Attacker Identification Using Low-Level Characteristics of Automotive ECUs

Abstract

The Controller Area Network (CAN) is one of the most important In-Vehicle Network (IVN) protocols used for reliable communication between Electrical Control Units (ECUs). ECUs are responsible for critical in-vehicle operations such as transmission, brakes and active safety (e.g., airbag deployment) among others. However, the CAN protocol lacks basic security features such as message authentication and encryption, making it vulnerable to a variety of attacks such as message spoofing, replication, fabrication and denial of service. In order to detect these attacks and proactively protect the ECUs, researchers have proposed intrusion detection systems for vehicles. Since the majority of the IVN traffic is highly regular, most of the proposed solutions aim at detecting anomalies in the vehicle by evaluating incoming in-vehicle messages against potential irregularities. Despite these efforts, there are not many works done on associating a malicious CAN message to its origin and thereby locating the source of an attack. Recently attacker identification methods for IVNs have been introduced. The proposed solutions focus on the low-level characteristics of the ECUs such as voltage, clock-skew or clock-offset to fingerprint ECUs and to identify the attacker ECU. Given that these methods have recently been proposed in the literature, there is a need to investigate and verify the applicability and practicality of the proposed methods and identify the challenges of implementing them. In this work, we study two of the most prominent automotive IDS solutions proposed in the literature recently; CASAD as an IDS and Viden as a fingerprinting-technique based on ECU voltage characteristics. We mainly focus on assessing the performance of Viden with respect to detection accuracy, viability, practicality and efficiency by implementing a proof-of-concept of the proposed method. We replicate the algorithm used by Viden, and as an extended objective of the thesis, we also investigate whether CASAD’s detection engine can be extended to use the ECU voltage behaviour for distinguishing different ECUs from each other, thus detecting the source of an attack. Finally, we propose a unified system where CASAD detects the attack and Viden identifies the source of the attack.