英语原文共 5 页,剩余内容已隐藏,支付完成后下载完整资料
Frequency-Based Anomaly Detection for the Automotive CAN bus
Adrian Taylor
Defence Ramp;D Canada
Nathalie Japkowicz
School of Electrical Engineering and Computer Science,University of Ottawa
Sylvain Leblanc
Electrical and Computer Engineering Department, Royal Military College of Canada
Abstract
The modern automobile is controlled by networked computers. The security of these networks was historically of little concern, but researchers have in recent years demonstrated their many vulnerabilities to attack. As part of a defence against these attacks, we evaluate an anomaly detector for the automotive controller area network (CAN) bus. The majority of attacks are based on inserting extra packets onto the network. But most normal packets arrive at a strict frequency. This motivates an anomaly detector that compares current and historical packet timing. We present an algorithm that measures inter-packet timing over a sliding window. The average times are compared to historical averages to yield an anomaly signal. We evaluate this approach over a range of insertion frequencies and demonstrate the limits of its effectiveness. We also show how a similar measure of the data contents of packets is not effective for identifying anomalies. Finally we show how a one-class support vector machine can use the same information to detect anomalies with high confidence.
Index Terms:Anomaly detection, controller area network, automotive, monitoring
I. INTRODUCTION
Automobiles have evolved from purely mechanical devices to connected computing platforms. Modern cars are controlled by multiple embedded processors that communicate over a controller area network (CAN) bus. The computers in cars were long assumed to be safely isolated from the outside world, and the security of those systems was not considered important. But it has become clear in recent years that this is no longer the case. Devices on the CAN bus are now connected to the outside world over both wired and wireless channels.These channels have been exploited to hack cars and cause a variety of effects [1]-[3]. We propose anomaly detection as a means to identify such attacks. Over time manufacturers will respond to this threat with improved security, but detection will always be an important component of defense.
Anomaly detection is well-suited to this problem because automotive CAN traffic is predictable. Most CAN packets are published to the bus at a fixed frequency. Furthermore
many attacks require high rate packet injections, motivating recommendations to detect such insertions as a first line of defense [l]. Packet frequency monitoring has been proposed by others for attack detection, but not evaluated [4]. Clearly a high rate of packet injects are detectable, but what are the limits of this approach? An anomaly detection system in a car must maintain a very low false alarm rate. For example, consider a system that evaluates traffic every half second. A false alarm rate of 10-4 will produce an alert every hour. A driver will quickly learn to ignore the detector, rendering it useless. We need an understanding of the practical limitations of this approach given these stringent requirements.
Our work evaluates the effectiveness of frequency-based anomaly detection for packet injection attacks. We apply a flow-based method adapted from industrial control system traffic [5] to the CAN bus. Flows measure both frequency and average data content changes for each type of packet, and compare them to historical values to produce an anomaly signal. Our evaluation compares this methods effectiveness over a range of packet insertion types, durations, and frequencies, to determine its limits in detecting both overt and subtle attacks. We also evaluate how a one-class support vector machine (OCSVM) anomaly detector performs using the same information.
The remainder of this paper is structured as follows. In Section II we describe normal and attack traffic. In Section III we explain the flow method in more detail. In Section IV we describe the experimental evaluation and results. In Section V we present our conclusions and suggestions for future work.
II. CAN BUS AND ATTACKS
A. Normal CAN bus traffic
The CAN bus standard is commonly used for internal communication in automobiles. A car typically has two CAN buses. One is high speed (e.g. 500 kbps) and is dedicated to engine functions. The other may be lower speed (e.g. 125 kbps) and is dedicated to entertainment and convenience features. The two buses are usually connected through a gateway. The gateway allows restricted communication between the two domains, for example so the dashboard on the low speed bus can display engine alerts sent from the high speed bus. The buses are populated by electronic control units (ECUs). These ECUs broadcast packets that make up the traffic on the bus.
Packets contain an ID field and data bytes, as well as additional bits for error correction, control, and low-level bus logic. Bus arbitration is handled with a simple system: the lower ID has priority. If two ECUs attempt to transmit at the same time, the one sending a higher ID packet will detect the lower ID packet and wait until the bus is fee before sending its message. Here we assume all messages are well-formed and are thus only concerned with the ID an data fields. The time sequence of these ID and data field pairs is the raw data we are analyzing to identify anomalies. We do not have access to the data dictionary used by the manufacturer of our test vehicle, a
剩余内容已隐藏,支付完成后下载完整资料
资料编号:[246015],资料为PDF文档或Word文档,PDF文档可免费转换为Word
以上是毕业论文外文翻译,课题毕业论文、任务书、文献综述、开题报告、程序设计、图纸设计等资料可联系客服协助查找。
