Modern vehicles rely on Controller Area Networks (CAN) buses for in-vehicle communication. CAN protocol is reliable and safe, but not a secure communication protocol, making it vulnerable to security threats. This thesis presents a modular Intrusion Detection System (IDS) architecture using Machine Learning (ML) based on real-world traffic datasets consisting of two modules: Detector and Classifier. It was identified that in real-world scenarios, the attack traffic is scarce when compared to benign traffic – making it difficult for ML algorithms to learn attack patterns for detection and classification. The proposed IDS architecture implements sliding windows to capture the time dependency of attack traffic to detect and classify attack patterns in CAN traffic. This study uses a reference dataset containing data collected in real-time from vehicle manufacturers Chevrolet and Subaru. It evaluates the performance of the IDS to observe how effectively it detects an attack and classifies it to the correct attack type, among many, such as denial of service, spoofing, fuzzing attacks, etc. It also evaluates the proposed IDS on its consistency and generalisation in detecting attacks over different vehicles CAN traffic and varying attack types in the reference dataset. This thesis also emphasises the use of sliding windows implementation during training, about how it affects the performance of the IDS. It was observed that the proposed IDS was effective in detecting the attacks with up to 94% true positive rate, and partially robust in classifying the attacks into the correct categories, only classifying the attacks consistently with known vehicles, and attack types that the IDS has seen during training. We also provide a modular architecture that can be expanded and further improved upon for future work.

Keywords: Controller Area Networks, CAN, Intrusion Detection System, Machine Learning, Real-World Datasets, Classifier, Detector, Chevrolet, Subaru