SCISSION - webpages.eng.wayne.edu

Post on 31-Dec-2021


SCISSION: Signal Characteristic-Based Sender Identification and Intrusion Detection in Automotive Networks

Marcel Kneib and Christopher Huth, CCS 2018

Presented by Alokparna Bandyopadhyay

Fall 2018, Wayne State University

Overview

•  Introduction
•  Controller Area Network (CAN)
•  System and Threat Model
•  SCISSION
•  Evaluation
•  Discussion & Conclusion

Introduction

Automotive Components of a Modern Car

Increased connectivity in connected vehicles

Security Concerns

•  Modern cars with remote and/or driverless control have various remote connections (e.g. Bluetooth, cellular radio, WiFi, etc.)
•  Attackers exploit remote access points to compromise ECUs in the network
•  Remotely control or even shut down a vehicle
•  No security features in most in-vehicle networks (e.g. CAN bus)
•  Attacker identification and authentication not possible

Defense against Attacks

•  Efficient Intrusion Detection Systems (IDS) have been proposed in the past to identify the presence of an attack
   •  Signature based: detects known attacks based on their message pattern and content
      •  Problem: difficult to deploy due to lack of data
   •  Anomaly based: expected characteristics are explicitly specified to detect unknown attacks
      •  Problem: false positives

Motivation for Scission

•  Attacker identification is essential
   •  Forensic isolation of attacker
   •  Vulnerability removal
      •  Faster compared to software updates
      •  Economic compared to manufacturer recall
•  Differences in CAN signals can be used as fingerprints
   •  Can be used for smart sensors with low computational capacity
   •  Difficult for remote attackers to circumvent such systems

Contribution of Scission

•  Uses immutable physical properties of CAN signals as fingerprints to identify the sender of CAN messages
•  Detects unauthorized messages from compromised, unknown or additional ECUs
•  High detection rate with minimal false positives
•  No additional computation required
•  Does not reduce bandwidth and requires few resources
•  Cost-effective feasibility

Controller Area Network (CAN)

CAN transceivers have two dedicated CAN wires: CAN High (blue) and CAN Low (red)

CAN Signal

CAN Data Frame

•  Data transmitted: 8 bytes of payload
•  Frames contain a unique ID based on the priority and meaning of the data
•  Node address is not present
•  Several bus participants try to access the broadcast bus simultaneously
•  Only one ECU can broadcast at a time, based on the priority of its identifier

Format of a standard CAN data frame
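As an added example (not code from the paper or the presenter), the following Python simulates the bitwise arbitration that lets only one ECU broadcast at a time, together with the structural checks a receiver can apply to a frame. The identifiers and payload are constructed, and an 11-bit standard identifier is assumed; note that nothing in the frame names the sending node, which is the gap Scission fills.

```python
"""Added example (not code from the paper or the presenter): simulates the
bitwise arbitration that lets only one ECU broadcast at a time. The candidate
identifiers used here are constructed; an 11-bit standard identifier is assumed."""

ID_BITS = 11      # standard CAN identifier length
MAX_PAYLOAD = 8   # bytes of payload in a data frame


def validate_frame(can_id, payload, id_bits=ID_BITS):
    """Basic structural checks a receiver can apply to a data frame.
    What is *not* checked: there is no node address, so nothing in the
    frame itself tells the receiver which ECU sent it."""
    if not 0 <= can_id < (1 << id_bits):
        raise ValueError("identifier out of range")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds %d bytes" % MAX_PAYLOAD)
    return True


def arbitrate(candidate_ids, id_bits=ID_BITS):
    """Bitwise arbitration among nodes that start transmitting simultaneously.

    The bus behaves as a wired-AND: a dominant (0) bit from any node wins over
    recessive (1). A node that sends recessive but reads dominant stops
    transmitting. Returns (winning_id, [(losing_id, bit_position), ...]).
    """
    contenders = list(candidate_ids)
    losers = []
    for bit in range(id_bits - 1, -1, -1):      # identifier is sent MSB first
        bus = 0 if any(((cid >> bit) & 1) == 0 for cid in contenders) else 1
        remaining = []
        for cid in contenders:
            sent = (cid >> bit) & 1
            if sent == 1 and bus == 0:
                losers.append((cid, bit))        # lost arbitration at this bit
            else:
                remaining.append(cid)
        contenders = remaining
    if len(contenders) != 1:
        raise ValueError("identifiers on one bus must be unique")
    return contenders[0], losers


if __name__ == "__main__":
    validate_frame(0x100, b"\x01\x02")
    print(arbitrate([0x100, 0x0A0, 0x7FF]))
```

Because a lower numeric identifier has more dominant bits up front, the winner is always the contender with the smallest identifier, which is why the ID encodes priority; the losers list records at which bit each other node backed off.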

Signal Characteristics

•  Sources of signal characteristics for extraction of CAN fingerprints:
   •  Variations in supply voltages
   •  Variations in grounding
   •  Variations in resistors, termination and cables
   •  Imperfections in bus topology causing reflections

System and Threat Model

System Model

•  In-vehicle protocol used: CAN bus
•  Network of several separate CAN buses with several ECUs connected to each
•  In-vehicle network architecture
   •  Simple: fewer buses, less secure
   •  Complex: ECUs separated according to functionality, individual buses connected through gateways with additional security mechanisms

System Model cont.

•  Scission is physically integrated into the network via an additional ECU
•  Scission ECU is secured and trustworthy
•  System cannot be bypassed by an attacker
•  Gateways can be used to determine whether received messages have been sent from valid ECUs

Threat model

•  Compromised ECU
   •  Attackers access the monitored CAN through an exploited vulnerability of an existing ECU
   •  Remotely and stealthily send a variety of CAN frames using all possible identifiers and any message content
•  Unmonitored ECU
   •  Malicious usage of a passive or unmonitored device
   •  Exploit ECU update mechanism
   •  Insert malicious code and turn a passive, listening-only device into a message-sending device

Threat model cont.

•  Additional ECU
   •  Attach an additional bus participant directly to the guarded network or use the easy-to-reach On-Board Diagnostics (OBD-II) port of the vehicle
   •  Physical access to the vehicle to control the vehicle maneuver
•  Scission-aware attacker
   •  Remote attacker attempts to mislead the IDS by influencing its signal characteristics
   •  Affects the absolute voltage level of the signals

Security Goal

•  CAN provides no security mechanism to identify an attacker
•  Scission determines signal characteristics to create fingerprints for source ECUs
•  System monitors network traffic to detect unauthorized messages from compromised, unknown or additional ECUs
•  System detects
   •  Counterfeit CAN frames from compromised and unknown ECUs
   •  Remotely compromised ECUs

SCISSION: Signal Characteristic-Based Sender Identification

Overview of Scission

Scission fingerprints ECUs and achieves attacker identification in five phases

Phase 1: Sampling

•  Analog signals of the received frames are recorded
•  Differential signal is used directly
   •  Requires an additional circuit
   •  System requires fewer resources because less data is stored temporarily
   •  Signal noise can be compensated
   •  Number of measured values per bit depends on the sampling and baud rate
•  Separate signals are used
   •  Can be influenced by electromagnetic interference or other variations
   •  Incorrect predictions due to signal noise

Phase 2: Preprocessing

•  Signal of each bit of the message recorded in the sampling stage is processed individually
•  Sets containing several analog values are subsequently divided into 3 groups
   •  Group $G_{10}$: set representing a dominant bit (0), contains a rising edge
   •  Group $G_{00}$: set representing a dominant bit (0), does not contain a rising edge
   •  Group $G_{01}$: set representing a recessive bit (1), containing a falling edge
•  Dominant bits whose previous bits were also dominant are discarded, since these bits are unsuitable for classification

Phase 2: Preprocessing cont.

•  Separate groups make the system robust and accurate
•  Possible to use all bits after sampling for identification, independent of the transmitted data
•  Distinguishable characteristics of the different groups do not counterbalance each other
•  Makes the important characteristics more observable

Phase 3: Feature Extraction

•  System extracts and evaluates different statistical features for each of the previously prepared groups
•  Time domain and magnitude of the frequency domain are considered
•  Relief-F algorithm from the Weka 3 toolkit is used for selection of the most significant features
•  Best features of the test setups are combined to get a general feature set
•  Most important characteristics are found in $G_{10}$, which contains the rising edges
•  Feature vector F(V) represents the fingerprint extracted from the received CAN signal

Features considered in the selection, where x are the measured values in the time domain or, respectively, the magnitude values in the frequency domain, and N is the number of elements

Selected features for classification ordered by their rank
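The following Python is an added example covering the sampling, preprocessing and feature-extraction phases above; it is not code from the paper or the slides. It builds the differential signal from the two measurement series, assigns each bit's sample window to $G_{10}$, $G_{00}$ or $G_{01}$ according to the previous bit, and concatenates time-domain and frequency-magnitude statistics per group into a fingerprint F(V). The voltage samples, the four samples per bit, the idle-recessive assumption before the first bit and the feature subset (mean, standard deviation, max, min, RMS) are all assumptions; the paper's own selected features and their ranking are not reproduced here. Bits matching none of the three group definitions are simply dropped.

```python
"""Added example, not code from the paper or the slides: builds the
differential signal from the two measurement series, splits it into the bit
groups of the preprocessing phase and extracts a simple fingerprint F(V).
Voltages, samples-per-bit and the feature subset are assumptions."""
import math

SAMPLES_PER_BIT = 4  # assumed; in practice set by sampling rate and baud rate

# Constructed measurement series for a 5-bit fragment 0 0 1 1 0 (0 = dominant,
# 1 = recessive). Dominant: CANH ~3.5 V, CANL ~1.5 V; recessive: both ~2.5 V.
BITS = [0, 0, 1, 1, 0]
CANH = [3.0, 3.4, 3.5, 3.5] + [3.5] * 4 + [2.6, 2.5, 2.5, 2.5] + [2.5] * 4 + [3.0, 3.4, 3.5, 3.5]
CANL = [2.0, 1.6, 1.5, 1.5] + [1.5] * 4 + [2.4, 2.5, 2.5, 2.5] + [2.5] * 4 + [2.0, 1.6, 1.5, 1.5]


def differential(can_high, can_low):
    """Combine the CAN High and CAN Low series into the differential signal."""
    if len(can_high) != len(can_low):
        raise ValueError("measurement series must have equal length")
    return [h - l for h, l in zip(can_high, can_low)]


def group_bits(bits, samples, spb=SAMPLES_PER_BIT):
    """Phase 2: assign each bit's sample window to G10, G00 or G01.

    G10: dominant bit after a recessive bit (rising edge in the differential)
    G00: dominant bit after a dominant bit (no edge)
    G01: recessive bit after a dominant bit (falling edge)
    Bits matching none of these definitions are dropped (assumption here).
    """
    if len(samples) != len(bits) * spb:
        raise ValueError("expected %d samples" % (len(bits) * spb))
    groups = {"G10": [], "G00": [], "G01": []}
    prev = 1  # assumption: the bus is recessive (idle) before the first bit
    for i, bit in enumerate(bits):
        window = samples[i * spb:(i + 1) * spb]
        if bit == 0 and prev == 1:
            groups["G10"].append(window)
        elif bit == 0 and prev == 0:
            groups["G00"].append(window)
        elif bit == 1 and prev == 0:
            groups["G01"].append(window)
        prev = bit
    return groups


def dft_magnitude(x):
    """Magnitude of the discrete Fourier transform (plain O(N^2) form)."""
    n = len(x)
    out = []
    for k in range(n):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = -sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        out.append(math.hypot(re, im))
    return out


def stats(x):
    """Assumed feature subset over the N values x: mean, std, max, min, RMS."""
    n = len(x)
    mean = sum(x) / n
    std = math.sqrt(sum((v - mean) ** 2 for v in x) / n)
    rms = math.sqrt(sum(v * v for v in x) / n)
    return [mean, std, max(x), min(x), rms]


def fingerprint(groups):
    """Phase 3: F(V) = time-domain and frequency-magnitude features per group,
    concatenated in fixed order (10 values per group). An empty group yields
    zeros so the vector length stays constant for the classifier."""
    vec = []
    for name in ("G10", "G00", "G01"):
        flat = [v for window in groups[name] for v in window]
        if not flat:
            vec.extend([0.0] * 10)
            continue
        vec.extend(stats(flat))
        vec.extend(stats(dft_magnitude(flat)))
    return vec


def build_fingerprint():
    """Run the whole pipeline on the constructed series."""
    return fingerprint(group_bits(BITS, differential(CANH, CANL)))


if __name__ == "__main__":
    print([round(v, 3) for v in build_fingerprint()])
```

With real captures the per-group feature vectors from many frames of each ECU become the training rows for the classifier; keeping the three groups separate, as the slide explains, stops the edge-bearing windows from being averaged away by the flat ones.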

Phase 4 & 5: Classification & Detection

•  Finding the sender ECU of a received frame is a classification problem
•  Several machine learning techniques are used to identify the class of the new observation
•  Logistic Regression is used for training and prediction
•  Training phase:
   •  Generate fingerprints of multiple CAN frames for each of the different ECUs
   •  Train the supervised learning model
•  Detection phase:
   •  Compare the features of the newly received frames with the features collected for model generation
   •  Predict the sender ECU

Deployment & Lifecycle

•  Vehicle is considered to be in a safe environment during the initial deployment phase
•  A key is assigned to each ECU to enable secure communication with the IDS
•  A safe training phase is carried out to avoid forged frames
•  Performance monitor evaluates the quality of the classifiers
•  Model constantly adapts to changes, ensuring high accuracy
•  Stochastic algorithms and online machine learning methods are used to update the existing model
•  Influence of potential malicious data during the training phase is avoided by countermeasures against poisoning attacks
•  Requires less bandwidth, can be implemented in ECUs with fewer resources and no additional hardware accelerators

Security of Scission

•  Detecting compromised ECUs
   •  System calculates the probability of the ECU being allowed to send frames with the specified identifier
   •  If the estimated probability is below the threshold $t_{min}$, the frame is marked as suspicious
   •  The frame marked as suspicious is classified as malicious if the probability of the suspect device exceeds the threshold $t_{max}$, and an alarm is triggered
   •  If the probability does not exceed $t_{max}$, the frame is considered trustworthy to reduce false positives
•  Detecting unmonitored and additional ECUs
   •  Fingerprint of the unmonitored/additional ECU matches that of another ECU which is not allowed to use the received identifier → attack is detected
   •  Unmonitored/additional ECU has very similar characteristics to a trustworthy ECU which the attacker imitates → attack cannot be detected
   •  No ECU could be assigned → frame is marked as suspicious
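The two-threshold decision above, written out as an added Python example (not the paper's or the presenter's code). The identifier-to-ECU assignment, the classifier probabilities and the values of $t_{min}$ and $t_{max}$ are constructed for illustration; the classifier itself is assumed to already return a probability per ECU for each received frame.

```python
"""Added example, not from the paper or the slides: the two-threshold
decision of the detection phase applied to classifier outputs. The
identifier-to-ECU assignment, the probabilities and the threshold values
are constructed for illustration."""

# Assumed static assignment: which monitored ECU may send which identifier
ALLOWED_SENDER = {0x100: "ECU_A", 0x200: "ECU_B", 0x300: "ECU_C"}
T_MIN = 0.90  # below this, the frame is marked suspicious (assumed value)
T_MAX = 0.60  # above this, a suspect device is blamed and an alarm raised (assumed)


def classify_frame(can_id, probabilities, t_min=T_MIN, t_max=T_MAX,
                   allowed=ALLOWED_SENDER):
    """Decide on one frame given the classifier's per-ECU probabilities.

    Returns {"verdict": "trusted" | "suspicious" | "malicious",
             "suspicious": bool, "suspect": ECU name or None}.
    """
    owner = allowed.get(can_id)
    if owner is None:
        # No ECU could be assigned to this identifier: mark as suspicious
        return {"verdict": "suspicious", "suspicious": True, "suspect": None}
    # Probability that the ECU allowed to use this identifier sent the frame
    if probabilities.get(owner, 0.0) >= t_min:
        return {"verdict": "trusted", "suspicious": False, "suspect": None}
    # Below t_min: suspicious. Find the device whose fingerprint fits best.
    others = {ecu: p for ecu, p in probabilities.items() if ecu != owner}
    if not others:
        return {"verdict": "suspicious", "suspicious": True, "suspect": None}
    suspect, p_suspect = max(others.items(), key=lambda kv: kv[1])
    if p_suspect > t_max:
        return {"verdict": "malicious", "suspicious": True, "suspect": suspect}
    # No device exceeds t_max: treat as trustworthy to limit false positives
    return {"verdict": "trusted", "suspicious": True, "suspect": None}


def run_detection(frames):
    """frames: iterable of (identifier, probabilities). Returns the list of
    alarms (identifier, suspect ECU) and how many frames were marked suspicious."""
    alarms, n_suspicious = [], 0
    for can_id, probs in frames:
        result = classify_frame(can_id, probs)
        if result["suspicious"]:
            n_suspicious += 1
        if result["verdict"] == "malicious":
            alarms.append((can_id, result["suspect"]))
    return alarms, n_suspicious


# Constructed classifier outputs for four received frames
SAMPLE_FRAMES = [
    (0x100, {"ECU_A": 0.97, "ECU_B": 0.02, "ECU_C": 0.01}),  # genuine ECU_A frame
    (0x100, {"ECU_A": 0.05, "ECU_B": 0.90, "ECU_C": 0.05}),  # counterfeit: signal matches ECU_B
    (0x200, {"ECU_A": 0.40, "ECU_B": 0.35, "ECU_C": 0.25}),  # unclear, no device above t_max
    (0x7FF, {"ECU_A": 0.30, "ECU_B": 0.30, "ECU_C": 0.40}),  # identifier assigned to no ECU
]

if __name__ == "__main__":
    print(run_detection(SAMPLE_FRAMES))
```

The two thresholds pull in opposite directions: a higher $t_{min}$ flags more frames as suspicious, while a higher $t_{max}$ requires a confident match to another ECU before an alarm is raised, which is how the design keeps false positives down at the cost of leaving low-confidence frames unattributed.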

Security of Scission cont.

•  Detecting Scission-aware attacker
   •  To impersonate a specific ECU, an attacker may influence its own voltage level by heating or cooling the compromised ECU
   •  Scission is able to continuously adapt to the slightly changing conditions
   •  Since Scission uses several signal characteristics, it is unlikely for an attacker to impersonate a specific ECU
   •  Attacker is not able to precisely adapt its signal due to the absence of general information about the characteristics
   •  Cannot evade Scission

Evaluation

Evaluation Setup & Goal

•  Prototype setup has 9 ECUs interconnected with each other
•  Two real-life cars used: Fiat 500 & Porsche Panamera S E-Hybrid
•  Digital storage oscilloscope PicoScope 5204 with a sampling rate of 500 MS/s and a resolution of 8 bits is used to record signals
•  Two measurement series were created per frame, one for CAN Low and one for CAN High, which were then combined to obtain the differential signal
•  Evaluation goal
   •  Fingerprinting approach is able to identify the senders of received CAN frames with a high probability
   •  Evaluate the ability of Scission to identify compromised, unmonitored and additional ECUs based on fingerprints

Performance Evaluation

Prototype setup

Fiat 500

Porsche Panamera S E-Hybrid

Confusion matrix for the identification of ECUs

Performance Evaluation cont.

Confusion matrix of Scission

Performance for different sampling rates.

Discussion & Conclusion

Limitations

•  If an attacker works with the identifiers that the ECU is allowed to use under normal conditions, Scission cannot detect them
•  In case of additional ECUs, if the bus is modified without influencing the characteristics, the system will no longer be able to reliably recognize the change

Conclusion

•  Usage of the Scission IDS in in-vehicle networks is a promising technology for improving their security
•  Scission extracts fingerprints from the CAN signals for attacker identification with zero false positives
•  Able to identify the correct sender with a probability of 99.85%
•  No impact on the available bandwidth; can be implemented in smart sensors
•  Fingerprinting technology can enhance classical IDS approaches
•  Can be used as a basis for a stand-alone system or to improve the security of gateways connecting different buses

THANK YOU