Behavioral Characteristic-based Intrusion Detection and its Source Identification for Securing In-Vehicle Network
- 주제(키워드) In-vehicle networks (IVNs) , Controller Area Network (CAN) , Intrusion Detection Systems (IDSs) , ECU identification , Electronic Control Units (ECUs) , automotive cybersecurity
- 발행기관 고려대학교 정보보호대학원
- 지도교수 이동훈
- 발행년도 2023
- 학위수여년월 2023. 8
- 학위구분 박사
- 학과 정보보호대학원 정보보호학과
- 원문페이지 127 p
- UCI I804:11009-000000277602
- DOI 10.23186/korea.000000277602.11009.0000123
- 본문언어 영어
초록/요약
Modern vehicles have evolved into intricate cyber-physical systems, integrating numerous electronic control units (ECUs) that communicate through in-vehicle networks (IVNs) to exchange critical vehicle status information and control commands. At the same time, the increased connectivity of vehicles to external communications has expanded potential attack surfaces, leaving IVNs vulnerable to cyber threats. As a result, the need for security measures, such as intrusion detection systems (IDSs), to protect IVNs has gained significant attention. However, numerous studies of automotive IDSs have been conducted, new attacks against IVNs are constantly being developed, and methods to effectively detect intrusions and identify attacking ECUs are still needed. This thesis addresses the challenges associated with intrusion detection and ECU identification in automotive systems. Firstly, to overcome the limitations of existing public datasets for automotive IDSs, two types of masquerade attacks are proposed. These attacks represent sophisticated intrusion techniques that can evade detection by traditional frequency-based or payload-based IDSs. Real vehicle datasets obtained by performing these masquerade attacks on real vehicles are expected to enhance the ability of intrusion detection research. Secondly, a novel IDS approach is proposed to detect sophisticated attacks. This method focuses on identifying when an ECU is suspended and estimating when it will resume transmission. By analyzing messages transmitted during the suspension period, the proposed IDS can accurately determine the point at which a masquerade attack concludes. This enables efficient detection of such attacks, enhancing the overall security of IVNs. Lastly, a novel source identification method called SrcID is introduced to pinpoint the compromised ECU during a cyber attack. Leveraging the error-handling mechanism, SrcID intentionally induces errors on malicious transmissions and analyzes all affected transmissions. Experimental results demonstrate reliable identification without compromising the safety features of the vehicles. Overall, this thesis contributes to the field of in-vehicle network security by proposing two types of masquerade attacks to bypass existing automotive IDSs, presenting a novel IDS approach for enhanced attack detection, and introducing a precise source identification method. Through a comprehensive study, this research aims to enhance in-vehicle network security, ensuring the safety and convenience of drivers and passengers.
more목차
Abstract i
Contents iii
List of Figures vii
List of Tables x
1 Introduction 1
2 Background and Related Work 4
2.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1.1 Controller Area Network (CAN) . . . . . . . . . . . . . . . 4
2.1.2 Electronic Control Units (ECUs) . . . . . . . . . . . . . . . 7
2.1.3 CAN Data Frame . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.4 Error Handling and Fault Confinement . . . . . . . . . . . . 8
2.1.5 Unified Diagnostic Service (UDS) . . . . . . . . . . . . . . 11
2.1.6 Attacks on CAN Bus Communication . . . . . . . . . . . . 12
2.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2.1 Cryptographic Techniques . . . . . . . . . . . . . . . . . . 16
2.2.2 Automotive IDS and Identification of ECUs . . . . . . . . . 17
2.2.3 Datasets for Automotive IDS . . . . . . . . . . . . . . . . . 20
3 ECU Behavior-Aware Masquerade Attack 24
3.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.2 Attack Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.2.1 Attack Types . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.2.2 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.3 Anatomy of the Masquerade Attack . . . . . . . . . . . . . . . . . 31
3.3.1 Phase 1: Exploration of UDS Services . . . . . . . . . . . . 31
3.3.2 Phase 2: Target ECU Behavior Analysis . . . . . . . . . . . 33
3.3.3 Phase 3: Masquerade Attack . . . . . . . . . . . . . . . . . 35
3.4 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.4.1 Experimental Setup . . . . . . . . . . . . . . . . . . . . . . 36
3.4.2 Analysis of UDS Service Parameters . . . . . . . . . . . . 36
3.4.3 Preservation of Message Periodicity . . . . . . . . . . . . . 38
3.4.4 Consistency in Data Payload . . . . . . . . . . . . . . . . . 40
3.4.5 CAN Bus Network Mapping . . . . . . . . . . . . . . . . . 42
3.4.6 Real-Time Masquerade Attack Datasets . . . . . . . . . . . 42
3.4.7 Evaluation of ML-based IDSs for Masquerade Attacks . . . 44
3.5 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4 TTIDS: Transmission-resuming Time-based IDS 46
4.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
4.2 System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
4.2.1 Attack Model . . . . . . . . . . . . . . . . . . . . . . . . . 47
4.2.2 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 48
4.3 Transmission-resuming Time-based IDS . . . . . . . . . . . . . . . 49
4.3.1 System Overview . . . . . . . . . . . . . . . . . . . . . . . 49
4.3.2 Suspension Detection . . . . . . . . . . . . . . . . . . . . . 50
4.3.3 Estimation of Transmission-resuming Time . . . . . . . . . 50
4.3.4 Classification between Normal and Malicious Messages . . 58
4.4 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.4.1 Experimental Setup . . . . . . . . . . . . . . . . . . . . . . 58
4.4.2 Network Mapping . . . . . . . . . . . . . . . . . . . . . . 59
4.4.3 Detection of Suspended ECUs . . . . . . . . . . . . . . . . 60
4.4.4 Estimation of Transmission-resuming Time . . . . . . . . . 61
4.4.5 Masquerade Attack Detection . . . . . . . . . . . . . . . . 65
4.5 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
5 SrcID: Source Identification 68
5.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
5.2 System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
5.2.1 System Overview . . . . . . . . . . . . . . . . . . . . . . . 70
5.2.2 Attack Type . . . . . . . . . . . . . . . . . . . . . . . . . . 71
5.2.3 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 72
5.3 Intentional Error-based Source Identification: SrcID . . . . . . . . . 73
5.3.1 Corruption of Malicious CAN Message . . . . . . . . . . . 75
5.3.2 Verification of CAN Message . . . . . . . . . . . . . . . . 77
5.3.3 Diagnostic Channel Discovery . . . . . . . . . . . . . . . . 78
5.3.4 Against SrcID-Aware Attack . . . . . . . . . . . . . . . . . 80
5.4 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
5.4.1 Experimental Setup . . . . . . . . . . . . . . . . . . . . . . 81
5.4.2 Basic Analysis . . . . . . . . . . . . . . . . . . . . . . . . 83
5.4.3 Consecutive Repetition . . . . . . . . . . . . . . . . . . . . 88
5.4.4 Against Standard Attack . . . . . . . . . . . . . . . . . . . 88
5.4.5 Against SrcID-Aware Attacks . . . . . . . . . . . . . . . . 92
5.5 Safety Concern for SrcID . . . . . . . . . . . . . . . . . . . . . . . 94
5.6 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
6 Conclusion 99
Reference 101
