Attack Traffic Generation for Network-based Intrusion Detection System

dc.contributor.author: Neelap, Chandrika
dc.contributor.author: Bhandari, Harsh Vardhan
dc.contributor.department: Chalmers tekniska högskola / Institutionen för data och informationsteknik (sv)
dc.contributor.department: Chalmers University of Technology / Department of Computer Science and Engineering (en)
dc.contributor.examiner: Almgren, Magnus
dc.contributor.supervisor: Almgren, Magnus
dc.date.accessioned: 2023-12-20T18:41:10Z
dc.date.available: 2023-12-20T18:41:10Z
dc.date.issued: 2023
dc.date.submitted: 2023
dc.description.abstract: The automotive industry is constantly coming up with technological advances, making automotive vehicles a complex system consisting of a multitude of electronic, mechanical, and software components. A critical part of such systems is the electronic control unit (ECU), which is responsible for controlling specific functions. Nowadays, automotive vehicles are equipped with more than 100 ECUs that control a wide range of functions, from essential (engine and power steering control) to comfort (windows, seats, etc.) to critical (airbags). The Controller Area Network (CAN) helps the ECUs communicate with one another using a common bus. The CAN bus is a message-based protocol that offers reliable, priority-driven communication of essential control data. The CAN bus, despite its reliability and efficiency, is prone to a variety of cyber attacks. The vulnerabilities of CAN towards cyber attacks can be reduced by the deployment of an Intrusion Detection System (IDS). An IDS detects intrusions by observing events or by validating the range of different parameters in an attempt to identify malicious content that could potentially be an attack. This acts as a line of defence against cyber attacks and can play a huge role in safeguarding CAN-based systems. In order to check the efficiency and reliability of security mechanisms like IDSs, they must be tested against malicious data to assess their ability to detect various types of attacks. However, the availability of malicious data is not ubiquitous. The objective of this thesis is to investigate a methodology and develop software that can manipulate and add known attack traffic into already existing data sets. The abilities and effectiveness of this attack traffic generating (ATG) software in mimicking real-life cyber attacks are evaluated through a series of experiments while highlighting its strengths and weaknesses.
The experiments reveal that the developed software succeeds in introducing malicious traffic into benign traffic in a random fashion, which mimics real-life attack traffic. The time in which the software introduces these attacks is a function of O(n^2).
dc.identifier.coursecode: DATX05
dc.identifier.uri: http://hdl.handle.net/20.500.12380/307462
dc.language.iso: eng
dc.setspec.uppsok: Technology
dc.subject: Electronic Control Unit
dc.subject: Controller Area Network
dc.subject: Intrusion Detection System
dc.subject: Attack traffic generator
dc.title: Attack Traffic Generation for Network-based Intrusion Detection System
dc.type.degree: Examensarbete för masterexamen (sv)
dc.type.degree: Master's Thesis (en)
dc.type.uppsok: H
local.programme: Computer systems and networks (MPCSN), MSc

Download

Original bundle

Name: CSE 23-126 CN HVB.pdf
Size: 1.31 MB
Format: Adobe Portable Document Format
