ICS 2022

Research efforts have demonstrated many critical security weaknesses in modern vehicles, specifically involving their Controller Area Networks (CAN). The CAN bus serves as the main communication network between all control systems in the vehicle. Due to its importance and weak security properties, the CAN Bus presents an attractive attack surface for cyberattacks; but also a useful resource for detecting any attacks or other anomalous vehicle conditions.

We present an overview of three recent contributions. First, we describe a research testbed that allows for replaying, modifying, or generating synthetic CAN traffic. This is complementary to testing approaches that involve real vehicles, allowing simpler and easier development and testing, especially at earlier stages in research and development. Next, we present a method for decoding the (proprietary) encoded contents of CAN messages. This automatically determines what signals are present in each message type, and then uses known (standardized) diagnostic queries to label the meaning and units of these learned signals. Finally, we implement a system to find anomalous network traffic on the CAN bus. This includes monitoring the timing characteristics of CAN messages and detecting missing or unexpected messages. In addition, we used the extracted signals described above to detect unusual or tampered message contents. We then combine these approaches into an ensemble detector to demonstrate its effectiveness.