CANPak: An Intrusion Detection System against Error Frame Attacks for Controller Area Network

The automotive industry has experienced significant evolution and expansion in recent years, resulting in increasingly complex in-vehicle networks and a growing number of ex- ternal communication interfaces and on-board Electronic Control Units (ECUs). Despite advancements, the Controller Area Network (CAN) protocol and its enhanced version, the CAN with Flexible Data-rate (CAN FD) protocol, continue to be widely used due to their reliable and efficient real-time transmission capabilities. However, the CAN protocol was not originally designed with security in mind, lacking authentication mechanisms for communications. This vulnerability allows attackers to send spoofed messages across the bus. While application-level Intrusion Detection Systems (IDSs) can identify these spoofed messages, sophisticated attackers can bypass such security measures by disconnecting the target ECU before initiating the spoofing attack. This disconnection can be achieved through error frame injection attacks, a known vulnerability of the CAN protocol. In this work, we propose an IDS that defends against error frame injection attacks, recognizing an attacker’s attempt to force a victim ECU to disconnect itself from the network. Our ap- proach detects these attacks with up to 0.97 accuracy, without requiring any modifications to existing ECUs or the network architecture.