
LUP Student Papers

LUND UNIVERSITY LIBRARIES

A Concept for an Intrusion Detection System over Automotive Ethernet

Lindwall, Hanna (LU) and Ovhagen, Pontus (2020) EITM01 20192
Department of Electrical and Information Technology
Abstract
A modern automotive vehicle is a complex technical system containing many electronic, mechanical, and software parts. A high-end vehicle contains 70 or more electronic control units (ECUs) on average. These control a large number of distributed functions, many of them safety-critical, and add software complexity that now surpasses 100 million lines of code. Furthermore, the communication link in the automotive architecture is being upgraded from the traditional controller area network (CAN) bus to Automotive Ethernet, in order to enable higher communication bandwidth and handle the increasing complexity. However, introducing Ethernet opens the vehicle to new attacks and loopholes that can be exploited by hackers. Attacks on ECUs are even more dangerous than web attacks, as they involve the safety of the persons inside the vehicle. To secure in-vehicle communication, the automotive industry needs to examine traditional cybersecurity protection techniques from an automotive perspective. One security solution gaining more and more attention for in-vehicle security is the concept of an intrusion detection system (IDS). In this thesis, we propose a concept for a host-based IDS relying on two different detection methods. We suggest a combination of specification-based detection, focusing on message sequencing and the allowed elapsed time between a request and its respective response, and anomaly-based detection, evaluating the frequency, payload length and timeout of request-response pairs. To evaluate our IDS we execute five different attack scenarios, for which we calculate binary classification metrics and measure its classification speed. Our evaluation shows that the proposed IDS successfully detects malicious events such as delay, packet injection, exhaustion and two different flooding attacks.
Based on our experience designing an in-vehicle IDS, we describe potential difficulties, limitations and future improvements that engineers can use to implement or improve their own in-vehicle IDS. We believe the results of this master's thesis can be applied in more advanced research, especially in the field of IDS for in-vehicle networks, and can hopefully contribute to a safer driving experience.
Popular Abstract
With the transition to automotive Ethernet as a standard network bus, the faster network speeds and additional bandwidth will be the main advantages for internal vehicle networks. However, introducing Ethernet into vehicles also brings inevitable security risks, and this is the main problem we address in our master's thesis.

The automotive industry has to investigate the cybersecurity solutions traditionally used to secure conventional networks, in order to reach the goal of securing in-vehicle automotive Ethernet networks. Today, firewalls are commonly used as a first layer of protection, but as attacks have become increasingly sophisticated, a firewall's detection mechanisms can easily be bypassed. Therefore, the automotive industry has started to look into proactive security solutions that can detect new threats which have not yet been made public or discovered. One solution is implementing an intrusion detection system (IDS), which has been practiced in various industries since the early days of network security and is now being applied to automotive use cases. An IDS monitors and detects attacks or other threats present inside the network. Compared to a firewall, the IDS takes a more proactive position by reporting, alerting and logging detected threats against a system. An IDS often relies on deep packet inspection to look further into a packet and can therefore screen packets at the application level. Common IDS functionalities include, for example, updating the system for future attacks, analysing potential attack patterns on the network, alerting other security mechanisms in place, and generating warnings for network administrators.

In this master's thesis we propose a concept for a host-based in-vehicle IDS. We then implement and test its capabilities by launching a series of attacks against the IDS and measuring its detection performance. To detect threats we incorporate two different detection methods: specification-based and anomaly-based detection.

The specification-based detection focuses on deviations from the behavior specified for a protocol. We chose to focus on the ISO 15118 specification, which describes a protocol for performing Vehicle-to-Grid (V2G) charging sessions. In our implementation, we mainly focus on deviations from the message sequences and timeouts outlined in the protocol.

After further research, it became apparent that specification-based detection alone did not give full detection coverage. For this reason, we decided to integrate an anomaly-based detection method into our IDS. Anomaly-based detection also detects anomalous behavior, but relies on a statistical approach. In our IDS, we collect data from different examples of charging sessions, and based on this data the IDS classifies each incoming packet as either a threat or a normal packet. The anomaly-based detection method evaluates the expected frequency, the payload length and the time elapsed between a message request and its respective response.
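The two detection methods described in the abstract and the paragraphs above can be combined in a small host-based checker. The following is an added example written for this page, not code from the thesis: the message names follow the ISO 15118-2 naming style, but the message order, the response timeout, the payload sizes and the attack sessions are all constructed for the example and are not values taken from the thesis or the standard. The specification part enforces one outstanding request at a time, the allowed order, and the request-to-response timeout; the anomaly part learns payload-length bounds and a peak request rate from known-good sessions and flags deviations.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed simplified message order for one charging session (ISO 15118-2 style names).
# Order, timeout and sizes below are constructed for this example.
SEQUENCE = ["SessionSetup", "ServiceDiscovery", "PaymentServiceSelection",
            "ChargeParameterDiscovery", "PowerDelivery", "ChargingStatus", "SessionStop"]
REPEATABLE = {"ChargingStatus"}   # assumed: status polling may repeat while charging
RESPONSE_TIMEOUT_S = 2.0          # assumed allowed time between request and response
RATE_WINDOW_S = 1.0               # window used for the request-frequency check


@dataclass(frozen=True)
class Event:
    t: float      # seconds since session start
    kind: str     # "req" or "res"
    msg: str      # message type without the Req/Res suffix
    length: int   # payload length in bytes


@dataclass
class Profile:
    length_bounds: Dict[Tuple[str, str], Tuple[int, int]]  # (msg, kind) -> (min, max) length
    max_req_rate: float                                     # peak requests per window in baseline


def _requests_in_window(times: List[float], now: float) -> int:
    return sum(1 for t in times if 0 <= now - t < RATE_WINDOW_S)


def learn_profile(sessions: List[List[Event]], slack: int = 4) -> Profile:
    """Anomaly baseline: payload bounds per message/direction and peak request rate."""
    bounds: Dict[Tuple[str, str], Tuple[int, int]] = {}
    peak = 0
    for session in sessions:
        req_times = [e.t for e in session if e.kind == "req"]
        for e in session:
            lo, hi = bounds.get((e.msg, e.kind), (e.length, e.length))
            bounds[(e.msg, e.kind)] = (min(lo, e.length), max(hi, e.length))
        peak = max(peak, max(_requests_in_window(req_times, t) for t in req_times))
    return Profile({k: (lo - slack, hi + slack) for k, (lo, hi) in bounds.items()}, float(peak))


def detect(session: List[Event], profile: Profile, rate_margin: float = 1.5) -> List[Tuple[float, str]]:
    """Return (time, reason) alerts from the specification and anomaly checks."""
    alerts: List[Tuple[float, str]] = []
    next_idx = 0                    # index in SEQUENCE of the next new request
    pending = None                  # (msg, t) of the unanswered request, if any
    req_times: List[float] = []
    for e in sorted(session, key=lambda x: x.t):
        if e.kind == "req":
            allowed = {SEQUENCE[next_idx]} if next_idx < len(SEQUENCE) else set()
            if next_idx > 0 and SEQUENCE[next_idx - 1] in REPEATABLE:
                allowed.add(SEQUENCE[next_idx - 1])
            # Specification: one outstanding request at a time, in the specified order.
            if pending is not None:
                alerts.append((e.t, f"sequence: {e.msg}Req while {pending[0]}Req is unanswered"))
            elif e.msg not in allowed:
                alerts.append((e.t, f"sequence: unexpected {e.msg}Req, expected {sorted(allowed)}"))
            else:
                pending = (e.msg, e.t)
                if next_idx < len(SEQUENCE) and e.msg == SEQUENCE[next_idx]:
                    next_idx += 1
            # Anomaly: request frequency against the learned peak rate.
            req_times.append(e.t)
            seen = _requests_in_window(req_times, e.t)
            if seen > profile.max_req_rate * rate_margin:
                alerts.append((e.t, f"frequency: {seen} requests within {RATE_WINDOW_S}s"))
        else:
            # Specification: a response must answer the pending request within the timeout.
            if pending is None or pending[0] != e.msg:
                alerts.append((e.t, f"sequence: unsolicited {e.msg}Res"))
            else:
                if e.t - pending[1] > RESPONSE_TIMEOUT_S:
                    alerts.append((e.t, f"timeout: {e.msg}Res after {e.t - pending[1]:.1f}s"))
                pending = None
        # Anomaly: payload length against the learned bounds for this message/direction.
        lo, hi = profile.length_bounds.get((e.msg, e.kind), (0, 0))
        if not lo <= e.length <= hi:
            alerts.append((e.t, f"payload: {e.msg}{e.kind.title()} length {e.length} outside [{lo}, {hi}]"))
    return alerts


def make_session(pairs, gap=0.6, latency=0.1) -> List[Event]:
    """Constructed well-formed session: (msg, req_len, res_len) pairs with fixed timing."""
    events, t = [], 0.0
    for msg, req_len, res_len in pairs:
        events.append(Event(t, "req", msg, req_len))
        events.append(Event(round(t + latency, 3), "res", msg, res_len))
        t = round(t + gap, 3)
    return events


NORMAL_PAIRS = [("SessionSetup", 40, 60), ("ServiceDiscovery", 30, 120),
                ("PaymentServiceSelection", 50, 20), ("ChargeParameterDiscovery", 90, 110),
                ("PowerDelivery", 45, 25), ("ChargingStatus", 20, 70),
                ("ChargingStatus", 20, 72), ("SessionStop", 15, 15)]
BASELINE = [make_session(NORMAL_PAIRS), make_session(NORMAL_PAIRS, gap=0.7, latency=0.2)]
PROFILE = learn_profile(BASELINE)


def scenario(name: str) -> List[Event]:
    """Constructed scenarios layered on the normal session (all timings are made up)."""
    base = make_session(NORMAL_PAIRS)
    if name == "normal":
        return base
    if name == "delay":        # SessionStop response arrives well after the timeout
        return [Event(e.t + 3.0, "res", e.msg, e.length)
                if (e.msg, e.kind) == ("SessionStop", "res") else e for e in base]
    if name == "injection":    # PowerDelivery request appears before parameters are agreed
        return base + [Event(1.5, "req", "PowerDelivery", 45)]
    if name == "flooding":     # burst of ChargingStatus requests without awaiting responses
        return [e for e in base if e.t <= 3.1] + \
               [Event(round(3.12 + 0.02 * i, 2), "req", "ChargingStatus", 20) for i in range(10)]
    if name == "oversize":     # last ChargingStatus request carries an abnormally large payload
        idx = max(i for i, e in enumerate(base) if (e.msg, e.kind) == ("ChargingStatus", "req"))
        return base[:idx] + [Event(base[idx].t, "req", "ChargingStatus", 500)] + base[idx + 1:]
    raise ValueError(name)


if __name__ == "__main__":
    for name in ("normal", "delay", "injection", "flooding", "oversize"):
        print(name, detect(scenario(name), PROFILE))
```

The baseline is deliberately tiny, which is the practical caveat the thesis also raises: the payload bounds and peak rate only cover what the training sessions contained, so a legitimate session with a message size or polling rate never seen in training is reported as an anomaly, and the `slack` and `rate_margin` parameters are where that false-positive rate is traded against detection coverage.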

Overall, the IDS performed very well for the five attack scenarios we deployed, which shows that an IDS with this hybrid approach is a promising security solution for in-vehicle automotive Ethernet networks.
author: Lindwall, Hanna (LU) and Ovhagen, Pontus
organization: Department of Electrical and Information Technology
course: EITM01 20192
year: 2020
type: H2 - Master's Degree (Two Years)
keywords: Intrusion Detection System, Deep Packet Inspection, Specification-based Detection, Anomaly-based Detection, V2G, Automotive Ethernet.
report number: LU/LTH-EIT 2020-747
language: English
id: 9006826
date added to LUP: 2020-03-18 14:12:18
date last changed: 2020-03-18 14:12:18
@misc{9006826,
  abstract     = {{A modern automotive vehicle is a complex technical system, containing many electronic, mechanical, and software parts. Typically, a high-end vehicle contains 70 or more electronic control units (ECUs) on average. These are controlling a large number of distributed functions, of which many are safety-critical, and adding complexity, which is surpassing 100 million lines of code. Furthermore, the communication link in the automotive architecture is also being upgraded from the traditional controller area network (CAN) bus to Automotive Ethernet, in order to enable higher communication bandwidth and handle the increasing complexity. However, introducing Ethernet opens up for new attacks and loopholes to be exploited by hackers. Attacks on ECUs are even more dangerous than web attacks, as these involve the safety of the persons inside the vehicle. To secure the in-vehicle communication the automotive industry needs to look into traditional cybersecurity protection techniques from an automotive perspective. One security solution gaining more and more attention regarding in-vehicle security is the concept of an intrusion detection system (IDS). In this thesis, we propose a concept for a host-based IDS relying on two different detection methods. We suggest a combination of specification-based, focusing on message sequencing and allowed elapsed time in between a request and its respective response, and anomaly-based detection, evaluating the frequency, payload length and timeout for request-response pairs. To evaluate our IDS we execute five different attack scenarios, where we calculate binary classification metrics and measure its classification speed. Our evaluation shows that the proposed IDS successfully detects malicious events such as delay, packet injection, exhaustion and two different flooding attacks.
Based on our experience designing an in-vehicle IDS, we describe potential difficulties, limitations and future improvements that engineers can use to implement or improve their adaptation of an in-vehicle IDS system. We believe the results of this master’s thesis can be applied in more advanced research, especially in the field of IDS for in-vehicle networks, and can hopefully contribute to a safer driving experience.}},
  author       = {{Lindwall, Hanna and Ovhagen, Pontus}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{A Concept for an Intrusion Detection System over Automotive Ethernet}},
  year         = {{2020}},
}