Intrusion Detection using Bit Timing Characteristics for CAN Bus
Most automobiles today use the Controller Area Network (CAN) bus for communication between Electronic Control Units (ECUs), also called nodes on the CAN bus. Each ECU on the CAN bus is a microcontroller that sends a unique identifier used for node identification. It is possible to spoof node A by sending the same identifier through node B and thereby control node A. Thus, an attacker can control the steering through the car's internal lights, rendering it ineffective or misusing it. To combat this, we try to fingerprint each node by the unique bit timing characteristics of its identifier. To that end, the bit timing characteristics used are the Time of Flight (TOF) intervals between successive rising edges of the identifier bits for an ECU. Other characteristics, such as the TOF between successive falling edges of the CAN bus node identifier, can also be used for node classification.
To measure these TOFs, we use a device called a Time-to-Digital Converter, which triggers a ring oscillator to measure the time between rising/falling edges of a signal with accuracy on the order of picoseconds. These timing values are used as features for the K-nearest neighbors (KNN) classifier algorithm. Once the classifier is trained, it can be used to assign a new timing value to a particular node category; if that category differs from the expected one, it is a sign of compromise or intrusion. In simulation tests, we achieve 95% accuracy in correctly predicting the compromised node. Thereafter, the thesis deals with experimentally predicting an intrusion in the CAN bus system, using the EPOS Studio CAN bus position controller for Maxon motors. Because the clock timings are extremely accurate, we conclude that better statistical techniques for node characterization are needed for intrusion detection, which is outside the scope of this work.
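
The detection step described above, sketched as an added example (not code from the thesis): a hand-written KNN classifier is trained on simulated per-node TOF features, then a frame is flagged when the predicted node differs from the node its identifier claims. The node names, the 500 kbit/s bit time, the clock offsets, the jitter, and the normalization of each interval to one bit time are all constructed assumptions.

```python
import math
import random
from collections import Counter

NOMINAL_BIT_NS = 2000.0   # assumed 500 kbit/s bus
JITTER_NS = 0.02          # assumed 20 ps measurement jitter
# Constructed oscillator offsets (ppm) standing in for per-ECU clock differences.
NODE_SKEW_PPM = {"steering": 100.0, "lights": -100.0, "brakes": 0.0}

def measure_tof(node, rng, n_intervals=3):
    """Simulate per-bit TOFs (ns) between successive rising edges of one frame."""
    bit_ns = NOMINAL_BIT_NS * (1 + NODE_SKEW_PPM[node] * 1e-6)
    return [rng.gauss(bit_ns, JITTER_NS) for _ in range(n_intervals)]

def build_training_set(rng, frames_per_node=30):
    """Collect labelled feature vectors from frames known to be genuine."""
    return [(measure_tof(node, rng), node)
            for node in NODE_SKEW_PPM for _ in range(frames_per_node)]

def knn_predict(training, features, k=5):
    """Majority vote over the k training samples nearest in Euclidean distance."""
    nearest = sorted(training, key=lambda s: math.dist(s[0], features))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

def check_frame(training, claimed_node, features, k=5):
    """Compare the node implied by the identifier with the timing fingerprint."""
    predicted = knn_predict(training, features, k)
    return {"claimed": claimed_node, "predicted": predicted,
            "intrusion": predicted != claimed_node}

def demo(seed=1):
    rng = random.Random(seed)
    training = build_training_set(rng)
    # Genuine frame: the steering node sends its own identifier.
    genuine = check_frame(training, "steering", measure_tof("steering", rng))
    # Spoofed frame: the identifier claims steering, the timing is the lights node's.
    spoofed = check_frame(training, "steering", measure_tof("lights", rng))
    return genuine, spoofed

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The clusters here are separated by many times the jitter, so classification is easy; as the offsets between real oscillators shrink toward the measurement noise, the neighbors of a sample mix labels and the vote becomes unreliable.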