Machine Learning based ECU Detection for Automotive Security Azeem Hafeez CECS Department University of Michigan Dearborn, USA azeemh@umich.edu Janani Mohan CECS Department University of Michigan Dearborn, USA janmohan@umich.edu Mansi Girdhar CECS Department University of Michigan Dearborn, USA gmansi@umich.edu Selim S. Awad CECS Department University of Michigan Dearborn, USA sawad@umich.edu Abstract—Due to digital transformation, an autonomous vehi- cle (AV) is realized as a network of multiple electronic control units (ECUs) for providing ubiquitous connectivity and control- ling various electronic functions ranging from essential safety (power steering, airbags) to comfort (driver or passenger seats), to security and access (keyless entry). Out of different commu- nication busses, controller area network (CAN) is a cardinal bus protocol used as a real-time communication interface between these different electronic devices or ECUs embedded in a vehicle. However, an insufficient security design of CAN bus has rendered the network to be vulnerable to innumerable cyber-attacks and risks, hence jeopardizing its cybersecurity. To address the security issues, it is predominant to realize the malicious ECUs in an in- vehicle CAN bus network. Therefore, this paper proposes a novel ECU fingerprinting technique, where unique digital signatures extracted as a result of intrinsic characteristics of the ECUs are used to detect the ECU liable for broadcasting counterfeit messages received on the CAN bus. Further, the proposed work analyzes the data from seven distinct ECUs by employing three machine learning (ML) algorithms, i.e., k-Nearest Neighbors (k- NN), Support Vector Machine (SVM) and Logistic Regression (LR). Further, the performance of the proposed cybersecurity framework is evaluated and compared using the above-mentioned algorithms. Index Terms—ECU fingerprinting, cybersecurity, CAN bus network, ML algorithms I. INTRODUCTION AND MOTIVATION The automotive industry has progressed significantly over the recent years into extensive robotization by using diverse sensors and actuators. These sensors and various computation units are controlled by embedded ECUs which are integrated and designed for optimizing of a wide variety of functions. There are hundreds of ECUs fitted in the modern electric vehicles, and this number is anticipated to amplify in the subsequent years. CAN is used as a legacy standard protocol, owing to its reliability, robustness and simplicity for in-vehicle communication. However, despite many built-in functional safety features, unencrypted nature of the CAN messages and lack of authentication of message sources render CAN net- work vulnerable to multiple cyber-attacks, e.g., spoofing and modification attacks [1]. As a result, these attacks can cause severe implications, for instance, data breach, and jeopardize the safety and security concerns of the vehicle industry [2]. As shown in Fig. 1, CAN data link connects multiple ECUs together as nodes to send or receive messages, enabling engine Figure 1. ECUs connected across serial CAN Bus. operations. It consists of two wires twisted as a pair, namely CAN high and CAN low, and is terminated with a resistor on each end. CAN bus can have one of the two logic states, logical or recessive, where a logical 0 corresponds to dominant bus level, and a logical 1 is termed as the recessive level. When the bus is idle, i.e., when there is no transmission of ECU information, voltage level on the bus is recessive (2.5V), and once a message is transmitted it goes into dominant state (3.5V) [3]. This whole system works as a multi-master system, where every device within the system sends or receives information [4]. However, only a single device or ECU is allowed to send a message at a given time. There has been an extensive research carried out in seeking the possible vulnerabilities, detection and mitigation of the communication attacks on CAN bus. Literature has proposed a number of preventive methods like, message authentication based approaches which implement security at data link layer [5]–[13], and intrusion detection based approaches which implement security at physical layer [14]–[35]. However, due to the inefficiency of the data encryption based methodologies, an intelligent solution of ECU identifi- cation is considered. In a CAN network, the source ECU of a packet transmitted over the communication channel is possibly unmapped [4]. Hence, in case of abnormal behaviors, it is critical to associate malicious CAN packet to its sender node to improve the CAN efficiency, which is a grueling task. The 73 978-1-7281-6448-9/21/$31.00 ©2021 IEEE 2021 17th International Computer Engineering Conference (ICENCO) | 978-1-7281-6448-9/21/$31.00 ©2021 IEEE | DOI: 10.1109/ICENCO49852.2021.9698889 Authorized licensed use limited to: UNIVERSITY OF MICHIGAN - DEARBORN. Downloaded on August 22,2022 at 21:20:47 UTC from IEEE Xplore. Restrictions apply.