Multiple Observation HMM-Based CAN Bus Intrusion Detection System for In-Vehicle Network

Abstract

As modern vehicles become more intelligent and connected, the number of ECUs and communication interfaces with external networks (such as 3G/4G and Bluetooth) has increased significantly, which raises potential network security risks. Due to the absence of effective security measures, there is a frequent occurrence of cybersecurity incidents targeting vehicles, particularly the in-vehicle CAN bus network. As the main bus in the vehicle, the CAN bus faces important challenges in its safety due to the lack of security mechanisms. Therefore, we propose a CAN bus intrusion detection system based on multiple observation HMM for in-vehicle networks to enhance the security of the vehicle. Specifically, the proposed algorithm builds a multiple observation HMM-based on the ID and data fields of normal CAN bus traffic. According to the established HMMs, we calculate the existence probability of the frame under the defined time window as the detection threshold. When the existence probability of the frame to be detected exceeds the normal threshold range, it is considered abnormal. Furthermore, we establish four common attack models based on the collected real vehicle data and evaluate the performance of the proposed algorithm in these attack scenarios. The experimental results show that the proposed method has better detection performance than other frame-by-frame anomaly detection methods in four attack scenarios.