Hidden Markov Model based Anomaly Detection Method for

Ye Neung Kim, Seok Min Ko, and TaeGuen Kim+
Soonchunhyang University, Asan City, Republic of Korea

+: Corresponding author: TaeGuen Kim

Abstract

The CAN protocol is a serial bus protocol that addresses the shortcomings of the point-to-point network topology, and it provides full-duplex communications for transmitting data between the host nodes that make up the network. In addition, the CAN protocol has many advantages in terms of scalability and the cost efficiency of wiring the network devices. For this reason, many car manufacturers have adopted the CAN protocol for implementing their in-vehicle networks.

Even though the CAN protocol is widely used for in-vehicle networks, it still does not support any security mechanism to provide safe data transmission, because the size of a CAN message is limited to 8 bytes, which is insufficient to contain security fields. The network nodes (ECUs) using the CAN protocol broadcast their data without applying encryption or authentication to it. Therefore, attackers can sniff and analyze the data transmitted through the CAN bus, and they can also inject malformed data to control the in-vehicle network.

In this paper, we propose a novel anomaly detection framework to protect in-vehicle networks that use the CAN bus protocol. Our proposed framework uses many hidden Markov models to represent the normality of the network, and the models are generated using two types of network information: the transmission time interval and the payload data changes. In the evaluation, we conducted several experiments and found that the proposed framework can detect abnormal network behaviors accurately.

Keywords: Controller Area Network, In-Vehicle Network, Hidden Markov Model, Anomaly Detection, Intrusion Detection System.

Journal of Internet Services and Information Security (JISIS), 12(2): 115-125, May 2022
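
The following is an added illustration, not code from the paper, of the transmission-time-interval side of the approach the abstract describes: a window of inter-arrival times for one CAN ID is scored against a hidden Markov model of normal traffic and flagged when its likelihood is low. The 10 ms period, the three-symbol quantisation, the hand-set two-state model parameters (the paper generates its models from network data), the threshold and the sample timestamps are all assumptions constructed for this example.

```python
import math

# Assumed (not from the paper): one periodic CAN ID with a 10 ms period,
# intervals quantised into 3 symbols, and a hand-set 2-state HMM.
PERIOD_MS, TOL_MS = 10.0, 1.0
START = [0.9, 0.1]                       # state 0 = steady, state 1 = jittery
TRANS = [[0.95, 0.05], [0.50, 0.50]]     # P(next state | current state)
EMIT = [[0.96, 0.02, 0.02],              # P(symbol | state), symbols as below
        [0.40, 0.30, 0.30]]

def quantise(timestamps_ms):
    """Map inter-arrival intervals to symbols: 0 on-time, 1 early, 2 late."""
    symbols = []
    for prev, cur in zip(timestamps_ms, timestamps_ms[1:]):
        delta = (cur - prev) - PERIOD_MS
        symbols.append(0 if abs(delta) <= TOL_MS else (1 if delta < 0 else 2))
    return symbols

def avg_log_likelihood(symbols):
    """Scaled forward algorithm: log P(symbols | model) / len(symbols)."""
    n = len(START)
    alpha = [START[s] * EMIT[s][symbols[0]] for s in range(n)]
    total = 0.0
    for t in range(len(symbols)):
        if t > 0:
            alpha = [sum(alpha[p] * TRANS[p][s] for p in range(n))
                     * EMIT[s][symbols[t]] for s in range(n)]
        scale = sum(alpha)               # P(symbol t | earlier symbols)
        total += math.log(scale)
        alpha = [a / scale for a in alpha]
    return total / len(symbols)

def is_anomalous(timestamps_ms, threshold=-0.5):
    """Flag a window whose per-symbol log-likelihood is below the threshold."""
    return avg_log_likelihood(quantise(timestamps_ms)) < threshold

# Constructed sample windows (timestamps in ms) for a single CAN ID.
NORMAL = [0.0, 10.1, 20.0, 29.8, 40.2, 50.0, 60.1, 69.9, 80.0, 90.2, 100.0]
# Same ID with extra frames interleaved, so intervals become too short.
INJECTED = [0.0, 10.0, 12.0, 20.0, 22.1, 30.0, 32.0, 40.1, 42.0, 50.0, 52.0]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("injected", INJECTED)):
        score = avg_log_likelihood(quantise(window))
        print(name, round(score, 3), is_anomalous(window))
```

The payload-change feature named in the abstract could be scored the same way by replacing `quantise` with a symboliser over byte differences between consecutive frames; that mapping is likewise an assumption, not the paper's method.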