Posted by Robert Vamosi on June 8, 2016
Maybe you’re not yet worried about a remote hacker disabling the brakes on your car, but anti-virus vendor Symantec has produced an anomaly detection system for automobiles that doesn’t require OEMs to install new hardware and claims to identify zero-day attacks.
Symantec’s Anomaly Detection for Automotive is a software-based solution, which the company says learns from the Controller Area Network (CAN) bus traffic what is normal behavior, and identifies anomalous activity that may indicate an attack. The product can provide Deep Packet Inspection of every message and also prioritize incidents based on perceived criticality, with low false-positive rates.
There have been several technical papers on the concept. A 2010 IEEE paper, for example, A Structured Approach to Anomaly Detection for In-Vehicle Networks, appears to detail a similar CAN-bus technology. And more recent paper from the University of Ottawa. And this Anomaly Detection Systems, Cybersecurity Considerations presentation from the University of Michigan and SAE.
Symantec claims its small footprint enables deployment is ideal for head units, IVN gateways, and On-Board Diagnostic (OBD-II) dongles. The company says “by using advanced machine learning techniques, the solution can automatically discriminate potentially dangerous anomalous messaging behavior from normal behavior. Using machine learning in this way avoids
the pain of manually crafting detailed policies.”
Without knowing more, or what specific OEMs have signed on, it would appear to be some sort of heuristic anti-malware solution for the automotive industry.
More on the product can be found on the Symantec site.