Modern vehicles rely on scores of electronic control units (ECUs)
broadcasting messages over a few controller area networks (CANs). Bereft of
security features, in-vehicle CANs are exposed to cyber manipulation and
multiple researches have proved viable, life-threatening cyber attacks.
Complicating the issue, CAN messages lack a common mapping of functions to
commands, so packets are observable but not easily decipherable. We present a
transformational approach to CAN IDS that exploits the geometric properties of
CAN data to inform two novel detectors--one based on distance from a learned,
lower dimensional manifold and the other on discontinuities of the manifold
over time. Proof-of-concept tests are presented by implementing a potential
attack approach on a driving vehicle. The initial results suggest that (1) the
first detector requires additional refinement but does hold promise; (2) the
second detector gives a clear, strong indicator of the attack; and (3) the
algorithms keep pace with high-speed CAN messages. As our approach is
data-driven it provides a vehicle-agnostic IDS that eliminates the need to
reverse engineer CAN messages and can be ported to an after-market plugin.