CANLP: Intrusion Detection for Controller Area Networks using Natural Language Processing and Embedded Machine Learning
| dc.contributor.advisor | Poovendran, Radha | |
| dc.contributor.author | Balasubramanian, Kavya | |
| dc.date.accessioned | 2024-10-16T03:12:52Z | |
| dc.date.issued | 2024-10-16 | |
| dc.date.submitted | 2024 | |
| dc.description | Thesis (Master's)--University of Washington, 2024 | |
| dc.description.abstract | The Controller Area Network (CAN) protocol is the most widely used standard in the automotive industry for in-vehicle networks. However, the CAN protocol lacks essential security features such as encryption and message authentication. Absence of such security features has been shown to make the vehicle network vulnerable to exploits by an adversary. Although multiple types of intrusion detection systems (IDS) have been developed for CAN, it can be difficult to deploy them in real-time with low latency. Many of these IDSs are unable to isolate a specific transmitting Electronic Control Unit (ECU) and CAN frame on which an attack has been mounted, which makes it challenging to design defense mechanisms. In this thesis, we develop CANLP, a Natural Language Processing (NLP)-based intrusion detection system to determine whether each transmitted message originated from a legitimate ECU or an adversary. CANLP uses Term Frequency-Inverse Document Frequency (TF-IDF), an NLP technique, to discern complex features associated with CAN data and trains machine learning models to identify three types of attacks: fuzzing, spoofing, and masquerade. When an attack is detected, CANLP identifies the compromised transmitter ECU and malicious CAN frame, which is important for developing resilient systems. Extensive experiments on 4 publicly available vehicle network datasets (which represent data collected from over three vehicle makes and four models) show that CANLP performs attack classification with high F1-scores of 0.9974. We also show that CANLP can be deployed for attack detection on resource-constrained hardware through experiments on a testbed with latency as low as < 0.05 ms, hence improving the accuracy-compute tradeoff and making it perfect for real-world automotive applications. | |
| dc.embargo.lift | 2025-10-16T03:12:52Z | |
| dc.embargo.terms | Restrict to UW for 1 year -- then make Open Access | |
| dc.format.mimetype | application/pdf | |
| dc.identifier.other | Balasubramanian_washington_0250O_27483.pdf | |
| dc.identifier.uri | https://hdl.handle.net/1773/52497 | |
| dc.language.iso | en_US | |
| dc.rights | CC BY-NC-ND | |
| dc.subject | Controller Area Network | |
| dc.subject | Deep Learning | |
| dc.subject | Embedded ML | |
| dc.subject | Intrusion Detection | |
| dc.subject | Natural Language Processing | |
| dc.subject | Security | |
| dc.subject | Electrical engineering | |
| dc.subject | Computer science | |
| dc.subject.other | Electrical and computer engineering | |
| dc.title | CANLP: Intrusion Detection for Controller Area Networks using Natural Language Processing and Embedded Machine Learning | |
| dc.type | Thesis |
Files
Original bundle
- Name: Balasubramanian_washington_0250O_27483.pdf
- Size: 3.79 MB
- Format: Adobe Portable Document Format
