Over the years, increasingly complex and interconnected vehicles have raised the need for effective and efficient Intrusion Detection Systems (IDSs) for on-board networks. In light of the stringent domain requirements and the heterogeneity of the information transmitted on the Controller Area Network (CAN), multiple approaches have been proposed, which work at different abstraction levels and granularities. Among these, RNN-based solutions have received the attention of the research community for their performance and promising results. In this paper, we improve CANnolo, an RNN-based state-of-the-art IDS for CAN, by proposing CANdito, an unsupervised IDS that exploits Long Short-Term Memory autoencoders to detect anomalies through a signal reconstruction process. We evaluate CANdito by measuring its effectiveness against a comprehensive set of synthetic attacks injected in a real-world CAN dataset. We demonstrate the improvement of CANdito with respect to CANnolo on a real-world dataset injected with a comprehensive set of attacks, both in terms of detection and temporal performance.