Time-Based CAN Intrusion Detection BenchmarkThis manuscript has been co-authored by UT-Battelle, LLC, under contract DE-AC05-00OR22725 with the US Department of Energy (DOE). The US government retains and the publisher, by accepting the article for publication, acknowledges that the US government retains a nonexclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this manuscript, or allow others to do so, for US government purposes. DOE will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).

Time-Based CAN Intrusion Detection Benchmark1


Modern vehicles are complex cyber-physical systems made of hundreds of electronic control units (ECUs) that communicate over controller area networks (CANs). This inherited complexity has expanded the CAN attack surface which is vulnerable to message injection attacks. These injections change the overall timing characteristics of messages on the bus, and thus, to detect these malicious messages, time-based intrusion detection systems (IDSs) have been proposed. However, time-based IDSs are usually trained and tested on low-fidelity datasets with unrealistic, labeled attacks. This makes difficult the task of evaluating, comparing, and validating IDSs. Here we detail and benchmark four time-based IDSs against the newly published ROAD dataset, the first open CAN IDS dataset with real (non-simulated) stealthy attacks with physically verified effects. We found that methods that perform hypothesis testing by explicitly estimating message timing distributions have lower performance than methods that seek anomalies in a distribution-related statistic. In particular, these “distribution-agnostic” based methods outperform “distribution-based” methods by at least in area under the precision-recall curve (AUC-PR). Our results expand the body of knowledge of CAN time-based IDSs by providing details of these methods and reporting their results when tested on datasets with real advanced attacks. Finally, we develop an after-market plug-in detector using lightweight hardware, which can be used to deploy the best performing IDS method on nearly any vehicle.


I Introduction

Modern vehicles are commonly drive-by-wire. That means that the states of vehicle subsystems are constantly being updated through broadcast messages between small dedicated computers called electronic control units (ECUs). With the increasing connectivity between ECUs, inherent security risks are becoming evident. Controller Area Network (CAN) is the default protocol used in the automotive industry [2]. It reduces wiring complexity by allowing ECUs to communicate on a common channel or bus with a standard protocol. Due to the continuously growing attack surface and the lack of authentication and lack of encryption, CAN is one of the main means by which adversaries can attack vehicles.

Vehicle complexity increases the attack surface by allowing the execution of (remote) attacks that have been shown to be life threatening. Examples include the injection of malicious messages through cellular networks with the purpose of taking control of targeted vehicles [5, 18] and the demonstrated attacks by Miller and Valasek causing unintended acceleration, deactivation of vehicles’ brakes, as well as turning the steering wheel [15, 16]. In addition to these remote attacks, direct access to the CAN bus is generally easy to obtain, and for research purposes, most CAN attacks are administered via adding a node (ECU) through a the standard on-board diagnostic (OBD) II port.

I-a Preliminaries

CAN messages or frames have two main parts: an arbitration ID (AID), typically composed of 11 bits, and a data field, composed of up to 64 bits. The AID functions as a label for the frame and serves to determine, by a process called arbitration, which message is received by the CAN bus when messages are transmitted simultaneously. The data communicates the current state of a vehicle system—for example, the anti-lock braking system. Commonly, messages with the same AID are sent regularly—most AIDs occur at their fixed frequency with minor aberrations—and often with redundant data.

CAN attacks have been classified using a three-tiered taxonomy: fabrication, suspension, and masquerade attacks [6]. Here we focus on fabrication attacks that, by definition, add a node (ECU) to the CAN bus and transmits messages with the intention of overloading the bus or overwriting messages to manipulate vehicle functionality. While these are the simplest attacks to execute, their effect on vehicles has been repeatedly proven [24, 17]. Notably, adding messages to the bus changes the time gap between subsequent messages, which leads to our focus—intrusion detection systems (IDSs) targeting fabrication attacks via identifying message timing anomalies.

Due to the redundancy of CAN messages, to “overwrite” a particular AID’s message in a fabrication attack (Targeted ID Attack), an attacker must either broadcast messages at a rate faster than the true message (flooding delivery) or directly after the true message with the target ID is sent (flam delivery) [7]. A targeted ID attack using flam delivery is the most stealthy kind of fabrication attack, as the resulting timing perturbation is relatively minor, and thus provide the most difficult fabrication attack testing for time-based detection methods. Denial of service (DOS) and fuzzing attacks use flooding delivery with the goal of overloading the bus rather than targeting a particular ID, resulting in less stealthy fabrication attacks.

I-B Related Work

After early vehicle security work of Hoppe et al. [13], who note that monitoring for increased message frequency poses a potentially effective CAN IDS, initial research began to prove the concept that fabrication attacks can be accurately identified via message timing anomalies. Following works considered simple heuristics based on the counts of messages in a time window [21] or the average observed time gap between messages [9, 24, 17]. Later works began applying more sophisticated statistical machinery to the problem of unsupervised fabrication attack detection via timing-based methods: Tomlinson et al. [25] consider two online methods and one pre-trained unsupervised method, all based on the mean inter-message time gap; Hamada et al. [10] train Gaussian mixture models to identify time gaps in the future that occur with low probability; Olufowobi et al. [19] create a complex simulation for message timing from CPU scheduling research, which unfortunately exhibits low precision (many false alerts); Kuwahara et al. [14] create vectors of message counts in a time window, then use a z-score on nearest neighbor distance to find anomalous windows; Han et al. [11] test survival analysis techniques; Olufowobi et al. [20] use CUMSUM change detection; Young et al. [27] apply the Fast Fourier Transform (FFT) to a square wave representation of messages and find anomalies in the frequency domain representation; Avatefipour et al. [1] test a combination of a modified bat algorithm with a one-class support vector machine (OCSVM).

Noteworthy takeaways from the survey above include:

  • Very simple methods, e.g. see Moore et al. [17] report strong detection results as do more sophisticated methods, e.g., Olufowobi et al. [20].

  • Methods that process a time window of data can, depending on implementation, introduce a lag in detection (of up to the length of the time window) and an inability to distinguish specific inter-message time gaps that are anomalous [21, 10].

  • Few of proposed methods are evaluated on real (non-simulated), public data, as appropriate public CAN datasets were not available at the time of the earlier research, although a few later works (e.g., [20, 14]) use now-public datasets.

  • Most of the works fail to cite many directly comparable previous works.

I-C Motivation & Contributions

The newly released ROAD Dataset [7] provides real (non-simulated), physically-verified, CAN data with labeled fabrication attacks, in particular many using the stealthy flam delivery. In light of T1 and T3, we leverage this opportunity to benchmark some intuitive, straightforward approaches to time-based detection of fabrication attacks. The methods chosen aim to identify and compare the statistical concepts foundational to time-based CAN IDS methods on a high fidelity dataset. To the best of our knowledge, an analysis benchmarking several different time-based IDS methods has not yet been thoroughly performed.

The contributions of this research are summarized as follows. In light of T4, we provide a thorough survey of the previous time-based CAN IDS research targeting fabrication attacks. Second, we provide definitions of four different time-based IDSs, stating the conditions needed to raise alarms in each of the methods. We implement the detailed methods, enabling their further deployment and comparison. Third, we test the implemented methods on a publicly available CAN IDS dataset, ROAD [7]. In contrast with previous work in the area, the test set includes many fabrication attacks that were administered to a real vehicle’s CAN with effect to the vehicle physically verified; notably, this dataset is publicly available and does not contain simulated data. Fourth, we compare the proposed time-based IDS methods based on their detection ability. Lastly, we discuss implementation details and the operation of the best performing method in an OBD II plugin. In light of T2, this includes detection latency analysis of our Binning detector.

Ii Methods

In this section, we define the threat model and dataset used throughout the paper (Sec. II-A), the detection methods that we compared (Sec. II-B), an analysis of detection latency (Sec. II-C), and the accuracy metrics we used for comparison (Sec. II-D).

Ii-a Threat Model & Dataset

Cho and Shin [6] provide a widely known CAN attack terminology. Specifically, they used the term weakly compromised ECU to denote an ECU that an adversary is able to silence by suspending message transmission. Conversely, they used the term fully compromised ECU for an ECU over which an adversary has complete control, including the ability to send fabricated messages and gain memory access.

In this work, we used the ROAD dataset [7] that involve a fully compromised ECU introduced to the CAN bus using the OBD-II port. The ROAD Dataset is the first open dataset with real (non-simulated), stealthy (using flam delivery) fabrication attacks that have physically verified effects on the vehicle. These characteristics make the ROAD dataset ideal for benchmarking time-based IDS methods.

The ROAD dataset consists of 12 ambient captures (log files) containing about three hours of ambient (non-attack) data and 33 attack captures that last in total about 30 minutes. Table I lists contents of attacks and logs in the ROAD dataset, and indicates the subset of logs used in this paper. The ROAD dataset contains several types of attacks (see Table I, bottom): (1) fabrication attacks, including fuzzing attacks and several different targeted ID attacks using flam delivery; (2) masquerade attacks and (3) an advanced “Accelerator” attack. Note that (2) and (3) do not alter timing characteristics and are thus out of scope for this paper. For thorough testing, several of the attacks are run and logged more than once. The ROAD data was obfuscated to ensure anonymity of the vehicle while preserving aspects that are needed for testing IDS methods. For more details on the data collection and obfuscation procedure, refer to the work by Verma et al. [7].

Below we describe the specifics of the data we used from the ROAD dataset for the training and testing phases.

Description # Logs Used Duration (min)


Dynamometer Various Ambient 10 108.2
Road Various Ambient 2 70.6
Total 12 10 178.8


Accelerator Attack (In Drive) 2 2.7
Accelerator Attack (In Reverse) 2 3.2
Correlated Signal Fabrication Attack 3 1.3
Correlated Signal Masquerade Attack 3 1.3
Fuzzing Fabrication Attack 3 0.7
Max Engine Coolant Temp Fabrication Attack 1 0.4
Max Engine Coolant Temp Masquerade Attack 1 0.4
Max Speedometer Fabrication Attack 3 3.9
Max Speedometer Masquerade Attack 3 3.9
Reverse Light Off Fabrication Attack 3 2.1
Reverse Light Off Masquerade Attack 3 2.1
Reverse Light On Fabrication Attack 3 3.2
Reverse Light On Masquerade Attack 3 3.2
Total 33 16 28.4
TABLE I: Logs in ROAD CAN Intrusion Detection Dataset.


Training or ambient data in the ROAD dataset was collected when the vehicle was on the dynamometer or on the road while performing diverse, potentially unusual but benign, driving activities (e.g., unbuckling seatbelts or opening doors while driving). In this work, for training, we used all 10 data logs that were generated on the dynamometer only (see Table I, top). We select only these ambient dynamometer logs since all logs containing attacks, which make up our test data, were collected on a dynamometer.

The time-based IDS methods that we benchmark in this work rely on analyzing inter-message time distributions of each AID. Thus, characterizing inter-message time distributions is an important step during the training phase. Fig. 1 shows the inter-message time distribution of AID 0xD0 (a targeted AID in one of the attacks). We annotate the figure with the values of the mean , standard deviation , minimum value , and maximum value . Fig. 1(a) shows the distribution without removing outliers in training. We notice that although most inter-message times are short (contained in the bar with almost six orders of magnitude), there are a few outliers corresponding to events transmitted at asynchronous rates (more than 50 seconds). Given that these outliers have the potential to skew the inter-message time distributions, we test results with and without outliers.

To remove outliers, we used the Minimum Covariant Determinant (MCD) method [23]. MCD is an estimator of multivariate location (mean) and scatter (covariance) that is robust to outliers in the data and for which a fast algorithm is available. MCD serves as a convenient and efficient tool for identifying and omitting outliers while fitting a Gaussian to the remaining inliers. For removing outliers, we used the EllipticEnvelope class in SciKit-Learn [22]. We set the contamination argument to to control the proportion of expected outliers. Fig. 1 shows the inter-message time distribution (a) with and (b) without outliers in training. Clearly data in (a) (with outliers) is non-Gaussian; in (b) (without outliers), the Gaussian is plotted in black over the data histogram.

We observe that removing the outliers significantly shrinks the domain of the random variable ( with outliers versus without). By removing outliers, we believe we can ensure a better characterization of the inter-message time distribution, and thereby obtain a better detector. We test this hypothesis by comparing results with and without outliers in Sec. III.

Fig. 1: Probability Density Function (logscale) of inter-message time distributions for AID 0xD0 in the training dataset (a) with outliers and (b) without outliers and with the Gaussian fit of the PDF shown in black. Note that without removing outliers, data is not Gaussian.


We used all 16 available log files for testing time-based detectors (namely, those containing fabrication attacks): the fuzzing attacks and the five different fabrication targeted ID attacks (see Table I, bottom). We aggregated all of these logs for evaluating the performance of the time-based IDS methods. Note that we did not remove outliers in the testing dataset. Importantly, among the 16 logs files that we used for testing, there was a total of 1,588,263 messages, of which 61,516 were attacks. This means that the proportion of positive samples is about , which makes the testing dataset highly imbalanced. We revisit the imbalanced effect of the testing dataset in Sec. III.

Ii-B Detection Methods

We tested four detection methods that exploit the timing regularities of CAN messages: Mean Inter-Message Time (Sec. II-B1), Binning (Sec. II-B2), Fitting a Gaussian Distribution (Sec. II-B3), and Kernel Density Estimation (KDE) (Sec. II-B4). While the first two rely on heuristics based on the inter-message times, the latter two follow previous anomaly detection works by fitting a continuous distribution to the inter-message times and detecting time gaps with low -value [3]. We employ the two-sided -value (of a sample given a probability distribution ), denoted by , where is the probability with respect to as:


All methods except for Binning use a two-step process for determining if a message is malicious. Step (1) Comparison: this step identifies whether a message is suspicious by comparing it to a threshold identified during training. Step (2) Check for sufficiency: this step determines whether the frames identified as suspicious in Step (1) are sufficiently anomalous to warrant an alert. This is done by checking if suspicious inter-message times occur repeatedly; the intuition is that to manifest physical changes, fabrication attacks must have repeated injections to continually overwrite the ambient messages. If sufficiency is confirmed, the messages are marked as malicious.

In this section, let be the set of inter-message times for a particular AID in the ROAD dataset and let be an arbitrary inter-message time in . Again, denotes the average inter-message time for this AID. We run each method using a range of detection thresholds , where is defined below for each.

Mean Inter-Message Time (Mean)

The first method uses the empirical mean calculated during training and a given threshold . (1) Comparison: consider if inter-message time . (2) Check for sufficiency: if holds for three out of the last six inter-message times, the frame is labeled malicious. We compute results for thresholds for . We use 18 thresholds to be consistent with the distribution-based methods (II-B3, II-B4).


The second method considers the number of messages transmitted during a certain window of time. We let for . In order to identify the appropriate threshold, for each , we labeled a message malicious when the last six frames arrived in less than seconds. As intuition, note that in a time window of length we expect messages to occur. Hence for , this method will alert when extra messages are occurring.

Fitting a Gaussian Distribution (Gaussian)

The third method fits a Gaussian distribution, , to the inter-message times (regardless of the shape of the data) and computes the two-sided -value defined in Eq. 1. Let Detection was run for each as follows. (1) Comparison: for each , compute (as in Eq. 1). (2) Check for sufficiency: if for three consecutive inter-message times, the frame is labeled malicious.

Kernel Density Estimation (KDE)

The final method uses a KDE using a Gaussian kernel to establish a probability density function, , of the inter-message time data. Steps for detection follow the Gaussian method’s (1) and (2) with instead of . Detection results are computed for each as in the Gaussian method (II-B3).

Ii-C Detection Latency

For all methods except Binning, each frame is scored and alerted; hence, latency is simply the computational time for the detection. Note that the Binning method, by design does not compute counts for moving time windows, but instead stores the previous five message times and asks if the next message occurs too soon, specifically if the last six messages occurred in less than s. Hence, detection latency depends on Here we suppose that there is at least one illegitimate frame sent between each pair of ambient frames. If detection is immediate (simply computation time for the algorithm) as the previous five message (all legitimate) will require s; thus, the time gap from the first initial illegitimate frame to the sixth previous will be under . Similarly, the time gap from the second illegitimate frame to the sixth previous is at most , meaning for detection latency is plus computational time. Finally, the time gap from the third or any subsequent illegitimate frame to the sixth previous message is at most . This means our detection latency will be at most plus computation time for Note that detection accuracy may vary greatly among different values of . To put this in context, most AID frequencies are on the order of 10Hz to 100Hz, so the latency is a fraction of a second for all thresholds .

Ii-D Detection Ability Comparison

The basis for the comparison between the time-based IDS methods is based on counting the number of CAN messages that were labeled as true positives (TP), false positives (FP), false negatives (FN), and true negatives (TN). Several important classification metrics are based on these numbers: Precision, defined as , gives the likelihood that a detected message is an attack; Recall, defined as , gives the likelihood that an attack is detected. Since higher precision often comes at the price of higher recall (and vice versa), it is important to consider a balance of both metrics, and the standard balanced metric is the F1 score, defined as .

To compare the performance of these time-based methods over a range of detection thresholds (), we consider the Precision-Recall (PR) curve, which plots precision against the recall at different thresholds. We choose to use the PR curve rather than the more commonly used ROC curve, which is less suited to imbalanced datasets [8] (recall that the proportion of attack messages, i.e., positive samples, is about 3.9%). This PR curve illustrates how the accuracy of a method changes at different performance thresholds, and the optimal threshold in terms of F1 score will generally appear towards the furthest top-right point of the curve. In our evaluation, we determine the optimal threshold to be the threshold that results in the highest F1 score.

This curve is also provides an important metric for evaluating a methods head-to-head independent of a specific threshold, namely, the area under the PR curve (AUC-PR), where a higher percentage indicates better overall performance. Note that is is important to consider this threshold-independent metric, since a true unsupervised method cannot consult the test data to determine an optimal threshold. Note that the baseline of the PR curve is the proportion of positive samples .

Iii Results

For each method, the PR curve is shown in Fig. 2 and the AUC-PR is given in Table II.

We first consider the method performance independent of a detection threshold. We report the performance comparison between the four methods across every threshold using AUC-PR in Table II, and highlight the method with best performance in bold. Overall, we find that methods that rely heavily on the distribution (i.e., Gaussian and KDE methods) tend to perform much worse and be significantly affected by outliers, as opposed to methods that do not have these distributional assumptions (i.e., Mean and Binning methods). With outliers present, the AUC-PR for both the Gaussian and KDE method are near 0, and while they perform significantly better when these outliers are removed from the training set, both still have a very low AUC-PR of under 15%. Removing outliers also makes the performance of the Mean method slightly better (from 68.90 to 69.05) but interestingly, it worsens the performance of the Binning method (from 87.63 to 82.18). The Binning method has the best performance both with and without outliers in training, achieving over 82% in both cases.

We next consider the performance of the methods at different threshold values. This is done illustrate how these thresholds affect the methods and determine the optimal threshold and resulting F1 score for each. Fig. 2 gives a more detailed illustration of the conclusions given above: regardless of the presence of outliers, both Gaussian and KDE methods tend to perform poorly at all detection thresholds, while the Mean and Binning methods perform much better, particularly at certain thresholds (indicated by the blue and orange points near ).

For the distribution-agnostic methods, we found that the optimal threshold and resulting optimal F1 score were essentially the same with or without outliers present in training. We found that the optimal threshold value for the Mean method is , At this threshold, the value of the F1 score is (precision is 97.6% and recall is 99.6%). This means that reporting (as anomalies) messages that are less than of the expected inter-arrival time mean (per AID) produces the best tradeoff between precision and recall. We also found that for the binning method, the optimal value for the threshold (for this method, the window length) is 3.5. At this threshold, the F1 score is (precision is 98.6% and recall is 99.2%). This means that reporting messages (as anomalies) that do not resemble the expected number of messages in a window of length of 3.5 produces the best tradeoff between precision and recall.

For the distribution-based methods, we consider only the case in which outliers are removed, since these methods are essentially useless without this preprocessing step. The optimal threshold (the p-value) for the Gaussian and KDE methods was . At this value the F1 score achieved is and , respectively.

Method With Outliers Without Outliers
Mean 68.90% 69.05%
Binning 87.63% 82.18%
Gaussian 0.00% 8.99%
KDE 0.02% 13.88%
TABLE II: AUC-PR comparison with and without outliers in training. The Binning method (in bold), is the best performing method in both cases.
Fig. 2: Performance comparison based on PRC. (a) with (b) without outliers. The Binning method performs best overall.

Iii-a OBD-II Plugin Prototype

To prove the proposed detector is a viable vehicle-agnostic detector able to run on small edge computing devices efficiently, we implemented the Binning method (Sec II-B2) on an OBD-II plugin. We devised an edge computing device using a Raspberry Pi 3B+ with Raspbian Buster providing 1GB of RAM, a 1.4GHz ARMv8 processor, and Python support coupled with an interface board, Industrial Berry’s CANBerry Dual 2.1 [4] to facilitate CAN communication. Once attached to the CAN bus (plugged into an OBD II of a running vehicle), the device runs an algorithm to identify the CAN’s pre-configured bitrate along with other metadata, e.g., the vehicle identification number (VIN). The device then automatically collects CAN data from the vehicle and trains the parameters for each AID’s detector. At this point the driver would ideally exercise as much of the vehicle’s functionality as possible in order to determine the timing characteristics of the most possible AIDs. Once trained, the device can deploy the time-based detectors in real time and receive alerts visually via LEDs, with metadata and logs of the alerts stored on the prototype. The stages of the process are started/stopped with a switch on the device. The implementation into hardware follow our previous work [26]. We provide a demonstration video of the hardware running the Binning detector on a passenger vehicle while implementing an attack online (https://www.youtube.com/watch?v=mQxkycW0mV4).

Iv Discussion

Recalling the takeaways from our survey of the related literature, Sec. I-B, specifically, T1 (simple detectors have garnered strong results) and T4 (few previous works use real, public, physically-verified, high-fidelity attack datasets for testing), we formally define, implement, comparatively evaluate four different time-based intrusion detection system (IDS) methods on the ROAD Dataset [7], a publicly available CAN dataset with labeled attacks. The Mean method (II-B1) represents the many initial works that use heuristics based on differences from the average inter-message timing, while the Binning method (II-B2) represents the early methods that count messages in a time-window. As these both rely heavily on the learned mean inter-message time, a logical next step is to leverage also the second moment, variance, specifically, fitting a Gaussian to training data and detecting events in the tail (II-B3). Peeking at the training data (Fig. 1) we note that outliers may ruin the Gaussian fit. Alternatively, one may argue that non-Gaussian data should be fit with a more flexible class of distributions. To this end we also tested an analogous detector based on the very flexible kernel density estimate (KDE) method (both with and without outliers in training) to test this hypothesis.

Unsurprisingly considering previous works, the two simple, distribution-agnostic (Mean, Binning) achieve strong results (F1 scores of 0.986, 0.990, respectively). Moreover, our results with and without outliers in the training data show the methods are fairly robust to outliers as their results are not substantially affected.

Perhaps shockingly, the two distribution-based methods pale in comparison. Our analysis of results when fitting these distributions to training data with and without outliers shows that these poor detection results exhibit only minor improvements (F1 scores of 0.260, 0.278, respectively); hence, they are not amended by this pre-processing maneuver. Rather, it seems that the tails of the Gaussian (and KDE, whose tails are near identical) are insufficient to characterize these. In the case of the Gaussian, these result suggest that considering the inter-message time as a fraction of the mean is an informative statistic but as a -score is not, perhaps because the variance is so small in these distributions. As the tails of the Gaussian and KDE distributions are similar, this provides intuition for the poor results of these distributional methods.

Overall, these results suggest that counting methods are perhaps slightly better than those that consider inter-message timing, and more dramatically, the heuristic/distribution-agnostic methods far outperform those that explicitly seek tails of an estimated distribution. Inspecting the testing data reveals an artifact of flam attacks (that send one illegitimate message just after a legitimate message); i.e., they force the attack inter-message times to be a bi-modal distribution.

The following are some limitations of our study. First, we do not consider CAN messages without fixed timing. Second, the ROAD dataset only includes data from a single car. It is clear from the research that these techniques will succeed on a wide variety of vehicles, but specifics, e.g., the optimal thresholds found via our test data, may or may not translate to other vehicles. Third, as these are unsupervised methods, how to set the threshold with no attack data is a real-world need that we do not address. Finally, the methods we tested are exclusively of a time-based nature and the scope of our paper is limited to fabrication attacks. These methods are not intended to detect attacks that do not alter message frequencies, e.g., masquerade attacks. For detecting such anomalous event messages, methods should also take into account changes in the payload (e.g., see [12]).

To the best of our knowledge, the results from this research show for the first time a systematic comparison of time-based detection methods on an open CAN IDS dataset with verified real-world attacks. While this may seem like a solved problem we note that the results of the Binning and Mean detectors (and likely most all previous works) are in fact insufficient when put in context. Referring to the Dataset Section (II-A), the test data was minutes of driving data comprised of M CAN messages. With the optimal Binning detector’s precision of 98.6%, this still produces approximately M = 1,821 alerts per minute. In short, systematically pushing the state of the art in this area is still needed, and we hope this benchmark of the straightforward approaches in the area helps. In summary, our results indicate that future researchers may wish to focus on counting algorithms that can increase precision at (ideally) no expense to recall, and statistical machinery that relies on distributional estimates.


  1. thanks: This manuscript has been co-authored by UT-Battelle, LLC, under contract DE-AC05-00OR22725 with the US Department of Energy (DOE). The US government retains and the publisher, by accepting the article for publication, acknowledges that the US government retains a nonexclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this manuscript, or allow others to do so, for US government purposes. DOE will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).
  2. publicationid: pubid: Workshop on Automotive and Autonomous Vehicle Security (AutoSec) 2021 21 February 2021 ISBN 1-891562-68-1 https://dx.doi.org/10.14722/autosec.2021.23xxx www.ndss-symposium.org


  1. O. Avatefipour, A. S. Al-Sumaiti, A. M. El-Sherbeeny, E. M. Awwad and M. A. Elmeligy (2019) An intelligent secured framework for cyberattack detection in electric vehicles’ can bus using machine learning. IEEE Access. External Links: ISSN 2169-3536, Document Cited by: §I-B.
  2. R. Bosch (1991) CAN specification version 2.0. Rober Bousch GmbH, Postfach 300240, pp. 72. Cited by: §I.
  3. R. A. Bridges, J. D. Jamieson and J. W. Reed (2017) Setting the threshold for high throughput detectors: a mathematical approach for ensembles of dynamic, heterogeneous, probabilistic anomaly detectors. In Proceedings of the IEEE International Conference on Big Data, pp. 1071–1078. Cited by: §II-B.
  4. CAN bus shield for raspberry with 2 can interfaces. Note: \urlhttp://www.industrialberry.com/canberrydual-v2-1/ Cited by: §III-A.
  5. S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage and K. Koscher (2011) Comprehensive experimental analyses of automotive attack surfaces. In Proceeding of the USENIX Security Symposium, Vol. , pp. 447–462. Cited by: §I.
  6. K. Cho and K. G. Shin (2016) Fingerprinting electronic control units for vehicle intrusion detection. In Proceedings of the 25th USENIX Security Symposium, pp. 911–927. Cited by: §I-A, §II-A.
  7. F. L. Combs (2020-12) ROAD: the real ORNL automotive dynamometer controller area network intrusion detection dataset (with a comprehensive CAN IDS dataset survey & guide). arXiv: 2012.14600 [cs]. External Links: Link Cited by: §I-A, §I-C, §I-C, §II-A, §II-A, §IV.
  8. J. Davis and M. Goadrich (2006) The relationship between precision-recall and roc curves. In Proceedings of the 23rd international conference on Machine learning, pp. 233–240. Cited by: §II-D.
  9. M. Gmiden, M. H. Gmiden and H. Trabelsi (2016-12) An intrusion detection method for securing in-vehicle can bus. In 2016 17th IEEE International Conference on Sciences and Techniques of Automatic Control and Computer Engineering, External Links: ISBN 978-1-5090-3407-9, Document Cited by: §I-B.
  10. Y. Hamada, M. Inoue, H. Ueda, Y. Miyashita and Y. Hata (2018-05) Anomaly-based intrusion detection using the density estimation of reception cycle periods for in-vehicle networks. SAE Int. J. Transp. Cybersecur. Privacy 1 (1), pp. 39–56. External Links: ISSN 2572-1054, Document Cited by: item T2, §I-B.
  11. M. L. Han, B. I. Kwak and H. K. Kim (2018-10) Anomaly intrusion detection method for vehicular networks based on survival analysis. Veh. Commun. 14, pp. 52–63. External Links: ISSN 2214-2096 Cited by: §I-B.
  12. M. Hanselmann, T. Strauss, K. Dormann and H. Ulmer (2020) CANet: an unsupervised intrusion detection system for high dimensional CAN bus data. IEEE Access 8. Cited by: §IV.
  13. T. Hoppe, S. Kiltz and J. Dittmann (2009) Applying intrusion detection to automotive it – early insights and remaining challenges. Journal of Information Assurance and Security (JIAS) 4 (6), pp. 226–235. Cited by: §I-B.
  14. T. Kuwahara, Y. Baba, H. Kashima, T. Kishikawa and J. Tsurumi (2018) Supervised and unsupervised intrusion detection based on can message frequencies for in-vehicle network. Journal of Information Processing 26. External Links: ISSN 1882-6652, Document Cited by: item T3, §I-B.
  15. C. Miller and C. Valasek (2015) Remote exploitation of an unaltered passenger vehicle. Black Hat USA 2015, pp. 91. Cited by: §I.
  16. C. Miller and C. Valasek (2016) CAN message injection: OG dynamite edition. Tech. Rep.. Cited by: §I.
  17. M. R. Moore, R. A. Bridges, F. L. Combs, M. S. Starr and S. J. Prowell (2017) Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks: a data-driven approach to in-vehicle intrusion detection. In Proceedings of the 12th Annual Conference on Cyber and Information Security Research, Cited by: item T1, §I-A, §I-B.
  18. S. Nie, L. Liu and Y. Du (2017) Free-fall: hacking tesla from wireless to CAN bus. Briefing, Black Hat USA 25, pp. 1–16. Cited by: §I.
  19. H. Olufowobi, G. Bloom, C. Young and J. Zambreno (2018-12) Work-in-progress: real-time modeling for intrusion detection in automotive controller area network. In 2018 IEEE Real-Time Systems Symposium, pp. 161–164. External Links: Document Cited by: §I-B.
  20. H. Olufowobi, U. Ezeobi, E. Muhati, G. Robinson and C. Young (2019) Anomaly detection approach using adaptive cumulative sum algorithm for controller area network. In Proceedings of the ACM Workshop on Automotive Cybersecurity, pp. 25–30. Cited by: item T1, item T3, §I-B.
  21. S. Otsuka, T. Ishigooka, Y. Oishi and K. Sasazawa (2014-04) CAN Security: Cost-Effective Intrusion Detection for Real-Time Control Systems. Technical report SAE Technical Paper. External Links: Document Cited by: item T2, §I-B.
  22. F. Pedregosa (2011) Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, pp. 2825–2830. Cited by: §II-A1.
  23. P. J. Rousseeuw and K. V. Driessen (1999) A fast algorithm for the minimum covariance determinant estimator. Technometrics 41 (3), pp. 212–223. Cited by: §II-A1.
  24. H. M. Song, H. R. Kim and H. K. Kim (2016) Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network. In Proceedings of the International Conference on Information Networking, Cited by: §I-A, §I-B.
  25. A. Tomlinson, J. Bryans, S. A. Shaikh and H. K. Kalutarage (2018) Detection of Automotive CAN Cyber-Attacks by Identifying Packet Timing Anomalies in Time Windows. In Proceedings of the 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops, Vol. . Cited by: §I-B.
  26. M. E. Verma, R. A. Bridges, J. J. Sosnowski, S. C. Hollifield and M. D. Iannacone (2020-06) CAN-D: a modular four-step pipeline for comprehensively decoding controller area network data. arXiv:2006.05993 [cs, eess]. Cited by: §III-A.
  27. C. Young, H. Olufowobi, G. Bloom and J. Zambreno (2019) Automotive intrusion detection based on constant can message frequencies across vehicle driving modes. In Proceedings of the ACM Workshop on Automotive Cybersecurity, pp. 9–14. External Links: ISBN 978-1-4503-6180-4, Document Cited by: §I-B.
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
Add comment
Loading ...
This is a comment super asjknd jkasnjk adsnkj
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test description