
BTMonitor: Bit-time-based Intrusion Detection and Attacker Identification in Controller Area Network

Published: 15 November 2019

Abstract

With the rapid growth of connectivity and autonomy in today’s automobiles, their security vulnerabilities are becoming one of the most urgent concerns in the automotive industry. The lack of message authentication in Controller Area Network (CAN), the most popular in-vehicle communication protocol, makes it susceptible to cyber attacks. It has been demonstrated that remote attackers can take over the maneuvering of vehicles after gaining access to CAN, which poses serious safety threats to the public.

To mitigate this issue, we propose a novel intrusion detection system (IDS), called BTMonitor (Bit-time-based CAN Bus Monitor). It utilizes the small but measurable discrepancy in the bit time of CAN frames to fingerprint their sender Electronic Control Units (ECUs). To reduce the requirement for a high sampling rate, we calculate the bit time of recessive bits and dominant bits separately and extract their statistical features as the fingerprint. The generated fingerprint is then used to detect intrusions and pinpoint the attacker. BTMonitor can detect new types of masquerade attack that the state-of-the-art clock-skew-based IDS is unable to identify. We implement a prototype system for BTMonitor using a Xilinx Spartan 6 FPGA for data collection. We evaluate our method on both a CAN bus prototype and a real vehicle. The results show that BTMonitor can correctly identify the sender with an average probability of 99.76% on the real vehicle.
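The fingerprinting idea in the abstract, shown as an added Python example (not code from the paper): per-bit times are estimated separately for dominant and recessive runs, summarized as statistics, and matched against enrolled ECU profiles to flag a masquerade and name the physical sender. The 500 kbit/s bit rate, the mean/standard-deviation feature set, the nearest-profile matching with a distance threshold, and all ECU names, CAN IDs and timings are assumptions constructed for illustration; the paper's actual features and classifier are not given on this page.

```python
from statistics import mean, pstdev

NOMINAL_NS = 2000.0  # assumption: 500 kbit/s bus, so a nominal bit lasts 2000 ns

def bit_times(runs, nominal=NOMINAL_NS):
    """runs: (level, duration_ns) between edges; 0 = dominant, 1 = recessive."""
    out = {0: [], 1: []}
    for level, dur in runs:
        n = round(dur / nominal)          # number of equal bits in this run
        if 1 <= n <= 5:                   # bit stuffing caps stuffed-field runs at 5;
            out[level].append(dur / n)    # longer runs are EOF/idle and skipped
    return out

def fingerprint(runs):
    """Assumed features: mean and std of dominant, then recessive, bit time."""
    bt = bit_times(runs)
    return (mean(bt[0]), pstdev(bt[0]), mean(bt[1]), pstdev(bt[1]))

def identify(fp, profiles):
    """Nearest enrolled fingerprint (Euclidean); returns (ecu, distance)."""
    dist = lambda a, b: sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5
    return min(((e, dist(fp, p)) for e, p in profiles.items()), key=lambda t: t[1])

def check_frame(can_id, runs, profiles, owners, max_dist=3.0):
    """Compare the physical sender with the ECU that owns can_id."""
    ecu, d = identify(fingerprint(runs), profiles)
    if d > max_dist:
        return ("unknown-sender", None)   # matches no enrolled ECU
    if owners.get(can_id) != ecu:
        return ("masquerade", ecu)        # attacker identified by fingerprint
    return ("ok", ecu)

def synth(dom_ns, rec_ns, jitter=(-2, 1, 0, 2, -1, 0, 1, -1)):
    """Constructed measurement: alternating runs with fixed ns jitter."""
    lengths = (1, 3, 2, 5, 1, 4, 2, 1) * 4
    return [(i % 2, n * (rec_ns if i % 2 else dom_ns) + jitter[i % 8])
            for i, n in enumerate(lengths)]

# Constructed enrollment data: two ECUs and the CAN IDs each is allowed to send.
PROFILES = {"ECU_A": fingerprint(synth(2004, 1996)),
            "ECU_B": fingerprint(synth(1991, 2009))}
OWNERS = {0x123: "ECU_A", 0x2A0: "ECU_B"}
OTHER_JITTER = (1, -1, 2, 0, -2, 1, 0, -1)  # different noise for test frames

if __name__ == "__main__":
    print(check_frame(0x123, synth(2004, 1996, OTHER_JITTER), PROFILES, OWNERS))
    print(check_frame(0x123, synth(1991, 2009, OTHER_JITTER), PROFILES, OWNERS))
```

Because the decision uses the waveform rather than the frame's ID or its arrival period, a frame with a legitimate ID and legitimate timing is still attributed to the ECU that physically drove the bus.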
