ANOMALY DETECTION SYSTEM

By Arun Mane and Nikhil Bogam

2

•./../Arun

•Founder and director of AmynaSec Labs

•Security (Hardware,Vehicle, ICS,IoT )

•Speaker and Trainer – Defcon,Blackhat, Nullcon,HITB,HIP,Defcon….many

•Reachable on twitter @rootkill3r

•armane@amynasec.io

mailto:armane@amynasec.io

3

•./../Nikhil Bogam

•Safety and Security Manager at Lear Corporation

•Reachable on twitter @nikhilbogam

•bogamnikhil@gmail.com

▪ Role of security in CARs

▪ Briefing of CAN bus

▪ Attack vectors

▪ Introduction of Anomaly detection system ( ADS )

▪ Why ADS could be the best solution for CAN network attacks ?

▪ ADS working principle

▪ Basic attack demo for ADS

4

Agenda

▪ Now a days car are connected to internet which lead to risk of remote attack

▪ Safety risk : e.g. Compromise brake ECU

▪ Privacy risk: e.g. driver information

▪ Brand image.

▪ etc

5

▪ Controller Area Network

▪ Modern vehicles are full of little embedded systems and electronic control units (ECUs) that can communicate using the CAN protocol.

▪ Runs on Two wires

▪ CANH

▪ CANL

▪ CAN uses differential signaling

▪ It supports OBD-2

6

▪ DOS

▪ Firehose

▪ Packet payload modification

▪ Packet replay

▪ Right after / Before attack

8

▪ Anomaly-based IDS observes a real-time system’s activities and compare it against a normal behavior that has been recorded into a profile. Whenever the deviation from normal profile behavior reaches a certain threshold, it will raise the alarm

9

Expected CAN

message flow

Actual CAN message

flow

Raise Alarm

▪ Easy to adopt to existing CAN network

▪ Low cost

▪ Other solutions need many changes in CAN network, which lead to ECU modification

▪ Changing ECU system /software is time consuming for automotive sector due to many compliances.

10

11

BCM

Brake

Sensor

ECU

Light Switch

ECUHeadlamp

ECU

Brake lamp

ECU

CAN Bus

12

BCM

Brake

Sensor

ECU

Light Switch

ECUHeadlamp

ECU

Brake lamp

ECU

CAN Bus

ADS

▪ Frequency

▪ Filtering messages

▪ Sequence of IDs

▪ Machine Learning

▪ etc

13

14

03 03

02 0202 02

05 0505 05 05 0505 05

ECU2

ECU1

ECU3

Time

Time

Time

1 secs

500 ms

250 ms

15

03 03 03 03

CAN packet

Time between

packet

ADS checks if the time between two

packets are as per expected time.

CAN

BUS

Time

16

CAN

Bus05 0003 03 05 FF00 05

Unexpected

message

packet

ADS checks if no unexpected packet

is received on the bus

1717

03 0502 02 05 03

CAN packets

ADS checks if the sequence is as per

expected sequence.

03 05

Seq 1

Seq 2

Seq 3

Seq 1Seq 2

CAN

BUS

Time

Learning

18

Get CAN

messages

information

from

network

Learn CAN message

sequence and timings

between messages

Identify Seq

and timings

between

messages

Learning

Store

Identified

Seq and

timings

Check if Seq and timings

are matching with CAN

network

Raise alarm

if mismatch

LEARNING PHASE

EXECUTION PHASE

19

BCM

Brake

Sensor

ECU

Light Switch

ECU

Headlamp

ECU

Brake lamp

ECU

CAN Bus

ADS

Alarm to

Driver

Make Bus OFF in case

of anomaly detection

Raise

Alarm in

case of

anomaly

detection

20

Thank you

21