Cars are controlled by computers, and like any computer, they can be
hacked. Researchers have demonstrated attacks that hijack a vehicle, for
example cutting the brakes or killing the engine. These attacks can be
launched with physical access (e.g. to a diagnostic port), or even
wirelessly (e.g. over a cellular connection). Once the vehicle is
accessed, attackers send malicious messages on the Controller Area Network
(CAN) bus that connects the car's controllers. As part of a defence
against these attacks, we propose anomaly detectors for the CAN bus.
Anomaly detection can identify bogus packets, but detectors must maintain
a very low false alarm rate or their alerts will be ignored. We categorize
anomalies into three broad types and evaluate detectors for each one: a
packet insertion/deletion detector using frequency-based features,
single-packet anomaly detectors with one-class machine learners, and
packet sequence anomaly detectors using recurrent neural networks. Results
show that anomaly detection is within practical reach as a defence against
car hacking.
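
As an added illustration of what a frequency-based insertion/deletion check can look like (this is not the detector evaluated in the paper), the sketch below learns how many frames of each CAN ID appear per time window in clean traffic and flags windows whose counts fall outside that range. The window length, slack, CAN IDs and traffic are all constructed assumptions.

```python
from collections import Counter, defaultdict

WINDOW_MS = 1000  # counting window length (assumed value)

def periodic(can_id, period_ms, start_ms, end_ms):
    """Constructed traffic: one frame of can_id every period_ms."""
    return [(t, can_id) for t in range(start_ms, end_ms, period_ms)]

def window_counts(frames):
    """Map window index -> Counter of frames seen per CAN ID."""
    counts = defaultdict(Counter)
    for ts_ms, can_id in frames:
        counts[ts_ms // WINDOW_MS][can_id] += 1
    return counts

def train(frames, slack=2):
    """Learn the allowed per-window count range of each ID from clean traffic."""
    windows = window_counts(frames).values()
    ids = {cid for c in windows for cid in c}
    return {cid: (min(c[cid] for c in windows) - slack,
                  max(c[cid] for c in windows) + slack) for cid in ids}

def detect(frames, baseline):
    """Return (window, can_id, kind, count) for every out-of-range count."""
    alerts = []
    for w, c in sorted(window_counts(frames).items()):
        for cid in sorted(set(baseline) | set(c)):
            n = c[cid]  # Counter yields 0 for an ID absent from this window
            if cid not in baseline:
                alerts.append((w, cid, "unknown_id", n))
            elif n > baseline[cid][1]:
                alerts.append((w, cid, "insertion", n))
            elif n < baseline[cid][0]:
                alerts.append((w, cid, "deletion", n))
    return alerts

# Constructed sample traffic (not from the paper): two periodic IDs.
CLEAN = periodic(0x110, 10, 0, 5000) + periodic(0x2A0, 100, 0, 5000)
TRACE = [f for f in periodic(0x110, 10, 0, 3000) + periodic(0x2A0, 100, 0, 3000)
         if not (f[1] == 0x2A0 and 2000 <= f[0] < 3000)]  # window 2: 0x2A0 suppressed
TRACE += [(t, 0x110) for t in range(1005, 1205, 10)]      # window 1: 20 extra frames

if __name__ == "__main__":
    for w, cid, kind, n in detect(TRACE, train(CLEAN)):
        print(f"window {w}: id 0x{cid:03X} {kind} (count={n})")
```

The slack term is what trades detection sensitivity against the false alarm rate: widening it suppresses alerts from normal timing jitter at the cost of missing small insertions.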