CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , - PowerPoint PPT Presentation

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Görkem Batmaz , Systems Engineer Ildikó Pete , Systems Engineer 28 th March, 2018

Car Hacking “Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. ” (Andy Greenberg, Wired) 2014 Jeep Cherokee (remote attack) Engage brakes, Take control of steering

Agenda CAN ATTACKS AUTOMOTIVE SECURITY Connectivity in Modern Vehicles ▪ Attack Types ▪ ▪ Controller Area Network (CAN) ▪ Detection & Prevention Vulnerabilities CAN ANOMALY DETECTOR RESULTS & CONCLUSIONS ▪ Data ▪ Discussion of Results ▪ Approach 3

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Internet Vehicle to Vehicle Communication CAN Attacks 1 Telematics Engine Control Unit Increasing Complexity & Transmission Control functionality Unit Results and Conclusions CAN Anomaly Detector 2 Infotainment Interconnectedness TPMS OBD-II 4 Figure1. Some connections of a modern car

Controller Area Network (CAN) Security

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions CAN Characteristics Message types: Information, Diagnostic Message exchange: Broadcast Message-based protocol, no addressing Arbitration method to resolve priorities 6 Figure2. The CAN network

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions CAN Vulnerabilities Confidentiality Every message sent on CAN is broadcast to every node  Eavesdropping Authenticity Lack of sender authentication  Masquerading Results and Conclusions CAN Anomaly Detector Availability Arbitration rules (high priority messages)  Denial of Service Non Repudiation No mechanisms to prove an ECU sent or received a message 7

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Most Critical Attack Types on CAN REPLAY INJECTION DOS Replace Inject false messages message Flood the appearing to CAN Anomaly Detector contents network be with some legitimate pre-recorded values 8

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Detection & Prevention CAN Attacks Device identification C RY P TO G R A P H I C S E RV I C E S ANOMALY DETECTION ANOMALY DETECTION A N T I - M A LWA R E Over-the-air updates detection Tamper Results and Conclusions CAN Anomaly Detector Secure boot ECU software integrity 9

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions CAN Attacks Anomaly Detection Finding unusual patterns in data that do not conform to expected behavior Results and Conclusions E.g. fraud detection 10

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Types of Anomalies CAN Attacks Contextual Point Collective (Conditional) Anomaly Anomaly Anomaly E. g. vehicle E.g. vehicle E.g. vehicle speed changes speed is 80 CAN Anomaly Detector speed is 500 Results and Conclusions from 50 miles/hour & miles/hour miles/hour to steering wheel 80 miles/hour angle is 90 in less than X degrees seconds 11

Controller Area Network (CAN) Anomaly Detector Controller Area Network (CAN) Security 12

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Detect security-related CAN network anomalies resulting from malicious activities Attacks: Injection, Replay Anomalies: Contextual 13

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions CAN Frame CAN Attacks CAN Message CAN Anomaly Detector CRC Start CAN ID Control Data ACK End of RTR of Frame Frame 11 or 29 6 bits 1 bit 1 bit 0-64 bits 16 bits 2 bits 7 bits bits 14

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions The Dataset: BB8 CAN flow CAN Attacks PAYLOAD Timestamp MessageID Length BYTE BYTE BYTE BYTE BYTE BYTE BYTE BYTE 0 1 2 3 4 5 6 7 101 8 143 4 140 4 160 4 155 4 574165791302335 W-Speed Results and Conclusions 102 8 3 254 55 254 15 254 15 254 574165791302421 SUSPENSION 103 4 1 0 252 255 0 0 0 0 574165791302432 ROLL&YAW 104 6 223 255 247 255 223 3 0 0 574165791302441 ACCELERATION 15

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Constraints Solutions CAN Attacks Multiple ECUs on the Message ID Selection CAN BUS Unstructured Data Content Extraction Power/Performance Recurrent Neural Networks (RNNs) 16

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Security CAN Anomaly Detector Solution Output: Probability Errors of an attack Message ID CAN BUS selector & CAN 1 st NNs 2 nd NN Firewall Content Extractor Policy Handler Contextual Anomaly Stage 2 Detection Detection 17

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Recurrent Neural Network (RNN) CAN Attacks Hidden Output Input 18

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Recurrent Neural Network (RNN) CAN Attacks Hidden t3 Hidden t0 Hidden t1 Hidden t2 Output Input t0 Input t2 Input t3 Input t1 19

CAN Attacks Automotive Security CAN Anomaly Detector Results & Conclusions Long Short Term Memory Cell (LSTM) CAN BUS CAN BUS Input (t+1) Input (t) Hidden (t) Hidden (t-1) Forget gate> Sigmoid Input Gate> Sigmoid C Next Input Forget Cell Output Step Output gate> Sigmoid Memory (t-1) Memory (t) 20

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Dense Layer OUTPUT OUTPUT DENSE DENSE LAYER LAYER LSTM LSTM ………….. CELL CELL 21

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Contextual Anomaly Detection Work Flow Hyperparameters Training Errors (Titan X) Binary Model Pre- HDF Results and Conclusions Processing Custom error metric Inference Input for Second Stage 22

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Contextual Anomaly Detection Work Flow-2 nd Stage Hyperparameters Training (Titan X) Errors from 1 st Model NNs HDF Results and Conclusions Probability Inference of an Attack 23

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Training Architecture DATA SOURCE FRAMEWORKS Model CAN DATA Keras NVIDIA GPU TensorFlow TITAN X Hyperparameters 24

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Production Architecture DATA SOURCE FRAMEWORK Probability of an Attack CAN FLOW TensorRT NVIDIA DRIVE Model GPU 25

Model Evaluation Using Sensitivity & Specificity True Positives (Anomalies) caught True Negatives allowed

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions X axis: Deviation Y axis: Frequency of errors RESULTS Median of Positives: 7.82 Median of Negatives: 0.04 Figure 3. Histogram – Error values output by the 2 nd NN 27

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions X axis: Deviation Y axis: Frequency of errors RESULTS ➢ Sensitivity: 0.87 ➢ Specificity: 0.94 Figure 4. Histogram – Error values output by the 2 nd NN 28

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Results Per Attack Type Injection attacks Replay attacks DISCUSSION Total: 37 Total: 42 Detected: 32 Detected: 37 29

Automotive Security CAN Attacks CAN Anomaly Detector Results & Conclusions Conclusion A wall between Autonomous-Driving Software and the unsecured CAN-BUS DISCUSSION Low inference computational cost Fast response Offline training Future Work 30

THANK YOU QUESTIONS?

References [1] Ivan Studnia, Vincent Nicomette, Eric Alata, Yves Deswarte, Mohamed Kaâniche, Youssef Laarouchi Survey on security threats and protection mechanisms in embedded automotive networks Retrieved: https://hal.archives-ouvertes.fr/hal-01176042/document [2] Automotive Security Best Practices Retrieved: http://www.mbedlabs.com/2016/01/automotive-can-bus-system-explained.html [3] Sasan Jafarnejad, Lara Codeca, Walter Bronzi, Raphael Frank, Thomas Engel A Car Hacking Experiment: When Connectivity meets Vulnerability [4] Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage Comprehensive Experimental Analyses of Automotive Attack Surfaces Retrieved: http://www.autosec.org/pubs/cars-usenixsec2011.pdf [5] Automtive CAN Bus System Explained Retrieved: http://www.mbedlabs.com/2016/01/automotive-can-bus-system-explained.html [6] Charlie Miller, Chris Valasek. Adventures in Automotive Networks and Control Units Retrieved: http://illmatics.com/car_hacking.pdf [7] Varun Chandola, Arindam Banarjee, Vipin Kumar Anomaly Detection: A Survey Retrieved: http://cucis.ece.northwestern.edu/projects/DMS/publications/AnomalyDetection.pdf [8] Dhruba K. Bhattacharyya, Jugal Kumar Kalita Network Anomaly Detection – A machine learning perspective 32

Images Figure1. Connections of a modern car Figure 2. CAN network Figure 3. Histogram – Error values output by the 2nd NN Figure 4. Histogram – Error values output by the 2nd NN 33

APPENDICES