Abstract

Vehicles are becoming more and more connected today, with many direct interfaces and infotainment units widely deployed in in-vehicle networks. However, the increase in interfaces and units can also lead to an increase in cyberattacks surfaces. As the de facto standard for the in-vehicle network protocol, the Controller Area Network (CAN) protocol provides an efficient, stable, and cost-effective communication channel between electric control units (ECUs). Nonetheless, it is increasingly threatened by cyberattack due to the lack of security mechanisms by design. This paper proposes a novel anomaly detection methodology based on graph pattern matching, which expresses CAN traffic in terms of graph structures. Given a base graph and window graph, we determine whether the window graph represents normal or anomaly by using the distance measure on the base graph. We have validated this anomaly detection methodology on public datasets and in an actual vehicle environment. Experimental results show that this methodology significantly improved the detection of unknown attacks and outperforms other CAN traffic-based approaches.

This work is licensed under a Creative Commons Attribution 4.0 License.