CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION (Görkem Batmaz) - PowerPoint PPT Presentation



SLIDE 1

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION

Görkem Batmaz, Systems Engineer

Ildikó Pete, Systems Engineer

28th March, 2018

SLIDE 2

Car Hacking

2014 Jeep Cherokee (remote attack)

Engage brakes, take control of steering

“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl.” (Andy Greenberg, Wired)

SLIDE 3

Agenda

AUTOMOTIVE SECURITY

▪ Connectivity in Modern Vehicles
▪ Controller Area Network (CAN) Vulnerabilities

CAN ATTACKS

▪ Attack Types
▪ Detection & Prevention

CAN ANOMALY DETECTOR

▪ Data
▪ Approach

RESULTS & CONCLUSIONS

▪ Discussion of Results

SLIDE 4

Increasing Complexity & Functionality

Interconnectedness

  • Figure 1. Some connections of a modern car (labels: Engine Control Unit, Transmission Control Unit, Infotainment, TPMS, OBD-II, Telematics, Vehicle to Vehicle Communication, Internet)

SLIDE 5

Controller Area Network (CAN) Security

SLIDE 6

CAN Characteristics

▪ Message types: Information, Diagnostic
▪ Message exchange: Broadcast
▪ Message-based protocol, no addressing
▪ Arbitration method to resolve priorities

  • Figure 2. The CAN network

SLIDE 7

CAN Vulnerabilities

Authenticity

Lack of sender authentication → Masquerading

Availability

Arbitration rules (high priority messages) → Denial of Service

Non Repudiation

No mechanisms to prove an ECU sent or received a message

Confidentiality

Every message sent on CAN is broadcast to every node → Eavesdropping

SLIDE 8

Most Critical Attack Types on CAN

REPLAY

Replace message contents with some pre-recorded values

INJECTION

Inject false messages appearing to be legitimate

DOS

Flood the network

SLIDE 9

Detection & Prevention

▪ ANOMALY DETECTION
▪ Over-the-air updates
▪ ANTI-MALWARE
▪ Tamper detection
▪ Secure boot
▪ Device identification
▪ CRYPTOGRAPHIC SERVICES
▪ ECU software integrity

SLIDE 10

Anomaly Detection

Finding unusual patterns in data that do not conform to expected behavior

E.g. fraud detection

SLIDE 11

Types of Anomalies

▪ Point Anomaly
▪ Collective Anomaly
▪ Contextual (Conditional) Anomaly

Examples:

▪ E.g. vehicle speed is 500 miles/hour
▪ E.g. vehicle speed is 80 miles/hour & steering wheel angle is 90 degrees
▪ E.g. vehicle speed changes from 50 miles/hour to 80 miles/hour in less than X seconds

SLIDE 12

Controller Area Network (CAN) Security

Controller Area Network (CAN) Anomaly Detector

SLIDE 13

Detect security-related CAN network anomalies resulting from malicious activities

Attacks: Injection, Replay

Anomalies: Contextual

SLIDE 14

CAN Frame

CAN Message fields and widths:

▪ Start of Frame: 1 bit
▪ CAN ID: 11 or 29 bits
▪ RTR: 1 bit
▪ Control: 6 bits
▪ Data: 0-64 bits
▪ CRC: 16 bits
▪ ACK: 2 bits
▪ End of Frame: 7 bits
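
The frame layout on this slide, worked through in code as an added example (not part of the original deck): a parser for a standard 11-bit-ID frame that splits out the fields and checks the CRC-15. It assumes the bits are already destuffed; the helper names are chosen for this illustration, and the sample message (ID 104 with six payload bytes) reuses values listed in the deck's dataset.

```python
CAN_POLY = 0x4599  # CRC-15 generator polynomial from the CAN specification

def crc15(bits):
    """CRC-15 over the destuffed bits from start of frame through the data field."""
    reg = 0
    for bit in bits:
        feedback = bit ^ (reg >> 14)
        reg = (reg << 1) & 0x7FFF
        if feedback:
            reg ^= CAN_POLY
    return reg

def to_bits(value, width):
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]

def from_bits(bits):
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value

def build_frame(can_id, data):
    """Assemble a destuffed standard data frame as a bit list (makes the sample input)."""
    head = [0] + to_bits(can_id, 11) + [0]      # start of frame, CAN ID, RTR
    head += [0, 0] + to_bits(len(data), 4)      # control: IDE, r0, 4-bit DLC
    for byte in data:
        head += to_bits(byte, 8)
    # CRC + delimiter (16 bits), ACK slot + delimiter (2 bits), end of frame (7 bits)
    return head + to_bits(crc15(head), 15) + [1] + [0, 1] + [1] * 7

def parse_frame(bits):
    """Split a frame into the fields listed on the slide and verify its CRC."""
    if len(bits) < 44 or bits[0] != 0 or bits[13] != 0:
        raise ValueError("expected a standard frame (dominant SOF, IDE = 0)")
    rtr, dlc = bits[12], from_bits(bits[15:19])
    data_end = 19 + (0 if rtr else min(dlc, 8) * 8)
    if len(bits) != data_end + 25:              # 16 CRC + 2 ACK + 7 EOF bits
        raise ValueError("frame length does not match its DLC")
    data = bytes(from_bits(bits[i:i + 8]) for i in range(19, data_end, 8))
    crc_ok = from_bits(bits[data_end:data_end + 15]) == crc15(bits[:data_end])
    # crc_ok only rules out corruption in transit: any node can compute the CRC,
    # so it says nothing about which ECU sent the frame.
    return {"id": from_bits(bits[1:12]), "rtr": rtr, "dlc": dlc,
            "data": data, "crc_ok": crc_ok}

# Constructed input: message ID 104 and its six payload bytes from the dataset slide.
SAMPLE = build_frame(104, bytes([223, 255, 247, 255, 223, 3]))
```

A passing CRC is an integrity check against bus errors only, which is why the deck's detector inspects payload content rather than trusting well-formed frames.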

SLIDE 15

The Dataset: BB8 CAN flow

Timestamp | MessageID | Length | PAYLOAD (BYTE, BYTE 1, BYTE 2, BYTE 3, BYTE 4, BYTE 5, BYTE 6, BYTE 7)
574165791302335 | 101 | 8 | 143 4 140 4 160 4 155 4 (W-Speed)
574165791302421 | 102 | 8 | 3 254 55 254 15 254 15 254 (SUSPENSION)
574165791302432 | 103 | 4 | 1 252 255 (ROLL&YAW)
574165791302441 | 104 | 6 | 223 255 247 255 223 3 (ACCELERATION)

SLIDE 16

Constraints | Solutions
Power/Performance | Recurrent Neural Networks (RNNs)
Multiple ECUs on the CAN BUS | Message ID Selection
Unstructured Data | Content Extraction

SLIDE 17

Security Solution

Diagram labels: CAN BUS, CAN Firewall, CAN Anomaly Detector, Message ID selector & Content Extractor, 1st NNs, Contextual Anomaly Detection, Errors, 2nd NN, Stage 2 Detection, Output: Probability of an attack, Policy Handler

SLIDE 18

Recurrent Neural Network (RNN)

Diagram labels: Input, Hidden, Output

SLIDE 19

Recurrent Neural Network (RNN)

Diagram labels: Input t0, Input t1, Input t2, Input t3; Hidden t0, Hidden t1, Hidden t2, Hidden t3; Output

SLIDE 20

Long Short Term Memory Cell (LSTM)

Forget gate > Sigmoid; Input gate > Sigmoid; Output gate > Sigmoid; C

Diagram labels: Memory (t-1), Forget, Input, Cell, Output, CAN BUS Input (t), Hidden (t-1), Hidden (t), Memory (t), Next Step, CAN BUS Input (t+1)

SLIDE 21

Dense Layer

Diagram labels: LSTM CELL, DENSE LAYER, OUTPUT (repeated)

SLIDE 22

Contextual Anomaly Detection Work Flow

Diagram labels: Training (Titan X), Inference, Pre-Processing, Hyperparameters, Custom error metric, Model HDF, Binary, Errors, Input for Second Stage

SLIDE 23

Contextual Anomaly Detection Work Flow - 2nd Stage

Diagram labels: Training (Titan X), Inference, Errors from 1st NNs, Hyperparameters, Model HDF, Probability of an Attack
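
The two-stage workflow from the Security Solution and Work Flow slides, as an added example that is not the presenters' code: per-message-ID predictors emit errors, and a second stage turns those errors into an attack probability for the policy handler. A median-of-three predictor and a logistic function stand in for the LSTMs and the 2nd NN; the payload decoding, the scale, bias and threshold values, and the trace are constructed assumptions.

```python
import math
from collections import defaultdict, deque
from statistics import median

SELECTED_IDS = {101, 104}   # message ID selector (IDs as listed on the dataset slide)

def extract(payload):
    """Content extractor. Assumption: bytes 0-1 hold a little-endian 16-bit value."""
    return payload[0] | (payload[1] << 8)

class Stage1:
    """One predictor per message ID; a median of the last 3 values stands in for the LSTM."""
    def __init__(self):
        self.history = defaultdict(lambda: deque(maxlen=3))

    def error(self, msg_id, value):
        past = self.history[msg_id]
        err = abs(value - median(past)) if len(past) == 3 else 0.0
        past.append(value)
        return err

def stage2(errors, scale=50.0, bias=4.0):
    """Latest per-ID errors -> attack probability (logistic stand-in for the 2nd NN)."""
    return 1.0 / (1.0 + math.exp(bias - sum(errors.values()) / scale))

def detect(trace, threshold=0.5):
    """Timestamps at which the policy handler would raise an alert."""
    stage1, latest, flagged = Stage1(), {}, []
    for timestamp, msg_id, length, payload in trace:
        if msg_id not in SELECTED_IDS or length != len(payload) or length < 2:
            continue
        latest[msg_id] = stage1.error(msg_id, extract(payload))
        if stage2(latest) > threshold:   # stays raised until that ID scores normally again
            flagged.append(timestamp)
    return flagged

def make_trace():
    """Constructed rows (timestamp, ID, length, payload); cycle 5 carries an injected value."""
    rows, t = [], 574165791302335
    for cycle in range(8):
        speed = 3000 if cycle == 5 else 1167 + 4 * cycle
        rows.append((t, 101, 8, [speed & 255, speed >> 8, 0, 0, 0, 0, 0, 0]))
        rows.append((t + 90, 104, 6, [223, 255, 247, 255, 223, 3]))
        t += 10000
    return rows
```

On the constructed trace the alert covers the out-of-context ID 101 frame and the ID 104 frame that follows it, then clears when ID 101 next scores normally.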

SLIDE 24

Training Architecture

Diagram labels: DATA SOURCE (CAN DATA), Hyperparameters, FRAMEWORKS (Keras, TensorFlow), NVIDIA GPU TITAN X, Model

SLIDE 25

Production Architecture

Diagram labels: DATA SOURCE (CAN FLOW), Model, FRAMEWORK (TensorRT), NVIDIA DRIVE GPU, Probability of an Attack

SLIDE 26

Model Evaluation

Using Sensitivity & Specificity

▪ True Positives (Anomalies) caught
▪ True Negatives allowed

SLIDE 27

RESULTS

Figure 3. Histogram – Error values output by the 2nd NN

X axis: Deviation

Y axis: Frequency of errors

Median of Positives: 7.82

Median of Negatives: 0.04

SLIDE 28

RESULTS

➢ Sensitivity: 0.87
➢ Specificity: 0.94

Figure 4. Histogram – Error values output by the 2nd NN

X axis: Deviation

Y axis: Frequency of errors

SLIDE 29

DISCUSSION

Results Per Attack Type

Injection attacks

Total: 37 Detected: 32

Replay attacks

Total: 42 Detected: 37

SLIDE 30

DISCUSSION

Conclusion

A wall between Autonomous-Driving Software and the unsecured CAN-BUS

▪ Low inference computational cost
▪ Fast response
▪ Offline training
▪ Future Work

SLIDE 31

THANK YOU QUESTIONS?


SLIDE 33

Images

  • Figure 1. Connections of a modern car
  • Figure 2. CAN network
  • Figure 3. Histogram – Error values output by the 2nd NN
  • Figure 4. Histogram – Error values output by the 2nd NN

SLIDE 34

APPENDICES

SLIDE 35

Equations in a LSTM Cell – without the dense layer.