Evaluation of anomaly detection for in-vehicle networks through information-theoretic algorithms / MARCHETTI, Mirco; Stabili, Dario; GUIDO, ALESSANDRO; COLAJANNI, Michele. - PRINT. - (2016), pp. 429-434. (Paper presented at the IEEE 2nd International Forum on Research and Technologies for Society and Industry, held in Bologna, Italy, in September 2016) [10.1109/RTSI.2016.7740627].

Evaluation of anomaly detection for in-vehicle networks through information-theoretic algorithms

MARCHETTI, Mirco; COLAJANNI, Michele
2016

Abstract

This paper evaluates the effectiveness of information-theoretic anomaly detection algorithms applied to networks included in modern vehicles. In particular, we focus on providing an experimental evaluation of anomaly detectors based on entropy. Attacks on in-vehicle networks were simulated by injecting different classes of forged CAN messages into traces captured from a modern licensed vehicle. Experimental results show that if entropy-based anomaly detection is applied to all CAN messages, it is only possible to detect attacks that comprise a high volume of forged CAN messages. On the other hand, attacks characterized by the injection of few forged CAN messages can be detected only by applying several independent instances of the entropy-based anomaly detector, one for each class of CAN messages.
Proc. of the IEEE 2nd International Forum on Research and Technologies for Society and Industry (RTSI 2016), 2016, pp. 429-434
MARCHETTI, Mirco; Stabili, Dario; GUIDO, ALESSANDRO; COLAJANNI, Michele

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11585/812087
Warning! The data displayed have not been validated by the university.

Citations
  • PMC: ND
  • Scopus: 124
  • ISI: 44