11 research outputs found

    Analyzing Attacks on Cooperative Adaptive Cruise Control (CACC)

    Cooperative Adaptive Cruise Control (CACC) is one of the driving applications of vehicular ad-hoc networks (VANETs) and promises to bring more efficient and faster transportation through cooperative behavior between vehicles. In CACC, vehicles exchange information, which is relied on to partially automate driving; however, this reliance on cooperation requires resilience against attacks and other forms of misbehavior. In this paper, we propose a rigorous attacker model and an evaluation framework for this resilience by quantifying the attack impact, providing the necessary tools to compare controller resilience and attack effectiveness simultaneously. Although there are significant differences between the resilience of the three analyzed controllers, we show that each can be attacked effectively and easily through either jamming or data injection. Our results suggest a combination of misbehavior detection and resilient control algorithms with graceful degradation are necessary ingredients for secure and safe platoons. Comment: 8 pages (author version), 5 Figures, Accepted at 2017 IEEE Vehicular Networking Conference (VNC

    Blackchain: Scalability for Resource-Constrained Accountable Vehicle-to-X Communication

    In this paper, we propose a new Blockchain-based message and revocation accountability system called Blackchain. Combining a distributed ledger with existing mechanisms for security in V2X communication systems, we design a distributed event data recorder (EDR) that satisfies traditional accountability requirements by providing a compressed global state. Unlike previous approaches, our distributed ledger solution provides an accountable revocation mechanism without requiring trust in a single misbehavior authority, instead allowing a collaborative and transparent decision making process through Blackchain. This makes Blackchain an attractive alternative to existing solutions for revocation in a Security Credential Management System (SCMS), which suffer from the traditional disadvantages of PKIs, notably including centralized trust. Our proposal becomes scalable through the use of hierarchical consensus: individual vehicles dynamically create clusters, which then provide their consensus decisions as input for road-side units (RSUs), which in turn publish their results to misbehavior authorities. This authority, which is traditionally a single entity in the SCMS, responsible for the integrity of the entire V2X network, is now a set of authorities that transparently perform a revocation, whose result is then published in a global Blackchain state. This state can be used to prevent the issuance of certificates to previously malicious users, and also prevents the authority from misbehaving through the transparency implied by a global system state. Comment: 5 pages, 2 figures, SERIAL '17 Worksho

    Multi-Source Fusion Operations in Subjective Logic

    The purpose of multi-source fusion is to combine information from more than two evidence sources, or subjective opinions from multiple actors. For subjective logic, a number of different fusion operators have been proposed, each matching a fusion scenario with different assumptions. However, not all of these operators are associative, and therefore multi-source fusion is not well-defined for these settings. In this paper, we address this challenge, and define multi-source fusion for weighted belief fusion (WBF) and consensus & compromise fusion (CCF). For WBF, we show the definition to be equivalent to the intuitive formulation under the bijective mapping between subjective logic and Dirichlet evidence PDFs. For CCF, since there is no independent generalization, we show that the resulting multi-source fusion produces valid opinions, and explain why our generalization is sound. For completeness, we also provide corrections to previous results for averaging and cumulative belief fusion (ABF and CBF), as well as belief constraint fusion (BCF), which is an extension of Dempster's rule. With our generalizations of fusion operators, fusing information from multiple sources is now well-defined for all different fusion types defined in subjective logic. This enables wider applicability of subjective logic in applications where multiple actors interact. Comment: 8 pages, Pre-Print of accepted paper for FUSION 201

    Message Type Identification of Binary Network Protocols using Continuous Segment Similarity

    Protocol reverse engineering based on traffic traces infers the behavior of unknown network protocols by analyzing observable network messages. To perform correct deduction of message semantics or behavior analysis, accurate message type identification is an essential first step. However, identifying message types is particularly difficult for binary protocols, whose structural features are hidden in their densely packed data representation. We leverage the intrinsic structural features of binary protocols and propose an accurate method for discriminating message types. Our approach uses a similarity measure with continuous value range by comparing feature vectors where vector elements correspond to the fields in a message, rather than discrete byte values. This enables a better recognition of structural patterns, which remain hidden when only exact value matches are considered. We combine Hirschberg alignment with DBSCAN as cluster algorithm to yield a novel inference mechanism. By applying novel autoconfiguration schemes, we do not require manually configured parameters for the analysis of an unknown protocol, as required by earlier approaches. Results of our evaluations show that our approach has considerable advantages in message type identification result quality and also execution performance over previous approaches. Comment: 11 pages, 4 figures, to be published in IEEE International Conference on Computer Communications. INFOCOM. Beijing, China, 202

    Misbehavior detection in cooperative intelligent transport systems

    Automobile accidents are one of the major causes of death in the Western world. In previous decades, automobile manufacturers and researchers have investigated a broad spectrum of solutions to this challenge. Within this solution space, communication between vehicles has long been a promising direction that enables highly advanced driver assistance systems. Current generation assistance systems operate through the use of automotive sensors, which have limited range; to provide the vehicle with a more complete picture of its surroundings, various standards have been proposed to enable information exchange between vehicles. Recent developments in this field, which integrate more components into this communication architecture, give rise to cooperative intelligent transport systems (C-ITS). Most C-ITS applications, in particular including safety applications, make decisions based on both information received from local sensors and messages received from others. One aspect of C-ITS that is essential for successful deployment is its security against invalid behavior and malicious attacks. Without such protection, the validity of the information received from other vehicles cannot be guaranteed, and thus the reliability of all C-ITS applications is affected. Research has invested significant effort in the development of basic security services, such as pseudonymization and sender authentication. One area that has received limited attention in standardization is that of misbehavior by authentic entities in the network. For example, a malicious vehicle may transmit false messages, triggering an emergency response and causing a collision between other vehicles. This cannot be prevented through standard security services, such as cryptographic signatures, because a malicious vehicle is an authentic sender. In general the detection of such invalid application data is termed misbehavior detection. 
Because different attacks are typically detected through different misbehavior detection mechanisms, the combination of these outputs (i.e., fusion) for decision making is an essential component. This thesis addresses this topic by designing Maat, a generic misbehavior detection framework that ensures the validity of received data. The contributions of this thesis include (a) a detailed survey of existing misbehavior detection mechanisms, (b) Maat, a proposal for a generic fusion framework for misbehavior detection in C-ITS, (c) multi-source fusion operations for subjective logic, which forms the mathematical foundation of our framework, (d) several novel detection mechanisms, (e) a detailed review of evaluation methodologies and proposals for novel metrics, (f) a new, public dataset that serves as a baseline for comparison of misbehavior detection mechanisms, (g) a detailed evaluation of the proposed mechanisms and fusion operations, and (h) an outlook discussing how these results can be applied to other cyber-physical systems. The survey in this thesis provides an overview and classification of existing misbehavior detection mechanisms along various axes, including the scope of detection, type of data used and susceptibility to attacks. Not only does this provide a solid foundation for the requirements on Maat, it also supports the development of attacks and misbehavior detection mechanisms in the wider field. Within this thesis, we build a framework, called Maat, to fuse misbehavior detection results through subjective logic. Subjective logic is a mathematical framework that enables the expression of uncertainty on data through objects called subjective opinions. Maat applies this logic to build a flexible data management and fusion system, which determines the trustworthiness of data whenever it is accessed by applications. To support this data management, Maat uses a directed graph to store the data and the associated detection results. 
By recording both the data and the associated detection results separately, a wide range of potential new detectors can be explored. In addition, it enables the verifiable exchange of detection results for revocation. Subjective logic provides a variety of fusion operators to fuse subjective opinions. However, for some of these operators, fusion of multiple opinions (multi-source fusion) is not well-defined due to non-commutativity. In order to implement Maat, these operators were generalized to the multi-source fusion setting: we provide this generalization for weighted belief fusion (WBF) and consensus & compromise fusion (CCF). We also discuss how transitive trust relations can be applied within our framework. Maat contains a set of new detection mechanisms that exploit properties of subjective logic to more accurately model the detection results. We use these mechanisms to show that fusion can increase detection performance compared to individual detection mechanisms. As part of our survey of related work, we found that there are significant methodological differences and evaluation criteria. In this thesis, we provide an overview of those differences, and propose a new evaluation methodology that goes significantly beyond the rigor exhibited by existing work. This methodology includes a set of application-centric metrics for cooperative adaptive cruise control, one of the primary C-ITS applications, as well as metrics to assess overall detection performance in a widely deployed system. One issue we encountered in reproducing the work of others is the fact that there are no publicly available benchmarks against which misbehavior detection mechanisms can be tested. In this thesis, we present a public dataset that can serve as a baseline for such benchmarks. Based on this new methodology and the presented dataset, we provide a detailed evaluation of Maat's features. 
This includes a study of detection performance by different detection mechanisms, a comparison of fusion operations, and the analysis of weighing between detectors. We also revisit the idea of exponential weighted averaging (EWA) of detection output to protect against accidental faults. Our results show that Maat can provide an overall improvement in detection performance, while the EWA reduces performance even when attacks are persistently executed. We attribute this failure of EWA to the types of attacks executed in our experiments, whose detection depends on the spatial relationship between attacker and observer. This evidence suggests that EWA is not suitable in these specific scenarios. In summary, this thesis studies the topic of misbehavior detection in cooperative intelligent transport systems. Misbehavior detection exploits knowledge of physical processes to determine the trustworthiness of data and entities in a cyber-physical system. Through our developed fusion framework for misbehavior detection mechanisms, the safety and security of such systems can be improved significantly. Future work in this field could include the integration of misbehavior detection with sensor fusion processes to validate sensor data and protect against attacks on such systems, as well as extensions that enable reliable reporting and sharing of parts of Maat's world model

    Message type identification of binary network protocols using continuous segment similarity

    Protocol reverse engineering based on traffic traces infers the behavior of unknown network protocols by analyzing observable network messages. To perform correct deduction of message semantics or behavior analysis, accurate message type identification is an essential first step. However, identifying message types is particularly difficult for binary protocols, whose structural features are hidden in their densely packed data representation. In this paper, we leverage the intrinsic structural features of binary protocols and propose an accurate method for discriminating message types. Our approach uses a continuous similarity measure by comparing feature vectors where vector elements correspond to the fields in a message, rather than discrete byte values. This enables a better recognition of structural patterns, which remain hidden when only exact value matches are considered. We combine Hirschberg alignment with DBSCAN as cluster algorithm to yield a novel inference mechanism. By applying novel autoconfiguration schemes, we do not require manually configured parameters for the analysis of an unknown protocol, as required by earlier approaches. Results of our evaluations show that our approach has considerable advantages in message type identification result quality but also execution performance over previous approaches

    Multi-source fusion operations in subjective logic

    The purpose of multi-source fusion is to combine information from more than two evidence sources, or subjective opinions from multiple actors. For subjective logic, a number of different fusion operators have been proposed, each matching a fusion scenario with different assumptions. However, not all of these operators are associative, and therefore multi-source fusion is not well-defined for these settings. In this paper, we address this challenge, and define multi-source fusion for weighted belief fusion (WBF) and consensus & compromise fusion (CCF). For WBF, we show the definition to be equivalent to the intuitive formulation under the bijective mapping between subjective logic and Dirichlet evidence PDFs. For CCF, since there is no independent generalization, we show that the resulting multi-source fusion produces valid opinions, and explain why our generalization is sound. For completeness, we also provide corrections to previous results for averaging and cumulative belief fusion (ABF and CBF), as well as belief constraint fusion (BCF), which is an extension of Dempster's rule. With our generalizations of fusion operators, fusing information from multiple sources is now well-defined for all different fusion types defined in subjective logic. This enables wider applicability of subjective logic in applications where multiple actors interact

    Multi-source fusion operations in subjective logic

    This is the presentation of our paper, multi-source fusion operations in subjective logic

    VeReMi: a dataset for comparable evaluation of misbehavior detection in VANETs

    Vehicular networks are networks of communicating vehicles, a major enabling technology for future cooperative and autonomous driving technologies. The most important messages in these networks are broadcast-authenticated periodic one-hop beacons, used for safety and traffic efficiency applications such as collision avoidance and traffic jam detection. However, broadcast authenticity is not sufficient to guarantee message correctness. The goal of misbehavior detection is to analyze application data and knowledge about physical processes in these cyber-physical systems to detect incorrect messages, enabling local revocation of vehicles transmitting malicious messages. Comparative studies between detection mechanisms are rare due to the lack of a reference dataset. We take the first steps to address this challenge by introducing the Vehicular Reference Misbehavior Dataset (VeReMi) and a discussion of valid metrics for such an assessment. VeReMi is the first public extensible dataset, allowing anyone to reproduce the generation process, as well as contribute attacks and use the data to compare new detection mechanisms against existing ones. The result of our analysis shows that the acceptance range threshold and the simple speed check are complementary mechanisms that detect different attacks. This supports the intuitive notion that fusion can lead to better results with data, and we suggest that future work should focus on effective fusion with VeReMi as an evaluation baseline