Abstract

Cyber-attacks on the automotive controller area network (CAN) have recently been shown to be achievable and potentially disruptive or deadly. Detecting an attack quickly will require the development of intrusion detection systems that can cope with the rapid broadcast of CAN data, the comparatively limited computational power of automotive components, and the proprietary nature of CAN data specifications. This paper presents an analysis of CAN broadcasts and consequent testing of statistical methods to detect timing changes in the CAN traffic indicative of some predicted attacks. The detection is implemented in time-defined windows. The generation of simulated attack data, and the determination of positive detections, are also considered.