SAIDuCANT: Specification-Based Automotive Intrusion Detection Using Controller Area Network (CAN) Timing

The proliferation of embedded devices in modern vehicles has opened the traditionally-closed vehicular system to the risk of cybersecurity attacks through physical and remote access to the in-vehicle network such as the controller area network (CAN). The CAN bus does not implement a security protocol that can protect the vehicle against the increasing cyber and physical attacks. To address this risk, we introduce a novel algorithm to extract the real-time model parameters of the CAN bus and develop SAIDuCANT, a specification-based intrusion detection system (IDS) using anomaly-based supervised learning with the real-time model as input. We evaluate the effectiveness of SAIDuCANT with real CAN logs collected from two passenger cars and on an open-source CAN dataset collected from real-world scenarios. Experimental results show that SAIDuCANT can effectively detect data injection attacks with low false positive rates. Over four real attack scenarios from the open-source dataset, SAIDuCANT observes at most one false positive before detecting an attack whereas other detection approaches using CAN timing features detect on average more than a hundred false positives before a real attack occurs.

[1]  Sebastian Fischmeister,et al.  Anomaly Detection Using Inter-Arrival Curves for Real-Time Systems , 2016, 2016 28th Euromicro Conference on Real-Time Systems (ECRTS).

[2]  Gedare Bloom,et al.  Work-in-Progress: Real-Time Modeling for Intrusion Detection in Automotive Controller Area Network , 2018, 2018 IEEE Real-Time Systems Symposium (RTSS).

[3]  Gedare Bloom,et al.  Anomaly Detection Approach Using Adaptive Cumulative Sum Algorithm for Controller Area Network , 2019, AutoSec@CODASPY.

[4]  Alan Burns,et al.  Calculating controller area network (can) message response times , 1994 .

[5]  Karl N. Levitt,et al.  A specification-based intrusion detection system for AODV , 2003, SASN '03.

[6]  Andy J. Wellings,et al.  Analysing real-time communications: controller area network (CAN) , 1994, 1994 Proceedings Real-Time Systems Symposium.

[7]  Je-Won Kang,et al.  Intrusion Detection System Using Deep Neural Network for In-Vehicle Network Security , 2016, PloS one.

[8]  Nathalie Japkowicz,et al.  Frequency-based anomaly detection for the automotive CAN bus , 2015, 2015 World Congress on Industrial Control Systems Security (WCICSS).

[9]  Hovav Shacham,et al.  Comprehensive Experimental Analyses of Automotive Attack Surfaces , 2011, USENIX Security Symposium.

[10]  D.K. Nilsson,et al.  An approach to specification-based attack detection for in-vehicle networks , 2008, 2008 IEEE Intelligent Vehicles Symposium.

[11]  Gedare Bloom,et al.  Survey of Automotive Controller Area Network Intrusion Detection Systems , 2019, IEEE Design & Test.

[12]  R. Sekar,et al.  Experiences with Specification-Based Intrusion Detection , 2001, Recent Advances in Intrusion Detection.

[13]  Vincent Nicomette,et al.  A language-based intrusion detection approach for automotive embedded networks , 2015, Int. J. Embed. Syst..

[14]  Kang G. Shin,et al.  Fingerprinting Electronic Control Units for Vehicle Intrusion Detection , 2016, USENIX Security Symposium.

[15]  Gedare Bloom,et al.  Automotive Intrusion Detection Based on Constant CAN Message Frequencies Across Vehicle Driving Modes , 2019, AutoSec@CODASPY.

[16]  Ing-Ray Chen,et al.  Behavior Rule Specification-Based Intrusion Detection for Safety Critical Medical Cyber Physical Systems , 2015, IEEE Transactions on Dependable and Secure Computing.

[17]  Ravi Sankar,et al.  A Survey of Intrusion Detection Systems in Wireless Sensor Networks , 2014, IEEE Communications Surveys & Tutorials.

[18]  Jana Dittmann,et al.  Security threats to automotive CAN networks - Practical examples and selected short-term countermeasures , 2008, Reliab. Eng. Syst. Saf..

[19]  Alan Burns,et al.  Timing Analysis of Real-Time Communication Under Electromagnetic Interference , 2005, Real-Time Systems.

[20]  Felix C. Freiling,et al.  A structured approach to anomaly detection for in-vehicle networks , 2010, 2010 Sixth International Conference on Information Assurance and Security.

[21]  Wael A. Farag,et al.  CANTrack: Enhancing automotive CAN bus security using intuitive encryption algorithms , 2017, 2017 7th International Conference on Modeling, Simulation, and Applied Optimization (ICMSAO).

[22]  Naim Asaj,et al.  Entropy-based anomaly detection for in-vehicle networks , 2011, 2011 IEEE Intelligent Vehicles Symposium (IV).

[23]  Richard R. Brooks,et al.  Automobile ECU Design to Avoid Data Tampering , 2015, CISR.

[24]  Jana Dittmann,et al.  Security threats to automotive CAN networks - Practical examples and selected short-term countermeasures , 2011, Reliab. Eng. Syst. Saf..

[25]  Dong Hoon Lee,et al.  VoltageIDS: Low-Level Communication Characteristics for Automotive Intrusion Detection System , 2018, IEEE Transactions on Information Forensics and Security.

[26]  Jerry den Hartog,et al.  From System Specification to Anomaly Detection (and back) , 2017, CPS-SPC@CCS.

[27]  Antoine Boulanger,et al.  A simple intrusion detection method for controller area network , 2016, 2016 IEEE International Conference on Communications (ICC).

[28]  Andreas Peter,et al.  Automatic Deployment of Specification-based Intrusion Detection in the BACnet Protocol , 2017, CPS-SPC@CCS.

[29]  Yves Deswarte,et al.  Survey on security threats and protection mechanisms in embedded automotive networks , 2013, 2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W).

[30]  Ing-Ray Chen,et al.  Specification based intrusion detection for unmanned aircraft systems , 2012, Airborne '12.

[31]  Tomas Olovsson,et al.  Security aspects of the in-vehicle network in the connected car , 2011, 2011 IEEE Intelligent Vehicles Symposium (IV).

[32]  Gedare Bloom,et al.  Connected Cars: Automotive Cybersecurity and Privacy for Smart Cities , 2019 .

[33]  Michele Colajanni,et al.  Evaluation of anomaly detection for in-vehicle networks through information-theoretic algorithms , 2016, 2016 IEEE 2nd International Forum on Research and Technologies for Society and Industry Leveraging a better tomorrow (RTSI).

[34]  Matti Valovirta,et al.  Experimental Security Analysis of a Modern Automobile , 2011 .

[35]  Huy Kang Kim,et al.  Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network , 2016, 2016 International Conference on Information Networking (ICOIN).

[36]  Yasushi Okano,et al.  Anomaly Detection for Mixed Transmission CAN Messages Using Quantized Intervals and Absolute Difference of Payloads , 2019, AutoSec@CODASPY.

[37]  Huy Kang Kim,et al.  OTIDS: A Novel Intrusion Detection System for In-vehicle Network by Using Remote Frame , 2017, 2017 15th Annual Conference on Privacy, Security and Trust (PST).

[38]  Hans A. Hansson,et al.  Response time analysis under errors for CAN , 2000, Proceedings Sixth IEEE Real-Time Technology and Applications Symposium. RTAS 2000.

[39]  Alan Burns,et al.  Controller Area Network (CAN) schedulability analysis: Refuted, revisited and revised , 2007, Real-Time Systems.

[40]  Hisashi Kashima,et al.  Supervised and Unsupervised Intrusion Detection Based on CAN Message Frequencies for In-vehicle Network , 2018, J. Inf. Process..

[41]  Stacy J. Prowell,et al.  Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks: a data-driven approach to in-vehicle intrusion detection , 2017, CISRC.