Intrusion Detection using Bit Timing Characteristics for CAN Bus
Patel, Chitvan Kirit
In today's world, most automobiles use the Controller Area Network (CAN) bus for communication between various Electronic Control Units (ECUs), also called nodes on the CAN bus. Each ECU on the CAN bus is a microcontroller that sends a unique identifier used for node identification. It is possible to spoof node A by sending the same identifier through node B and thereby control node A. Thus, a hacker can control the steering using the car's internal lights and render it ineffective or misuse it. In order to combat this, we try to fingerprint each node by identifying the unique bit timing characteristics of its identifier. To that end, the bit timing characteristics used are the Time of Flight (TOF) intervals between successive rising edges of an ECU's identifier bits. Similarly, other characteristics, such as the TOF between successive falling edges of the CAN bus node identifier, can also be used for node classification. In order to measure these TOFs, we use a device called a Time-to-Digital Converter, which essentially triggers a ring oscillator to measure time values between rising/falling edges of a signal, with accuracy on the order of picoseconds. These timing values are used as features for the K-nearest neighbors (KNN) classifier algorithm. Once the classifier is trained, it can be used to classify a new timing value into a particular node category; if that category differs from the expected one, it is a sign of compromise or intrusion. In simulation tests, we achieve 95% accuracy in correctly predicting the compromised node. Thereafter, the thesis deals with experimentally predicting an intrusion in the CAN bus system using the EPOS Studio CAN bus position controller for Maxon motors. Because the clock timings are extremely accurate, we conclude that better statistical techniques for node characterization are needed for intrusion detection, which is outside the scope of this work.
General Audience Abstract
In today’s world, most automobiles use the Controller Area Network (CAN) bus for communication between various Electronic Control Units (ECUs), also called nodes on the CAN bus. These nodes can range from car headlights, radio, doors and internal lights to brakes, steering, throttle and much more. Each node on the CAN bus is a microcontroller which controls its proper operation. This also means that if a node is compromised using external hardware or a piece of software, it could be quite risky. Thus, a hacker can control the steering using the car’s internal lights and render it ineffective or misuse it. In order to combat this, we try to fingerprint each node by identifying its unique time domain characteristics. These characteristics can be the Time of Flight (TOF) measurement values between successive rising or falling edges of a node’s unique identifier, measured using an instrument called a Time-to-Digital Converter. Furthermore, these TOF values are used as features for the K-nearest neighbor (KNN) classifier machine learning algorithm, which uniquely identifies signals coming from any of the fingerprinted nodes, thereby raising a flag if a message comes from an unidentified node. In addition, experimental data is obtained for node identifiers on the CAN bus, in digital form, and passed into a neural network (NN) for training the classifier. We achieve 95% and 70% prediction accuracy for the KNN and NN classifiers, respectively.
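As an added illustration of the classification step described in the abstracts (this is not code from the thesis), the example below runs a small K-nearest-neighbors classifier over constructed TOF vectors and flags a frame whose timing matches a different node than the one that owns the identifier. The node names, the 500 kbit/s bit rate, the clock offsets, the jitter values and the distance threshold for unfingerprinted senders are all assumptions, and the threshold goes beyond what the abstracts describe.

```python
import math
from collections import Counter

# Constructed data, not measurements: nominal rising-edge-to-rising-edge
# intervals (ns) at 500 kbit/s, assumed normalized to a common edge pattern.
NOMINAL_NS = (4000.0, 8000.0, 4000.0)
# Assumed per-node oscillator offsets (ppm) and a fixed jitter pattern (ns).
SKEW_PPM = {"steering": 40.0, "lights": -60.0, "brakes": 150.0}
JITTER_NS = (-0.05, 0.02, 0.04, -0.03, 0.01)

def synth_tof(node, j):
    """Build one constructed TOF feature vector for `node`."""
    scale = 1.0 + SKEW_PPM[node] * 1e-6
    return tuple(t * scale + JITTER_NS[(i + j) % len(JITTER_NS)]
                 for i, t in enumerate(NOMINAL_NS))

# Five constructed fingerprints per node, labelled with the node name.
TRAIN = [(synth_tof(n, j), n) for n in SKEW_PPM for j in range(5)]

def knn_predict(tof, k=3):
    """Return (majority label, mean distance) over the k nearest fingerprints."""
    nearest = sorted((math.dist(tof, vec), label) for vec, label in TRAIN)[:k]
    label = Counter(lbl for _, lbl in nearest).most_common(1)[0][0]
    return label, sum(d for d, _ in nearest) / k

def check_frame(expected_node, tof, max_dist_ns=0.3):
    """Compare the timing fingerprint with the node that owns the identifier."""
    label, dist = knn_predict(tof)
    if dist > max_dist_ns:  # assumed threshold: no fingerprinted node fits
        return "unknown-node"
    return "ok" if label == expected_node else f"intrusion:{label}"

if __name__ == "__main__":
    print(check_frame("steering", synth_tof("steering", 7)))  # genuine sender
    print(check_frame("steering", synth_tof("lights", 7)))    # timing of another node
    print(check_frame("steering", (4002.5, 8005.0, 4002.5)))  # unfingerprinted device
```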
- Masters Theses