Detection of Injection Attacks in Compressed CAN Traffic Logs

  • András GazdagEmail author
  • Dóra Neubrandt
  • Levente Buttyán
  • Zsolt Szalay
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11552)


Prior research has demonstrated that modern cars are vulnerable to cyber attacks. As such attacks may cause physical accidents, forensic investigations must be extended into the cyber domain. In order to support this, CAN traffic in vehicles must be logged continuously, stored efficiently, and analyzed later to detect signs of cyber attacks. Efficient storage of CAN logs requires compressing them. Usually, this compressed logs must be decompressed for analysis purposes, leading to waste of time due to the decompression operation itself and most importantly due to the fact that the analysis must be carried out on a much larger amount of decompressed data. In this paper, we propose an anomaly detection method that works on the compressed CAN log itself. For compression, we use a lossless semantic compression algorithm that we proposed earlier. This compression algorithm achieves a higher compression ratio than traditional syntactic compression methods do such as gzip. Besides this advantage, in this paper, we show that it also supports the detection of injection attacks without decompression. Moreover, with this approach we can detect attacks with low injection frequency that were not detected reliably in previous works.


CAN Anomaly detection CAN traffic compression 



The work presented in this paper was partially supported from the grant GINOP-2.1.1-15. The project has been supported by the European Union, co-financed by the European Social Fund. EFOP-3.6.2-16-2017-00002.


  1. 1.
    Miller, C., Valasek, C.: Adventures in automotive networks and control units. Technical report, IOActive Labs Research, August 2013Google Scholar
  2. 2.
    Koscher, K., et al.: Experimental security analysis of a modern automobile, pp. 447–462 (2010)Google Scholar
  3. 3.
    Checkoway, S., et al.: Comprehensive experimental analyses of automotive attack surfaces. In: Proceedings of the 20th USENIX Conference on Security, SEC 2011. USENIX Association, Berkeley (2011)Google Scholar
  4. 4.
    Gazdag, A., Buttyan, L., Szalay, Z.: Efficient lossless compression of CAN traffic logs. In: 2017 25th International Conference on Software, Telecommunications and Computer Networks (SoftCOM), Split (2017)Google Scholar
  5. 5.
    Taylor, A., Japkowicz, N., Leblanc, S.: Frequency-based anomaly detection for the automotive CAN bus. In: World Congress on Industrial Control Systems Security (WCICSS), London, pp. 45–49 (2015)Google Scholar
  6. 6.
    Song, H.M., Kim, H.R., Kim, H.K.: Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network. In: 2016 International Conference on Information Networking (ICOIN), Kota Kinabalu, pp. 63–68 (2016)Google Scholar
  7. 7.
    Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle. Black Hat USA (2015)Google Scholar
  8. 8.
    Taylor, A., Leblanc, S., Japkowicz, N.: Anomaly detection in automobile control network data with long short-term memory networks. In: 2016 IEEE International Conference on Data Science and Advanced Analytics (DSAA), Montreal, QC, pp. 130–139 (2016)Google Scholar
  9. 9.
    Evenchick, E.: Hopping On the CAN Bus. Black Hat Asia (2015)Google Scholar
  10. 10.
    Marchetti, M., Stabili, D.: Anomaly detection of CAN bus messages through analysis of ID sequences. In: IEEE Intelligent Vehicles Symposium (IV), Los Angeles, CA, pp. 1577–1583 (2017)Google Scholar
  11. 11.
    Narayanan, S.N., Mittal, S., Joshi, A.: OBD\(\_\)SecureAlert: an anomaly detection system for vehicles. In: 2016 IEEE International Conference on Smart Computing (SMARTCOMP), St. Louis, MO (2016)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • András Gazdag
    • 1
    Email author
  • Dóra Neubrandt
    • 1
  • Levente Buttyán
    • 1
  • Zsolt Szalay
    • 2
  1. 1.Laboratory of Cryptography and System Security, Department of Networked Systems and ServicesBudapest University of Technology and EconomicsBudapestHungary
  2. 2.Department of Automotive Technologies, Faculty of Transportation Engineering and Vehicle EngineeringBudapest University of Technology and EconomicsBudapestHungary

Personalised recommendations