Field classification, modeling and anomaly detection in unknown CAN bus networks

This paper describes a novel domain-aware anomaly detection system for in-car CAN bus traffic. Through inspection of real CAN bus communication, we discovered the presence of semantically-meaningful Constant fields, Multi-Value fields and Counter or Sensor fields. For CAN networks in which the specifications of the electronic control units (ECUs) are unknown, and hence, the borders between the bit-fields are unknown, we developed a greedy algorithm to split the messages into fields and classify the fields into the types we observed. Next, we designed a semantically-aware anomaly detection system for CAN bus traffic. In its learning phase, our system uses the classifier to characterize the fields and build a model for the messages, based on their field types. The model is based on Ternary Content-Addressable Memory (TCAM), that can run efficiently in either software or hardware. During the enforcement phase our system detects deviations from the model. We evaluated our system on simulated CAN bus traffic, and achieved very encouraging results: a median false positive rate of 1% with a median of only 89.5 TCAMs. Finally we evaluated our system on the real CAN bus traffic. With a sufficiently long period of recording, we achieved a median false positive rate of 0% with an average of 252 TCAMs.