Field classification, modeling and anomaly detection in unknown CAN bus networks

This paper describes a novel domain-aware anomaly detection system for in-car CAN bus network traffic. Through inspection of real CAN bus communication, we were able to split the messages into fields and identify the field types, without any prior knowledge of the message formats. We discovered the presence of Constant fields, Multi-Value fields and Counter or Sensor fields. Next we developed a classifier that automatically identifies the boundaries and types of these fields. In its learning phase, our anomaly detection system uses the classifier to characterize the fields and build a model for the messages, based on their field types. The model is based on Ternary Content-Addressable Memory (TCAM), that can run efficiently in either software or hardware. During the enforcement phase our system detects deviations from the model. We evaluated our system on simulated CAN bus traffic, and achieved very encouraging results: a median false positive rate of 1% with a median of only 89.5 TCAMs.