scission - webpages.eng.wayne.edu
Post on 31-Dec-2021
5 Views
Preview:
TRANSCRIPT
SCISSION Signal Characteristic-Based Sender Identification and
Intrusion Detection in Automotive Networks
MarcelKneibandChristopherHuthCCS2018
PresentedbyAlokparnaBandyopadhyay
Fall2018,WayneStateUniversity
Overview
• Introduction• ControlAreaNetwork(CAN)• SystemandThreatModel• SCISSION• Evaluation• Discussion&Conclusion
2
Introduction
3
Automotive Components of a Modern Car
4
Increasedconnectivityin
connectedvehicles
Security Concerns
• Moderncarswithremoteand/ordriverlesscontrolhasvariousremoteconnections(e.g.Bluetooth,CellularRadio,WiFi,etc.)
5
• AttackersexploitremoteaccesspointstocompromiseECUsinthenetwork
• Remotelycontrolorevenshutdownavehicle• Nosecurityfeaturesinmostin-vehicle
networks(e.g.CANBus)• Attackeridentificationandauthenticationnot
possible
Defense against Attacks
• EfficientIntrusionDetectionSystems(IDS)areproposedinthepasttoidentifypresenceofanattack• SignatureBased:Detectsknownattackbasedontheirmessagepatternandcontent• Problem:Difficulttodeployduetolackofdata
• AnomalyBased:Expectedcharacteristicsareexplicitlyspecifiedtodetectunknownattacks• Problem:FalsePositives
6
Motivation for Scission
• AttackerIdentificationisessential• Forensicisolationofattacker• Vulnerabilityremoval• Fastercomparedtosoftwareupdates• Economiccomparedtomanufacturerrecall
• DifferenceinCANsignalscanbeusedasfingerprints• Canbeusedforsmartsensorswithlowcomputationalcapacity• Difficultforremoteattackerstocircumventsuchsystems
7
Contribution of Scission
• UsesimmutablephysicalpropertiesofCANsignalsasfingerprintstoidentifythesenderofCANmessages• Detectunauthorizedmessagesfromcompromised,unknownoradditionalECUs• Highdetectionratewithminimalfalsepositives• Noadditionalcomputationrequired• Doesnotreducebandwidthandrequireslowresources• Costeffectivefeasibility
8
Control Area Network (CAN)
9
CANtransceivershavetwodedicatedCANwires:CANHigh(blue)andCANLow(red)
10
CAN Signal
CAN Data Frame
11
• Datatransmitted–8bytesofpayload• FramescontainuniqueIDbasedonpriorityandmeaningofdata
• Nodeaddressisnotpresent• Severalbusparticipantstrytoaccessthebroadcastbussimultaneously
• OnlyoneECUcanbroadcastatatimebasedonthepriorityofitsidentifier
Format of a standard CAN data frame
Signal Characteristics
• SourcesofsignalcharacteristicsforextractionofCANfingerprints:• Variationsinsupplyvoltages• Variationsingrounding• Variationsinresistors,terminationandcables• Imperfectionsinbustopologycausingreflections
12
System and Threat Model
13
System Model • In-vehicleprotocolused:CANBus• NetworkofseveralseparateCANBuseswithseveralECUsconnectedtoeach• In-vehiclenetworkarchitecture
• Simple:Fewerbuses,lesssecure• Complex:ECUsseparatedaccordingtofunctionality,individualbusesconnectedthroughgatewayswithadditionalsecuritymechanisms
14
System Model cont. • ScissionisphysicallyintegratedintothenetworkviaadditionalECU• ScissionECUissecuredandtrustworthy• Systemcannotbebypassedbyanattacker• GatewayscanbeusedtodeterminewhetherreceivedmessageshavebeensentfromvalidECUs
15
Threat model
• CompromisedECU• AttackersaccessthemonitoredCANthroughanexploitedvulnerabilityofanexistingECU• RemotelyandstealthilysendavarietyofCANframesusingallpossibleidentifiersandanymessagecontent
• UnmonitoredECU• Malicioususageofapassiveorunmonitoreddevice
• ExploitECUupdatemechanism
• Insertmaliciouscodeandturnapassive,listening-onlydeviceintoamessagesendingdevice
16
Threat model cont.
• AdditionalECU• Attachanadditionalbusparticipantdirectlytotheguardednetworkorusetheeasy-to-reachOn-boarddiagnostics(OBD)-IIportofthevehicle
• Physicalaccesstothevehicletocontrolthevehiclemaneuver
• Scission-awareAttacker• RemoteattackerattemptstomisleadtheIDSbyinfluencingitssignalcharacteristics
• Affectstheabsolutevoltagelevelofthesignals
17
Security Goal
• CANprovidesnosecuritymechanismtoidentifyanattacker
• ScissiondeterminessignalcharacteristicstocreatefingerprintsforsourceECUs
• Systemmonitorsnetworktraffictodetectunauthorizedmessagesfromcompromised,unknownoradditionalECUs
• Systemdetects• CounterfeitCANframesfromcompromisedandunknownECUs
• RemotelycompromisedECUs
18
SCISSION Signal Characteristic-Based Sender
Identification
19
Overview of Scission ScissionfingerprintsECUsandachievesattackeridentificationinfivephases
20
• Analogsignalsofthereceivedframesarerecorded
• Differentialsignalisuseddirectly• Requiresanadditionalcircuit• Systemrequiresfewerresourcesbecauselessdataisstoredtemporarily• Signalnoisecanbecompensated• Numberofmeasuredvaluesperbitdependsonthesamplingandbaudrate
• Separatesignalsareused• Canbeinfluencedbyelectromagneticinterferenceorothervariations• Incorrectpredictionsduetosignalnoise
21
Phase 1: Sampling
• Signalofeachbitofthemessagerecordedinsamplingstageisprocessedindividually
• Setscontainingseveralanalogvaluesaresubsequentlydividedinto3groups• Group𝐺↓10 –Setrepresentingadominantbit(0),containsarisingedge
• Group𝐺↓00 –Setrepresentingadominantbit(0),doesnotcontainarisingedge
• Group𝐺↓01 –Setrepresentingarecessivebit(1),containingafallingedge• Dominantbits,whosepreviousbitswerealsodominant,arediscardedsincethesebitsareunsuitableforclassification
22
Phase 2: Preprocessing
• Separategroupsmakesthesystemrobustandaccurate• Possibletouseallbitsaftersamplingforidentification,independentofthetransmitteddata• Distinguishablecharacteristicsofthedifferentgroupsdoesnotcounterbalanceeachother• Makestheimportantcharacteristicsmoreobservable
23
Phase 2: Preprocessing cont.
• Systemextractsandevaluatesdifferentstatisticalfeaturesforeachofthepreviouspreparedgroups
• Timedomainandmagnitudeoffrequencydomainareconsidered
• Relief-FalgorithmfromtheWeka3Toolkitisusedforselectionofmostsignificantfeatures
• Bestfeaturesofthetestsetupsarecombinedtogetageneralfeatureset
• Mostimportantcharacteristicsarefoundin𝐺↓10 ,whichcontaintherisingedges
• FeaturevectorF(V)representsthefingerprintextractedfromthereceivedCANsignal
24
Phase 3: Feature Extraction
Features considered in the selection, where x are the measured values in the time domain respectively the magnitude values in the frequency domain and N is the number of elements
Selected features for classification ordered by their rank
• FindingthesenderECUofareceivedframeisaclassificationproblem• Severalmachinelearningtechniquesareusedtoidentifytheclassofthenewobservation
• LogisticRegressionisusedfortrainingandprediction• TrainingPhase:
• GenerateFingerprintsofmultipleCANframesforeachofthedifferentECUs
• TraintheSupervisedLearningmodel
• DetectionPhase:• Comparethefeaturesofthenewlyreceivedframeswiththefeaturescollectedformodelgeneration
• PredictthesenderECU
25
Phase 4 & 5: Classification & Detection
Deployment & Lifecycle
• Vehicleisconsideredtobeinasafeenvironmentduringinitialdeploymentphase• AkeyisassignedtoeachECUtoenablesecurecommunicationwiththeIDS• Asafetrainingphaseiscarriedouttoavoidforgedframes
• Performancemonitorevaluatesthequalityoftheclassifiers• Modelconstantlyadaptstochangesensuringhighaccuracy• Stochasticalgorithmsandonlinemachinelearningmethodsareusedtoupdatetheexistingmodel
• Influenceofpotentialmaliciousdataduringthetrainingphaseisavoidedbycountermeasuresofpoisoningattacks
• Requireslessbandwidth,canbeimplementedinECUswithlessresourcesandnoadditionalhardwareaccelerators
26
Security of Scission • DetectingCompromisedECUs
• SystemcalculatestheprobabilityoftheECUbeingallowedtosendframeswiththespecifiedidentifier
• Iftheestimatedprobabilityisbelowthethreshold𝑡↓𝑚𝑖𝑛 ,theframeismarkedassuspicious• Theframemarkedassuspiciousisclassifiedasmaliciousiftheprobabilityofthesuspectdeviceexceedsthethreshold𝑡↓𝑚𝑎𝑥 andtriggeranalarm
• Iftheprobabilitydoesnotexceed𝑡↓𝑚𝑎𝑥 ,theframeisconsideredtrustworthytoreducefalsepositives
• DetectingUnmonitoredandAdditionalECUs• Fingerprintoftheunmonitored/additionalECUmatchesthatofanotherECUwhichisnotallowedtousethereceivedidentifier→Attackisdetected
• Unmonitored/additionalECUhasverysimilarcharacteristicstoatrustworthyECUwhichtheattackerimitates→Attackcannotbedetected
• NoECUcouldbeassigned→Frameismarkedassuspicious
27
Security of Scission cont. • DetectingScission-awareAttacker
• ToimpersonateaspecificECU,anattackermayinfluenceitsownvoltagelevelbyheatingorcoolingupthecompromisedECU
• Scissionisabletocontinuouslyadapttotheslightlychangingconditions• Scissionusesseveralsignalcharacteristics,itisunlikelyforanattackertoimpersonateaspecificECU• Attackerisnotabletopreciselyadaptitssignalduetotheabsenceofgeneralinformationaboutthecharacteristics
• CannotevadeScission
28
Evaluation
29
• Prototypesetuphas9ECUsinterconnectedwitheachother
• Tworeallifecarsused–Fiat500&PorschePanameraSE-Hybrid
• DigitalstorageoscilloscopePicoScope5204withasamplingrateof500MS/sandaresolutionof8bitsisusedtorecordsignals
• Twomeasurementserieswerecreatedperframe,oneforCANlowandoneforCANhigh,whichwerethencombinedtoobtainthedifferentialsignal
• EvaluationGoal• Fingerprintingapproachisabletoidentifythesendersofreceived
CANframeswithahighprobability• EvaluatetheabilityofScissiontoidentifycompromised,
unmonitoredandadditionalECUsbasedonfingerprints
30
Evaluation Setup & Goal
Performance Evaluation
31
PrototypeSetup
Fiat500
PorschePanameraSE-Hybrid
ConfusionmatrixfortheidentificationofECUs
32
ConfusionMatrixofScission
Performancefordifferentsamplingrates.
Performance Evaluation cont.
Discussion & Conclusion
33
Limitations
34
• IfanattackerworkswiththeidentifiersthattheECUisallowedtouseundernormalconditions,Scissioncannotdetectthem
• IncaseofadditionalECUs,ifthebusismodifiedwithoutinfluencingthecharacteristics,thesystemwillnotlongerbeabletoreliablyrecognizethechange
Conclusion
35
• UsageofScissonIDSinin-vehiclenetworksisapromisingtechnologyforimprovingtheirsecurity• ScissionextractsfingerprintsfromtheCANsignalsforattackeridentificationwithzerofalsepositives
• Abletoidentifythecorrectsenderwithaprobabilityof99.85%• Noimpactontheavailablebandwidth–canbeimplementedinsmartsensors
• FingerprintingtechnologycanenhanceclassicalIDSapproaches• Canbeusedasabasisforstand-alonesystemorimprovethesecurityofgatewaysconnectingdifferentbuses
THANK YOU
36
top related