Securing Vehicular Networks: A Rules-Based CAN Intrusion Detection System Using IoT Edge Architecture

Abstract

The increasing interconnectivity of modern safety-critical embedded systems has led to an ever-increasing attack surface. The automotive and maritime industries are but two industries that use safety-critical embedded systems. A common protocol used in both industries is the Controller Area Network (CAN) protocol, which has been proven to have multiple security flaws.

This thesis proposes a novel rules-based CAN Intrusion Detection System (IDS) to protect against possible attacks via the CAN protocol and alert end users in real-time. A rules-based approach was chosen due to the ability to dynamically adapt to the varying state of CAN messages. Previous rules-based implementations use a small number of rules, leading to the potential to misclassify incoming CAN messages. This thesis expands on previous implementations by proposing 16 established rules in total.

The proposed rules-based CAN IDS leverages an IoT (Internet of Things) architecture to provide centralised management of the IDS and to give the capability of deploying the IDS at scale. This thesis tests the proposed rules-based CAN IDS on two real-world systems that use the J1939 and NMEA 2000 protocols, with the primary testing performed on a 2016 Peterbilt 579 truck. Interesting observations from testing the rules-based CAN IDS found that manufacturers do not follow J1939 standards and a five-millisecond per message limitation in the Azure IoT Edge infrastructure.