Using internal context to detect automotive controller area network attacks

Andrew Tomlinson, Jeremy Bryans, Siraj Ahmed Shaikh

    Research output: Contribution to journalArticlepeer-review

    9 Citations (Scopus)
    112 Downloads (Pure)


    The rise in data use within cars has led to concerns about their cybersecurity. The Controller Area Network (CAN) enables communication between components core to the car’s safety and performance, and has been demonstrated to be particularly vulnerable to hacking and malicious cyber-intrusion. CAN intrusion detection systems have been envisaged. Signatures of known attacks might be used for detection, but this method holds many limitations. Although some attacks might change packet broadcast rates or add unknown packets onto the network, attacks that have little or no effect on these, yet can alter the packet data, have also been devised. We therefore test three novelty detection methods (Local Outlier Factor, Compound Classifier and One-Class Support Vector Machine) that might identify an attack based solely on anomalies in CAN packet field data-values. The methods compare values across a cluster of CAN packets broadcast from different control units, so potentially could identify an attacked control unit even when its subsequent fabricated payload data-values remain plausible. We test the methods on data from two different makes of car across a range of manipulation magnitudes, reflecting the unpredictability of attacks. Different training regimes are tested, enabling us to assess validity across journeys. We also consider the processes needed to determine the CAN fields that might be included in the intrusion detection cluster, and present algorithms for automating those processes.
    Original languageEnglish
    Article number107048
    Number of pages14
    JournalComputers & Electrical Engineering
    Early online date9 Mar 2021
    Publication statusPublished - May 2021

    Bibliographical note

    NOTICE: this is the author’s version of a work that was accepted for publication in , Computers & Electrical Engineering. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in , Computers & Electrical Engineering, 91, (2021)
    DOI: 10.1016/j.compeleceng.2021.107048

    © 2021, Elsevier. Licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International


    • Intrusion detection
    • Controller area network
    • Automotive cybersecurity
    • Machine learning

    ASJC Scopus subject areas

    • Electrical and Electronic Engineering
    • Control and Systems Engineering
    • Computer Science(all)


    Dive into the research topics of 'Using internal context to detect automotive controller area network attacks'. Together they form a unique fingerprint.

    Cite this