Effective Intrusion Detection and Prevention for the Commercial Vehicle SAE J1939 CAN Bus

Detecting and preventing intrusions on in-vehicle buses is a topic of great importance which may have an even greater significance in the context of commercial vehicles that are liable for the security of the demanding tasks they carry, passengers or goods not least. In this respect, the SAE J1939 protocol, which is a CAN based higher-layer protocol for commercial vehicles, requires special attention due to the existence of both specific procedures in the standard, e.g., address claims and multi-frame transmissions, as well as due to sharp specifications regarding the content of messages which may facilitate the deployment of a more targeted intrusion detection system. Needless to say, most of the research works on CAN intrusion detection are treating in-vehicle traffic as black-box with no concerns over the actual meaning of the frames content. In this context, we pursue the development of a targeted solution for J1939 buses. We collect real-world traffic from a commercial vehicle bus, compliant to the J1939 standard, and make a comprehensive analysis of its structure and content. This allows us to design an effective intrusion prevention system that detects and eliminates in real-time all frames that were manipulated by an adversary by overriding them with error flags. To prove the correctness of our approach, we present results with a proof-of-concept implementation on high-end automotive-grade controllers.