TIDAL-CAN: Differential Timing Based Intrusion Detection and Localization for Controller Area Network

Since the first reports on its lack of security, the Controller Area Network (CAN) was in focus for numerous research works. A specific area of research has employed physical layer characteristics that can be used to uniquely identify network nodes. But there are common downsides in existing approaches such as vulnerabilities in front of attacks involving node replacement or insertion or the inability to locate the intruder node within the network. In this work, we propose a new intrusion detection system for CAN which is based on monitoring the propagation time of the physical signals sent on the bus. Indeed, quite a number of recent works addressed the use of physical or timing characteristics to identify network nodes or to create covert channels. In our approach, by accounting for intrinsic delay characteristics of the bus and by monitoring the difference in signal arrival time at the two bus ends, we can identify nodes by location-related differential delays and provide relevant information for estimating the relative location of a transmitter node on the bus. The results of our experimental evaluation show that our approach provides very high identification rates and accurate localization in case of attacks from compromised nodes. The ability to detect attacks that replace an existing node or plug new adversarial nodes on the bus is also illustrated along with discussions on estimating sender location in these cases.