Universally applicable signal-based controller area network (CAN) intrusion detection system
Inventors
Bridges, Robert A. • Verma, Kiren E. • Iannacone, Michael • Hollifield, Samuel C. • Moriano, Pablo • Sosnowski, Jordan
Assignees
Publication Number
US-12282548-B2
Publication Date
2025-04-22
Expiration Date
2042-04-21
Interested in licensing this patent?
MTEC can help explore whether this patent might be available for licensing for your application.
Abstract
A system and method for intrusion detection on automotive controller area networks. The system and method can detect various CAN attacks, such as attacks that cause unintended acceleration, deactivation of vehicle's brakes, or steering the vehicle. The system and method detects changes in nuanced correlations of CAN timeseries signals and how they cluster together. The system reverse engineers CAN signals and detect masquerade attacks by analyzing timeseries extracted from raw CAN frames. Specifically, anomalies in the CAN data can be detected by computing timeseries clustering similarity using hierarchical clustering on the vehicle's CAN signals and comparing the clustering similarity across CAN captures with and without attacks.
Core Innovation
The invention provides a system and method for intrusion detection on automotive controller area networks (CAN) by automatically decoding CAN signals without relying on proprietary CAN data mappings. The system reverse engineers the signal definitions from raw CAN frames, mapping byte and bit boundaries, endianness, and signedness to produce decoded timeseries signals. These decoded signals are then analyzed using clustering techniques to model the inherent relationships among vehicle subsystems, enabling the identification of anomalies such as those produced by masquerade attacks.
The core innovation centers around detecting nuanced changes in the correlations between decoded CAN timeseries signals by applying agglomerative hierarchical clustering and comparing clustering similarities across CAN data captured in benign and attack scenarios. Unlike previous approaches, this solution operates without access to secret OEM mappings or diagnostic probes, and can decode signals for any vehicle, including when both big and little endian byte orders or signed/unsigned encodings are present within the same CAN ID.
The system addresses the inadequacy of traditional intrusion detection methods that either rely on known proprietary CAN mappings or diagnostic inquiries, or that only perform time-based or header-based anomaly detection. By learning and monitoring the relationships between signals at the decoded level, the invention enables robust detection of advanced and stealthy CAN attacks, such as masquerades, which modify payloads without disturbing frame timing.
Claims Coverage
The patent claims cover several inventive features directed to a CAN intrusion detection system capable of reverse engineering signal definitions from CAN frames, modeling relationships between decoded timeseries, and detecting masquerade attacks using clustering-based analytics.
Automatic reverse engineering of CAN signal definitions for each arbitration ID
The system includes a processor that generates a signal definition for each arbitration identifier (AID) by mapping up to 64-bit data payloads of CAN frames to tokenized and translated signals. The mapping accounts for start bit, signal length, endianness (byte order), and signedness, enabling decoding of previously unobservable vehicle signals from raw CAN data without reliance on proprietary information.
Learning relationships between decoded uninterpreted timeseries signals for both training and test data
The processor learns inherent relationships between uninterpreted timeseries signals by analyzing decoded CAN training and test payload data without dependence upon CAN diagnostic inquiries. This enables the modeling of temporal and correlation structures in the CAN data independent of external sensor input or OEM-provided mappings.
Detection of masquerade attacks by contrasting signal relationships using hierarchical clustering similarity
The inventive system detects masquerade attacks by contrasting the learned relationships from decoded CAN training and test payload data. The processor computes correlations between timeseries signals, generates agglomerative hierarchical clusterings, computes clustering similarity distributions, and compares these distributions between training and testing conditions to identify anomalies indicative of attacks.
Integration of anomaly alerting and logging upon detection of a masquerade attack
Upon detecting a masquerade attack in the CAN test payload data, the processor is configured to transmit anomaly-notification messages and/or log information related to the detected attack. This feature supports automated alerting and forensic tracking capabilities within the same apparatus.
In summary, the patent claims a vehicle-agnostic CAN intrusion detection system that can reverse engineer signal definitions, model and compare inherent signal relationships through clustering analytics, and robustly detect advanced CAN attacks, specifically including masquerade-type payload manipulations, without access to proprietary mappings.
Stated Advantages
Enables automatic decoding of CAN signals in real time for any vehicle without proprietary mapping information.
Detects stealthy and sophisticated attacks, such as masquerade attacks, by identifying changes in relationships among decoded signals rather than relying on timing or signature-based rules.
Accommodates both big and little endian byte orderings and signedness encodings present in CAN data, increasing decoding accuracy compared to previous approaches.
Reduces dependence on external sensors or OEM cooperation, allowing for vehicle-agnostic deployment, including via OBD-II plugin hardware.
Provides near-real time or post-drive intrusion detection, supporting both in-situ and offline analytics.
Enables creation of a usable CAN signal database (DBC file) for real-time decoding, performance analysis, or integration with other vehicle analytics technologies.
Documented Applications
Detection of masquerade, fabrication, or suspension attacks on automotive CAN networks, including attacks that induce unintended acceleration, brake deactivation, or unauthorized steering.
Real-time or post-drive intrusion detection and analytics on CAN bus traffic for vehicle cybersecurity applications.
Creation and usage of decoded signal definitions (DBC files) for vehicle performance analysis, driver identification, after-market tuning, fleet management, fault diagnosis, forensics technologies, and insurance applications.
Integration with OBD-II hardware plugins for deployment on virtually any vehicle equipped with a standard CAN bus.
Development of universally applicable security technologies and after-market solutions for vehicles, regardless of OEM or proprietary signal mapping.
Interested in licensing this patent?