Asianhost Paper

A Delay based Plug-in-Monitor for Intrusion Detection in Controller Area Network

Conference Paper · December 2018

DOI: 10.1109/AsianHOST.2018.8607178

All content following this page was uploaded by Qian Wang on 08 April 2019.



A Delay based Plug-in-Monitor for Intrusion
Detection in Controller Area Network
Qian Wang∗ , Yiming Qian∗ , Zhaojun Lu† , Yasser Shoukry∗ and Gang Qu∗

Electrical and Computer Engineering Department
University of Maryland, College Park, MD
Email: {qwang126,yqian10,yshoukry,gangqu}@umd.edu
† School of Optical and Electronic Information, Huazhong University of Science and Technology, Wuhan, China

Email: [email protected]

Abstract—The recent developments in the automobile industry and self-driving technology have necessitated an increase in traditional automobile features to guarantee the driver's safety, improve driving convenience and realize autonomous driving. To support these necessary functions and features, a significant amount of hardware equipment, i.e., Electronic Control Units (ECUs), is integrated into the car system. However, these ECUs also bring security vulnerabilities because their communication follows the Controller Area Network (CAN) protocol, which was designed without support for message origin authentication. Several methods to resolve this problem have been proposed in the literature, but most of them would require heavy communication and computation to support the cryptographic algorithms. In this paper, we propose a delay-based Intrusion Detection System (IDS) to protect the CAN network by identifying the location of the compromised ECU in the in-vehicle network. We develop and implement our detection method on a CAN bus prototype, and our results show that our method is capable of an overall detection accuracy above 97%. The proposed scheme is demonstrated to protect the integrity of the messages on the CAN bus, further improving the security and safety of autonomous vehicles.

978-1-5386-7471-0/18/$31.00 © 2018 IEEE

I. INTRODUCTION

Over the past few years, automobiles have evolved from mechanical devices to connected communication platforms. To assist those necessary computerized functions, sensors with Electronic Control Units (ECU) have seen increasing demand in modern vehicles. Approximately 50-100 ECUs are deployed in vehicles nowadays and they are no longer isolated from the outside world. Indeed, each ECU is assigned several functions and is connected through the Controller Area Network (CAN) bus system. CAN is the most commonly used protocol in the vehicle industry and it has a fast reaction time and proper transmission reliability. It allows the ECU to control the vehicle maneuvers by sending and sharing messages through its bus system with the guarantee of timing predictability and fault-tolerance for communication. Unfortunately, the CAN bus lacked security protection when it was designed in the late 1980s. More specifically, the primary design flaw is that CAN has no mechanism for supporting security protocols or for ensuring message confidentiality and integrity by design.

The lack of security in the CAN bus has attracted much attention in both industry and research. In 2010, researchers provided the first evidence showing that it is possible to control the vehicle by simply delivering compromising CAN messages [1]. Moreover, the potential for interference in such attacks is exacerbated by the increasing external connections with the in-vehicle control network, including USB ports, Bluetooth, the mandatory on-board diagnostic (OBD-II) port and the extended connection to the Vehicular Ad-hoc Network (VANET) [2]. By injecting malicious CAN messages through those ports, the attacker could cause intentional malfunctions to a wide set of components including the engine, instrument panel, radio, heating, lights, brakes, etc. Consequently, several of those attacks have been demonstrated on vehicles by academic and industrial researchers, e.g. [3] [4]. These attacks are primarily facilitated by injection from the connecting ports to the CAN bus network.

Several cryptographic techniques have been proposed for integrating security into the current CAN architecture [5] [6]. Similar to traditional secure systems, these techniques rely on securely provisioning cryptographic algorithms on the CAN bus, e.g., a message authentication code (MAC). However, using standard cryptographic techniques to protect data originality (such as appending a MAC to messages) could violate timing constraints for CAN communication. This stems from the fact that the CAN protocol allows only 64 bits to be used for payload. That is, implementing SHA256, for example, using the CAN protocol will lead to an overhead of eight messages to carry the computed SHA256 code; an 800% increase in the communication bandwidth. This large increase in the communication bandwidth will degrade the performance of the system in terms of its ability to satisfy the required hard timing constraints. When the message is safety critical, such as an emergency stop, this could result in a life-threatening incident.

Meanwhile, the automotive Intrusion Detection System (IDS) [7] is drawing attention as another promising method for securing in-vehicle CAN networks. First, an automotive IDS can be applied without causing computational and communication overhead in the CAN protocol. Second, because of its self-adaptive nature, an IDS can be easily adapted in the automotive domain as a seamless extension to new vehicles. Message-based IDS focuses on each message by utilizing message information and properties (e.g., message ID, frequency, clock-skew, etc.) to detect malicious attacks [8], [9], [10]. Unfortunately, there are limitations on the kinds of attack each method can detect. For example, a frequency-based IDS is not able to detect a stealthy attack that successfully mimics the original message's frequency. IDS approaches also have overhead. For instance, an IDS based on physical properties [11] can identify impersonation attacks by fingerprinting each ECU. However, it captures voltage identities to authenticate the sender, which needs extra measurement equipment. This will limit the feasibility of intrusion detection in practice. Instead, in this paper, we propose an IDS based on the physical location of the ECU to help in finding the malicious ECU. Our proposed scheme overcomes the blind spots of frequency-based IDS by monitoring the physically based delay differences and is feasible to deploy on a CAN network by adding minimal hardware to the existing CAN bus.

The remainder of this paper is organized as follows: Section 2 reviews the fundamental concepts of the CAN bus, while Section 3 introduces the adversary models. Our proposed plug-in-monitor IDS is presented in Section 4, and in Section 5 we demonstrate the feasibility and efficacy with a CAN bus prototype. We provide a discussion on future work and conclude the paper in Section 6.

II. BACKGROUNDS

A. CAN Protocol

CAN bus, the primary communication network for most modern cars, is a broadcast medium consisting of a series of nodes connected via a twisted-pair cable with termination impedance at the end. It has two logical states, the dominant 0 state, where the bus is driven by a voltage, and the recessive 1 state, where the bus is grounded. The CAN protocol implements arbitration on this logic: frames with dominant bits win the bus arbitration, while the recessive node is grounded and loses the capability to transmit for this phase. CAN data transmission uses this bit-wise arbitration method to decide which message should be sent on the CAN bus when multiple messages request the bus simultaneously. This arbitration method allows frames with higher priority to be transmitted before lower priority ones. The node with lower priority which failed to transmit the last time automatically attempts to re-transmit six-bit clocks after the end of the last message. This makes the CAN bus system very suitable as a real-time prioritized communication system.

B. ECU Functions and CAN ID Distribution

The modern automobile may have up to 100 ECUs for diverse subsystems. An ECU controls the specific maneuvers for its subsystem by sending out messages in order and receiving the sensor data by decoding the messages through the CAN bus. The CAN frame contains fields such as Identifier (ID), Data Length Code (DLC), Data field, CRC and other control bits as shown in Fig. 2. The messages sent out on the CAN bus are distributed based on the identifier (ID) preceding the CAN frame. However, the ID is neither the sender address nor the receiver address. It represents the priority of the message and assists in the arbitration. Furthermore, the ID represents the function of the message, and this function mapping is defined by the automobile manufacturer and is not disclosed to the public. In practice, automotive designers assign a set of IDs to each ECU, and one ID could be assigned to several ECUs as well. The overlaps in using message IDs pose a challenge for the detection system: even if the detection mechanism could find the malicious message based on the ID, it may fail to know who is sending it. Thus, it is difficult to identify the malicious attacker based on the message IDs.

Fig. 1. Standard CAN data frame

III. ADVERSARY MODELS

A. Attack Interface

The main goal of the adversary is to transmit malicious CAN messages, intentionally causing malfunctions of the vehicle without being suspected by the detection mechanism. Car hacking experiments show that the interfaces the adversary uses to access the in-vehicle CAN network are restricted to several ports. Usually, the adversary would invade the in-vehicle network through two common physical attack surfaces: either by directly plugging into the OBD-II port or by using a remote wireless communication interface (Fig. 2). In most cases, the injection position the adversary uses is fixed on the vehicle during the attack. All the facts discussed above present us with a strategy to detect the malicious ECU based on its physical location. We consider an adversary that is capable of injecting malicious messages on the CAN bus through the ports connected to the external world. However, we assume that the adversary has no capability to change the physical layout of the CAN bus. During the injection, the adversary can modify the identifier and the contents of the messages.

Fig. 2. The attack interfaces of CAN bus and the CAN bus layout in real vehicle

The goal of this work is to demonstrate that in the presence of an adversary, the plug-in-monitor IDS could locate the adversary's physical location on the bus. By observing the message transmission, the monitor IDS can identify suspected messages which are sent by a different ECU that has no permission to send those messages. Moreover, the IDS will also keep an eye on suspicious locations, such as the OBD-II port or the wireless communication ECU, in order to spot the injection with a quick response.

B. Attack Types

In order to clearly outline the attacker profile addressed in this work, we define the types of attacks handled in this paper in this section.

1) Injection Attack: A straightforward yet quite threatening attack on the CAN bus is the message injection attack. To achieve this, the adversary would connect to the in-vehicle network through the interface and start to inject malicious messages onto the CAN bus. Our proposed IDS will be able to detect this aggressive attack. However, since it is also easily detected by other content-based IDS instances, we put this kind of attack at low priority and emphasize the superior detection capability for the other, more sophisticated attacks in this paper.

2) Masquerade Attack: The masquerade attack is a kind of sophisticated in-vehicle attack first proposed and demonstrated in [9]. The objective of a masquerade attack is to manipulate an ECU that is in charge of a safety-critical function while hiding the fact that the ECU is compromised. To mount a masquerade attack without being detected, an adversary needs to suspend a target ECU and then inject malicious CAN messages without being noticed by the other ECUs. In fact, for the masquerade attack, the CAN ID and message contents may not change, depending on the attack strategy, thus making it difficult to detect by ID-based intrusion detection systems. However, after taking over the transmission of the legitimate ECU, the attacker starts to transmit malicious messages at a different physical location. Our proposed IDS could detect the masquerade attack by utilizing the information from the physical layer of transmission.

3) Bus-off Attack: The bus-off attack is proposed by [12]. In this attack, an adversary who has remote access to the in-vehicle network performs simultaneous transmission of bits in fields other than the identifier field. Due to this simultaneous transmission, a target ECU will enter the bus-off mode. As a result, the bus-off attacker can intentionally suspend the target ECU. So for the bus-off attack, one promising solution is to distinguish the transmitters even though they simultaneously transmit the same message bits. Our proposed delay-based plug-in-monitor IDS could achieve this by finding the delay difference of the two transmitters, as the bad ECU is supposed to transmit at a different location from the legitimate ECU. Accordingly, we could detect the malicious messages as well as the bus-off attack.

IV. PROPOSED METHODS

To cope with the sophisticated attacks targeting the in-vehicle CAN bus, we propose a delay-based plug-in-monitor IDS which makes use of the unaltered property of the physical topology of the CAN network. The fundamental observation in the monitor scheme is that each ECU outputs a characteristic signal delay when monitored at the two points. During the attack, the attacker would use the fixed attack interface of the CAN bus, which will cause the delay difference measured from the two plug-in-monitor points to change. Therefore, we can identify the malicious messages sent from a transmitter outside the expected range, thus distinguishing the compromised ECU from the legitimate ones.

A. The Physical Layout of the CAN bus Network

In this section, we will describe the physical layout of the CAN bus as well as the signal transmission properties on the bus, which are relevant to the delay measurement in our set-up. As aforementioned, the electrical CAN signals fall into two states: a dominant state (logic 0) and a recessive state (logic 1). With both high speed and low speed CAN, the speed of the transition is faster when a recessive to dominant transition occurs since the CAN wires are being actively driven. The speed of the dominant to recessive transition depends primarily on the length of the CAN network and the capacitance of the wire used.

CAN is a multi-master serial bus standard for connecting ECUs, also known as nodes. The ISO 11898-2 standard provides guidelines for the layout of a high-speed CAN network. As shown in Figure 3, the high speed CAN uses a linear bus terminated at each end with 120 Ω resistors. Two or more nodes join the linear CAN network to communicate. The complexity of the node can range from a simple I/O device up to an embedded computer with a CAN interface and sophisticated software. The node may also be a gateway allowing a standard computer to communicate over a USB or Ethernet port with the devices on a CAN network. The linear topology CAN network is usually used as a high speed CAN bus for automotive applications.

Fig. 3. High Speed CAN Network. ISO 11898-2 with the IDS monitor

The other layout of the CAN bus network is regulated in the ISO 11898-3 standard. It is also called low speed or fault tolerant CAN, uses a star bus and is terminated at each node by a fraction of the overall termination resistance (Fig. 4). Fault tolerant CAN is often used where groups of nodes need to be connected together forming a sub-network. In a real vehicle, both types of layout will be applied. Moreover, the length of the bus network will be extended to 3-10 meters based on the scale and design of the real vehicle. The physical layout of ECUs will not be altered after manufacturing, even under cyber attacks where the attacker could easily achieve access to the bus but has no capability to change the physical layout of the CAN bus.

Fig. 4. Low Speed CAN Network. ISO 11898-3 with the IDS monitor

B. Effects of Transmission Delay

The causes of latency for a message transmitted on the CAN bus can be summarized as the speed of different CAN controllers and transceivers, gateway processing delays, propagation delay of the wire, propagation delay of connectors and the clock drift or skew of the oscillators. In our work, all of the delays discussed above will count toward the final delay difference captured by the monitor.

Implementing a CAN node requires a CAN transceiver and a CAN controller or processor with the appropriate protocol stack. In either case, the CAN controller must be configured to reconcile the data rate and timing on the bus with the hardware oscillator used for the controller. The different implementations of the CAN node might cause observable delay differences on the CAN bus. As cable length increases, the high-frequency content of the signal is attenuated, so data rates are limited for long distances. Propagation delay, which also increases with cable length, can interfere with the synchronization and arbitration between nodes. The typical propagation delay of a twisted pair cable for the CAN bus is 5ns/m. Thus, for a traditional network of length up to 50m (the maximum length for CAN bus), the difference between the time the transmitter drives (or releases) the bus and the time an observer observes a signal transition can be up to 250ns. Though such delays are accommodated within the CAN bit timing specification for a correct sampling of the bit value, they can be exploited by the monitor to identify the transmitter. In addition to the typical propagation delay caused by the cable length, the relative bit timing difference observed by a monitor for two transmitters can be augmented by the other delays along the transmission path as well.

The objective of our work is to fingerprint the transmitter ECU by the delay difference from the victim ECU to the attacked ECU. The two topologies of the intrusion detection system with the CAN bus layout are shown in Fig. 3 for High-speed CAN and Fig. 4 for Low-speed CAN. We place one monitor connecting to the CAN bus network through two wires directly attached to two points of the bus. The monitor would watch the messages transmitted on the bus and calculate the delay difference from its two plug-in points. Thus, it is crucial to choose the monitor plug-in positions to enlarge the coverage of the bus system. We propose the following specific rules based on the layouts of the CAN bus network:

1) The first rule is to maximize the delay difference of ECUs in the network. For the high-speed CAN network, we will place the two-point monitor at the end of the bus network in order to cover the maximum number of ECUs under supervision. For the fault tolerant CAN network, the best strategy is to place the two monitor points in two separated clusters of the network. If the network only has one central cluster, the two points can be placed at any two nodes in the network.

2) The second rule is to keep the distribution distinguishable. If we place the plug-in points too far away from the observed network, the monitor would not be able to tell the delay difference for the sub-network. Thus, considering the sub-CAN network structure, we design the monitor to be responsible for 5 to 20 ECUs in the sub-network.

C. Electrical CAN Signal Measurement and Reprocessing

More specifically, we design the procedure of the plug-in-monitor IDS in three phases, which are respectively the delay measurement, learning parameter settings, and the final intrusion detection.

• Phase I: Profiling the delay differences for each ECU. The first step is to measure the delay difference and register the legitimate ECU based on the measurements when the vehicle is in normal driving. The delay difference from the transmitter ECU to the two plug-in points would be recorded with its ID in the system. Then, for each message ID transmitted on the bus, the system has the location of its legal transmitters. The profiling information will be used by the IDS to determine whether or not the message originated from the legitimate transmitters in the following step. Phase I runs as the initialization and registration step of the IDS and will update the record of an ECU when necessary.

• Phase II: Exploiting the threshold of the delay differences. Based on the data collected during the profiling stage, the IDS can build the distribution map for each message ID with its legitimate transmitters. By further analyzing the statistical distribution, the system will decide the threshold for each ID to distinguish between legitimate transmitters and malicious transmitters. The details of setting the threshold will be discussed in Section V.

• Phase III: Attack detection. For each transmitted message, only one ECU is assigned to its transmission in most cases, and the position of the ECU is fixed unless the vehicle is broken into. Based on the timing delay difference, the IDS could estimate the transmission range of the ECU and further decide whether it is legitimate or not.
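The three phases above, as an added example (not code from the paper): a simulated linear bus with monitor points at both ends and the 5 ns/m propagation delay quoted in Section IV-B, run against a masquerade sender at the OBD-II port. The bus length, jitter, CAN IDs, ECU positions, the mean ± 3σ range and the per-ID mismatch-rate limit are all assumptions chosen for illustration.

```python
import random
import statistics
from collections import defaultdict

NS_PER_M = 5.0       # twisted-pair propagation delay quoted in the text
BUS_LEN_M = 10.0     # assumed linear high-speed bus, monitor points at both ends
JITTER_NS = 2.0      # assumed measurement noise (std dev), constructed value


def delay_difference(pos_m, rng):
    """Arrival time at monitor point A (0 m) minus arrival at point B (bus end)."""
    t_a = pos_m * NS_PER_M
    t_b = (BUS_LEN_M - pos_m) * NS_PER_M
    return t_a - t_b + rng.gauss(0.0, JITTER_NS)


def simulate(senders, n_per_id, rng):
    """senders: {can_id: transmitter position in metres} -> [(can_id, delay_diff_ns)]."""
    return [(cid, delay_difference(pos, rng))
            for cid, pos in senders.items() for _ in range(n_per_id)]


def profile(samples):
    """Phase I: per-ID mean and standard deviation of the delay difference."""
    by_id = defaultdict(list)
    for cid, dd in samples:
        by_id[cid].append(dd)
    return {cid: (statistics.mean(v), statistics.stdev(v)) for cid, v in by_id.items()}


def set_ranges(prof, k=3.0):
    """Phase II: legitimate range per ID, here mean +/- k standard deviations."""
    return {cid: (mu - k * sd, mu + k * sd) for cid, (mu, sd) in prof.items()}


def detect(window, ranges, max_mismatch=0.2):
    """Phase III: return {can_id: mismatch_rate} for IDs whose rate exceeds the limit."""
    seen, bad = defaultdict(int), defaultdict(int)
    for cid, dd in window:
        seen[cid] += 1
        lo, hi = ranges.get(cid, (1.0, 0.0))   # unprofiled ID: empty range, always a mismatch
        if not lo <= dd <= hi:
            bad[cid] += 1
    return {cid: bad[cid] / seen[cid] for cid in seen if bad[cid] / seen[cid] > max_mismatch}


# Constructed layout: IDs and positions are illustrative, not from the paper.
LEGIT = {0x0C0: 1.0, 0x1A0: 4.0}      # engine ECU at 1 m, brake ECU at 4 m
OBD_PORT_M = 9.0                      # masquerade sender sits at the OBD-II port


def run_demo(seed=1):
    rng = random.Random(seed)
    ranges = set_ranges(profile(simulate(LEGIT, 500, rng)))
    benign = detect(simulate(LEGIT, 200, rng), ranges)
    # Masquerade: brake ECU suspended, same ID and rate now sent from the OBD-II port.
    attack_traffic = simulate({0x0C0: 1.0, 0x1A0: OBD_PORT_M}, 200, rng)
    return benign, detect(attack_traffic, ranges)


if __name__ == "__main__":
    benign_alerts, attack_alerts = run_demo()
    print("benign window alerts:", benign_alerts)
    print("attack window alerts:", {hex(k): v for k, v in attack_alerts.items()})
```

The masquerade frames keep the legitimate ID and rate, so only the shift in delay difference (about -10 ns at 4 m versus about +40 ns at 9 m on this constructed bus) separates them from the profiled sender.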
V. EVALUATION

We now evaluate the practicability and efficiency of the IDS in achieving an accurate attacker identification on the CAN bus. At first, we will demonstrate the existence of the delay difference on the CAN bus prototype. Then, we will show how the IDS could identify the transmitter based on the delay difference and consequently detect the attack.

A. Experiment Set-up

Our experimental setup utilizes the Arduino UNO with a Seeed Studio CAN bus shield to prototype the ECU. The CAN bus shield consists of a Microchip MCP 2515 CAN controller and an MCP 2551 CAN transceiver to provide the CAN bus communications, and the micro-controllers are connected via the standard CAN twisted pair cable with a terminal resistor.

The typical CAN architecture consists of several sub-networks of ECUs connected by one or more powerful nodes that act as gateways (GW). However, for our system, the nodes are connected in a single chain with the GW at one end. This setup closely emulates one subnet of the network found in most modern cars. We use another micro-controller as a monitor to probe the bus and record the delay time for both online and offline processing.

B. Delay Profiling

First, we use three Arduino UNO boards to prototype the propagation delay related to the distance. One Arduino UNO board is regarded as the master, and the other two are slaves to it. A laptop is used to monitor the CAN bus communication and activities, so all three Arduino UNO boards are connected to the same laptop. Regarding the communication part, we mainly use the communication library provided by Seeed Studio to achieve message delivery in the CAN bus system. The whole system starts by sending messages from the master with time-stamps ($t_1$). Then the slave that receives the message will echo a message back to the master to confirm that it has received the message. When the master receives the echo-back message (time-stamp $t_2$), we calculate the difference $t_2 - t_1$, which is the delay of the whole echo-back communication. During the time-stamp process, the timer (16MHz) inside the Arduino is used, but we add the interrupt function to improve the time resolution. Hence, the time-stamp accuracy can reach up to 1/16 microsecond in our system. The distinguishable delay difference is shown in Figure 5; we measure it at lengths of 0.5m, 1m, 2m, and 4m. Notice that this delay contains the initial processing delay of the micro-controller, which is estimated as 190ns in this case. The real propagation delay should be the absolute value shown in the figure minus the baseline delay. As the resolution of the timer of the microcontroller is limited, we need to accumulate multiple tests in order to generate concrete results. The results shown in the figure are averaged over 1000 echo-back traces. In practice, there is enough statistical dispersion for two ECUs, as depicted in Figure 6. From this histogram, we can see the delay of the two slaves ($t_2 - t_1$) is distinguishable. Based on this, it is possible to build a mapping between the observed characteristics and their associated IDs. Later, we could classify the messages to the transmitter ECUs based on the delay difference. We also test the delay when the message content is modified. According to the data, the message with all 0 has the largest delay. The reason for this is that zero padding messages tend to have more stuffing bits.

Fig. 5. Monitor delay changes over length of the cable

Fig. 6. Histogram of delay distribution

C. Attack Detection

A distance profile represents the ECU behavior of the message transmission. The IDS would exploit every newly derived message to construct the range of the message transmitter. Although the monitor is triggered on each message and associated with the message ID, if messages originate from the same transmitter, their results are near-equivalent. Thus, the IDS could detect the presence of malicious attackers by monitoring the delay difference in the network, where the delay difference indicates the location of the transmitter. After the delay profiling procedure discussed before, the IDS has collected the delay differences that form the range of transmitters for each message. When messages are transmitted on the CAN bus, the IDS would refer to the stored profile and compare against the record. If the delay difference falls outside the legitimate range, the system flags an injection attack.

The precision, recall and F-1 score of the tests are shown in Table I. Precision measures the percentage of true positives over the sum of true positives and false positives, while recall measures the corresponding true positives over the sum of true positives plus false negatives. F-1 score is the average of precision and recall. To make a confident decision, we could take a threshold on the mismatch rate to generate a confident alert from the system.

TABLE I
RESULTS ON ATTACK DETECTION

            Precision   Recall   F1-score
Benign      0.98        0.97     0.97
Attack      0.97        0.98     0.97
avg/total   0.97        0.97     0.97

D. Detection Error Rate Analysis

The detection rate of the IDS discussed above is based on the physical layout of the ECU testbed. Eventually, the result relies on the distance of the attack ECU from the victim ECU. Here we will use a statistical method to analyze the detection error rate of the IDS.

First, based on the experimental results, we find that the delay variances obey the Gaussian distribution $N(\mu, \sigma^2)$. Assume there are two ECUs on the bus, with the distributions $N(\mu_0, \sigma_0^2)$ and $N(\mu_1, \sigma_1^2)$. The decision is made by the threshold $th$, and the delay is represented as the variable $d$. As a result, the decision rule for two ECUs could be summarized as

• If $d < th$, then the message is sent by ECU 0
• If $d > th$, then the message is sent by ECU 1

Fig. 7. An example for delay distribution and the error region

If the means are close to each other, $\mu_0 \approx \mu_1$, there will be an overlap at the decision boundary as Figure 7 shows; the threshold is drawn as the vertical line. The decision boundary is used to determine the source of the message following the rule described above. The error region is drawn in red; based on the distribution we can derive the error probability as

$$BER = \Pr(b = 0) \int_{-\infty}^{Th} p_0(x)\,dx + \Pr(b = 1) \int_{Th}^{\infty} p_1(x)\,dx \qquad (1)$$

We need to choose the threshold such that the error rate is minimized.

$$\frac{\partial BER}{\partial Th} = 0 \Rightarrow p_0(Th) = p_1(Th) \qquad (2)$$

where the probability density is $p(x) = \frac{1}{\sigma\sqrt{2\pi}} e^{-\frac{(x-\mu)^2}{2\sigma^2}}$. If the distribution of the ECUs is identical, the best threshold line would be in the middle of the cross area. The best case is that the two ECUs are far apart from each other and there is no overlap of the densities. In phase II, the decision boundary should be chosen as the optimum threshold and recorded in the system.

VI. CONCLUSION

More and more stealthy attacks targeting the in-vehicle network threaten the confidentiality of the regular messages transmitted on the bus. In this paper, we propose the novel idea of fingerprinting the ECUs on the bus, which measures the delay difference between two monitor points when transmitting messages. We successfully demonstrated our proposed idea on a CAN bus prototype built on Arduino micro-controllers and CAN bus shields. The proposed method only requires the installation of a monitor on the CAN bus network without any modification of the protocol and ECU functions. Compared to other IDS that fingerprint ECUs, our method does not need any extra equipment to do the measurement, and the monitor function can be realized in the ECU itself. Therefore, we conclude that the plug-in-monitor IDS is a feasible and effective approach for securing in-vehicle networks.

REFERENCES

[1] Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, et al. Experimental security analysis of a modern automobile. In Security and Privacy (SP), 2010 IEEE Symposium on, pages 447–462. IEEE, 2010.
[2] Zhaojun Lu, Wenchao Liu, Qian Wang, Gang Qu, and Zhenglin Liu. A privacy-preserving trust model based on blockchain for vanets. IEEE Access, 2018.
[3] Charlie Miller and Chris Valasek. Adventures in automotive networks and control units. DEF CON, 21:260–264, 2013.
[4] Charlie Miller and Chris Valasek. Remote exploitation of an unaltered passenger vehicle. Black Hat USA, 2015, 2015.
[5] Kyusuk Han, André Weimerskirch, and Kang G Shin. Automotive cybersecurity for in-vehicle communication. In IQT QUARTERLY, volume 6, pages 22–25, 2014.
[6] Weiying Zeng, Mohammed AS Khalid, and Sazzadur Chowdhury. In-vehicle networks outlook: Achievements and challenges. IEEE Communications Surveys & Tutorials, 18(3):1552–1571, 2016.
[7] Tobias Hoppe, Stefan Kiltz, and Jana Dittmann. Security threats to automotive can networks–practical examples and selected short-term countermeasures. In International Conference on Computer Safety, Reliability, and Security, pages 235–248. Springer, 2008.
[8] Mirco Marchetti and Dario Stabili. Anomaly detection of can bus messages through analysis of id sequences. In Intelligent Vehicles Symposium (IV), 2017 IEEE, pages 1577–1583. IEEE, 2017.
[9] Kyong-Tak Cho and Kang G Shin. Fingerprinting electronic control units for vehicle intrusion detection. In USENIX Security Symposium, pages 911–927, 2016.
[10] Qian Wang, Zhaojun Lu, and Gang Qu. An entropy analysis based intrusion detection system for controller area network in vehicles. In System-on-Chip Conference (SOCC), 2018 31th IEEE International. IEEE, 2018.
[11] Wonsuk Choi, Kyungho Joo, Hyo Jin Jo, Moon Chan Park, and Dong Hoon Lee. Voltageids: Low-level communication characteristics for automotive intrusion detection system. IEEE Transactions on Information Forensics and Security, 13(8):2114–2129, 2018.
[12] Kyong-Tak Cho and Kang G Shin. Error handling of in-vehicle networks makes them vulnerable. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 1044–1055. ACM, 2016.
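An added example (not from the paper) for the threshold selection of Section V-D: it solves p0(Th) = p1(Th) for two Gaussian delay profiles, including the unequal-spread case where the midpoint is no longer optimal, and evaluates the probability mass that falls on the wrong side of the threshold under the rule d < th for ECU 0. Equal priors, the ordering mu0 < mu1 and the nanosecond values are assumptions.

```python
import math


def pdf(x, mu, sigma):
    """Gaussian density p(x) used in the error analysis."""
    return math.exp(-((x - mu) ** 2) / (2 * sigma ** 2)) / (sigma * math.sqrt(2 * math.pi))


def cdf(x, mu, sigma):
    """Gaussian cumulative distribution, via the error function."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


def optimum_threshold(mu0, s0, mu1, s1):
    """Return th with p0(th) == p1(th) and mu0 < th < mu1, or None if the
    densities do not cross between the means (no usable single threshold)."""
    if not mu0 < mu1:
        raise ValueError("label the ECUs so that mu0 < mu1")
    if math.isclose(s0, s1):
        return (mu0 + mu1) / 2.0          # identical spread: midpoint of the two means
    # ln p0(x) = ln p1(x)  ->  a*x^2 + b*x + c = 0
    a = 1.0 / (2 * s1 ** 2) - 1.0 / (2 * s0 ** 2)
    b = mu0 / s0 ** 2 - mu1 / s1 ** 2
    c = mu1 ** 2 / (2 * s1 ** 2) - mu0 ** 2 / (2 * s0 ** 2) + math.log(s1 / s0)
    disc = b * b - 4 * a * c
    if disc < 0:
        return None
    roots = [(-b + sign * math.sqrt(disc)) / (2 * a) for sign in (1.0, -1.0)]
    between = [r for r in roots if mu0 < r < mu1]
    return between[0] if between else None


def error_rate(th, mu0, s0, mu1, s1):
    """Equal-prior probability of attributing a message to the wrong ECU under
    the rule d < th -> ECU 0, d > th -> ECU 1."""
    ecu0_as_ecu1 = 1.0 - cdf(th, mu0, s0)   # ECU 0 delay lands above th
    ecu1_as_ecu0 = cdf(th, mu1, s1)         # ECU 1 delay lands below th
    return 0.5 * ecu0_as_ecu1 + 0.5 * ecu1_as_ecu0


if __name__ == "__main__":
    # Constructed delay profiles in nanoseconds (mean, std dev), not measured data.
    cases = {
        "identical spread": (200.0, 4.0, 216.0, 4.0),
        "unequal spread": (200.0, 3.0, 216.0, 5.0),
        "overlapping, no crossing between means": (200.0, 10.0, 201.0, 1.0),
    }
    for name, params in cases.items():
        th = optimum_threshold(*params)
        if th is None:
            print(f"{name}: profiles cannot be separated by one threshold")
        else:
            print(f"{name}: th = {th:.2f} ns, error = {error_rate(th, *params):.4f}")
```

A `None` result marks a pair of ECUs whose delay profiles overlap too much for a single threshold; Phase II can use it as a cue to revisit the monitor placement rules of Section IV-B.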
