Survey of Automotive Controller Area Network Intrusion Detection Systems

Novel attacks continue to appear against in-vehicle networks due to the increasing complexity of heterogeneous software and hardware components used in vehicles. These new components introduce challenges when developing efficient and adaptable security mechanisms. Several intrusion detection systems (IDS) have been proposed to identify and protect in-vehicle networks against malicious activities. We describe the state-of-the-art intrusion detection methods for securing automotive networks, with special focus on the Controller Area Network (CAN). We provide a description of vulnerabilities, highlight threat models, identify known attack vectors present in CAN, and discuss the advantages and disadvantages of suggested solutions

CLort: High Throughput and Low Energy Network Intrusion Detection on IoT Devices with Embedded GPUs

While IoT is becoming widespread, cyber security of its devices is still a limiting factor where recent attacks (e.g., the Mirai bot-net) underline the need for countermeasures. One commonly-used security mechanism is a Network Intrusion Detection System (NIDS), but the processing need of NIDS has been a significant bottleneck for large dedicated machines, and a show-stopper for resource-constrained IoT devices. However, the topologies of IoT are evolving, adding intermediate nodes between the weak devices on the edges and the powerful cloud in the center. Also, the hardware of the devices is maturing, with new CPU instruction sets, caches as well as co-processors. As an example, modern single board computers, such as the Odroid XU4, come with integrated Graphics Processing Units (GPUs) that support general purpose computing. Even though using all available hardware efficiently is still an open issue, it has the promise to run NIDS more efficiently.In this work we introduce CLort, an extension to the well-known NIDS Snort that a) is designed for IoT devices b) alleviates the burden of pattern matching for intrusion detection by offloading it to the GPU. We thoroughly explain how our design is used as part of the latest release of Snort and suggest various optimizations to enable processing on the GPU. We evaluate CLort in regards to throughput, packet drops in Snort, and power consumption using publicly available traffic traces.\ua0CLort achieves up to 52% faster processing throughput than its CPU counterpart. CLort can also analyze up to 12% more packets than its CPU counterpart when sniffing a network.\ua0Finally, the experimental evaluation shows that CLort consumes up to 32% less energy than the CPU counterpart, an important consideration for IoT devices

Techniques for utilizing classification towards securing automotive controller area network and machine learning towards the reverse engineering of CAN messages

The vehicle industry is quickly becoming more connected and growing. This growth is due to advancements in cyber physical systems (CPSs) that enhance the safety and automation in vehicle. The modern automobile consists of more than 70 electronic control units (ECUs) that communicate and interact with each other over automotive bus systems. Passenger comforts, infotainment features, and connectivity continue to progress through the growth and integration of Internet-of-Things (IoT) technologies. Common networks include the Controller Area Network (CAN), Local Interconnect Network (LIN), and FlexRay. However, the benefits of increased connectivity and features comes with the penalty of increased vulnerabilities. Security is lacking in preventing attacks on safety-critical control systems. I will explore the state of the art methods and approaches researchers have taken to identify threats and how to address them with intrusion detection. I discuss the development of a hybrid based intrusion detection approach that combines anomaly and signature based detection methods. Machine learning is a hot topic in security as it is a method of learning and classifying system behavior and can detect intrusions that alter normal behavior. In this paper, we discuss utilizing machine learning algorithms to assist in classifying CAN messages. I present work that focuses on the reverse engineering and classification of CAN messages. The problem is that even though CAN is standardized, the implementation may vary for different manufacturers and vehicle models. These implementations are kept secret, therefore CAN messages for every vehicle needs to be analyzed and reverse engineered in order to get information. Due to the lack of publicly available CAN specifications, attackers and researchers need to reverse engineer messages to pinpoint which messages will have the desired impact. The reverse engineering process is needed by researchers and hackers for all manufacturers and their respective vehicles to understand what the vehicle is doing and what each CAN message means. The knowledge of the specifications of CAN messages can improve the effectiveness of security mechanisms applied to CAN

Explainable IDS for DoS Attacks

RÉSUMÉ : L’internet des objets (Internet of Things, IoT) est un secteur d’activité en plein développe-ment. Cette technologie va permettre de faire communiquer entre eux di˙érents appareils qui pourront alors échanger un nombre important de données. Sécuriser les informations trans-mises est un requis important de l’IoT. Des mécanismes de sécurité utilisés dans les réseaux actuels peuvent être repris (chi˙rement, authentification, etc). Néanmoins, l’augmentation de la surface d’attaque nécessite de développer de nouveaux outils afin d’améliorer la sécurité de ce type de réseau.Le mécanisme étudié dans cette étude est le système de détection d’intrusions (Intrusion Detection System, IDS). Les systèmes de détection d’intrusions analysent un ensemble de données afin de détecter de potentielles intrusions. Le développement de l’apprentissage automatique a permis d’augmenter les performances de ces algorithmes. Néanmoins, les al-gorithmes d’apprentissage automatique sont souvent très diÿcilement interprétables par un humain. Des méthodes, nommées Explainable Artificial Intelligence (XAI), ont été dévelop-pées pour permettre une meilleure interprétation des résultats. La revue de littérature a montré que plusieurs méthodes pouvaient être utilisées afin de réaliser un système de détec-tion. Les contraintes des objets connectés nous ont orientés vers une approche de détection d’anomalie à l’aide de l’analyse de paquets réseau. L’étude de la littérature a mis en avant l’algorithme Suport Vector Machine dans la détection des intrusions et la méthode Partial Dependence Plot (PDP) pour l’interprétation des résultats. Nous proposons une approche combinant ces deux algorithmes dans l’objectif d’obtenir un système de détection d’intrusions performant et ayant une meilleure interprétabilité.----------ABSTRACT : The Internet of Things (IoT) is a rapidly developing sector of activity. This technology will enable di˙erent devices to communicate with each other and exchange a large amount of data. Securing the information transmitted is an important requirement of the IoT. Security mechanisms used in current networks can be used (encryption, authentication, etc.). Nevertheless, the increase of the attack surface requires the development of new tools to improve the security of this type of network.The mechanism studied in this study is the Intrusion Detection System (IDS). Intrusion detection systems analyse a set of information in order to detect potential intrusions. The development of automatic learning has made it possible to increase the performance of these algorithms. Nevertheless, machine learning algorithms are often very diÿcult for a human to interpret. Methods, called Explainable Artificial Intelligence (XAI), have been developed to allow a better interpretation of the results. The literature review showed that several methods could be used to build a detection system. The constraints of the connected objects led us to an anomaly detection approach using network packet analysis. The literature review highlighted the Support Vector Machine algorithm in intrusion detection and the Partial Dependence Plot (PDP) method for the interpretation of the results. We propose an approach combining these two algorithms with the objective of obtaining a high-performance intrusion detection system with better interpretability.The resulting mechanism has been the subject of 3 experiments: an analysis of the errors in the detection algorithm using the PDP method, a comparison with an algorithm attacking the IDS and an implementation in a network simulator

Hardware-Aware Algorithm Designs for Efficient Parallel and Distributed Processing

The introduction and widespread adoption of the Internet of Things, together with emerging new industrial applications, bring new requirements in data processing. Specifically, the need for timely processing of data that arrives at high rates creates a challenge for the traditional cloud computing paradigm, where data collected at various sources is sent to the cloud for processing. As an approach to this challenge, processing algorithms and infrastructure are distributed from the cloud to multiple tiers of computing, closer to the sources of data. This creates a wide range of devices for algorithms to be deployed on and software designs to adapt to.In this thesis, we investigate how hardware-aware algorithm designs on a variety of platforms lead to algorithm implementations that efficiently utilize the underlying resources. We design, implement and evaluate new techniques for representative applications that involve the whole spectrum of devices, from resource-constrained sensors in the field, to highly parallel servers. At each tier of processing capability, we identify key architectural features that are relevant for applications and propose designs that make use of these features to achieve high-rate, timely and energy-efficient processing.In the first part of the thesis, we focus on high-end servers and utilize two main approaches to achieve high throughput processing: vectorization and thread parallelism. We employ vectorization for the case of pattern matching algorithms used in security applications. We show that re-thinking the design of algorithms to better utilize the resources available in the platforms they are deployed on, such as vector processing units, can bring significant speedups in processing throughout. We then show how thread-aware data distribution and proper inter-thread synchronization allow scalability, especially for the problem of high-rate network traffic monitoring. We design a parallelization scheme for sketch-based algorithms that summarize traffic information, which allows them to handle incoming data at high rates and be able to answer queries on that data efficiently, without overheads.In the second part of the thesis, we target the intermediate tier of computing devices and focus on the typical examples of hardware that is found there. We show how single-board computers with embedded accelerators can be used to handle the computationally heavy part of applications and showcase it specifically for pattern matching for security-related processing. We further identify key hardware features that affect the performance of pattern matching algorithms on such devices, present a co-evaluation framework to compare algorithms, and design a new algorithm that efficiently utilizes the hardware features.In the last part of the thesis, we shift the focus to the low-power, resource-constrained tier of processing devices. We target wireless sensor networks and study distributed data processing algorithms where the processing happens on the same devices that generate the data. Specifically, we focus on a continuous monitoring algorithm (geometric monitoring) that aims to minimize communication between nodes. By deploying that algorithm in action, under realistic environments, we demonstrate that the interplay between the network protocol and the application plays an important role in this layer of devices. Based on that observation, we co-design a continuous monitoring application with a modern network stack and augment it further with an in-network aggregation technique. In this way, we show that awareness of the underlying network stack is important to realize the full potential of the continuous monitoring algorithm.The techniques and solutions presented in this thesis contribute to better utilization of hardware characteristics, across a wide spectrum of platforms. We employ these techniques on problems that are representative examples of current and upcoming applications and contribute with an outlook of emerging possibilities that can build on the results of the thesis

Integrating security into real-time cyber-physical systems

Cyber-physical systems (CPS) such as automobiles, power plants, avionics systems, unmanned vehicles, medical devices, manufacturing and home automation systems have distinct cyber and physical components that must work cohesively with each other to ensure correct operation. Many cyber-physical applications have “real-time” constraints, i.e., they must function correctly within predetermined time scales. A failure to protect these systems could result in significant harm to humans, the system or even the environment. While traditionally such systems were isolated from external accesses and used proprietary components and protocols, modern CPS use off-the-shelf components and are increasingly interconnected, often via networks such as the Internet. As a result, they are exposed to additional attack surfaces and have become increasingly vulnerable to cyber attacks. Enhancing security for real-time CPS, however, is not an easy task due to limited resource availability (e.g., processing power, memory, storage, energy) and stringent timing/safety requirements. Security monitoring techniques for cyber-physical platforms (a) must execute with existing real-time tasks, (b) operate without impacting the timing and safety constraints of the control logic and (c) have to be designed and executed in a way that an adversary cannot easily evade it. The objective of my research is to increase security posture of embedded real-time CPS by integrating monitoring/detection techniques that defeat cyber attacks without violating timing/safety constraints of existing tasks. My dissertation work explores the real-time security domain and shows that by employing a combination of multiple scheduling/analysis techniques and interactions between hardware/software-based security extensions, it becomes feasible to integrate security monitoring mechanisms in real-time CPS without compromising timing/safety requirements of existing tasks. In this research, I (a) develop techniques to raise the responsiveness of security monitoring tasks by increasing their frequency of execution, (b) design a hardware-supported framework to prevent falsification of actuation commands — i.e., commands that control the state of the physical system and (c) propose metrics to trade-off security with real-time guarantees. The solutions presented in this dissertation require minimal changes to system components/parameters and thus compatible for legacy systems. My proposed frameworks and results are evaluated through both, simulations and experiments on real off-the-shelf cyber-physical platforms. The development of analysis techniques and design frameworks proposed in this dissertation will inherently make such systems more secure and hence, safer. I believe my dissertation work will bring researchers and system engineers one step closer to understand how to integrate two seemingly diverse yet important fields — real-time CPS and cyber-security — while gaining a better understanding of both areas