# Towards a CAN IDS based on a neural-network data field predictor

**Authors:** Krzysztof Pawelec, Robert A. Bridges, Frank L. Combs

arXiv: 1812.11596 · 2019-01-08

## TL;DR

This paper explores using deep neural networks to predict CAN data at the bit level for intrusion detection, aiming to identify malicious messages without reverse engineering proprietary encodings.

## Contribution

It introduces a novel approach of bit-level CAN data prediction with neural networks to enhance vehicle-agnostic IDS capabilities, avoiding reverse engineering of proprietary message formats.

## Key findings

- Deep neural networks show promise for continuous CAN signals.
- The method struggles with discrete, binary signals.
- Potential for real-time anomaly detection in vehicle networks.

## Abstract

Modern vehicles contain a few controller area networks (CANs), which allow scores of on-board electronic control units (ECUs) to communicate messages critical to vehicle functions and driver safety. CAN provides a lightweight and reliable broadcast protocol but is bereft of security features. As evidenced by many recent research works, CAN exploits are possible both remotely and with direct access, fueling a growing CAN intrusion detection system (IDS) body of research. A challenge for pioneering vehicle-agnostic IDSs is that passenger vehicles' CAN message encodings are proprietary, defined and held secret by original equipment manufacturers (OEMs). Targeting detection of next-generation attacks, in which messages are sent from the expected ECU at the expected time but with malicious content, researchers are now seeking to leverage "CAN data models", which predict future CAN message contents and use prediction error to identify anomalous, hopefully malicious CAN messages. Yet, current works model CAN signals post-translation, i.e., after applying OEM-donated or reverse-engineered translations from raw data. In this work, we present initial IDS results testing deep neural networks used to predict CAN data at the bit level, thereby providing IDS capabilities but avoiding reverse engineering proprietary encodings. Our results suggest the method is promising for continuous signals in CAN data, but struggles for discrete, e.g., binary, signals.

## Figures

10 figures with captions in the complete paper: https://tomesphere.com/paper/1812.11596/full.md

## References

25 references — full list in the complete paper: https://tomesphere.com/paper/1812.11596/full.md

---
Source: https://tomesphere.com/paper/1812.11596