Research On Anomaly Detection Technology For In-Vehicle CAN Bus Network

Posted on: 2020-05-27
Degree: Master
Type: Thesis
Country: China
Candidate: H L Zhang
GTID: 2392330602950225
Subject: Engineering

Abstract/Summary:
With the rapid development of the Internet of Things and mobile communication technology, automobiles are becoming more and more connected and intelligent. However, the frequent automobile information security incidents of recent years show that automobiles face severe information security threats. After an attacker invades an automobile by one of various means, the attacker can control it by sending malicious instructions to the in-vehicle network. The CAN bus protocol is the most widely used protocol in in-vehicle networks, transmitting instructions and status information. Protecting the CAN bus is therefore the key to securing the in-vehicle network. As an important means of network security defense, anomaly detection can be embedded into the CAN bus in the form of a bus node. It can report anomalous network behavior without affecting in-vehicle communication, which makes it suitable for in-vehicle networks.

However, our study finds that the existing schemes still have the following shortcomings:

(1) Existing anomaly detection schemes based on information entropy do not consider the influence of the bus transmission rate and of aperiodic messages on the entropy value, nor do they make use of the relationships between different messages. This leads to false alarms, and the ID of the anomalous messages cannot be obtained.

(2) Malicious instructions are stored in the data domain of CAN messages, but because the CAN bus communication matrix is confidential, existing schemes take little account of the data domain of CAN messages. They cannot detect tamper attacks effectively and, furthermore, fail to locate the anomalous messages at fine granularity.

Aiming at the security problems of the CAN bus and the shortcomings of existing schemes, and according to the different features of CAN bus messages, this paper proposes two corresponding anomaly detection schemes to protect the security of the CAN bus. The main research of this paper includes:

1. The information security problems of automobiles and the existing anomaly detection schemes are analyzed in depth. We describe the attack interfaces of automobiles and the security problems they bring, and introduce the characteristics of the CAN bus in detail. Then the security threats and attack modes faced by the CAN bus are summarized. Finally, based on the characteristics of the CAN bus, we set out the challenges of protecting it. The difficulties of anomaly detection for in-vehicle networks are summarized, and the existing anomaly detection schemes for in-vehicle networks are classified and introduced.

2. Aiming at the shortcomings of existing CAN bus anomaly detection schemes based on information entropy, a CAN bus anomaly detection scheme based on relative entropy is proposed. In our scheme, a sliding window with a fixed number of messages, instead of a fixed time, is used, and messages are paired according to the connections between CAN messages. By calculating two kinds of relative entropy, anomalies can be detected effectively and the ID of the anomalous messages can be determined. The validity of our scheme is verified on a real-life CAN bus dataset, on which replay attacks and DoS attacks are detected accurately. The setting of the anomaly detection threshold and the influence of the sliding window size on the detection results are then discussed.

3. Aiming at the problem that existing schemes take little account of the data domain of CAN bus messages, we propose a CAN bus anomaly detection scheme based on the data domain. This scheme designs algorithms to extract the constant, multiple and loop features in the data domain of CAN messages, then builds a normal message model based on these features to realize fine-grained detection and location of anomalous messages. Finally, experiments are carried out on CAN bus datasets collected from different in-vehicle networks to verify the performance of this scheme in terms of accuracy, detection rate, false alarm rate and false negative rate.
Keywords/Search Tags:Internet of Vehicles, In-vehicle network, CAN bus, anomaly detection, relative entropy
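
As an added illustration of the windowed relative-entropy idea in item 2 (not code from the thesis; the abstract gives neither its formulas, its message pairing nor its two entropy variants), the sketch below assumes a single relative entropy over CAN ID frequencies against an attack-free baseline and names the ID with the largest contribution. The function names, window size, threshold and traffic are all constructed for the example.

```python
import math
from collections import Counter

def id_distribution(ids, alphabet, eps=1e-6):
    """Smoothed relative frequency of each CAN ID (eps avoids log of zero)."""
    counts = Counter(ids)
    total = len(ids) + eps * len(alphabet)
    return {i: (counts[i] + eps) / total for i in alphabet}

def window_report(window, baseline_ids):
    """Return (D(P_window || Q_baseline) in bits, ID with the largest term)."""
    alphabet = set(window) | set(baseline_ids)
    p = id_distribution(window, alphabet)
    q = id_distribution(baseline_ids, alphabet)
    terms = {i: p[i] * math.log2(p[i] / q[i]) for i in alphabet}
    return sum(terms.values()), max(terms, key=terms.get)

def detect(stream, baseline_ids, size, threshold, step=None):
    """Slide a window of `size` messages (a message count, not a time span)."""
    alerts = []
    for start in range(0, len(stream) - size + 1, step or size):
        score, suspect = window_report(stream[start:start + size], baseline_ids)
        if score > threshold:
            alerts.append((start, round(score, 3), suspect))
    return alerts

# Constructed traffic: CAN IDs only, in arrival order (not from a real vehicle).
PERIOD = [0x100, 0x200, 0x100, 0x300]
BASELINE = PERIOD * 50                      # attack-free training capture
NORMAL = PERIOD * 5                         # 20 messages, same mix as baseline
DOS = [0x000] * 12 + PERIOD * 2             # window flooded with ID 0x000
REPLAY = PERIOD * 3 + [0x200] * 8           # window with extra 0x200 frames
STREAM = NORMAL + DOS + NORMAL + REPLAY

if __name__ == "__main__":
    for start, score, suspect in detect(STREAM, BASELINE, size=20, threshold=0.1):
        print(f"window at message {start}: D={score} bits, suspect ID {suspect:#05x}")
```

Because the window is a message count, a burst of injected frames fills the window with the injected ID and changes the distribution, where a fixed-time window would instead change size with the bus load.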