Fingerprinting Electronic Control Units for Vehicle Intrusion Detection

As more software modules and external interfaces are added to vehicles, new attacks and vulnerabilities are emerging. Researchers have demonstrated how to compromise in-vehicle Electronic Control Units (ECUs) and control vehicle maneuvers. To counter these vulnerabilities, various types of defense mechanisms have been proposed, but they have not been able to meet the need for strong protection of safety-critical ECUs against in-vehicle network attacks. To mitigate this deficiency, we propose an anomaly-based intrusion detection system (IDS), called Clock-based IDS (CIDS). It measures and then exploits the intervals of periodic in-vehicle messages to fingerprint ECUs. The fingerprints thus derived are then used to construct a baseline of the ECUs' clock behaviors with the Recursive Least Squares (RLS) algorithm. Based on this baseline, CIDS uses Cumulative Sum (CUSUM) to detect any abnormal shifts in the identification errors, a clear sign of intrusion. This allows quick identification of in-vehicle network intrusions with a low false-positive rate of 0.055%. Unlike state-of-the-art IDSs, if an attack is detected, CIDS's fingerprinting of ECUs also facilitates a root-cause analysis, identifying which ECU mounted the attack. Our experiments on a CAN bus prototype and on real vehicles have shown CIDS to be able to detect a wide range of in-vehicle network attacks.
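
The pipeline described above (message intervals, an RLS-fitted clock baseline, CUSUM on the identification errors) can be sketched as follows. This is an added example, not the authors' implementation: it accumulates the offset per message, and the parameters `lam`, `kappa`, `gamma`, `warmup` as well as the simulated period, skews and jitter are assumptions chosen for illustration.

```python
import random

def cids(arrivals, period, lam=0.9995, kappa=1.0, gamma=8.0, warmup=200):
    """Return (index of first alarming message or None, estimated skew)."""
    S, P = 0.0, 1e6              # RLS state: skew estimate, covariance
    n, mean, m2 = 0, 0.0, 0.0    # running stats of the identification error
    up = down = 0.0              # CUSUM sums for positive / negative shifts
    for k in range(1, len(arrivals)):
        t = arrivals[k] - arrivals[0]      # elapsed time, receiver clock
        offset = t - k * period            # accumulated clock offset
        err = offset - S * t               # identification error
        gain = P * t / (lam + t * t * P)   # RLS update with forgetting factor
        S += gain * err
        P = (P - gain * t * P) / lam
        z = 0.0
        if n >= warmup:                    # baseline learned: run CUSUM
            z = (err - mean) / (m2 / (n - 1)) ** 0.5
            up = max(0.0, up + z - kappa)
            down = max(0.0, down - z - kappa)
            if up > gamma or down > gamma:
                return k, S
        if abs(z) < 3.0:                   # keep outliers out of the baseline
            n += 1
            d = err - mean
            mean += d / n
            m2 += d * (err - mean)
    return None, S

def arrivals_for(n, period, skew, jitter, rng, start=0.0):
    """Constructed trace: period stretched by `skew`, Gaussian jitter (s)."""
    return [start + k * period * (1 + skew) + rng.gauss(0, jitter)
            for k in range(n)]

def demo(seed=1):
    rng = random.Random(seed)
    T, K = 0.05, 2000                      # 50 ms message, switch at index K
    resume = K * T * (1 + 200e-6)
    ecu_a = arrivals_for(K, T, 200e-6, 20e-6, rng)
    same = arrivals_for(500, T, 200e-6, 20e-6, rng, resume)
    other = arrivals_for(500, T, -300e-6, 20e-6, rng, resume)
    return cids(ecu_a + same, T), cids(ecu_a + other, T), K

if __name__ == "__main__":
    print(demo())
```

The fitted slope `S` is the per-ECU fingerprint: it stays near the constructed 200 ppm while the original sender transmits, and the alarm fires within a few messages once a sender with a different clock takes over the same message.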
