CANter: data-link layer detection of drop-and-spoof attacks on CAN and CAN FD
S. Longari; S. Zanero
In press
Abstract
The automotive industry has experienced significant growth and innovation in recent years, resulting in increasingly complex in-vehicle networks and a higher number of Electronic Control Units (ECUs) on-board. Communication between ECUs is primarily accomplished using the Controller Area Network (CAN) protocol, which is considered the standard in the industry due to its reliable and efficient transmission. However, security concerns have arisen due to the fact that these protocols were initially designed without much consideration for security, leaving vehicles vulnerable to attackers who can transmit spoofed messages on the bus. Current Intrusion Detection Systems (IDSs) detect these messages, but an attacker can avoid defenses through drop-and-spoof attacks, by first disconnecting the target ECU and then spoofing the messages. In response to these vulnerabilities, this paper presents CANter, an IDS designed to detect and respond to attacks on in-vehicle networks. CANter utilizes the CAN and CAN FD specifications, as well as a frequency analysis of time intervals between frames on the network, to detect drop-and-spoof attacks without requiring any modifications to the existing network structure or ECUs, being installed as a stand-alone device on the network.

File | Size | Format
---|---|---
cameraready_canter.pdf (restricted access). Description: preprint paper. Pre-Print (or Pre-Refereeing) | 818.14 kB | Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.