Abstract

CAN protocol is a serial bus protocol that complements the previously existing shortcomings in the point-to-point network topology, and it provides full-duplex communications for transmitting data between the host nodes consisting of the network. In addition, the CAN protocol has many advantages in terms of scalability and efficiency for the cost to wire the network devices. Due to this fact, many car manufacturers have adapted the CAN protocol for implementing their in-vehicle networks. Even though the CAN protocol is widely used for in-vehicle networks, it still does not support any security mechanism to provide safe data transmission, because the size of CAN message is limited to 8 bytes which is insufficient to contain the fields for the security. The network nodes, ECUs using the CAN protocol basically transmit the data in a broadcast way while not applying encryption or authentication to the transmitted data. Therefore, the attackers can sniff and analyze the data transmitted through the CAN bus, and also they can inject their malformed data to control the in-vehicle network. In this paper, we propose a novel anomaly detection framework to protect the in-vehicle network that uses CAN bus protocol. Our proposed framework uses many hidden markov models to represent the normality of the network, and the models are generated using two types of network information; the transmission time interval and the payload data changes. In evaluation, we had several experiments, and it was found that the proposed framework can detect abnormal network behaviors accurately.