Combining Anomaly- and Signaturebased Algorithms for IntrusionDetection in CAN-bus : A suggested approach for building precise and adaptiveintrusion detection systems to controller area networks

Sammanfattning: With the digitalization and the ever more computerization of personal vehicles, new attack surfaces are introduced, challenging the security of the in-vehicle network. There is never such a thing as fully securing any computer system, nor learning all the methods of attack in order to prevent a break-in into a system. Instead, with sophisticated methods, we can focus on detecting and preventing attacks from being performed inside a system. The current state of the art of such methods, named intrusion detection systems (IDS), is divided into two main approaches. One approach makes its models very confident of detecting malicious activity, however only on activities that has been previously learned by this model. The second approach is very good at constructing models for detecting any type of malicious activity, even if never studied by the model before, but with less confidence. In this thesis, a new approach is suggested with a redesigned architecture for an intrusion detection system called Multi-mixed IDS. Where we take a middle ground between the two standardized approaches, trying to find a combination of both sides strengths and eliminating its weaknesses. This thesis aims to deliver a proof of concept for a new approach in the current state of the art in the CAN-bus security research field. This thesis also brings up some background knowledge about CAN and intrusion detection systems, discussing their strengths and weaknesses in further detail. Additionally, a brief overview from a handpick of research contributions from the field are discussed. Further, a simple architecture is suggested, three individual detection models are trained and combined to be tested against a CAN-bus dataset. Finally, the results are examined and evaluated. The results from the suggested approach shows somewhat poor results compared to other suggested algorithms within the field. However, it also shows some good potential, if better decision methods between the individual algorithms that constructs the model can be found.