U.S. Department of Energy. The United States Government retains and the publisher, by accepting the article for publication, acknowledges that the United States Government retains a non-exclusive, paid-up, irrevocable, world-wide license to publish or reproduce the published form of this manuscript, or allow others to do so, for United States Government purposes. The Department of Energy will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan http://energy.gov/downloads/doe-public-access-plan. Parts of this research performed at the Vehicle Security Lab at the National Transportation Research Center.

Author Michael S. Starr, Lt Col, USAF Fellow.

Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only. © 2017 Copyright held by the owner/author(s). 978-1-4503-4855-3/17/04...$15.00

1 INTRODUCTION

A modern vehicle relies on scores of engine control units (ECUs), which are embedded computers controlling the vehicle's many subsystems. Because of the number of ECUs, dedicated connections for all ECU traffic are unfeasible and a single bus allowing all signals to be broadcast to all ECUs is standard. In particular, we focus on the high-speed (125Kbs-1Mbs) controller area network (CAN) bus used for much of modern vehicle communications.
Because ECUs control most of the vehicle's functions (sensors, lights, braking, etc.), it follows that adversarial manipulation of signals on the CAN bus has potentially severe consequences. Exacerbating the potential for interference is the proliferation of external connections with the vehicle control network, including USB ports, WiFi, Bluetooth, and the mandatory on-board diagnostic (OBD-II) port that gives direct access to vehicle buses. Near-future advancements, including vehicle-to-vehicle and vehicle-to-infrastructure wireless communication, increase the need for vehicle network security. Protecting these critical control networks has led to increasing study of their vulnerabilities and mitigations for those vulnerabilities [2, 9, 10].

CAN bus signals are indexed by a process ID (PID), specified in the packet header, and are generally associated with a fixed function (running lights, sensors, door locks, etc.). The specific PID-to-function mapping of signals is dependent on the make and model; e.g., signals with PID 3A1 may code for the brake lights in one make/model, but something different in another. This mapping poses problems for creating universally effective offensive and defensive cyber capabilities.

This work relies on the observation that most PID signals are sent regularly and redundantly. Command injection attackers for these PIDs' functions, therefore, need to produce regular, redundant signal injections to achieve a desired response in the vehicle's actions, and we define this class of attacks as regular-frequency signal injection attacks. Our hypothesis is that by modeling and detecting anomalies in the inter-signal wait times we can exploit the regularity of the CAN bus signals and can produce an accurate detection capability for this well-defined class of attacks.

To test our proposed detector, we define and execute three signal injection attacks.
This serves to illuminate both the ease of execution and the potential for danger of these attacks. We present accuracy results of the detector under both normal (non-attack) and attack conditions. Rather than disclose details of vulnerabilities exploited, we have informed the vendor. For this reason the make, model, and production year of the testing car, as well as the injected PIDs and values, are not included.
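
An added illustration of the hypothesis above (example code written for this page, not the authors' algorithm or implementation): a small Python detector learns each PID's inter-signal gap from five seconds of constructed normal traffic, then flags frames that arrive much sooner than the learned period. PID 0x1F0, the 20 ms and 100 ms periods, the jitter, and the thresholds k and rel_tol are assumptions; 0x3A1 is borrowed from the text's illustrative PID.

```python
import random
from collections import defaultdict
from statistics import mean, pstdev

def train(frames, min_gaps=5):
    """Learn (mean, std) of the inter-arrival gap per PID from attack-free frames."""
    last, gaps = {}, defaultdict(list)
    for ts, pid in frames:
        if pid in last:
            gaps[pid].append(ts - last[pid])
        last[pid] = ts
    return {p: (mean(g), pstdev(g)) for p, g in gaps.items() if len(g) >= min_gaps}

def detect(frames, model, k=4.0, rel_tol=0.2):
    """Alert on frames arriving much sooner than the learned period for their PID.
    k and rel_tol are assumed tuning values, not figures from the paper."""
    last, alerts = {}, []
    for ts, pid in frames:
        if pid in model and pid in last:
            mu, sigma = model[pid]
            if ts - last[pid] < mu - max(k * sigma, rel_tol * mu):
                alerts.append((ts, pid))
        last[pid] = ts
    return alerts

def periodic(pid, period, start, stop, rng=None, jitter=0.0005):
    """Constructed traffic: one frame of `pid` every `period` seconds."""
    n = round((stop - start) / period)
    return [(start + i * period + (rng.uniform(-jitter, jitter) if rng else 0.0), pid)
            for i in range(n)]

def demo():
    rng = random.Random(7)
    # Constructed capture: PID 0x3A1 every 20 ms, PID 0x1F0 every 100 ms (both assumed).
    normal = lambda a, b: periodic(0x3A1, 0.02, a, b, rng) + periodic(0x1F0, 0.1, a, b, rng)
    model = train(sorted(normal(0, 5)))  # five seconds of normal data
    clean = sorted(normal(5, 8))
    # Regular-frequency injection of 0x3A1 between t=6.007 s and t=7.007 s.
    attacked = sorted(clean + periodic(0x3A1, 0.02, 6.007, 7.007))
    return detect(clean, model), detect(attacked, model)

if __name__ == "__main__":
    clean_alerts, attack_alerts = demo()
    print(len(clean_alerts), "alerts on clean traffic")
    print(len(attack_alerts), "alerts during injection,",
          "first at %.3f s" % attack_alerts[0][0])
```

Because the injected frames interleave with the legitimate ones, both the injected frame and the legitimate frame that follows it show a shortened gap, so alerts cover the whole injection interval and stop once the bus returns to its normal rate.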