Unpublished working draft. Not for distribution.

Context-aware Anomaly Detector for Monitoring Cyber Attacks on Automotive CAN Bus

Harsha Kumara Kalutarage, Omar Al-Kadri (h.kalutarage@rgu.ac.uk, o.alkadri@rgu.ac.uk), Cyber Security Group, School of Computing Science and Digital Media, Robert Gordon University, Aberdeen, United Kingdom
Madeline Cheah, Garikayi Madzudzo (madeline.cheah@horiba-mira.com, garikayi.madzudzo@horiba-mira.com), HORIBA-MIRA Ltd, Nuneaton, United Kingdom

ABSTRACT

Automotive electronics is expanding rapidly. An average vehicle contains a million lines of software code running on around 100 electronic control units (ECUs) that support a range of safety, driver assistance and infotainment functions. These ECUs are networked using a Controller Area Network (CAN). Security of the CAN bus has not historically been a major concern; however, recent research demonstrates that CAN has many vulnerabilities to cyber attacks. This paper presents a contextualised anomaly detector for monitoring cyber attacks on the CAN bus. The proposed algorithm is based on message sequence modelling using so-called N-gram distributions. It uses only benign data (one class) for training and threshold estimation. The performance of the algorithm was tested against two different attack scenarios, spoofing of RPM and gear gauge messages, using data captured from a real vehicle. Experimental outcomes demonstrate that the proposed algorithm is capable of detecting both attacks with 100% accuracy using far smaller time windows (100 ms), which is essential for a practically deployable automotive cyber security solution.
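The abstract's approach in working form, as an added example that is not the paper's code: N-gram (here bigram) distributions over the sequence of CAN arbitration IDs, trained on benign traffic only, with a threshold estimated from benign 100 ms windows and then applied to a log in which one ID is spoofed. The arbitration IDs and periods, the timing jitter, the L1 distance measure and the threshold rule (worst benign-window score) are all assumptions made for this illustration, not the paper's feature set or rule.

```python
"""Added illustration of N-gram sequence modelling on CAN traffic.
Constructed and simplified; not the paper's code. The feature choice
(bigrams over arbitration IDs), distance measure (L1) and threshold rule
(maximum benign-window score) are assumptions made for this example."""
from collections import Counter
import random

WINDOW_MS = 100.0  # window length the abstract reports (100 ms)

# Hypothetical benign schedule: three periodic IDs with their periods in ms
# (IDs and periods are constructed, not taken from any real vehicle).
BENIGN_PERIODS_MS = {0x0C0: 10.0, 0x1A4: 20.0, 0x2B5: 50.0}


def benign_traffic(duration_ms, seed=0):
    """Constructed benign log: (timestamp_ms, can_id) frames from periodic
    ECUs with +/-0.5 ms timing jitter, sorted by time."""
    rng = random.Random(seed)
    frames = []
    for can_id, period in BENIGN_PERIODS_MS.items():
        t = rng.uniform(0.0, period)            # random initial phase
        while t < duration_ms:
            frames.append((t, can_id))
            t += period + rng.uniform(-0.5, 0.5)
    frames.sort()
    return frames


def with_spoofed_id(frames, can_id, start_ms, end_ms, interval_ms):
    """Constructed evaluation scenario: extra frames carrying can_id at a
    fixed interval during [start_ms, end_ms), merged into the benign log."""
    extra = []
    t = start_ms
    while t < end_ms:
        extra.append((t, can_id))
        t += interval_ms
    return sorted(frames + extra)


def windows(frames, window_ms=WINDOW_MS):
    """Split frames into consecutive fixed-length windows of arbitration IDs."""
    if not frames:
        return []
    count = int(frames[-1][0] // window_ms) + 1
    buckets = [[] for _ in range(count)]
    for t, can_id in frames:
        buckets[int(t // window_ms)].append(can_id)
    return buckets


def ngram_dist(ids, n):
    """Relative frequency of each n-gram of consecutive IDs (empty if too short)."""
    counts = Counter(tuple(ids[i:i + n]) for i in range(len(ids) - n + 1))
    total = sum(counts.values())
    return {g: c / total for g, c in counts.items()} if total else {}


def l1_distance(p, q):
    """L1 distance between two discrete distributions (0 identical, 2 disjoint)."""
    return sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


class NgramDetector:
    """One-class detector: learns the benign N-gram distribution and a
    threshold from benign windows only, then scores new windows."""

    def __init__(self, n=2):
        self.n = n
        self.reference = {}
        self.threshold = None

    def score(self, window_ids):
        """Distance of this window's N-gram distribution from the benign reference."""
        return l1_distance(ngram_dist(window_ids, self.n), self.reference)

    def fit(self, benign_frames):
        """Train on benign frames; threshold = worst score seen on benign windows
        (assumed rule), so the training set itself produces no alerts."""
        self.reference = ngram_dist([cid for _, cid in benign_frames], self.n)
        self.threshold = max(self.score(w) for w in windows(benign_frames))
        return self.threshold

    def detect(self, frames):
        """Return (window_index, score, is_anomalous) for each 100 ms window."""
        result = []
        for i, w in enumerate(windows(frames)):
            s = self.score(w)
            result.append((i, s, s > self.threshold))
        return result


def demo():
    """Train on 5 s of constructed benign traffic, then score a 1 s held-out
    log in which the (hypothetical) RPM ID is spoofed between 400 and 600 ms."""
    det = NgramDetector(n=2)
    det.fit(benign_traffic(5000, seed=0))
    spoofed = with_spoofed_id(benign_traffic(1000, seed=1), 0x0C0, 400, 600, 0.25)
    return [i for i, _, flagged in det.detect(spoofed) if flagged]


if __name__ == "__main__":
    print("flagged windows:", demo())
```

Windows 4 and 5 (400 to 600 ms) are the ones that should alert. Taking the maximum benign-window score as the threshold guarantees zero alerts on the training set but says nothing about held-out benign traffic, so a deployment would check the false-positive rate on a separate benign capture (for instance the emergency-braking case the introduction raises) before fixing the threshold.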
KEYWORDS

In-Vehicle Networks, CAN bus, Automotive Cyber Security, Context-aware Anomaly Detection

ACM Reference Format:
Harsha Kumara Kalutarage, Omar Al-Kadri, Madeline Cheah, and Garikayi Madzudzo. 2018. Context-aware Anomaly Detector for Monitoring Cyber Attacks on Automotive CAN Bus. In Proceedings of CSCS ’19: ACM COMPUTER SCIENCE IN CARS Symposium (CSCS ’19). ACM, New York, NY, USA, 8 pages. https://doi.org/10.1145/1122445.1122456

CSCS ’19, October 08, 2019, Kaiserslautern, Germany. © 2018 Association for Computing Machinery. ACM ISBN 978-1-4503-9999-9/18/06. $15.00. https://doi.org/10.1145/1122445.1122456

1 INTRODUCTION

Modern automobiles are becoming increasingly intelligent, offering a range of new features such as telematics, advanced driver assistance and augmented reality displays. An average vehicle contains a million lines of software code running on around 100 microcomputers (known as ECUs) to facilitate these services [28]. These ECUs are spread over the entire vehicle and are largely connected to one another using a bus-based network called CAN, a low-latency, low-overhead, high-performance bus standard. Moreover, modern vehicles have a number of external communication interfaces to communicate with the outside world, for example with personal devices, vehicular ad-hoc networks and the Internet.
Estimates show that 75% of cars shipped globally by 2020 will be built with the necessary hardware to connect to the Internet [1]. Although the security of some of these connections and of the software may be strengthened by automotive manufacturers or original equipment manufacturers (OEMs), having so many lines of code and increased connectivity extends the potential attack surface that can be exploited by a cyber criminal. Security researchers have demonstrated their ability to carry out attacks on real vehicles [30]. Vehicle hacks are potentially disastrous. Illegitimately accessing and modifying data in a vehicle is not only a security issue but also a safety issue. For example, a corrupted ECU driving the brakes can lead to an accident with serious consequences for passengers, people and goods in the surrounding environment. Therefore the security of connected and autonomous vehicles is a major concern for automotive manufacturers and OEMs, who are now seeking methods to secure their products against cyber attacks.

Security research in this area has taken many forms, encompassing anything from hardware security to encryption of various aspects of the vehicle (see Section 2.2). One of the larger areas of research identified was the need for the traffic stream of the internal vehicle network to be monitored in some way for potentially malicious behaviour. This paper focuses on contextualising anomaly detection on the intra-vehicular network bus (see Section 2.1). Anomaly detection for security monitoring on the CAN bus has been difficult because many actions or reactions in a vehicle can be construed as anomalous; for example, an emergency braking event carried out by the driver, whilst legitimate, is always anomalous in day-to-day driving. To mitigate or avoid such false positives, context is required to distinguish a legitimate anomaly from one that could be interpreted as a potentially malicious action.
The contribution of this paper starts with modelling normal CAN behaviour; we then propose a novel context-aware anomaly detector using n-gram distributions. The main features of the proposed algorithm can be summarised as follows.

(1) The algorithm depends only on benign data (one class) for training and threshold estimation. This avoids the need for a large amount of realistic attack data for model