Payload-Based Statistical Intrusion Detection for In-Vehicle Networks

Modern vehicles are equipped with Electronic Control Units (ECUs), and they communicate with each other over in-vehicle networks. However, since the Controller Area Network (CAN), a common communication protocol for ECUs, does not have a security mechanism, malicious attackers might take advantage of its vulnerability to inject a malicious message to cause unintended controls of the vehicle. In this paper, we study the applicability of statistical anomaly detection methods for identifying malicious CAN messages in in-vehicle networks. To incorporate various types of information included in a CAN message, we apply a rule-based field classification algorithm for extracting message features, and then obtain low dimensional embeddings of message features, and use the reconstruction error as a maliciousness score of a message. We collected CAN message data from a real vehicle, and confirmed the effectiveness of the methods in practical situations.