Attacker Identification Using Low-Level Characteristics of Automotive ECUs
Typ
Examensarbete för masterexamen
Program
Publicerad
2020
Författare
DESAI, DEEPAK
GÜNKE, BURKIN
Modellbyggare
Tidskriftstitel
ISSN
Volymtitel
Utgivare
Sammanfattning
The Controller Area Network (CAN) is one of the most important In-Vehicle Network (IVN) protocols used for reliable communication between Electrical Control
Units (ECUs). ECUs are responsible for critical in-vehicle operations such as transmission, brakes and active safety (e.g., airbag deployment) among others. However,
the CAN protocol lacks basic security features such as message authentication and
encryption, making it vulnerable to a variety of attacks such as message spoofing,
replication, fabrication and denial of service.
In order to detect these attacks and proactively protect the ECUs, researchers have
proposed intrusion detection systems for vehicles. Since the majority of the IVN
traffic is highly regular, most of the proposed solutions aim at detecting anomalies
in the vehicle by evaluating incoming in-vehicle messages against potential irregularities. Despite these efforts, there are not many works done on associating a
malicious CAN message to its origin and thereby locating the source of an attack.
Recently attacker identification methods for IVNs have been introduced. The proposed solutions focus on the low-level characteristics of the ECUs such as voltage,
clock-skew or clock-offset to fingerprint ECUs and to identify the attacker ECU.
Given that these methods have recently been proposed in the literature, there is
a need to investigate and verify the applicability and practicality of the proposed
methods and identify the challenges of implementing them.
In this work, we study two of the most prominent automotive IDS solutions proposed
in the literature recently; CASAD as an IDS and Viden as a fingerprinting-technique
based on ECU voltage characteristics. We mainly focus on assessing the performance
of Viden with respect to detection accuracy, viability, practicality and efficiency by
implementing a proof-of-concept of the proposed method. We replicate the algorithm used by Viden, and as an extended objective of the thesis, we also investigate
whether CASAD’s detection engine can be extended to use the ECU voltage behaviour for distinguishing different ECUs from each other, thus detecting the source
of an attack. Finally, we propose a unified system where CASAD detects the attack
and Viden identifies the source of the attack.
Beskrivning
Ämne/nyckelord
Vehicle-cybersecurity , Controller Area Network , CAN , Bus , Attacker Identification , Engine Control Unit , ECU , In-Vehicle Networks