WIP: Intrusion Detection and Localization for CAN by Extracting Propagation Delay Features from Message Intervals

The Controller Area Network (CAN bus) is a critical communication protocol used in vehicles. Its lack of built-in security allows an attacker with bus access to launch various impersonation attacks, such as spoofing and replay. Researchers proposed defense approaches to counter these attacks using various features, such as message frequencies, voltages, signal asymmetries, and more recently, timing. In this paper, we propose a new timing feature which we call "transmit signatures" (TS). TS strongly depends on the physical distances and propagation delays between ECUs, allowing us to detect and localize impersonation attacks. Unlike prior approaches, we extract TS from the natural time intervals between messages, without installing additional wiring or modifying ECUs' software and traffic. We formulate a hypothesis about TS' distance dependency. We then conduct experiments to validate and refine our hypothesis. Using the refined theory, we introduce and evaluate a TS modeling approach and propose attack detection and localization methods.