design and implementation of an intrusion detection system
![Page 1: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/1.jpg)
Design and implementation of an intrusion
detection system (IDS) for in-vehicle networks
Presented by: Noräs Salman
Credits to my thesis partner: Marco Bresch
![Page 2: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/2.jpg)
Brief background: in-vehicle networks
● Controller Area Network (CAN)
● MOST
● FlexRay
● LIN
● Ethernet
![Page 3: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/3.jpg)
Brief background: CAN (frames & signals)
● Very well defined frame that carries multiple signals.
![Page 4: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/4.jpg)
Brief background: CAN (signal database)
![Page 5: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/5.jpg)
Brief background: CAN security
Figure: a sending node broadcasts a frame to every receiving node on the bus (broadcasting, collision avoidance). Attack classes shown: sniffing, dropping, tampering of legitimate frames, injecting of arbitrary frames (+ DoS).
![Page 6: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/6.jpg)
Mission briefing
Scientific Questions:
- How is an in-vehicle network IDS designed?
- How to design its rules?
- Limitations and challenges?
→ Implementation of a prototype IDS which can detect attacks on the network
Scope:
No prevention and no alerting on attacks; focused on the Controller Area Network
![Page 7: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/7.jpg)
Preceding ideas, efforts and research (defense)
How to defend against in-vehicle network attacks?
- Encryption of communication
- Cryptographic signatures / certificates
- Intrusion Detection Systems
- Machine learning approaches
- Specification-based
- Anomaly-based
Previous research is dominated by anomaly-based solutions
![Page 8: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/8.jpg)
Setup (Simulated network)
● Safer to start with.
● Easy to add nodes
● Can overwrite ECU code.
Nodes we add: Attacker, IDS
![Page 9: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/9.jpg)
Setup (Box car)
● More complicated topology
![Page 10: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/10.jpg)
Setup (Box car)
- Can’t overwrite the code for any ECU
- Connected to only one domain at a time.
- We can add more (virtual) nodes.
Virtual nodes we add: Attacker, IDS
![Page 11: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/11.jpg)
Design
Figure: Snort (computer system IDS) compared side by side with our design (in-vehicle IDS).
![Page 12: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/12.jpg)
Implementation
- Specification-based rules
- Malformed frame detection
- Unauthorized message detection
- Anomaly-based algorithms
- Plausibility detection (Detect sudden shifts in speed signal values)
- Frequency change detection (Generic way to detect message injection)
![Page 13: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/13.jpg)
Specification-based detection
● Malformed frame detection
○ Rules extracted from the signal database and compared directly against each frame.
● Unauthorized message detection
○ White-list of message IDs extracted from the signal database.
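The two specification-based rules above, as an added example that is not code from the thesis: a small stand-in for the signal database (IDs, DLC, signal bit layout and raw limits; all values constructed here, a real deployment would extract them from the vehicle's DBC file), a white-list derived from it, and a checker that flags unknown IDs as unauthorized and wrong DLC or out-of-range signal values as malformed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Signal:
    """One signal packed into a CAN payload (Intel/little-endian bit order)."""
    name: str
    start_bit: int   # bit position of the signal's least significant bit
    length: int      # width in bits
    raw_min: int     # allowed raw range, as a DBC-style database states it
    raw_max: int


@dataclass(frozen=True)
class MessageSpec:
    dlc: int                      # fixed payload length for this ID
    signals: Tuple[Signal, ...]


# Constructed stand-in for the signal database. The IDs, layouts and limits
# are invented for this example; they are not taken from any real vehicle.
SIGNAL_DB: Dict[int, MessageSpec] = {
    0x101: MessageSpec(dlc=8, signals=(
        Signal("vehicle_speed", start_bit=0, length=16, raw_min=0, raw_max=320),
        Signal("gear", start_bit=16, length=4, raw_min=0, raw_max=8),
    )),
    0x2A0: MessageSpec(dlc=4, signals=(
        Signal("brake_pressure", start_bit=0, length=8, raw_min=0, raw_max=200),
    )),
}

# Unauthorized-message white-list: exactly the IDs the database defines.
WHITELIST = frozenset(SIGNAL_DB)


def extract_raw(data: bytes, start_bit: int, length: int) -> int:
    """Extract a little-endian packed raw value from the payload."""
    return (int.from_bytes(data, "little") >> start_bit) & ((1 << length) - 1)


def check_frame(can_id: int, data: bytes) -> Optional[str]:
    """Return None for a frame that matches the specification, else the reason."""
    if can_id not in WHITELIST:
        return f"unauthorized: id 0x{can_id:03X} not in white-list"
    spec = SIGNAL_DB[can_id]
    if len(data) != spec.dlc:
        return f"malformed: dlc {len(data)} != {spec.dlc} for id 0x{can_id:03X}"
    for sig in spec.signals:
        raw = extract_raw(data, sig.start_bit, sig.length)
        if not sig.raw_min <= raw <= sig.raw_max:
            return f"malformed: {sig.name}={raw} outside [{sig.raw_min}, {sig.raw_max}]"
    return None


def scan(frames: List[Tuple[int, bytes]]) -> List[Tuple[int, str]]:
    """Run the rules over a frame list; returns (index, reason) for every hit."""
    hits = []
    for idx, (can_id, data) in enumerate(frames):
        reason = check_frame(can_id, data)
        if reason is not None:
            hits.append((idx, reason))
    return hits


# Constructed sample traffic: three legitimate frames, then one of each attack class.
SAMPLE_FRAMES: List[Tuple[int, bytes]] = [
    (0x101, bytes([0x40, 0x00, 0x03, 0, 0, 0, 0, 0])),  # speed 64 raw, gear 3
    (0x2A0, bytes([0x50, 0x00, 0x00, 0x00])),           # brake 80 raw
    (0x101, bytes([0x90, 0x00, 0x05, 0, 0, 0, 0, 0])),  # speed 144 raw, gear 5
    (0x7FF, bytes(8)),                                  # ID unknown to the database
    (0x101, bytes([0x40, 0x00, 0x03])),                 # wrong DLC
    (0x101, bytes([0x00, 0x02, 0x03, 0, 0, 0, 0, 0])),  # speed 512 raw, above max
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_FRAMES):
        print(f"frame {idx}: {reason}")
```

Both rules are pure lookups against the database, which is why they neither need training data nor produce false positives on traffic that obeys the specification; the flip side is that an injected frame with a white-listed ID, correct DLC and in-range values passes them, which is what the anomaly-based checks on the following slides are for.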
![Page 14: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/14.jpg)
Results (Specification-based detection)
● Performed attacks on different domains for evaluation
● The results were as expected → 100% detection rate
Figure: Test 1 and Test 2, each with a virtual attacker node plus a virtual IDS node attached to the domain under test.
![Page 15: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/15.jpg)
Anomaly based detection (plausibility detection)
- We focused on speed signals.
- It's not normal to see the speedometer jump from 30 km/h to 200 km/h in one second.
- The change in value between two consecutive messages has a threshold that depends on the acceleration capabilities and the driver's behaviour.
![Page 16: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/16.jpg)
Anomaly based detection (plausibility detection)
Extracting a threshold (use case):
- Acceleration simulation.
- 4000 messages (20 seconds).
- Speed difference between (t) and (t-1).

Threshold = 20 (raw) ≈ 16 (km/h)

Algorithm simplified:
```
x = abs( speed(t) - speed(t-1) )
if (x >= threshold)
    → raise an alarm
```
![Page 17: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/17.jpg)
Results (plausibility detection)
Two tests
● Constant speed injection
○ Injected speed value is constant during the attack
● Stealth speed injection
○ Injected speed value is changing during the attack
We can detect the start and the end of the attack
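The threshold extraction and the plausibility check from the two preceding slides, as an added example that is not the thesis' code or data: the benign acceleration trace is constructed (increments ramping up to 19 raw, then cruising), the threshold is taken as the largest benign step plus one, and the km/h factor of 0.8 is an assumption chosen only so that 20 raw ≈ 16 km/h as on the slide. The two injections mirror the constant and stealth tests.

```python
from typing import List, Sequence

# Assumed scaling between raw signal and km/h, chosen so that 20 raw ≈ 16 km/h
# as on the slide; the real factor comes from the signal database.
KMH_PER_RAW = 0.8


def to_kmh(raw: int) -> float:
    return raw * KMH_PER_RAW


def benign_acceleration() -> List[int]:
    """Constructed stand-in for the acceleration simulation (not the thesis data):
    the per-message increment ramps 0..19 raw, back down to 0, then the car cruises."""
    increments = list(range(20)) + list(range(19, -1, -1)) + [0] * 60
    speed, trace = 0, []
    for inc in increments:
        speed += inc
        trace.append(speed)
    return trace


def extract_threshold(benign_trace: Sequence[int]) -> int:
    """Smallest threshold that never alarms on the benign trace: the largest
    |speed(t) - speed(t-1)| observed, plus one (the rule below alarms on >=)."""
    return max(abs(b - a) for a, b in zip(benign_trace, benign_trace[1:])) + 1


def plausibility_alarms(trace: Sequence[int], threshold: int) -> List[int]:
    """The slide's simplified algorithm: alarm at every t where
    |speed(t) - speed(t-1)| >= threshold."""
    return [t for t in range(1, len(trace))
            if abs(trace[t] - trace[t - 1]) >= threshold]


def inject(trace: Sequence[int], start: int, injected: Sequence[int]) -> List[int]:
    """Replace the observed speed values from index `start` with the attacker's values."""
    attacked = list(trace)
    attacked[start:start + len(injected)] = list(injected)
    return attacked


if __name__ == "__main__":
    benign = benign_acceleration()
    threshold = extract_threshold(benign)        # 20 raw (≈ 16 km/h with the assumed factor)
    print(f"threshold = {threshold} raw ≈ {to_kmh(threshold):.1f} km/h")
    constant = inject(benign, 50, [250] * 20)                        # constant speed injection
    stealth = inject(benign, 50, [200 - 3 * k for k in range(20)])   # value drifts during the attack
    print("constant:", plausibility_alarms(constant, threshold))     # alarms at start and end only
    print("stealth: ", plausibility_alarms(stealth, threshold))
```

In both runs the alarms fall at the first injected value and at the return to the legitimate value, which is the "start and end" behaviour the results slide reports: between those two points each consecutive difference stays under the threshold. The same property means an attacker who starts from the current legitimate value and drifts by less than the threshold per message is not caught by this check alone, which is one reason it is paired with frequency detection.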
![Page 18: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/18.jpg)
Anomaly based detection (frequency detection)
● The cycle time is defined in the signal database.
● Checking each inter-arrival time against that cycle time alone was not enough: it resulted in false detections.
● Solution: double check (two consecutive intervals shorter than the cycle time are required before alarming).
Figure: the message here has 2 ms as cycle time; irregular shifts (clock skew) push single intervals below it.
Algorithm simplified (per CAN ID; T(m_t) is the arrival time of message t):
```
attack = false
if (T(m_t) - T(m_t-1) < cycle_time) {      // first check: interval shorter than cycle time
    attack = true
    attack_count++
    if (attack_count > 1)                  // second check: two short intervals in a row
        → raise an alarm
}
if (!attack && attack_count > 0) {
    attack_count = 0                       // an isolated short interval (clock skew) is forgiven
}
```
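The double check above, as an added example that is not the thesis' code, with the constructed traces needed to see why the second check exists: a 2 ms periodic message whose every other frame arrives 0.1 ms early (a stand-in for clock skew), and the same stream with attacker frames of the same ID merged in at 1 ms spacing. `min_consecutive` generalizes the slide's `attack_count > 1`: 1 gives the first check alone, 2 is the double check.

```python
from typing import List


def frequency_alarms(timestamps_ms: List[float], cycle_time_ms: float,
                     min_consecutive: int = 2) -> List[int]:
    """Indices of messages (of one CAN ID) that raise an alarm.

    First check: the interval to the previous message is shorter than the
    database cycle time. Second check: alarm only once `min_consecutive`
    such intervals occur in a row; a normal interval resets the counter.
    min_consecutive=2 is the slide's double check, 1 is the first check alone.
    """
    attack_count = 0
    alarms: List[int] = []
    for i in range(1, len(timestamps_ms)):
        if timestamps_ms[i] - timestamps_ms[i - 1] < cycle_time_ms:
            attack_count += 1
            if attack_count >= min_consecutive:
                alarms.append(i)
        else:
            attack_count = 0   # an isolated short interval (clock skew) is forgiven
    return alarms


CYCLE_MS = 2.0   # the slide's example message: 2 ms cycle time


def legitimate_timestamps(n: int = 20, skew_ms: float = 0.1) -> List[float]:
    """Constructed arrival times: a 2 ms periodic message whose every other
    frame arrives slightly early, so isolated intervals fall below the cycle time."""
    return [i * CYCLE_MS - (skew_ms if i % 2 else 0.0) for i in range(n)]


def with_injection(legit: List[float], start_ms: float, count: int,
                   period_ms: float) -> List[float]:
    """Merge attacker frames sent every `period_ms` from `start_ms` into the legitimate stream."""
    return sorted(legit + [start_ms + k * period_ms for k in range(count)])


if __name__ == "__main__":
    legit = legitimate_timestamps()
    print("first check only, benign:", frequency_alarms(legit, CYCLE_MS, 1))  # false detections
    print("double check, benign    :", frequency_alarms(legit, CYCLE_MS))     # []
    attacked = with_injection(legit, 20.5, 10, 1.0)
    print("double check, injection :", frequency_alarms(attacked, CYCLE_MS))  # alarms through the attack
```

On the benign trace the first check alone alarms on every early frame, while the double check stays silent; on the injected trace the counter never resets while attacker and legitimate frames interleave, so the alarm repeats for the whole attack, which is the "detects the whole attack" property on the last slide. Two points a practitioner should keep in mind: two skewed intervals in a row still alarm, and an attacker who inserts only one frame between two legitimate ones is forgiven by the reset, so the number of consecutive short intervals required is a tuning choice between skew tolerance and sensitivity.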
![Page 19: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/19.jpg)
Results (Frequency change detection)
Two tests
● Cycle time effect (injection with a smaller cycle time vs. an identical cycle time)
● Aggressive injection (DoS)
Figure: detections under aggressive injection, under injection with a smaller cycle time, and under injection with an identical cycle time.
![Page 20: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/20.jpg)
Challenges and limitations
● Hardware constraints
○ ECUs have limited capabilities, but we didn’t have a problem with that.
● IDS node placement = cost
○ We suggest placing an IDS node in each domain for full coverage and lower load.
● Data selection
○ Plausibility detection should depend on the real vehicle's acceleration capabilities; we only used a simulation.
● Log storage? Rule update?
![Page 21: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/21.jpg)
Summary
- Security is a problem in modern vehicles.
- We designed and implemented an IDS using distributed IDS nodes (ECUs) around the different domains.
- Each IDS node has a combination of:
  - Specification-based rules
  - Anomaly-based algorithms
- No false positives
- Challenges for future research.
![Page 22: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/22.jpg)
Thank you for listening
![Page 23: Design and implementation of an intrusion detection system](https://reader033.vdocument.in/reader033/viewer/2022050407/627065e437a91301e952cc6d/html5/thumbnails/23.jpg)
Frequency detection vs plausibility detection

| | Plausibility detection | Frequency detection |
|---|---|---|
| Monitors | The signal's value | The message frequency |
| Detects | The beginning and the end of an attack | The whole attack |