Intrusion Detection System for the MIL-STD-1553 Communication Bus

MIL-STD-1553 is a military standard that defines the specification of a serial communication bus that has been implemented in military and aerospace avionic platforms for over 40 years. MIL-STD-1553 was designed for a high level of fault tolerance while less attention was paid to cyber security issues. Thus, as indicated in recent studies, it is exposed to various threats. In this article, we suggest enhancing the security of MIL-STD-1553 communication buses by integrating a machine learning-based intrusion detection system (IDS); such an IDS will be capable of detecting cyber attacks in real time. The IDS consists of two modules: 1) a remote terminal (RT) authentication module that detects illegitimately connected components and data transfers and 2) a sequence-based anomaly detection module that detects anomalies in the operation of the system. The IDS showed high detection rates for both normal and abnormal behavior when evaluated in a testbed using real 1553 hardware, as well as a very fast and accurate training process using logs from a real system. The RT authentication module managed to authenticate RTs with +0.99 precision and +0.98 recall; and detect illegitimate component (or a legitimate component that impersonates other components) with +0.98 precision and +0.99 recall. The sequence-based anomaly detection module managed to perfectly detect both normal and abnormal behavior. Moreover, the sequence-based anomaly detection module managed to accurately (i.e., zero false positives) model the normal behavior of a real system in a short period of time ($\sim$22 s).

[1]  Kang G. Shin,et al.  Fingerprinting Electronic Control Units for Vehicle Intrusion Detection , 2016, USENIX Security Symposium.

[2]  Kazuomi Oishi,et al.  A Method of Preventing Unauthorized Data Transmission in Controller Area Network , 2012, 2012 IEEE 75th Vehicular Technology Conference (VTC Spring).

[3]  Tomas Olovsson,et al.  Security aspects of the in-vehicle network in the connected car , 2011, 2011 IEEE Intelligent Vehicles Symposium (IV).

[4]  Hafedh Trabelsi,et al.  An intrusion detection method for securing in-vehicle CAN bus , 2016, 2016 17th International Conference on Sciences and Techniques of Automatic Control and Computer Engineering (STA).

[5]  Jana Dittmann,et al.  Security threats to automotive CAN networks - Practical examples and selected short-term countermeasures , 2008, Reliab. Eng. Syst. Saf..

[6]  Naim Asaj,et al.  Entropy-based anomaly detection for in-vehicle networks , 2011, 2011 IEEE Intelligent Vehicles Symposium (IV).

[7]  Shai Ben-David,et al.  Understanding Machine Learning: From Theory to Algorithms , 2014 .

[8]  Wenyuan Xu,et al.  Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study , 2010, USENIX Security Symposium.

[9]  Gabriel Maciá-Fernández,et al.  Anomaly-based network intrusion detection: Techniques, systems and challenges , 2009, Comput. Secur..

[10]  Christof Paar,et al.  Security in Automotive Bus Systems , 2004 .

[11]  Huy Kang Kim,et al.  Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network , 2016, 2016 International Conference on Information Networking (ICOIN).

[12]  B. Hicks Transforming avionics architectures to support network centric warfare , 2004, The 23rd Digital Avionics Systems Conference (IEEE Cat. No.04CH37576).

[13]  Christopher J. Guerra,et al.  Measuring and Assessing the Cybersecurity Risk of Support Equipment to Complex Systems , 2018, 2018 IEEE AUTOTESTCON.

[14]  Yuval Elovici,et al.  On the Security of MIL-STD-1553 Communication Bus , 2018, ISSA/CSITS@ESORICS.

[15]  Hovav Shacham,et al.  Comprehensive Experimental Analyses of Automotive Attack Surfaces , 2011, USENIX Security Symposium.

[16]  Nong Ye,et al.  A Markov Chain Model of Temporal Behavior for Anomaly Detection , 2000 .