基于通信特征的CAN总线泛洪攻击检测方法

doi:10.11959/j.issn.2096-109x.2020005

Chinese Journal of Network and Information Security ›› 2020, Vol. 6 ›› Issue (1): 27-37.doi: 10.11959/j.issn.2096-109x.2020005

• Papers • Previous Articles Next Articles

CAN bus flood attack detection based on communication characteristics

Yimu JI^1,^2,^3,⁴,Zhipeng JIAO^1,³(),Shangdong LIU^1,^2,^3,⁴,Fei WU^3,⁵,Jing SUN^1,³,Na WANG^1,³,Zhiyu CHEN^1,³,Qiang BI^1,³,Penghao TIAN^1,³

¹ School of Computer Science,Nanjing University of Posts and Telecommunications,Nanjing 210023,China
² Jiangsu Key Laboratory of High-Tech Research on Wireless Sensor Networks,Nanjing University of Posts and Telecommunications,Nanjing 210023,China
³ Institute of High Performance Computing and Big Data Processing,Nanjing University of Posts and Telecommunications,Nanjing 210023,China
⁴ Research Center for High Performance Computing and Intelligent Processing Engineering,Nanjing University of Posts and Telecommunications,Nanjing 210023,China;5.School of Automation,Nanjing University of Posts and Telecommunications,Nanjing 210023,China
⁵ School of Automation,Nanjing University of Posts and Telecommunications,Nanjing 210023,China

Revised:2019-07-29 Online:2020-02-15 Published:2020-03-23
Supported by:
The National Key R＆D Program of China(2017YFB1401302);The National Key R＆D Program of China(2017YFB0202200);The National Natural Science Foundation of China(61572260);The National Natural Science Foundation of China(61872196);The Jiangsu Natural Science Foundation Excellent Youth Fund Project(BK20170100);The Jiangsu Provincial Key R＆D Program(BE2017166)

Abstract

Abstract:

CAN has become the most extensive fieldbus for contemporary automotive applications due to its outstanding reliability and flexibility.However,the standard CAN protocol does not provide sufficient security measures and is vulnerable to eavesdropping,replay,flooding,and denial of service attacks.In order to effectively detect whether the CAN bus is attacked,and to filter malicious messages when subjected to flooding attacks.The characteristics of vehicle CAN bus message communication were analyzed,and an intrusion detection method was proposed,which could effectively perform intrusion detection and malicious message filtering.Through experimental verification,the method can detect whether the CAN bus is attacked by 100%,and the accuracy of malicious packet filtering can reach over 99%.

Key words: CAN bus, communication characteristics, intrusion detection, malicious message filtering

CLC Number:

TP336

Yimu JI,Zhipeng JIAO,Shangdong LIU,Fei WU,Jing SUN,Na WANG,Zhiyu CHEN,Qiang BI,Penghao TIAN. CAN bus flood attack detection based on communication characteristics[J]. Chinese Journal of Network and Information Security, 2020, 6(1): 27-37.

Figures/Tables 10

References 15

[1]	WOLF M , WEIMERSKIRCH A , WOLLINGER T ,et al. State of the art:embedding security in vehicles[J]. EURASIP Journal on Embedded Systems, 2007(5): 1-16.
[2]	NOLTE T , HANSSON H , BELLO L L ,et al. Automotive communications-past,current and future[C]// IEEE International Conference on Emerging Technologies and Factory Automation. 2005: 19-22.
[3]	CHECKOWAY S , MCCOY D , KANTOR B ,et al. Comprehensive experimental analyses of automotive attack surfaces[C]// USENIX Security Symposium. 2011.
[4]	AVATEFIPOUR O.MALIK H . State-of-the-art survey on in-vehicle network communication can-bus security and vulnerabilities[J]. Comput Sci Netw, 2017,6: 720-727.
[5]	ANDREEA R , FLAVIO D . LeiA:A lightweight authentication protocol for CAN[C]// Computer Science-ESORIC, 2016: 283-300
[6]	YING X , BERNIERI G , CONTI M ,et al. TACAN:transmitter authentication through covert channels in controller area networks[J].arXiv preprint arXiv.1903.05231,2019. arXiv preprint arXiv.1903.05231, 2019.
[7]	HOPPE T , KILTZ S , DITTMANN J ,et al. Security threats to automotive can networks practical examples and selected short term countermeasures[J]. Reliability Engineering and System Safety, 2011(96): 11-25.
[8]	TAYLOR A , JAPKOWICZ N , LEBLANC S ,et al. Frequency-based anomaly detection for the automotive CAN bus[C]// World Congress on Industrial Control Systems Security. 2015: 45-49.
[9]	SONG H M , KIM H R , KIM H K ,et al. Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network[C]// 2016 International Conference on Information Networking (ICOIN). 2016: 63-68.
[10]	MUTER M , ASAJ N . Entropy-based anomaly detection for in-vehicle networks[J]..2011:1110-1115. IEEE Intelligent Vehicles Symposium, 2011: 1110-1115.
[11]	MUTER M , GROLL A , FRELING F ,et al. A structured approach to anomaly detection for in-vehicle networks[C]// International Conference on Information Assurance and Security. 2010: 92-98.
[12]	MOORE M R , BRIDGES R A , COMBS F L ,et al. Modeling inter-signal arrival times for accurate detection of can bus signal injection attacks:a data-driven approach to in-vehicle intrusion detection[C]// Annual Conference on Cyber and Information Security Research. 2017:11.
[13]	MILLER C , VALASEK C . Adventures in automotive networks and control units[C]// Def Con. 2013: 260-264.
[14]	MILLER C , VALASEK C . A survey of remote automotive attack surfaces[C]// BlackHat USA, 2014:94.
[15]	SAGONG S U , YING X , BUSHNELL L ,et al. Exploring attack surfaces of voltage-based intrusion detection systems in controller area networks[C]// ESCAR Europe 2018. 2018: 1-13.

Metrics

Recommended 0

No Suggested Reading articles found!

索引	接收时间	发送/接收	ID	帧类型	帧格式	长度	字节0	字节1	字节2	字节3	字节4	字节5	字节6	字节 7
1	000.001.335	接收	OCFF01DC	数据帧	扩展帧	8	0	0	0	0	8	0	0	128
2	000.016.289	接收	18C00301	数据帧	扩展帧	8	186	13	150	78	0	66	72	1
3	000.019.992	接收	18C00301	数据帧	扩展帧	8	186	13	150	78	0	66	72	1
4	000.002.463	接收	08FF01DD	数据帧	扩展帧	8	8	152	0	0	0	0	0	0
5	000.010.220	接收	OCFF00DC	数据帧	扩展帧	8	132	12	69	0	0	0	0	16
6	000.007.359	接收	18C00301	数据帧	扩展帧	8	186	13	150	78	0	66	72	1
7	000.019.993	接收	18C00301	数据帧	扩展帧	8	186	13	150	78	0	66	72	1
8	000.000.560	接收	17COEEF4	数据帧	扩展帧	8	209	14	14	166	14	15	58	1
9	000.000.568	接收	17COEEF4	数据帧	扩展帧	8	150	0	186	13	4	78	0	0
10	000.000.584	接收	17FF00F4	数据帧	扩展帧	8	0	0	0	0	0	0	0	0
11	000.000.607	接收	18C00501	数据帧	扩展帧	8	0	0	3	0	0	0	0	0
12	000.009.985	接收	08FF00DD	数据帧	扩展帧	8	0	0	171	1	0	0	0	0
13	000.007.689	接收	18C00301	数据帧	扩展帧	8	186	13	150	78	0	66	72	1
14	000.003.654	接收	0CFF01DC	数据帧	扩展帧	8	0	0	0	0	8	0	0	144
15	000.000.578	接收	401	数据帧	扩展帧	8	0	2	0	0	0	0	0	0
16	000.015.782	接收	18C00301	数据帧	扩展帧	8	186	13	150	78	0	66	72	1

接收时间	ID	字节0	字节1	字节2	字节3	字节4	字节5	字节6	字节7
32.016	CFF01DC	0	0	1	0	8	0	0	32
132.845	CFF01DC	0	0	1	0	8	0	0	48
232.033	CFF01DC	0	0	1	0	8	0	0	64
332.203	CFF01DC	0	0	1	0	8	0	0	80
432.096	CFF01DC	0	0	1	0	8	0	0	96
532.469	CFF01DC	0	0	1	0	8	0	0	112
632.033	CFF01DC	0	0	1	0	8	0	0	128
732.047	CFF01DC	0	0	1	0	8	0	0	144
832.423	CFF01DC	0	0	1	0	8	0	0	160
932.861	CFF01DC	0	0	1	0	8	0	0	176
1032.065	CFF01DC	0	0	1	0	8	0	0	192
1132.058	CFF01DC	0	0	1	0	8	0	0	208
1232.251	CFF01DC	0	0	1	0	8	0	0	224
1332.487	CFF01DC	0	0	1	0	8	0	0	240
1432.079	CFF01DC	0	0	1	0	8	0	0	0
1532.063	CFF01DC	0	0	1	0	8	0	0	16
1632.116	CFF01DC	0	0	1	0	8	0	0	32
1732.500	CFF01DC	0	0	1	0	8	0	0	48
1832.062	CFF01DC	0	0	1	0	8	0	0	64

检测系统	攻击检测准确率	恶意报文过滤准确率
CLAD	100.00%	大于99.00%
IDS based on the analysis of time intervals^[9]	100.00%	—
IDS based on anomaly frequency^[12]	99.98%	—

CAN bus flood attack detection based on communication characteristics

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 15

Related Articles 9

Metrics

Recommended 0

[1]	Tianpeng YE, Xiang LIN, Jianhua LI, Xuankai ZHANG, Liwen XU. Personalized lightweight distributed network intrusion detection system in fog computing [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 28-37.
[2]	Xiangdong HU, Lingling TANG. Method on intrusion detection for industrial internet based on light gradient boosting machine [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 46-55.
[3]	ANTONG P, Wen CHEN, Lifa WU. IoT intrusion detection method for unbalanced samples [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 130-139.
[4]	Yimu JI, Weidong YANG, Kui LI, Shangdong LIU, Qiang LIU, Sisi SHAO, Shuai YOU, Naijiao HUANG. Container intrusion detection method based on host system call frequency [J]. Chinese Journal of Network and Information Security, 2021, 7(4): 18-29.
[5]	Gansen ZHAO,Zhijian XIE,Xinming WANG,Jiahao HE,Chengzhi ZHANG,Chengchuang LIN,ZHOU Ziheng,Bingchuan CHEN,RONG Chunming. ContractGuard:defend Ethereum smart contract with embedded intrusion detection [J]. Chinese Journal of Network and Information Security, 2020, 6(2): 35-55.
[6]	Bin ZHANG,Lixun LI,Shuqin DONG. Malware detection approach based on improved SOINN [J]. Chinese Journal of Network and Information Security, 2019, 5(6): 21-30.
[7]	Binghao YAN,Guodong HAN. Combinatorial intrusion detection model based on deep recurrent neural network and improved SMOTE algorithm [J]. Chinese Journal of Network and Information Security, 2018, 4(7): 48-59.
[8]	Jialin WANG, Jiqiang LIU, Di ZHAO, Yingdi WANG, Yingxiao XIANG, Tong CHEN, Endong TONG, Wenjia NIU. Intrusion detection model based on non-symmetric convolution auto-encode and support vector machine [J]. Chinese Journal of Network and Information Security, 2018, 4(11): 57-68.
[9]	Di FAN,Jing LIU,Jun-xi ZHUANG,Ying-xu LAI. Research on attack scenario reconstruction method based on causal knowledge discovery [J]. Chinese Journal of Network and Information Security, 2017, 3(4): 58-68.