Literature reading: Evading voltage-based intrusion detection on automotive CAN (1)

Paper name: Evading Voltage-Based Intrusion Detection on Automotive CAN

Table of contents

Article overview

Background

What this article does

Proposed new attack: DUET

Proposed defense system: RAID

Part One: INTRODUCTION

Voltage corruption and DUET

RAID

Article contributions


Article overview

Background

CAN networks are widely used in modern automobiles for communication between electronic control units (ECUs). However, CAN is vulnerable to ECU masquerading attacks, in which a compromised ECU (the attacker) impersonates an uncompromised ECU (the victim) and spoofs the victim's CAN messages. The most effective defense against masquerading is a voltage-based intrusion detection system (VIDS), which uses the voltage fingerprint observed on the bus to identify the source of each message. Because the voltage fingerprint is a hardware characteristic of the ECU that cannot be altered by compromising its software, VIDS has been shown to detect every masquerading attack that involves a single attacker.

What this article does

Proposed new attack: DUET

First, the paper proposes a new voltage corruption strategy: two compromised ECUs (an attacker ECU and an accomplice ECU) cooperate to corrupt the bus voltage that VIDS records. Combined with basic features of the CAN protocol, this yields a new masquerading attack called DUET. DUET evades all existing VIDS regardless of the features or classification algorithm a particular VIDS uses. It follows a two-stage strategy: first manipulating the victim ECU's voltage fingerprint while VIDS is in retraining mode, then mimicking the manipulated fingerprint while VIDS is in operational mode. In experiments on a real bus, DUET's mimicking success rate is over 90%.

Proposed defense system: RAID

To counter DUET, the paper proposes a cost-effective, lightweight defense called RAID, under which each ECU makes protocol-compatible modifications to its frame format, producing a unique "dialect". RAID prevents the corruption of an ECU's voltage fingerprint and thereby restores the ability of VIDS to detect all ECU masquerading attacks.

Part One: INTRODUCTION

CAN is a wired broadcast network that connects the electronic control units (ECUs) in a car. With the growth of the Internet of Things, cars contain more and more ECUs and more external interfaces such as Bluetooth, Wi-Fi and USB, which makes them more exposed to attack. An attacker who compromises one ECU gains access to the CAN bus and can launch a variety of attacks on other ECUs. In particular, the ECU under the attacker's control can impersonate another ECU that the attacker cannot compromise remotely and forge the CAN messages that the latter sends, thereby disrupting critical vehicle functions. This is a masquerading attack.

To counter masquerading attacks, a variety of intrusion detection systems (IDS) have been proposed; the most effective is VIDS, which measures the bus voltage during each CAN message transmission and computes a voltage fingerprint, a feature vector derived from the measured voltage samples. Because an ECU's voltage fingerprint drifts with environmental factors such as temperature, and over time, VIDS periodically switches to a retraining mode in which it learns a supervised model that maps voltage fingerprints to their sending ECUs. In operational mode, VIDS then uses the learned model to infer the origin of each message on the bus. With high-frequency voltage sampling, VIDS has high-resolution monitoring and detection capability, effectively putting every transmission on the CAN bus under a "microscope".

Against a VIDS with these capabilities, an attacker faces two main challenges:

  1. Although an ECU can be compromised remotely, its physical characteristics, and hence its voltage fingerprint, cannot be changed by software.
  2. Errors in the VIDS training set would undermine the whole defense, so VIDS guards its training data with state-of-the-art countermeasures such as message authentication codes (MACs): during retraining it records voltage fingerprints only for messages whose MAC verifies, so an attacker cannot simply inject messages and have them learned as the victim's.

Voltage corruption and DUET

To overcome the first challenge, the paper devises a method for the attacker called voltage corruption.

Put simply, to impersonate an ECU that is hard to compromise (the victim), the attacker compromises two ECUs that are easier to attack: one acts as the attacker and the other as an accomplice. With the accomplice's help, the attacker transmits synchronously with the victim and superimposes its own voltage on the victim's, so the samples VIDS measures are a mixture of the two (in effect, poisoning). VIDS trains its supervised model on these poisoned samples, which inevitably distorts the voltage fingerprint it builds for the victim; this is what corrupting the victim's fingerprint as measured by VIDS means. Using this voltage corruption strategy, a new masquerading attack, DUET, can be constructed. DUET is launched by the attacker and accomplice against the victim and follows a two-stage strategy of poisoning the training set: voltage fingerprint manipulation (stage one) and voltage fingerprint mimicking (stage two).

As a result, VIDS learns the distorted "victim + attacker" samples as the victim's voltage fingerprint. This also overcomes the second challenge: the victim itself sends the message that VIDS records, so the message carries a valid MAC, and the attacker contributes only the voltage superimposed on the bus during that genuine transmission.

With this foundation in place, whenever the DUET attacker and accomplice want to spoof a victim message, they perform voltage fingerprint mimicking. The accomplice sends the spoofed message while the attacker applies the voltage corruption strategy to the accomplice's transmission, so VIDS observes a distorted "accomplice + attacker" fingerprint. Because VIDS was deceived during retraining and holds the distorted "victim + attacker" fingerprint as the victim's, in operational mode the "accomplice + attacker" fingerprint is attributed to the victim, and the spoofed message passes as genuine.

DUET works on any vehicle that uses CAN and evades detection by all existing VIDS. It relies on basic mechanisms of the CAN protocol (bus arbitration and error handling), a CAN controller feature (single-shot transmission, i.e. disabling automatic retransmission), and common properties of CAN traffic (the periodicity of messages and the predictability of message content). The paper validates DUET experimentally against two representative VIDS: Scission, which analyzes the voltage fingerprint of every message, and Viden, which accumulates eight messages before analyzing a fingerprint. Success rates exceed 90% in both cases (100% against the vehicle equipped with Viden).
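The retraining/operational cycle of VIDS described in the introduction, and the two DUET stages described above, can be put together in a small simulation. This is an added example, not code from the paper or from any VIDS implementation: the ECU voltage levels, the noise figure, the nearest-centroid classifier and the rule that simultaneous drivers produce the mean of their nominal levels are all assumptions chosen to make the mechanism visible, not measurements.

```python
"""Toy model of a voltage-based CAN IDS (VIDS) and the two DUET stages.

Added illustration, not the paper's code. ECU voltage levels, the noise figure
and the rule for combining simultaneous drivers are all assumptions.
"""
import random
import statistics

# Constructed nominal dominant-bit levels in volts (CANH, CANL) per ECU.
# Real transceivers differ by a few tens of mV; these values are made up.
ECUS = {
    "victim":     (3.52, 1.48),
    "attacker":   (3.61, 1.41),
    "accomplice": (3.46, 1.55),
}
NOISE_V = 0.005   # assumed per-sample measurement noise (std. dev.)


def sample_bus(drivers, rng, n=64):
    """Return n (CANH, CANL) samples taken during dominant bits.

    Assumed simplification: when several transceivers drive the bus at the
    same time, the measured level is the mean of their nominal levels, so an
    overlapping transmission is a mixture of both ECUs' signatures.
    """
    canh = statistics.mean(ECUS[d][0] for d in drivers)
    canl = statistics.mean(ECUS[d][1] for d in drivers)
    return [(canh + rng.gauss(0, NOISE_V), canl + rng.gauss(0, NOISE_V))
            for _ in range(n)]


def fingerprint(samples):
    """Feature vector of one message: mean CANH, mean CANL, mean differential."""
    h = statistics.mean(s[0] for s in samples)
    l = statistics.mean(s[1] for s in samples)
    return (h, l, h - l)


class NearestCentroidVIDS:
    """Minimal supervised model: one centroid per ECU, nearest centroid wins."""

    def __init__(self):
        self.centroids = {}

    def retrain(self, labelled):
        """labelled: iterable of (sending ECU, fingerprint) from retraining mode."""
        by_ecu = {}
        for ecu, fp in labelled:
            by_ecu.setdefault(ecu, []).append(fp)
        self.centroids = {
            ecu: tuple(statistics.mean(col) for col in zip(*fps))
            for ecu, fps in by_ecu.items()
        }

    def attribute(self, fp):
        """Operational mode: infer which ECU produced this fingerprint."""
        def dist2(ecu):
            return sum((a - b) ** 2 for a, b in zip(fp, self.centroids[ecu]))
        return min(self.centroids, key=dist2)


def run(duet, seed=1, msgs_per_ecu=20):
    """Return (ECU inferred for the spoofed message, whether VIDS flags it).

    duet=False: the accomplice simply sends a message with the victim's ID.
    duet=True : stage 1, the attacker overlaps every victim message during
                retraining; stage 2, it overlaps the accomplice's spoof.
    """
    rng = random.Random(seed)
    vids = NearestCentroidVIDS()

    # Retraining mode. Labels come from the (MAC-authenticated) message, so the
    # victim's genuine messages are labelled "victim" even when the attacker's
    # voltage is superimposed on them.
    training = []
    for ecu in ECUS:
        for _ in range(msgs_per_ecu):
            drivers = [ecu, "attacker"] if duet and ecu == "victim" else [ecu]
            training.append((ecu, fingerprint(sample_bus(drivers, rng))))
    vids.retrain(training)

    # Operational mode: the accomplice transmits a frame carrying the victim's ID.
    drivers = ["accomplice", "attacker"] if duet else ["accomplice"]
    inferred = vids.attribute(fingerprint(sample_bus(drivers, rng)))
    return inferred, inferred != "victim"


if __name__ == "__main__":
    print("plain spoof :", run(duet=False))   # flagged: attributed to accomplice
    print("DUET spoof  :", run(duet=True))    # passes: attributed to victim
```

Without DUET the accomplice's own signature is nowhere near the victim's centroid and the spoof is flagged; with DUET the victim's centroid has been dragged toward the attacker's signature during retraining, and the "accomplice + attacker" mixture lands closer to it than to either real ECU. The classifier is deliberately simple; the point is that the poisoning happens in the data VIDS is given, so the choice of features or model does not matter.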

RAID

Having devised DUET against existing VIDS, it is natural to ask what countermeasure defeats it.

Since DUET makes the victim's recorded voltage unreal, one might try to modify VIDS to detect the distortion of the fingerprint. Instead, the proposed system, RAID, takes an approach orthogonal to VIDS: while VIDS is in retraining mode, each ECU randomizes part of the identifier of its CAN messages. The unique pattern produced by this randomization is the ECU's "dialect", and an ECU speaks it only during VIDS retraining. When the attacker tries to transmit at the same time as the victim, it now either wins or loses arbitration on the bus and never ties, so it never gets to transmit simultaneously with the victim, which makes the voltage corruption strategy impossible to carry out. Experiments show that RAID stops DUET in its first stage at low cost.
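Why a randomized identifier denies the attacker a simultaneous transmission follows directly from CAN arbitration, and the following added example simulates it. It is not the paper's code or RAID's implementation: the page says only that part of the identifier is randomized during retraining, so the number of randomized bits and the choice of the low-order bits are assumptions, and RTR/IDE bits are ignored.

```python
"""CAN arbitration toy: why DUET needs identical identifiers, and why RAID's
randomized identifier bits deny the attacker a simultaneous transmission.

Added illustration, not the paper's code. The number of randomized bits and
the choice of low-order bits are assumptions; the page only says that part of
the identifier is randomized during VIDS retraining.
"""
import random

ID_BITS = 11  # standard CAN base identifier


def arbitrate(transmitters):
    """Bitwise CAN arbitration over the identifier field.

    transmitters: dict name -> 11-bit identifier, all starting in the same bit slot.
    The bus is a wired-AND: a dominant (0) bit overrides a recessive (1) bit. A node
    that sends recessive but reads dominant drops out. Returns the set of nodes still
    transmitting after the last identifier bit; if more than one remains, they share
    the bus and their data fields are driven simultaneously, which is exactly the
    overlap DUET's voltage corruption requires.
    """
    active = dict(transmitters)
    for bit in range(ID_BITS - 1, -1, -1):           # MSB first
        bus = min((ident >> bit) & 1 for ident in active.values())
        active = {n: i for n, i in active.items() if ((i >> bit) & 1) == bus}
    return set(active)


def overlaps(victim_id, attacker_id):
    """True when both nodes survive arbitration, i.e. their identifiers are identical."""
    return arbitrate({"victim": victim_id, "attacker": attacker_id}) == {"victim", "attacker"}


def raid_dialect(base_id, rand_bits, rng):
    """Hypothetical RAID-style dialect: the sender replaces the low rand_bits bits of
    its identifier with fresh random bits during VIDS retraining (assumed layout)."""
    if rand_bits == 0:
        return base_id
    mask = (1 << rand_bits) - 1
    return (base_id & ~mask) | rng.getrandbits(rand_bits)


def overlap_rate(base_id, rand_bits, trials=1000, seed=7):
    """Fraction of retraining-mode victim frames the attacker manages to overlap.

    The attacker knows the victim's base ID from traffic periodicity and content
    predictability, but cannot observe the random bits before arbitration, so its
    best move is to send the base ID (or any guess); each guess matches with
    probability 2**-rand_bits, and any mismatch resolves arbitration one way or
    the other, never as a tie.
    """
    rng = random.Random(seed)
    hits = sum(overlaps(raid_dialect(base_id, rand_bits, rng), base_id)
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print(arbitrate({"victim": 0x123, "attacker": 0x123}))  # both survive: overlap possible
    print(arbitrate({"victim": 0x123, "attacker": 0x122}))  # attacker wins, victim backs off
    for k in (0, 2, 4, 6):
        print(f"{k} randomized bits -> overlap rate {overlap_rate(0x120, k):.3f}")
```

With zero randomized bits every attempt overlaps, which is the situation DUET's stage one exploits; each additional randomized bit halves the attacker's chance of a tie, and a lost or won arbitration leaves only one driver on the bus, so there is no superimposed voltage for VIDS to record.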

Article contributions

  1. A voltage corruption strategy by which an attacker and an accomplice can corrupt the voltage samples measured by VIDS
  2. A new masquerading attack, DUET, built on the voltage corruption strategy
  3. Evidence that DUET is effective against all state-of-the-art VIDS
  4. An effective defense, RAID, against DUET

Next article: http://t.csdn.cn/wKg1u 


Source: blog.csdn.net/danielxinhj/article/details/129816063