CANdito: Improving Payload-based Detection of Attacks on Controller Area Networks
Stefano Longari, Alessandro Nichelini, Carlo Alberto Pozzoli, Michele Carminati, Stefano Zanero

TL;DR
CANdito introduces an unsupervised LSTM autoencoder-based intrusion detection system for CAN networks, significantly improving attack detection accuracy and response times over previous RNN-based methods.
Contribution
The paper presents CANdito, a novel unsupervised IDS leveraging LSTM autoencoders for anomaly detection in CAN, enhancing detection performance over existing RNN-based solutions.
Findings
CANdito outperforms CANnolo in detection accuracy
Improved temporal detection performance
Effective against a comprehensive set of synthetic attacks
Abstract
Over the years, the increasingly complex and interconnected vehicles raised the need for effective and efficient Intrusion Detection Systems against on-board networks. In light of the stringent domain requirements and the heterogeneity of information transmitted on Controller Area Network, multiple approaches have been proposed, which work at different abstraction levels and granularities. Among these, RNN-based solutions received the attention of the research community for their performances and promising results. In this paper, we improve CANnolo, an RNN-based state-of-the-art IDS for CAN, by proposing CANdito, an unsupervised IDS that exploits Long Short-Term Memory autoencoders to detect anomalies through a signal reconstruction process. We evaluate CANdito by measuring its effectiveness against a comprehensive set of synthetic attacks injected in a real-world CAN dataset. We…
Taxonomy
Topics: Vehicular Ad Hoc Networks (VANETs)
