
Intrusion Detection System Based On The Analysis of Time Intervals of CAN Messages For In-Vehicle Network

This document discusses an intrusion detection system for in-vehicle networks based on analyzing time intervals of CAN messages. It first provides background on vehicle networks, security threats, and existing research. It then proposes a lightweight intrusion detection algorithm that analyzes time intervals in CAN traffic to detect message injection attacks. The algorithm was able to detect all message injection attacks without false positives by observing changes in message timing.


Intrusion Detection System Based on the Analysis of Time Intervals of CAN Messages for In-Vehicle Network

Hyun Min Song, Ha Rang Kim and Huy Kang Kim


Center for Information Security Technologies (CIST), Graduate School of Information Security
Korea University
Seoul, Republic of Korea
[email protected], [email protected], [email protected]

Abstract—Controller Area Network (CAN) bus in the vehicles is a de facto standard for serial communication to provide an efficient, reliable and economical link between Electronic Control Units (ECU). However, CAN bus does not have enough security features to protect itself from inside or outside attacks. Intrusion Detection System (IDS) is one of the best ways to enhance the vehicle security level. Unlike the traditional IDS for network security, IDS for vehicle requires a light-weight detection algorithm because of the limitations of the computing power of electronic devices that reside in cars. In this paper, we propose a light-weight intrusion detection algorithm for in-vehicle network based on the analysis of time intervals of CAN messages. We captured CAN messages from the cars made by a famous manufacturer and performed three kinds of message injection attacks. As a result, we find the time interval is a meaningful feature to detect attacks in the CAN traffic. Also, our intrusion detection system detects all of the message injection attacks without making false positive errors.

Keywords—car security; controller area network; intrusion detection system

I. INTRODUCTION

Today, modern vehicles become smart, intelligent and connected. The proportion of electronic equipment in a vehicle was only 1% in the 1980s and has increased to about 50% nowadays. We might consider vehicles as electronic devices or Internet of Things (IoT) devices, not only physical or mechanical devices. As vehicles adopt more electronic components and implement connectivity functions to the external network, security threats on electronic equipment of vehicles are rising sharply. Most of the smart devices such as smartphones, tablets and laptop computers can have security or privacy problems when they are compromised by malicious attacks. Unlike the usual smart devices, a smart car (or connected car) can have one more critical problem when hacked. That is the safety problem that can seriously threaten human's daily life.

Therefore, we need to develop detection and prevention algorithms to react to the emerging threats on vehicles.

A. Vehicle Networks

Vehicle network can be categorized by logical network location. One is the external network, and the other is the internal network, called the in-vehicle network. Also, vehicle network can be categorized by communication type: Vehicle-to-Vehicle (V2V), also known as Vehicular Ad hoc Network (VANET), and Vehicle-to-Infrastructure (V2I). For convenience, these communications altogether are usually called V2X. V2X communications are used for safe driving by notifying drivers of information on the road.

There are various protocols for in-vehicle networks. Table I shows three well-known protocols for the in-vehicle network: Controller Area Network (CAN), Local Interconnect Network (LIN) and FlexRay. CAN is a serial bus to provide an efficient, reliable and economical link between Electronic Control Units (ECUs). CAN is used for vehicle's core control systems like body systems, engine management, and transmission control. LIN is a serial network protocol like CAN. LIN is developed as an alternative to CAN where low-cost implementation is required. LIN is usually used in the environment where communication speed is not critical. LIN is now a complement of the CAN within vehicles. FlexRay is designed to support faster and more reliable communication than CAN. FlexRay supports two-channel communication where CAN supports only single-channel. The maximum speed of CAN bus is 1 Mbps, where the maximum speed of FlexRay is 10 Mbps. FlexRay also supports flexible topology configurations like a bus, star, or hybrid topology.

TABLE I. CLASSIFICATION OF THE IN-VEHICLE NETWORK

| Protocol | Description | Applications |
|---|---|---|
| CAN | Multi-master, asynchronous serial network; fast and reliable | Critical real-time communication (body systems, engine management, transmission, airbags) |
| LIN | Single-master, multiple-slave serial network; cheap and slow | Body control (door locks, seat belts, lighting, window, mirror) |
| FlexRay | Next generation protocol; fast but more expensive | Multimedia and X-by-wire (drive-by-wire, brake-by-wire, steering-by-wire) |
B. Security Threats on Vehicles

There are many security threats on vehicle electronic systems via a variety of access points such as V2X communication, telematics service, Bluetooth connection of mobile devices, and On-Board Diagnostics (OBD) port. We described some security threats by attack surface. As described in Table II, the vehicle security problem is not just about information security or privacy leakage. These security threats can affect the safety of the drivers directly.

TABLE II. SECURITY THREATS ON VEHICLE ELECTRONIC SYSTEMS

| Attack surface | Security threats | Related to |
|---|---|---|
| Wireless communications (Telematics, Bluetooth, RF) | Remotely vehicle control; sensitive data leakage; eavesdropping via microphone | Safety/Privacy/Security |
| Wireless communications (V2V/V2I) | Abusing traffic signal control; sending fake message; polluting traffic information | Safety/Security (integrity) |
| Diagnostic interface (OBD, OBD-II) | Execution of non-approval function; injecting messages on CAN bus | Safety/Security (integrity, availability) |
| Infotainment system | Unauthorized overall vehicle control | Safety/Security |
| Physical tampering | Illegal tuning of engine; odometer fraud; usage of non-approval equipment | Safety/Security (integrity) |

C. Organization of this paper

We introduced vehicle networks and security threats on vehicle electronic systems in Section 1. The rest of the paper is organized as follows. Section 2 presents the recent researches and projects about the vehicle security. We introduce our intrusion detection method for CAN bus traffic of vehicle network in Section 3. In Section 4, we describe the result of the experiment performed on the real vehicle. Finally, we discuss the experiment result and conclude the paper in Section 5.

II. RELATED WORKS

A. Recent Researches

Recently, Samy Kamal developed the hacking tool named OwnStar to hack GM's OnStar service. He successfully gained the system control authority of OnStar and controlled remote start, door, etc. [1]. Charlie Miller and Chris Valasek introduced their work on Jeep Cherokee via the wireless network. They took over full control of vehicle systems including steering, acceleration, brakes and turning off the engine at the remote side [2]. They proved that an arbitrary vehicle can be controlled by remote attackers when attackers know the IP address assigned to the vehicle. Miller and Valasek also showed what hackers can do by injecting fake messages on CAN bus and suggested countermeasures against message injection attacks. They developed and publicly released the attack tool named EcomCat, which helps to receive and transmit messages on CAN bus [3]. In fact, there were many attempts to hack a car before Miller and Valasek's work. Koscher et al. investigated practical security issues in vehicles on the road. They showed that they could take control of vehicle systems like the engine, brakes, heating, and lights. A custom tool named CARSHARK, which can analyze and inject messages on CAN bus, is used for experimental analysis [4]. Checkoway et al. categorized external attack surfaces of the vehicle. According to their category, there are four external attack surfaces of a vehicle: OBD-II port as direct physical, CD and PassThru device as indirect physical, Bluetooth as short-range wireless, and Cellular as long-range wireless [5]. Verdult et al. found vulnerabilities in the Hitag2 transponders that enable retrieval of the secret key and can be abused to bypass the immobilizer and start the vehicle [6]. Ishtiaq et al. introduced vulnerabilities of in-vehicle wireless networks through the case study of pressure monitoring system [7].

B. Research Projects on Vehicle Security

In this section, we summarized the recent research projects on vehicle security. Besides the listed projects below, many standards (e.g. ISO 26262 [21], a safety standard on road vehicles, and AUTOSAR [22], an open standard architecture) are continuously making efforts to enhance the vehicle security level. Well-known vehicle security projects are as follows.

• SeVeCom (Secure Vehicular Communication) defines the security architecture of inter-vehicular and vehicle-infrastructure communications, mechanism of security functions and cryptographic primitives required [8].

• While SeVeCom focused on attacks on external communication, EVITA (E-safety Vehicle Intrusion Protected Applications) focused on in-vehicle systems. EVITA developed an architecture and implemented Hardware Security Module (HSM) for automotive on-board networks to protect in-vehicle systems related to security and sensitive data [9].

• PRECIOSA (Privacy Enabled Capability in Co-operative Systems and Safety Applications) focused on privacy in V2X communication. They developed guidelines for Intelligent Transport System (ITS) privacy, trust models and ontologies for privacy, and privacy-verifiable architecture [10].

• OVERSEE (Open Vehicular Secure Platform) designed an open platform that provides secure communication between in-vehicle network and applications. Secure Vehicle Access Service (SVAS) is used for secure communication. OVERSEE uses virtualization to isolate each workspace of applications and Security Policy Module to manage application's access to hardware [11].

• PRESERVE (Preparing Secure V2X Communication Systems) combines results from earlier research projects of European countries such as SeVeCom, PRECIOSA, EVITA and OVERSEE to provide a complete, scalable and cost-efficient solution for security problems related to communication systems connected to vehicles [12].
• VSCC (Vehicle Safety Communication Consortium) consists of 7 automobile manufacturers: BMW, DaimlerChrysler, Ford, GM, Nissan, Toyota, and VW. They developed vehicle safety service using Vehicle-to-Vehicle (V2V) communications and specified communication requirements of vehicle safety applications, including secure V2X communication [13].

• NoW (Network on Wheels) and CVIS (Cooperative Vehicle-Infrastructure Systems) designed communication protocols for V2X communications. While NoW focused on V2V and data security, CVIS focused on Vehicle-to-Infrastructure (V2I) and various security issues such as user authentication and data privacy [14], [15].

C. Intrusion Detection System (IDS) for Vehicle Network

Traditional vehicles don't need to have a strong security system because they don't have a network interface to communicate with external networks. Therefore, CAN itself is like a closed network for a long time. Many components of the vehicles become computerized, and vehicles become connected to outside networks.

Vehicle security is closely related to safety. Detecting and preventing the attacks is important to protect the safety of drivers and passengers. There have been several researches to detect attacks targeted on vehicles. Hoppe et al. [16] and Miller and Valasek [17] introduced a concept for in-vehicle intrusion detection based on the analysis of the rate of messages. Because the number of messages on CAN bus is the sum of numbers of normal messages and attack messages, they analyzed the distribution of rates of messages (messages per second) to detect anomalous message occurrences. Larson et al. proposed a specification-based attack detection method [18]. They detected the traffic that does not fit the protocol-level security specifications and ECU-behavior security specifications. Protocol-level security specifications define the individual fields, dependent fields, and inter-object fields of a message. ECU-behavior security specifications are about message transmission, message reception, and rates of message transmission and reception of each ECU. Muter and Asaj proposed an entropy-based anomaly detection method [19]. They defined the notion of entropy on CAN bus and detected the intrusion by comparing entropy to a reference set. Muter et al. [20] proposed a structured approach for anomaly detection. They use eight sensors to monitor various aspects on CAN bus. Their method showed no false positive error. However, if an adversary injects messages that do not violate CAN specification, then this attack cannot be detected by their algorithm.

Early researches about message rate based intrusion detection on CAN bus need to collect enough CAN bus messages to compute the distribution of a message. Thus, their detection methods need some time to detect anomalous messages. However, the current computerized devices in vehicles have limited computing power to detect and respond in real time.

To overcome this problem, we suggest a light-weight intrusion detection method. Our goal is simplifying the detection algorithm to respond faster and to reduce the usage of computing power.

III. LIGHT WEIGHT IDS

A. Threat model

The proposed system is a hybrid IDS that can detect both known attack signatures and anomalous events. The number of known attack signatures on a vehicle is relatively small; this signature-based detection module does not require high computing power. The proposed system is mainly designed to detect message injection attacks by analyzing traffic anomalies based on message frequency. As CAN is a broadcast network, messages sent by one of the nodes do not contain its source or target information. Also, these messages cannot be manipulated or eliminated easily. But, an attacker can still inject messages into CAN bus to control electronic devices such as ECU. Fig. 1 shows the conceptual diagram that describes the difference between the status under the message injection attack and a normal status.

In normal status, each message ID (0x1, 0x2, …) generated by ECUs has its own regular frequency or interval. When attackers try to inject messages to execute a command to an ECU, then this frequency or interval is unexpectedly changed. While messages are being injected by attackers, ECUs still send their messages cyclically. Eventually, the rate of messages on the network can be increased more than two times (typically 20 – 100 times higher; it depends on the attacker's injection speed).

We select the message rate as a significant feature for the proposed detection method, and that is effective. But, there is a gap in time between the time the attack started and the time of detection. For example, if we set the time window as one second to observe and calculate the rate, there is always one-second gap at max. Even though attackers begin attacks at 0 seconds, we have to receive the attack packets until the minimum time window required to calculate the rate has passed. As with the other statistical methods, a small size of observational data can cause an error in making a decision. But attacks can happen at any time; this false-negative error can cause a serious accident. To solve this problem, we simplify the process of detecting message injection to get a fast response while accuracy stays high.

There are two forms of CAN injection attacks. One is injecting CAN diagnostic messages, and the other is injecting standard messages to imitate the messages from ECUs. In general, diagnostic messages should not appear when a car is on a road. If this diagnostic message happens on the road, then that is obviously an attack or a system malfunction case.

We divided message injection attacks into three types for experiments. Type 1 is injecting messages of single CAN ID, type 2 is injecting random or pre-ordered messages of multiple CAN IDs, and type 3 is massive message injection such as Denial of Service (DoS) attack. These attacks are basically similar but different in their purpose. Details of the three types of injection attack and countermeasures are as follows.
• Type 1: Injecting specific messages of single CAN ID repeatedly to make vehicle operate according to injected messages. We could detect the type-1 attack by finding a message that has an abnormally shortened time interval.

• Type 2: Injecting random or pre-ordered messages of multiple CAN IDs to cause a system malfunction on a vehicle. A replay attack is one of type-2 attack based on pre-ordered messages injection. We could detect the type-2 attack by finding multiple CAN IDs that have a shorter time interval than normal.

• Type 3: Injecting messages massively to disrupt CAN communication. An attacker can easily generate the traffic to surpass the maximum capacity of CAN bus, only 1 Mbps. Each CAN message has 128 bits maximally, and there are three 1-bits called interframe space between messages. Thus, DoS attack can occur by sending about 8,000 messages per second.

Fig. 1. Conceptual diagram about transmitted messages on CAN bus on (a) normal status and (b) under message injection attack. As shown in the figure, there are three CAN IDs, 0x01, 0x02, and 0x03. The time interval of 0x01 is 20, of 0x02 is 40, and of 0x03 is 100 milliseconds. There are five injected messages by attacker in (b) every 20 milliseconds from 60 to 140 millisecond. The time interval of 0x02 falls rapidly less than 10 milliseconds from 20 milliseconds.

B. Intrusion Detection

There is a unique time interval for each CAN ID because each ECU connected to CAN bus sends messages regularly. We focused on this fact and designed our IDS based on the analysis of time intervals of messages. The proposed system detects message injection attacks with the following procedure.

• When a new message appears on CAN bus, IDS checks the CAN ID and computes the time interval from the arrival time of the latest message.

• If time interval of a new message is shorter than normal, then IDS judges the message as an injected message. (In this experiment, we regard a message as an injected message when the time interval is below the half of the normal.)

• Especially if time intervals of latest messages in a row are less than 0.2 milliseconds, then DoS attack score is increased by 1 per message.

• IDS classifies that event as a DoS attack when the score is larger than a given threshold.

The average time interval of messages on normal status is about 0.5 milliseconds and minimum time interval is about 0.14 milliseconds. Because there are some normal messages that have time intervals less than 0.2 milliseconds, a threshold is used in DoS attack detection to reduce the false positive ratio. We described the process of proposed system in Fig. 2.

Fig. 2. Diagram of proposed IDS. After analysis of time interval of each message, there are two parts of the detection module. One is detecting injection of messages for controlling or malfunction. The other is detecting DoS attack to disturb CAN communication.

IV. EXPERIMENT

A. Dataset

K-car (anonymized for protecting sensitive information) is used as a testing vehicle, and KVASER CAN interface is used to connect to CAN bus. Connecting the laptop computer to OBD-II port is shown in Fig. 3. OBD-II port of K-car is under the steering wheel.

Fig. 3. Photos about connecting to OBD-II port of K-car with a laptop computer using KVASER CAN interface device.

We captured messages from CAN bus on normal speed driving for about 40 minutes. We injected messages 30 times for 5-10 seconds randomly for each attack. Types of attacks are injecting messages of a single CAN ID, multiple CAN IDs, and massively for DoS. After that, we performed random sampling to get a hundred 1-minute samples mixed with the under-attack and normal status. We divided samples into two statuses: those containing injected messages (under-attack status), and the clean ones (normal status). Details about the dataset used in each experiment are described in the next section.

B. Experiment Result

First, we injected messages of a randomly selected single CAN ID at double, quintuple, and decuple the original cycle speed. Previous research [17] also mentioned that an attacker should send messages 20-100 times faster than the original ECU to make the target ECU listen to the injected messages.

As described in subsection A, we created 43 attack samples and 57 normal samples in double speed injection, 39 attack samples and 61 normal samples in quintuple speed injection, and 35 attack samples and 65 normal samples in decuple speed injection. In all cases, our IDS detected message injection attacks with 100% accuracy, and there is no false positive error.

Fig. 4 (a) and Fig. 4 (b) show the time intervals of the selected CAN ID at normal status and message injection status, respectively. Messages are injected decuple faster than the own cycle of the CAN ID. Therefore, the time interval of injected messages is less than 10% of the original interval. We injected messages two times. The first injection started at 7 seconds and continued for about 3 seconds. The second injection started at 16 seconds and ended at 17.6 seconds. There is a clear difference of time intervals between the normal status and under-attack status.

Fig. 4. Time intervals of messages of a certain CAN ID. Each point represents an order and time interval of a message. The X-axis is message generation number, and the Y-axis is a time interval of a message. For example, the first message is generated at 0.05715 seconds and the second message is generated at 0.15717 seconds. So, the second point in (a) is at (2, 0.10002).

Second, we injected messages of randomly selected 2-5 CAN IDs at double, quintuple, and decuple the original speed. The difference from the first experiment is just the number of CAN IDs of the injected messages. We created 39 attack samples and 61 normal samples in double speed injection, 44 attack samples and 56 normal samples in quintuple speed injection, and 39 attack samples and 61 normal samples in decuple speed injection. Our IDS classifies all the attack status and normal status samples with 100% accuracy, as in the first experiment. Table III shows the result of experiment I and II. As mentioned above, we successfully detected message injection attacks in all the cases.

TABLE III. DETECTION ACCURACY

| Injection type | Injection speed | Attack samples | Normal samples | Detection accuracy |
|---|---|---|---|---|
| Single CAN ID | Double | 43 | 57 | 100 % |
| Single CAN ID | Quintuple | 39 | 61 | 100 % |
| Single CAN ID | Decuple | 35 | 65 | 100 % |
| Multiple CAN ID | Double | 39 | 61 | 100 % |
| Multiple CAN ID | Quintuple | 44 | 56 | 100 % |
| Multiple CAN ID | Decuple | 39 | 61 | 100 % |

At last, we tested DoS attacks on CAN bus by injecting messages massively. There are about 2,000 messages per second at the normal status; attackers can do DoS attack on CAN bus by sending about 6,000 messages more per second. We set the cutoff of the time interval to 0.2 milliseconds for detecting DoS message. As mentioned in section 3, there are messages that have time interval less than 0.2 milliseconds at the normal status but not often. We removed the false positive error by using a scoring method. We increased DoS attack score by 1 per message when the latest messages in a row have time interval less than 0.2 milliseconds. Then we reset the score when the time interval of the latest message is larger than 0.2 milliseconds.

We created 36 DoS attack samples and 64 normal samples. We used 1, 2, 3 and 5 as the threshold value to measure the detection accuracy for each case. Fig. 5 shows the results according to the threshold value. When the threshold value is 1, detection accuracy is only 36 percent. Because there are messages with time interval less than 0.2 milliseconds even though there was no DoS attack, all samples were regarded as attack samples. However, detection accuracy is increased as threshold becomes larger, especially at 3 to 93 percent and 100 percent over 3. Our IDS just requires less than one millisecond to detect the DoS attack since DoS attack begins. It is fast enough to avoid an accident caused by DoS attack.
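The procedure of Section III-B, with the score reset described in Section IV-B, is shown below as an added example (not the authors' implementation), run on constructed traffic modelled on Fig. 1. Assumptions: timestamps are integer microseconds, the "normal" interval of each ID is the median learned from a clean capture, the 0.2 ms DoS cutoff is applied to the gap between consecutive frames of any ID, and all names (`IntervalIDS`, `learn_baseline`, `run`, and the trace helpers) are hypothetical.

```python
from dataclasses import dataclass, field
from statistics import median
from typing import Optional

DOS_CUTOFF_US = 200   # 0.2 ms cutoff from the paper, in microseconds


def learn_baseline(frames):
    """Per-ID normal interval from a clean capture of (timestamp_us, can_id).
    Taking the median is an assumption; the paper only says "normal"."""
    last, gaps = {}, {}
    for ts, can_id in frames:
        if can_id in last:
            gaps.setdefault(can_id, []).append(ts - last[can_id])
        last[can_id] = ts
    return {can_id: median(g) for can_id, g in gaps.items()}


@dataclass
class IntervalIDS:
    normal_us: dict                       # CAN ID -> normal interval (us)
    dos_threshold: int = 5                # the paper evaluates 1, 2, 3 and 5
    last_by_id: dict = field(default_factory=dict)
    last_any: Optional[int] = None        # previous frame on the bus, any ID
    dos_score: int = 0

    def observe(self, ts, can_id):
        """Process one frame and return the alerts it raises."""
        alerts = []
        # Injection check: the interval to the previous frame of the same ID
        # is below half of that ID's normal interval.
        prev = self.last_by_id.get(can_id)
        self.last_by_id[can_id] = ts
        normal = self.normal_us.get(can_id)   # IDs without a baseline are skipped
        if prev is not None and normal is not None and 2 * (ts - prev) < normal:
            alerts.append("INJECTION")
        # DoS score: +1 for each consecutive gap under the cutoff, reset on
        # the first longer gap. Measuring the gap bus-wide is an assumption.
        if self.last_any is not None:
            if ts - self.last_any < DOS_CUTOFF_US:
                self.dos_score += 1
            else:
                self.dos_score = 0
        self.last_any = ts
        if self.dos_score > self.dos_threshold:
            alerts.append("DOS")
        return alerts


def run(ids, frames):
    """Feed frames in arrival order; collect (timestamp_us, can_id, alert)."""
    return [(ts, cid, a) for ts, cid in frames for a in ids.observe(ts, cid)]


# --- constructed traffic, modelled on Fig. 1 (periods 20, 40 and 100 ms) ---
def periodic(can_id, start_us, period_us, end_us):
    return [(ts, can_id) for ts in range(start_us, end_us, period_us)]


def normal_traffic(end_us):
    return sorted(periodic(0x01, 0, 20_000, end_us)
                  + periodic(0x02, 5_000, 40_000, end_us)
                  + periodic(0x03, 10_000, 100_000, end_us))


BASELINE = learn_baseline(normal_traffic(1_000_000))


def injection_alerts():
    # Five extra 0x02 frames, one every 20 ms, on top of normal traffic.
    injected = periodic(0x02, 62_000, 20_000, 143_000)
    return run(IntervalIDS(BASELINE), sorted(normal_traffic(200_000) + injected))


def dos_alerts():
    # Flood of 20 frames spaced 0.1 ms apart, starting at t = 20.3 ms.
    flood = periodic(0x00, 20_300, 100, 22_300)
    return run(IntervalIDS(BASELINE), sorted(normal_traffic(20_001) + flood))


if __name__ == "__main__":
    for ts, cid, alert in injection_alerts() + dos_alerts()[:1]:
        print(f"{ts / 1000:8.1f} ms  id=0x{cid:02X}  {alert}")
```

On the constructed injection trace, two of the five alerts fall on genuine 0x02 frames that arrive shortly after an injected one: the interval check shows that the ID's timing was disturbed, not which frame was forged. With the threshold of 5, the flood is flagged 0.6 ms after it starts.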
Fig. 5. Detection accuracy of DoS attacks according as threshold values. Only 36 percent when the threshold value was 1. Increased to 100 percent using threshold value over 4.

V. CONCLUSION

We showed that there was a clear difference between time intervals of messages in the normal status and under-attack status in section 4. Time intervals of specific CAN ID in normal were about 0.1 seconds. In contrast, time intervals under injection attack status became short (almost 10% of the normal time interval).

Therefore, we propose the light-weight IDS based on analysis of time intervals of CAN messages for in-vehicle networks. This system can successfully detect message injection attacks in a millisecond.

In spite of the simplicity of the detection algorithm, our IDS shows improved performance over previous intrusion detection methods such as message rate based IDS. We significantly reduce the delay of detection that can cause a big accident when a vehicle is driving on a road with high speed. Also, the proposed IDS shows 100 percent detection accuracy without false positive errors in three kinds of message injection experiment.

The strength of the proposed detection algorithm is that it is simple and efficient to use. So, our IDS fits well with most vehicles that have limitations of computing power.

A. Limitations and Future Works

In future work, we will analyze the CAN message sequence to detect irregular message incomings. This sequence analysis requires more computing power, but it can improve the detection accuracy by using the known message sequence patterns as a white-list.

ACKNOWLEDGMENT

This work was supported by Samsung Research Funding Center of Samsung Electronics under Project Number SRFC-TB1403-00.

REFERENCES

[1] S. Kamal, OwnStar: Locates, Unlocks, Remote Starts GM/OnStar Cars. 2015.
[2] C. Miller and C. Valasek, "Remote exploitation of an unaltered passenger vehicle," in BlackHat USA, 2015.
[3] C. Miller and C. Valasek, "Demo: Adventures in automotive networks and control units," in DEFCON, 2013.
[4] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage, "Experimental Security Analysis of a Modern Automobile," in Proc. of the 31st IEEE Symposium on Security and Privacy, 2010, pp. 447-462.
[5] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner and T. Kohno, "Comprehensive experimental analyses of automotive attack surfaces", Proc. 20th USENIX SEC, pp. 6-6, 2011.
[6] Roel Verdult, Flavio D. Garcia, and Josep Balasch. Gone in 360 seconds: Hijacking with Hitag2. In 21st USENIX Security Symposium (USENIX Security 2012). USENIX Association, 2012.
[7] I. Rouf, R. Miller, H. Mustafa, T. Taylor, S. Oh, W. Xu, M. Gruteser, W. Trappe, and I. Seskar, "Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study," in Proc. of the 19th USENIX Security Symposium, Aug. 2010.
[8] Sevecom.org, 'Secure of future vehicle communication networks', [Online]. Available: http://www.sevecom.org/. Accessed on: Sep 12, 2015.
[9] Evita-project.org, 'EVITA', 2008. [Online]. Available: http://www.evita-project.org/. Accessed on: Sep 12, 2015.
[10] Preciosa-project.org, [Online]. Available: http://www.preciosa-project.org/. Accessed on: Sep 12, 2015.
[11] Oversee-project.com, 'Oversee'. [Online]. Available: https://www.oversee-project.com/. Accessed on: Sep 12, 2015.
[12] Preserve-project.eu, 'Preparing Secure V2X Communication Systems'. [Online]. Available: https://www.preserve-project.eu/. Accessed on: Sep 12, 2015.
[13] H. Krishnan, Vehicle Safety Communications Project Vehicle Safety Communications Project, 2006. [Online]. Available: http://www.sae.org/events/ads/krishnan.pdf. Accessed on: Sep 12, 2015.
[14] A. Festag, G. Noecker, M. Strassberger, A. Lübke, B. Bochow, M. Torrent-Moreno, S. Schnaufer, R. Eigner, C. Catrinescu and J. Kunisch, "'NoW—Network on Wheels': Project objectives, technology and achievements", Proc. WIT, pp. 123-128, 2008. [Online]. Available: http://www.network-on-wheels.de.
[15] Cvisproject.org. [Online]. Available: http://www.cvisproject.org/. Accessed on: Sep 12, 2015.
[16] T. Hoppe, S. Kiltz, and J. Dittmann. Security threats to automotive CAN networks - practical examples and selected short-term countermeasures. In SAFECOMP, 2008.
[17] Charlie Miller and Chris Valasek, A Survey of Remote Automotive Attack Surfaces, BlackHat USA, 2014.
[18] U. E. Larson, D. K. Nilsson, and E. Jonsson, "An Approach to Specification-based Attack Detection for In-Vehicle Networks," in Proc. of the IEEE Intelligent Vehicles Symposium, 2008, pp. 220-225.
[19] M. Muter and N. Asaj, "Entropy-based anomaly detection for in-vehicle networks," in Intelligent Vehicles Symposium (IV). Baden Baden, Germany: IEEE, 2011, pp. 1110-1115.
[20] M. Muter, A. Groll, and F. C. Freiling, "A structured approach to anomaly detection for in-vehicle networks," in 6th Int. Conf. Information Assurance and Security (IAS). Atlanta, GA: IEEE, 2010, pp. 92-98.
[21] ISO 26262, "Road Vehicles – Functional Safety", [Online]. Available: http://www.iso.org/iso/catalogue_detail?csnumber=43464. Accessed on: Sep 12, 2015.
[22] AUTOSAR, [Online]. Available: http://www.autosar.org. Accessed on: Sep 12, 2015.
