TY - GEN
T1 - Simple
T2 - 35th Annual Computer Security Applications Conference, ACSAC 2019
AU - Foruhandeh, Mahsa
AU - Man, Yanmao
AU - Gerdes, Ryan
AU - Li, Ming
AU - Chantem, Thidapat
N1 - Funding Information:
This work was supported in part by NSF under grant numbers CNS-1410000, CNS-1801402, CPS-1658225, and by ARO under the grant number W911NF-19-1-0050. M. Foruhandeh is primarily responsible for the defence solution, while Y. Man is solely responsible for the attack design.
Publisher Copyright:
© 2019 Association for Computing Machinery.
PY - 2019/12/9
Y1 - 2019/12/9
N2 - The Controller Area Network (CAN) is a bus standard commonly used in the automotive industry for connecting Electronic Control Units (ECUs) within a vehicle. The broadcast nature of this protocol, along with the lack of authentication or strong integrity guarantees for frames, allows for arbitrary data injection/modification and impersonation of the ECUs. While mitigation strategies have been proposed to counter these attacks, high implementation costs or violation of backward compatibility hinder their deployment. In this work, we first examine the shortcomings of state-of-the-art CAN intrusion detection and identification systems that rely on multiple frames to detect misbehavior and attribute it to a particular ECU, and show that they are vulnerable to a Hill-Climbing-style attack. Then we propose SIMPLE, a real-time intrusion detection and identification system that exploits physical layer features of ECUs, which would not only allow an attack to be detected using a single frame but also be effectively nullified. SIMPLE has low computational and data acquisition costs, and its efficacy is demonstrated by both in-lab experiments with automotive-grade CAN transceivers as well as in-vehicle experiments, where average equal error rates of close to 0% and 0.8985% are achieved, respectively.
AB - The Controller Area Network (CAN) is a bus standard commonly used in the automotive industry for connecting Electronic Control Units (ECUs) within a vehicle. The broadcast nature of this protocol, along with the lack of authentication or strong integrity guarantees for frames, allows for arbitrary data injection/modification and impersonation of the ECUs. While mitigation strategies have been proposed to counter these attacks, high implementation costs or violation of backward compatibility hinder their deployment. In this work, we first examine the shortcomings of state-of-the-art CAN intrusion detection and identification systems that rely on multiple frames to detect misbehavior and attribute it to a particular ECU, and show that they are vulnerable to a Hill-Climbing-style attack. Then we propose SIMPLE, a real-time intrusion detection and identification system that exploits physical layer features of ECUs, which would not only allow an attack to be detected using a single frame but also be effectively nullified. SIMPLE has low computational and data acquisition costs, and its efficacy is demonstrated by both in-lab experiments with automotive-grade CAN transceivers as well as in-vehicle experiments, where average equal error rates of close to 0% and 0.8985% are achieved, respectively.
KW - Controller Area Networks
KW - Electronic Control Units
KW - Hill-climbing Attacks
KW - Physical Layer Identification
UR - http://www.scopus.com/inward/record.url?scp=85077814527&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85077814527&partnerID=8YFLogxK
U2 - 10.1145/3359789.3359834
DO - 10.1145/3359789.3359834
M3 - Conference contribution
AN - SCOPUS:85077814527
T3 - ACM International Conference Proceeding Series
SP - 229
EP - 244
BT - Proceedings - 35th Annual Computer Security Applications Conference, ACSAC 2019
PB - Association for Computing Machinery
Y2 - 9 December 2019 through 13 December 2019
ER -