Abstract
With the rapid growth of connectivity and autonomy in today’s automobiles, their security vulnerabilities are becoming one of the most urgent concerns in the automotive industry. The lack of message authentication in the Controller Area Network (CAN), the most popular in-vehicle communication protocol, makes it susceptible to cyber attacks. It has been demonstrated that remote attackers can take over the maneuvering of vehicles after gaining access to CAN, which poses serious safety threats to the public.
To mitigate this issue, we propose a novel intrusion detection system (IDS), called BTMonitor (Bit-time-based CAN Bus Monitor). It uses the small but measurable discrepancy in the bit time of CAN frames to fingerprint their sender Electronic Control Units (ECUs). To reduce the need for a high sampling rate, we calculate the bit time of recessive bits and dominant bits separately and extract their statistical features as a fingerprint. The generated fingerprint is then used to detect intrusions and pinpoint the attacker. BTMonitor can detect new types of masquerade attacks that the state-of-the-art clock-skew-based IDS is unable to identify. We implement a prototype system for BTMonitor using a Xilinx Spartan 6 FPGA for data collection. We evaluate our method on both a CAN bus prototype and a real vehicle. The results show that BTMonitor can correctly identify the sender with an average probability of 99.76% on the real vehicle.
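The following is an added illustration of the bit-time fingerprinting idea in the abstract, not the authors' implementation: it derives per-bit times for dominant and recessive runs, builds a mean/standard-deviation fingerprint, and flags a frame whose physical sender does not own its CAN ID. The 500 kbit/s bit time, the `(level, duration_ns)` input format, the Euclidean nearest-fingerprint match with a 1.5 ns cutoff, and all ECU names, CAN IDs and timing values are assumptions constructed for the example.

```python
from statistics import mean, pstdev

NOMINAL_NS = 2000.0  # assumed 500 kbit/s bus; not stated on the page

def bit_times(runs):
    """runs: (level, duration_ns) per run of identical bits; 0 = dominant, 1 = recessive."""
    out = {0: [], 1: []}
    for level, dur in runs:
        nbits = max(1, round(dur / NOMINAL_NS))  # run length in bits (1..5 with bit stuffing)
        out[level].append(dur / nbits)           # averaging over the run relaxes the sampling rate
    return out

def fingerprint(runs):
    """Statistical features of dominant and recessive bit time, kept separate."""
    bt = bit_times(runs)
    return (mean(bt[0]), pstdev(bt[0]), mean(bt[1]), pstdev(bt[1]))

def distance(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def identify(runs, enrolled, max_dist=1.5):
    """Return (ecu, dist) for the nearest enrolled fingerprint, or (None, dist) if too far."""
    fp = fingerprint(runs)
    ecu, d = min(((n, distance(fp, ref)) for n, ref in enrolled.items()), key=lambda t: t[1])
    return (ecu if d <= max_dist else None), d

def check_frame(can_id, runs, enrolled, owners):
    """Compare the physical sender with the ECU allowed to transmit can_id."""
    sender, _ = identify(runs, enrolled)
    if sender == owners[can_id]:
        return ("ok", sender)
    return ("intrusion", sender)  # sender is None when no enrolled ECU matches

def synth(dom_ns, rec_ns, nruns=40):
    """Constructed sample data: alternating runs of 1..5 bits with +/-1 ns per-bit jitter."""
    runs = []
    for i in range(nruns):
        level = i % 2
        nbits = 1 + (i * 3) % 5
        per_bit = (rec_ns if level else dom_ns) + (i % 3 - 1)
        runs.append((level, nbits * per_bit))
    return runs

# Enrollment from constructed traces; names and ID ownership are hypothetical.
ENROLLED = {"ECU_A": fingerprint(synth(2003.0, 1998.0)),
            "ECU_B": fingerprint(synth(1996.0, 2004.0))}
OWNERS = {0x120: "ECU_A", 0x2A0: "ECU_B"}
```

Calling `check_frame(0x120, synth(1996.0, 2004.0, 30), ENROLLED, OWNERS)` models a masquerade: the frame carries an ID owned by ECU_A but its bit timing matches ECU_B, so the result both raises the alert and names the transmitter.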
Index Terms
BTMonitor: Bit-time-based Intrusion Detection and Attacker Identification in Controller Area Network