Using CAN Electrical Signals for Cybersecurity and Harness Diagnostics

This paper describes a novel invention which is an Intrusion Detection System based on fingerprints of the CAN bus analogue features. Clusters of CAN message analogue fingerprints can be associated with each ECU on the network. During a learning mode of operation, fingerprints can be learnt with the prior knowledge of which CAN identifier should be transmitted by each ECU. During normal operation, if the fingerprint of analogue features of a particular CAN identifier does not match the one that was learnt then there is a strong possibility that this particular CAN identifier’s message is symptomatic of a problem. It could be that the message has been sent by either an intruder ECU or an existing ECU has been hacked to send the message. In this case an intruder can be defined as a device that has been added to the CAN bus OR a device that has been hacked/manipulated to send CAN messages that it was not designed to (i.e. could be originally transmitted by another device). It could also be caused by a side effect of this technology that provides features such as harness failure detection. In other words, the alarm raised could be caused by an intruder ECU, a hacked ECU or some kind of electrical failure in the CAN_H and CAN_L wiring caused by a wiring or ECU fault. Therefore, the application of the technology is in both cybersecurity and harness diagnostics. The approach is not just applicable to CAN. It can also be applied to other technologies based on differential signaling such as CAN FD and CAN XL.