COIDS: A Clock Offset Based Intrusion Detection System for Controller Area Networks

Controller Area Network (CAN) is an in-vehicle communication protocol that provides an efficient and reliable real-time communication link between Electronic Control Units (ECUs). Recent studies have shown that attackers can take remote control of a targeted car by exploiting vulnerabilities of the CAN protocol. Motivated by this fact, we propose the Clock Offset-based Intrusion Detection System (COIDS) to monitor the in-vehicle network and detect any intrusion. Specifically, we first measure the clock offset of the transmitter ECU's clock and then exploit it to fingerprint the ECU. We next leverage the derived fingerprints to construct a baseline of the ECU's normal clock behaviour using an active learning technique. Based on this baseline of normal behaviour, we use the Cumulative Sum method to detect any abnormal deviation in clock offset. In particular, if the deviation in clock offset exceeds an unexpected positive or negative value, COIDS declares this change an intrusion. Further, we use a sequential change-point detection technique to determine the exact time of intrusion. We perform exhaustive experiments on real-world publicly available datasets, primarily to assess the effectiveness of COIDS against the three most potential attacks on CAN, i.e., DoS, impersonation and fuzzy attacks. The results show that COIDS is highly effective in defending against all three of these attacks. Further, the results show that COIDS is considerably faster in detecting intrusion compared to a state-of-the-art solution.
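A simplified sketch of the detection idea summarised above, added here as an illustration and not the paper's implementation: it derives a per-message offset for one periodic CAN ID, learns a baseline from an initial window, and runs a two-sided Cumulative Sum with an onset estimate. The offset measure (inter-arrival time minus nominal period), the fixed training window, the parameters `k` and `h`, and the sample trace are all assumptions.

```python
import statistics

def sample_timestamps(n=200, period=10_000, switch_at=120, extra=2):
    """Constructed arrival times (microseconds) of one periodic CAN ID. From
    message `switch_at` on, every interval is `extra` us longer, standing in
    for frames sent by a node with a different clock."""
    jitter = [2, -1, 1, -2, 0]          # constructed, deterministic jitter
    t, out = 0, [0]
    for i in range(1, n):
        t += period + jitter[i % 5] + (extra if i >= switch_at else 0)
        out.append(t)
    return out

def clock_offsets(timestamps, period=10_000):
    """Assumed offset measure: observed inter-arrival time minus nominal period.
    offsets[j] belongs to message j + 1."""
    return [(b - a) - period for a, b in zip(timestamps, timestamps[1:])]

def cusum_detect(offsets, n_train=50, k=0.5, h=5.0):
    """Two-sided CUSUM on offsets normalised against a training baseline.
    Returns (alarm_index, onset_index) into `offsets`, or None if no alarm.
    onset_index is the sample after the alarming sum was last zero."""
    mu = statistics.fmean(offsets[:n_train])
    sigma = statistics.pstdev(offsets[:n_train]) or 1e-9
    s_pos = s_neg = 0.0
    onset_pos = onset_neg = n_train
    for i in range(n_train, len(offsets)):
        z = (offsets[i] - mu) / sigma
        s_pos = max(0.0, s_pos + z - k)   # accumulates positive deviation
        s_neg = max(0.0, s_neg - z - k)   # accumulates negative deviation
        if s_pos == 0.0:
            onset_pos = i + 1
        if s_neg == 0.0:
            onset_neg = i + 1
        if s_pos > h:
            return i, onset_pos
        if s_neg > h:
            return i, onset_neg
    return None

if __name__ == "__main__":
    print(cusum_detect(clock_offsets(sample_timestamps())))
```

On the constructed trace the alarm fires a few samples after the change, while the onset estimate points back to the first shifted interval, which is the distinction between detecting an intrusion and locating its start time.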
