CANTXSec: A Deterministic Intrusion Detection and Prevention System for CAN Bus Monitoring ECU Activations

TL;DR

CANTXSec is a deterministic intrusion detection and prevention system for CAN bus that accurately detects and prevents attacks based on physical ECU activations, addressing a critical security gap in vehicle and industrial systems.

Contribution

It introduces a novel deterministic IDS/IPS based on physical ECU activations, capable of detecting both classical and advanced CAN bus attacks with 100% accuracy.

Findings

Achieves 100% detection accuracy for attack classification.

Prevents 100% of Frame Injection Attacks.

Effective on a physical testbed.

Abstract

Despite being a legacy protocol with various known security issues, Controller Area Network (CAN) still represents the de-facto standard for communications within vehicles, ships, and industrial control systems. Many research works have designed Intrusion Detection Systems (IDSs) to identify attacks by training machine learning classifiers on bus traffic or its properties. Actions to take after detection are, on the other hand, less investigated, and prevention mechanisms usually include protocol modification (e.g., adding authentication). An effective solution has yet to be implemented on a large scale in the wild. The reasons are related to the effort to handle sporadic false positives, the inevitable delay introduced by authentication, and the closed-source automobile environment that does not easily permit modifying Electronic Control Units (ECUs) software. In this paper, we propose CANTXSec, the first deterministic Intrusion Detection and Prevention system based on physical ECU activations. It employs a new classification of attacks based on the attacker's need in terms of access level to the bus, distinguishing between Frame Injection Attacks (FIAs) (i.e., using frame-level access) and Single-Bit Attacks (SBAs) (i.e., employing bit-level access). CANTXSec detects and prevents classical attacks in the CAN bus, while detecting advanced attacks that have been less investigated in the literature. We prove the effectiveness of our solution on a physical testbed, where we achieve 100% detection accuracy in both classes of attacks while preventing 100% of FIAs. Moreover, to encourage developers to employ CANTXSec, we discuss implementation details, providing an analysis based on each user's risk assessment.