Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks

Moore, Michael R.; Bridges, Robert A.; Combs, Frank L.; Starr, Michael S.; Prowell, Stacy

doi:10.1145/3064814.3064816

Cited by 116 publications

(61 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Third, the unsupervised detection results display the quantitative gain in the false detection rate of the ensemble over any of the constituent members with no expense to the true positive rate. This shows that the ensemble directly addresses the base rate fallacy and supports a growing body of literature in this area [9], [10], [11], [12], [13], [14], [15], [16]. Finally, our anomaly detection ensemble outperforms the supervised algorithms-perhaps surprising given that the latter is privy to other known malware profiles during training.…”

Section: A Contributionssupporting

confidence: 77%

Towards Malware Detection via CPU Power Consumption: Data Collection Design and Analytics

Bridges

Jiménez

Nichols

et al. 2018

2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/ 12th IEEE International

View full text Add to dashboard Cite

This paper presents an experimental design and data analytics approach aimed at power-based malware detection on general-purpose computers. Leveraging the fact that malware executions must consume power, we explore the postulate that malware can be accurately detected via power data analytics. Our experimental design and implementation allow for programmatic collection of CPU power profiles for fixed tasks during uninfected and infected states using five different rootkits. To characterize the power consumption profiles, we use both simple statistical and novel, sophisticated features. We test a one-class anomaly detection ensemble (that baselines non-infected power profiles) and several kernel-based SVM classifiers (that train on both uninfected and infected profiles) in detecting previously unseen malware and clean profiles. The anomaly detection system exhibits perfect detection when using all features and tasks, with smaller false detection rate than the supervised classifiers. The primary contribution is the proof of concept that baselining power of fixed tasks can provide accurate detection of rootkits. Moreover, our treatment presents engineering hurdles needed for experimentation and allows analysis of each statistical feature individually. This work appears to be the first step towards a viable power-based detection capability for general-purpose computers, and presents next steps toward this goal.

show abstract

Section: A Contributionssupporting

confidence: 77%

Towards Malware Detection via CPU Power Consumption: Data Collection Design and Analytics

Bridges

Jiménez

Nichols

et al. 2018

2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/ 12th IEEE International

View full text Add to dashboard Cite

show abstract

“…The increasing attack area of vehicles exposes the control network to life-threatening attacks. A method [15] is proposed to detect the abnormal flow pattern by detecting the abnormal refresh rate of some commands, so as to meet the need of protecting the CAN bus.…”

Section: Anomaly Detection Based On Traditional Methodsmentioning

confidence: 99%

Anomaly Detection of CAN Bus Messages Using A Deep Neural Network for Autonomous Vehicles

Zhou

Shen

2019

Applied Sciences

View full text Add to dashboard Cite

The in-vehicle controller area network (CAN) bus is one of the essential components for autonomous vehicles, and its safety will be one of the greatest challenges in the field of intelligent vehicles in the future. In this paper, we propose a novel system that uses a deep neural network (DNN) to detect anomalous CAN bus messages. We treat anomaly detection as a cross-domain modelling problem, in which three CAN bus data packets as a group are directly imported into the DNN architecture for parallel training with shared weights. After that, three data packets are represented as three independent feature vectors, which corresponds to three different types of data sequences, namely anchor, positive and negative. The proposed DNN architecture is an embedded triplet loss network that optimizes the distance between the anchor example and the positive example, makes it smaller than the distance between the anchor example and the negative example, and realizes the similarity calculation of samples, which were originally used in face detection. Compared to traditional anomaly detection methods, the proposed method to learn the parameters with shared-weight could improve detection efficiency and detection accuracy. The whole detection system is composed of the front-end and the back-end, which correspond to deep network and triplet loss network, respectively, and are trainable in an end-to-end fashion. Experimental results demonstrate that the proposed technology can make real-time responses to anomalies and attacks to the CAN bus, and significantly improve the detection ratio. To the best of our knowledge, the proposed method is the first used for anomaly detection in the in-vehicle CAN bus.Appl. Sci. 2019, 9, 3174 2 of 12 start-stop, parking, Accessory system, and information entertainment systems that can be connected with smart devices such as mobile phones. These systems will obtain data from the CAN bus network on the vehicle. From the perspective of intelligent development, it is inevitable for automobiles to connect to the Internet, and these electronic devices and intelligent information systems may become a way for hackers to intrude into the automobile network system. Once hackers invade these systems and successfully connect to the car CAN bus network, the driver may lose control of the vehicle [3]. At the Black Hat conference in 2014, researchers released a report on the network security of more than 20 models on the market, assessing the ability of different car manufacturers to withstand malicious attacks on different models [4]. In addition, the (Identity Document) ID in the CAN bus protocol only represents the priority of the message, and there is no original address information in the protocol. The receiving electronic control unit (ECU) cannot confirm whether the received data is the original data or not; that is, the authenticity of the received message cannot be confirmed under the existing mechanism, which easily leads to forgery and tampering of the CAN bus message by injecting false information. Wha...

show abstract

“…The next trend in the CAN IDS research literature is to exploit the regular frequency of important CAN messages. Frequency anomalies have been explored to detect and prevent signal-injection attacks and potentially ECU reprogramming [9,16,17]. 3) ECU-fingerprinting IDS: After publication of the Jeep hack [2], in which some ECUs were silenced and others controlled to send spoofed messages in lieu of the silenced ECUs, CAN IDS research transitioned to more sophisticated methods all focused on automatic ECU identification as a stepping stone to IDS.…”

Section: A Related Can Ids Workmentioning

confidence: 99%

“…In short, even though packets are observable, there is no existing way to automatically know what mechanisms they control. This is a primary roadblock to defending CANs and calls for data analytics approaches to pioneer vehicle-agnostic detection and prevention capabilities [8][9][10][11].…”

Section: Introductionmentioning

confidence: 99%

Exploiting the Shape of CAN Data for In-Vehicle Intrusion Detection

Tyree

Bridges

Combs

et al. 2018

2018 IEEE 88th Vehicular Technology Conference (VTC-Fall)

Self Cite

View full text Add to dashboard Cite

Modern vehicles rely on scores of electronic control units (ECUs) broadcasting messages over a few controller area networks (CANs). Bereft of security features, in-vehicle CANs are exposed to cyber manipulation and multiple researches have proved viable, life-threatening cyber attacks. Complicating the issue, CAN messages lack a common mapping of functions to commands, so packets are observable but not easily decipherable. We present a transformational approach to CAN IDS that exploits the geometric properties of CAN data to inform two novel detectors-one based on distance from a learned, lower dimensional manifold and the other on discontinuities of the manifold over time. Proof-of-concept tests are presented by implementing a potential attack approach on a driving vehicle. The initial results suggest that (1) the first detector requires additional refinement but does hold promise; (2) the second detector gives a clear, strong indicator of the attack; and (3) the algorithms keep pace with high-speed CAN messages. As our approach is data-driven it provides a vehicle-agnostic IDS that eliminates the need to reverse engineer CAN messages and can be ported to an after-market plugin.

show abstract

Modeling inter-signal arrival times for accurate detection of CAN bus signal injection attacks

Cited by 116 publications

References 10 publications

Towards Malware Detection via CPU Power Consumption: Data Collection Design and Analytics

Towards Malware Detection via CPU Power Consumption: Data Collection Design and Analytics

Anomaly Detection of CAN Bus Messages Using A Deep Neural Network for Autonomous Vehicles

Exploiting the Shape of CAN Data for In-Vehicle Intrusion Detection

Contact Info

Product

Resources

About