ABSTRACT
Controller Area Network (CAN) is an in-vehicle communication protocol which provides an efficient and reliable communication link between Electronic Control Units (ECUs) in real-time. Recent studies have shown that attackers can take remote control of the targeted car by exploiting the vulnerabilities of the CAN protocol. Motivated by this fact, we propose Clock Offset-based Intrusion Detection System (COIDS) to monitor in-vehicle network and detect any intrusion. Precisely, we first measure and then exploit the clock offset of transmitter ECU's clock for fingerprinting ECU. We next leverage the derived fingerprints to construct a baseline of ECU's normal clock behaviour using an active learning technique. Based on the baseline of normal behaviour, we use Cumulative Sum method to detect any abnormal deviation in clock offset. Particularly, if the deviation in clock offset exceeds an unexpected positive or negative value, COIDS declares this change as an intrusion. Further, we use sequential change-point detection technique to determine the exact time of intrusion. We perform exhaustive experiments on real-world publicly available datasets primarily to assess the effectiveness of COIDS against three most potential attacks on CAN, i.e., DoS, impersonation and fuzzy attacks. The results show that COIDS is highly effective in defending all these three attacks. Further, the results show that COIDS considerably faster in detecting intrusion compared to a state-of-the-art solution.
- M. Basseville, I. V. Nikiforov, et al. 1993. Detection of abrupt changes: theory and application. Vol. 104. Prentice Hall Englewood Cliffs.Google Scholar
- S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, and T. Kohno. 2011. Comprehensive Experimental Analyses of Automotive Attack Surfaces. In Proc. of USENIX Security Symposium. 77--92.Google Scholar
- K. T. Cho and K. G. Shin. 2016. Finger printing Electronic Control Units for Vehicle Intrusion Detection. In Proc. of USENIX Security Symposium. 911--927.Google Scholar
- K. T. Cho and K. G. Shin. 2017. Viden: Attacker identification on in-vehicle networks. In Proc. of ACM SIGSAC Conference on Computer and Communications Security. 1109--1123.Google Scholar
- W. Choi, K. Joo, H. J. Jo, M. C. Park, and D. H. Lee. 2018. VoltageIDS: Low-Level Communication Characteristics for Automotive Intrusion Detection System. IEEE Trans. on Information Forensics and Security 13, 8 (2018), 2114--2129.Google ScholarCross Ref
- E. Weise. 2018. Chinese group hacks a Tesla for the second year in a row. [Online] Accessed on October 15. (2018). [Online]: https://eu.usatoday.com/story/tech/2017/07/28/chinese-group-hacks-tesla-second-year-row/518430001/.Google Scholar
- I. D. Foster, A. Prudhomme, K. Koscher, and S. Savage. 2015. Fast and Vulnerable: A Story of Telematic Failures. In Proc. of 9th USENIX Workshop on Offensive Technologies. 1--9.Google Scholar
- B. Groza and P. S. Murvay. 2019. Efficient Intrusion Detection with Bloom Filtering in Controller Area Networks. IEEE Trans. on Information Forensics and Security 14, 4 (2019), 1037--1051.Google ScholarDigital Library
- B. Groza, S. Murvay, A. V. Herrewege, and I. Verbauwhede. 2017. Libra-can: Lightweight broadcast authentication for controller area networks. ACM Trans. on Embedded Computing Systems 16, 3 (2017), 1--25.Google ScholarDigital Library
- H. Lee, S. H. Jeong and H. K. Kim. 2018. CAN Dataset for intrusion detection (OTIDS). [Online]: http://ocslab.hksecurity.net/Dataset/CAN-intrusion-dataset. (2018). Accessed on October 15, 2018.Google Scholar
- M. L. Han, B. I. Kwak, and H. K. Kim. 2018. Anomaly intrusion detection method for vehicular networks based on survival analysis. Vehicular communications 14 (2018), 52--63.Google Scholar
- T. Hoppe, S. Kiltz, and J. Dittmann. 2008. Security threats to automotive CAN networks--practical examples and selected short-term countermeasures. In Proc. of International Conference on Computer Safety, Reliability, and Security. 235--248.Google Scholar
- K. Huang, Q. Zhang, C. Zhou, N. Xiong, and Y. Qin. 2017. An efficient intrusion detection approach for visual sensor networks based on traffic pattern learning. IEEE Trans. on Systems, Man, and Cybernetics: Systems 47, 10 (2017), 2704--2713.Google ScholarCross Ref
- M. Kneib and C. Huth. 2018. Scission: Signal Characteristic-Based Sender Identification and Intrusion Detection in Automotive Networks. In Proc. of ACM SIGSAC Conference on Computer and Communications Security. 787--800.Google Scholar
- L. Constantin. 2018. Researchers hack Tesla Model S with remote attack. Accessed on October 15. (2018). [Online]: http://www.pcworld.com/article/3121999/security/researchers-demonstrate-remote-attack-against-tesla-models.html.Google Scholar
- V. H. Le, J. D. Hartog, and Z. Zannone. 2018. Security and Privacy for Innovative Automotive Applications: A Survey. Computer Communications 132 (2018), 17--41.Google ScholarCross Ref
- H. Lee, S. H. Jeong, and H. K. Kim. 2017. OTIDS: A novel intrusion detection system for in-vehicle network by using remote frame. In Proc. of 15th Annual Conference on Privacy, Security and Trust (PST). 57--5709.Google Scholar
- J. Liu, S. Zhang, W. Sun, and Y. Shi. 2017. In-vehicle network attacks and countermeasures: Challenges and future directions. IEEE Network 31, 5 (2017), 50--58.Google ScholarDigital Library
- M. Marchetti and D. Stabili. 2017. Anomaly detection of CAN bus messages through analysis of ID sequences. In Proc. of IEEE Intelligent Vehicles Symposium (IV). 1577--1583.Google Scholar
- J. Matsumura, Y. Matsubara, H. Takada, M. Oi, M. Toyoshima, and A. Iwai. 2013. A simulation environment based on omnet++ for automotive can--ethernet networks. Analysis Tools and Methodologies for Embedded and Real-time Systems (2013), 1--44.Google Scholar
- S. Mazloom, M. Rezaeirad, A. Hunter, and D. McCoy. 2016. A Security Analysis of an In-Vehicle Infotainment and App Platform. In Proc. of 10th USENIX Workshop on Offensive Technologies. 1--12.Google Scholar
- C. Miller and C. Valasek. 2015. Remote exploitation of an unaltered passenger vehicle. In Black Hat USA. 1--91.Google Scholar
- D. Mills. 1992. Network Time Protocol (Version 3) specification, implementation and analysis. Internet Request For Comments 1305 (1992).Google Scholar
- S. Nie, L. Liu, and Y. Du. 2017. Free-Fall: Hacking Tesla from Wireless to Can Bus. In Black Hat USA. 1--16.Google Scholar
- H. Olufowobi, U. Ezeobi, E. Muhati, G. Robinson, C. Young, J. Zambreno, and G. Bloom. 2019. Anomaly Detection Approach Using Adaptive Cumulative Sum Algorithm for Controller Area Network. In Proc. of ACM Workshop on Automotive Cybersecurity (AutoSec). 25--30.Google Scholar
- A. I. Radu and F. D. Garcia. 2016. LeiA: A lightweight authentication protocol for CAN. In Proc. of European Symposium on Research in Computer Security (ESORICS), Vol. 9879 of LNCS. 283--300.Google Scholar
- S. U.Sagong, X. Ying, A. Clark, L. Bushnell, and R. Poovendran. 2018. Cloaking the clock: emulating clock skew in controller area networks. In Proc. of 9th ACM/IEEE International Conference on Cyber-Physical Systems. 32--42.Google Scholar
- S. U. Sagong, X. Ying, R. Poovendran, and L. Bushnell. 2018. Exploring attack surfaces of voltage-based intrusion detection systems in controller area networks. ESCAR Europe (2018), 1--13.Google Scholar
- A. G. Tartakovsky, A. S. Polunchenko, and G. Sokolov. 2012. Efficient computer network anomaly detection by change-point detection methods. IEEE Journal of Selected Topics in Signal Processing 7, 1 (2012), 4--11.Google ScholarCross Ref
- A. G. Tartakovsky, B. L. Rozovskii, R. B. Blazek, and H. Kim. 2006. A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods. IEEE Trans. on Signal Processing 54, 9 (2006), 3372--3382.Google ScholarDigital Library
- W. Wu, R. Li, G. Xie, J. An, Y. Bai, J. Zhou, and K. Li. 2019. A Survey of Intrusion Detection for In-Vehicle Networks. IEEE Trans. on Intelligent Transportation Systems (2019), 1--15, DOI: 10.1109/TITS.2019.2908074.Google Scholar
- X. Ying, S. U. Sagong, A. Clark, L. Bushnell, and R. Poovendran. 2019. Shape of the Cloak: Formal Analysis of Clock Skew-Based Intrusion Detection System in Controller Area Networks. IEEE Trans. on Information Forensics and Security 14, 9 (2019), 2300--2314.Google ScholarCross Ref
Index Terms
- COIDS: A Clock Offset Based Intrusion Detection System for Controller Area Networks
Recommendations
Cloaking the clock: emulating clock skew in controller area networks
ICCPS '18: Proceedings of the 9th ACM/IEEE International Conference on Cyber-Physical SystemsAutomobiles are equipped with Electronic Control Units (ECUs) that communicate via in-vehicle network protocol standards such as the Controller Area Network (CAN). These protocols were designed under the assumption that separating in-vehicle ...
Tracking low-precision clocks with time-varying drifts using kalman filtering
Clock synchronization is essential for a large number of applications ranging from performance measurements in wired networks to data fusion in sensor networks. Existing techniques are either limited to undesirable accuracy or rely on specific hardware ...
CANEDERLI: On The Impact of Adversarial Training and Transferability on CAN Intrusion Detection Systems
WiseML '24: Proceedings of the 2024 ACM Workshop on Wireless Security and Machine LearningThe growing integration of vehicles with external networks has led to a surge in attacks targeting their Controller Area Network (CAN) internal bus. As a countermeasure, various Intrusion Detection Systems (IDSs) have been suggested in the literature to ...
Comments