Efficient Intrusion Detection With Bloom Filtering in Controller Area Networks

Due to its cost efficiency, the controller area network (CAN) is still the most wide-spread in-vehicle bus, and the numerous reported attacks demonstrate the urgency in designing new security solutions for CAN. In this paper, we propose an intrusion detection mechanism that takes advantage of Bloom filtering to test frame periodicity based on message identifiers and parts of the data-field which facilitates detection of potential replay or modification attacks. This proves to be an effective approach since most of the traffic from in-vehicle buses is cyclic in nature and the format of the data-field is fixed due to rigid signal allocation. Bloom filters provide an efficient time-memory tradeoff which is beneficial for the constrained resources of automotive grade controllers. We test the correctness of our approach and obtain good results on an industry-standard CANoe-based simulation for a J1939 commercial-vehicle bus and also on CAN with flexible data-rate traces obtained from a real-world high-end vehicle. The proposed filtering mechanism is straightforward to adapt for any other time-triggered in-vehicle bus, e.g., FlexRay, since it is built on time-driven characteristics.