Security, Edge and Cloud Lab

Abstract

This work presents an experimental evaluation of the detection performance of eight different algorithms for anomaly detection on the Controller Area Network (CAN) bus of modern vehicles based on the analysis of the timing or frequency of CAN messages. This work solves the current limitations of related scientific literature, which is based on a private dataset and lacks open implementations and a detailed description of the detection algorithms. These drawbacks prevent the reproducibility of published results, making it impossible to compare a novel proposal against related work, thus hindering the advancement of science. This article solves these issues by publicly releasing implementations and labeled datasets and by describing unbiased experimental comparisons.

Year: 2024 | Pages: 1 - 24

ISSN: 2378-962X | DOI: 10.1145/3604913

Abstract

Recent research showcased several cyber-attacks against unmodified licensed vehicles, demonstrating the vulnerability of their internal networks. Many solutions have already been proposed by industry and academia, aiming to detect and prevent cyber-attacks targeting in-vehicle networks. The majority of these proposals borrow security algorithms and techniques from the classical ICT domain, and in many cases they do not consider the inherent limitations of legacy automotive protocols and resource-constrained microcontrollers. This paper proposes DAGA, an anomaly detection algorithm for in-vehicle networks exploiting n-gram analysis. DAGA only uses sequences of CAN message IDs for the definition of the n-grams used in the detection process, without requiring the content of the payload or other CAN message fields. The DAGA framework allows the creation of detection models characterized by different memory footprints, allowing their deployment on microcontrollers with different hardware constraints. Experimental results based on three prototype implementations of DAGA showcase the trade off between hardware requirements and detection performance. DAGA outperforms the state-of-the-art detectors on the most performing microcontrollers, and can execute with lower performance on simple microcontrollers that cannot support the vast majority of IDS approaches proposed in literature. As additional contributions, we publicly release the full dataset and our reference DAGA implementations.

Year: 2022 | Pages: 11540 - 11554

ISSN: 0018-9545 | DOI: 10.1109/TVT.2022.3190721

Abstract

Cooperative Intelligent Transportation Systems (C-ITS) improve driving experience and safety through secure Vehicular Ad-hoc NETworks (VANETs) that satisfy strict security and performance constraints. Relevant standards, such as the IEEE 1609.2, prescribe network-efficient cryptographic protocols to reduce communication latencies through a combination of the Elliptic Curve Qu-Vanstone (ECQV) implicit certificate scheme and the Elliptic Curve Digital Signature Algorithm (ECDSA). However, literature lacks open implementations and performance evaluations for vehicular systems. This paper assesses the applicability of IEEE 1609.2 and of ECQV and ECDSA schemes to C-ITSs. We release an open implementation of the standard ECQV scheme to benchmark its execution time on automotive-grade hardware. Moreover, we evaluate its performance in real road and traffic scenarios and show that compliance with strict latency requirements defined for C-ITS requires computational resources that are not met by many automotive-grade embedded hardware platforms. As a final contribution, we propose and evaluate novel heuristics to reduce the number of signatures to be verified in real C-ITS scenarios.

Year: 2021 | Pages: 12946 - 12959

ISSN: 0018-9545 | DOI: 10.1109/TVT.2021.3122333

Abstract

This article describes both a concept and an implementation of vehicle safe-mode (VSM) - a mechanism that may help reduce the damage of an identified cyberattack to the vehicle, its driver, the passengers, and its surroundings. Unlike other defense mechanisms that try to block the attack or simply notify of its existence, the VSM mechanism responds to a detected intrusion by limiting the vehicle’s functionality to safe operations and optionally activating additional security countermeasures. This is done by adopting ideas from the existing mechanism of Limp-mode that was originally designed to limit the damage of a mechanical, or an electrical, malfunction and let the vehicle “limp back home” in safety. Like Limp-mode, the purpose of safe-mode is to limit the vehicle from performing certain functions when conditions arise that could render full operation dangerous: Detecting a malfunction in the Limp-mode case is analogous to detecting an active cybersecurity breach in the safe-mode case, and the reactions should be analogous as well. The authors demonstrate that the VSM can be implemented, possibly even as an aftermarket add-on: to do so the authors developed a proof-of-concept (PoC) system and actively tested it in real time on an operating vehicle. Once activated, the authors' VSM system restricts the vehicle to Limp-mode behavior by guiding it to remain in low gear, taking into account the vehicle’s speed and the driver’s actions. The authors' system does not require any changes to the electronic control units (ECUs), or to any other part of the vehicle, beyond connecting the safe-mode manager (SMManager) to the correct bus. The authors note that their system can rely upon any deployed anomaly-detection system to identify the potential attack. The authors point out that restricting the vehicle to Limp-mode-like behavior by an aftermarket system is just an example. If a car manufacturer would integrate such a system into a vehicle, they would have many more options, and the resulting system would probably be safer and with a better human-machine interface.

Year: 2020 | Pages: 19 - 39

ISSN: 2572-1046 | DOI: 10.4271/11-02-02-0006

Abstract

Security analytics and forensics applied to in-vehicle networks are growing research areas that gained relevance after recent reports of cyber-attacks against unmodified licensed vehicles. However, the application of security analytics algorithms and tools to the automotive domain is hindered by the lack of public specifications about proprietary data exchanged over in-vehicle networks. Since the controller area network (CAN) bus is the de-facto standard for the interconnection of automotive electronic control units, the lack of public specifications for CAN messages is a key issue. This paper strives to solve this problem by proposing READ: A novel algorithm for the automatic Reverse Engineering of Automotive Data frames. READ has been designed to analyze traffic traces containing unknown CAN bus messages in order to automatically identify and label different types of signals encoded in the payload of their data frames. Experimental results based on CAN traffic gathered from a licensed unmodified vehicle and validated against its complete formal specifications demonstrate that the proposed algorithm can extract and classify more than twice the signals with respect to the previous related work. Moreover, the execution time of signal extraction and classification is reduced by two orders of magnitude. Applications of READ to CAN messages generated by real vehicles demonstrate its usefulness in the analysis of CAN traffic.

Year: 2019 | Pages: 1083 - 1097

ISSN: 1556-6013 | DOI: 10.1109/TIFS.2018.2870826

Abstract

Consumer IP cameras are now the most widely adopted solution for remote monitoring in various contexts, such as private homes or small offices. While the security of these devices has been scrutinized, most approaches are limited to relatively shallow network-based analyses. In this paper, we discuss a methodology for the security analysis and identification of remotely exploitable vulnerabilities in IP cameras, which includes static and dynamic analyses of executables extracted from IP camera firmware. Compared to existing methodologies, our approach leverages the context of the target device to focus on the identification of malicious invocation sequences that could lead to exploitable vulnerabilities. We demonstrate the application of our methodology by using the Tenda CP3 IP camera as a case study. We identified five novel CVEs, with CVSS scores ranging from 7.5 to 9.8. To partially automate our analysis, we also developed a custom tool based on Ghidra and rhabdo-mancer.

Year: 2024 | Pages: 195 - 210

ISSN: 0302-9743 | DOI: 10.1007/978-981-97-7737-2_11

Abstract

Modern Network Intrusion Detection Systems (NIDS) involve Machine Learning (ML) algorithms to automate the detection process. Although this integration has significantly enhanced their efficiency, ML models have been found vulnerable to adversarial attacks, which alter the input data to fool the detectors into producing a misclassification. Among the proposed countermeasures, adversarial training appears to be the most promising technique; however, it demands a large number of adversarial samples, which typically have to be manually produced. We overcome this limitation by introducing a novel methodology that employs a Graph AutoEncoder (GAE) to generate synthetic traffic records automatically. By design, the generated samples exhibit alterations in the attributes compared to the original netflows, making them suitable for use as adversarial samples during the adversarial training procedure. By injecting the generated samples into the training set, we obtain hardened detectors with better resilience to adversarial attacks. Our experimental campaign based on a public dataset of real enterprise network traffic also demonstrates that the proposed method even improves the detection rates of the hardened detectors in non-adversarial settings.

Year: 2024 | Pages: n/a - n/a

ISSN: 1613-0073 | DOI: n/a

Abstract

In this paper we present RealCAN, a real-time capable extension of the canplayer tool available in can-utils, a collection of utilities for interacting with Controller Area Network bus systems on Linux-based operating systems. In particular, RealCAN addresses the main limitation of working with fixed time intervals while replaying previously collected CAN traces with the canplayer tool, allowing developers, engineers and researchers to replay CAN traffic data by maintaining the original time difference between consecutive messages. Performance benchmarks of RealCAN demonstrate its effectiveness in meeting strict timing requirements for critical applications in both simulated environment and real CAN test setups.

Year: 2024 | Pages: n/a - n/a

ISSN: 1550-2252 | DOI: 10.1109/VTC2024-Fall63153.2024.10757619

Abstract

With the increasing adoption of Vehicular Ad Hoc Networks (VANETs) for the development of Cooperative Intelligent Transportation Systems (C-ITS) many concerns regarding privacy and anonymity in VANETs have been raised by security researchers and practitioners, highlighting the need for effective mechanisms to protect sensitive information exchanged by connected vehicles. One of the first concerns is related to the vehicle's identifier, a field contained in the messages sent from the vehicle and that can be used to track the vehicle across the infrastructure, with consequent severe implications on the privacy of the driver. Consequently, VANET communications leverage short-lived pseudonyms instead of persistent vehicle's identifiers, aiming to enhance the privacy of the vehicle. Pseudonym change schemes proposed in the literature are effective in masking the real sender of a given message, but they do not guarantee privacy against attackers that can monitor and correlate multiple messages among themselves. This paper evaluates 5 different pseudonym change mechanisms against a realistic threat model. Our results demonstrate that it is possible for a realistic attacker to reliably track multiple vehicles, with minor differences across different pseudonym change schemes.

Year: 2023 | Pages: 1 - 6

ISSN: 1550-2252 | DOI: 10.1109/VTC2023-Fall60731.2023.10333561

Abstract

This paper proposes SixPack v2, an enhanced version of the SixPack attack that allows to evade even state-of-the-art misbehavior detection systems. As the original SixPack, SixPack v2 is a dynamic attack targeting other C-ITS entities by simulating the sudden activation of the braking system with consequent activation of the Anti-lock Braking System. SixPack v2 achieves better evasion by improving the main phases of the attack (FakeBrake, Recovery, and Rejoin) through a novel path-reconstruction algorithm that generates a more realistic representation of the real vehicle trajectory. We experimentally evaluate the evasion capabilities of SixPack v2 using the F2MD framework on the LuSTMini city scenario, and we compared the detection performance of the F2MD framework on both versions of SixPack. Results show that SixPack v2 evades detection with a significantly higher likelihood with respect to the initial version of the attack, even against the latest version of F2MD.

Year: 2022 | Pages: 243 - 249

ISBN: 979-8-3503-9730-7 | DOI: 10.1109/NCA57778.2022.10013565

Abstract

Cyber-physical systems (CPS) are highly integrated mechanisms in which one or more subsystems are monitored and controlled by software, possibly with a high degree of autonomy and minimal external inputs coming from users. A prominent example of widespread cyber-physical systems are modern passenger vehicles, that are composed by many mechanical parts controlled by Electronic Control Units (ECUs), which are programmed to perform different tasks in the automotive system. Mechanisms controlled through ECUs range from simple tasks activated by drivers, such as windshield wipers or power windows, to completely automated, complex and real-time systems, such as engine control, power steering, Electronic Stability Program (ESP) or the Anti-lock Braking System (ABS). These software-driven safety-relevant features are extremely effective in reducing the overall number of car accidents and fatalities. However, they also open new avenue for cyber-attackers, that can now explore (and possibly exploit) a wide range of software-based attacks against the control logic implemented by ECUs. These threats are also magnified by the current trend toward an increasing connectivity of modern vehicles. It is now common even for low-tier vehicles to integrate Bluetooth connectivity with smartphones (hence an indirect connection to the Internet) or direct Internet connectivity through cellular networks. Similar threats are not only theoretical. Recent research and media reports showcased several cyber-attacks against recent, unmodified licensed vehicles, which exploited cellular connections to penetrate the automotive network and obtain remote control over the engine, brakes and power steering systems. These recent works exposed different vulnerabilities of the networking protocols and communication buses enabling communication among safety-relevant ECUs. These systems are based on outdated standards, that have been designed for simpler ECUs and completely isolated networks, and do not provide any security guarantee. This thesis proposes many solutions for improving the cyber-security of the internal network communications of modern vehicles, and addresses the whole cyber-security lifecycle ranging from the prevention of cyber-attacks to their detection in operational vehicles and up to the proposal of automatic countermeasure that can mitigate the physical consequences of cyber-attacks. Prevention of cyber-attacks requires the adoption of secure protocols that include integrity and authentication guarantees for safety-relevant in-vehicle communications. In this field this thesis explores the trade-offs among different strategies for the management and distribution of cryptographic material, taking into consideration the full lifecycle of a modern vehicle. Attack detection represents the main focus of this thesis, that proposes several novel intrusion detection algorithms specifically designed for the detection of realistic cyber-attacks against modern internal vehicle networks. All the proposed intrusion detection algorithms have been validated through experiments carried out over real communications among ECUs, gathered from modern unmodified vehicles. The proposed algorithms meet the hard computational and memory constraints of common automotive ECUs. To overcome the limitations caused by the lack of public specifications of internal communications in real vehicles, this thesis also proposes a novel algorithm for automatic reverse-engineering of automotive data-frames that allows to apply more fine-grained intrusion detection algorithms. Finally, the thesis proposes a novel strategy for reacting to a detected cyber-attack by leveraging the limp-home mode (a protection mechanism already implemented by ECUs) in the service of cybersecurity.

Year: 2020 | Pages: n/a - n/a

DOI: n/a