21 research outputs found

    Cloaking the Clock: Emulating Clock Skew in Controller Area Networks

    Automobiles are equipped with Electronic Control Units (ECU) that communicate via in-vehicle network protocol standards such as Controller Area Network (CAN). These protocols are designed under the assumption that separating in-vehicle communications from external networks is sufficient for protection against cyber attacks. This assumption, however, has been shown to be invalid by recent attacks in which adversaries were able to infiltrate the in-vehicle network. Motivated by these attacks, intrusion detection systems (IDSs) have been proposed for in-vehicle networks that attempt to detect attacks by making use of device fingerprinting using properties such as clock skew of an ECU. In this paper, we propose the cloaking attack, an intelligent masquerade attack in which an adversary modifies the timing of transmitted messages in order to match the clock skew of a targeted ECU. The attack leverages the fact that, while the clock skew is a physical property of each ECU that cannot be changed by the adversary, the estimation of the clock skew by other ECUs is based on network traffic, which, being a cyber component only, can be modified by an adversary. We implement the proposed cloaking attack and test it on two IDSs, namely, the current state-of-the-art IDS and a new IDS that we develop based on the widely-used Network Time Protocol (NTP). We implement the cloaking attack on two hardware testbeds, a prototype and a real connected vehicle, and show that it can always deceive both IDSs. We also introduce a new metric called the Maximum Slackness Index to quantify the effectiveness of the cloaking attack even when the adversary is unable to precisely match the clock skew of the targeted ECU. Comment: 11 pages, 13 figures, This work has been accepted to the 9th ACM/IEEE International Conference on Cyber-Physical Systems (ICCPS

    Detecting ADS-B Spoofing Attacks using Deep Neural Networks

    The Automatic Dependent Surveillance-Broadcast (ADS-B) system is a key component of the Next Generation Air Transportation System (NextGen) that manages the increasingly congested airspace. It provides accurate aircraft localization and efficient air traffic management and also improves the safety of billions of current and future passengers. While the benefits of ADS-B are well known, the lack of basic security measures like encryption and authentication introduces various exploitable security vulnerabilities. One practical threat is the ADS-B spoofing attack that targets the ADS-B ground station, in which the ground-based or aircraft-based attacker manipulates the International Civil Aviation Organization (ICAO) address (a unique identifier for each aircraft) in the ADS-B messages to fake the appearance of non-existent aircraft or masquerade as a trusted aircraft. As a result, this attack can confuse the pilots or the air traffic control personnel and cause dangerous maneuvers. In this paper, we introduce SODA - a two-stage Deep Neural Network (DNN)-based spoofing detector for ADS-B that consists of a message classifier and an aircraft classifier. It allows a ground station to examine each incoming message based on the PHY-layer features (e.g., IQ samples and phases) and flag suspicious messages. Our experimental results show that SODA detects ground-based spoofing attacks with a probability of 99.34%, while having a very small false alarm rate (i.e., 0.43%). It outperforms other machine learning techniques such as XGBoost, Logistic Regression, and Support Vector Machine. It further identifies individual aircraft with an average F-score of 96.68% and an accuracy of 96.66%, with a significant improvement over the state-of-the-art detector. Comment: Accepted to IEEE CNS 201

    Crowdsensing and Resource Allocation in Shared Spectrum

    Thesis (Ph.D.)--University of Washington, 2018. The exponential growth of mobile data services has translated into a proportionate surge in demand for greater wireless broadband capacity. Within today's fixed spectrum allocation regime, exclusive spectrum access rights are granted to federal and commercial users, but a significant portion of the licensed spectrum has been underutilized by primary users (PUs). To alleviate artificial spectrum scarcity, spectrum sharing has been proposed to allow secondary users (SUs) to opportunistically access the locally unoccupied spectrum, called White Spaces (WS), so long as they do not cause harmful interference to PUs. To this end, the FCC is actively pursuing policy innovations to create shared spectrum, including WS in TV bands (TVWS) and the 3.5 GHz Citizens Broadcast Radio Service (CBRS) band, which often relies on a spectrum manager that manages the shared spectrum access, such as the database administrator (DBA) in TVWS and the Spectrum Access System (SAS) in CBRS. Our work begins by showing that the empirical DBA models for TV coverage estimation are locally inaccurate, since they do not explicitly account for local obstructions. Therefore, we propose augmenting the DBA approach with spatial-statistics-based radio mapping using Kriging and show that it achieves more accurate coverage boundary estimation, which leads to fewer missing WS opportunities (type-I errors) while keeping misclassifications (type-II errors) under a certain limit. Scaling spatial-statistics-based radio mapping to larger areas inevitably meets cost limitations. An economically viable alternative is crowdsensing, that is, outsourcing sensing tasks to spatially distributed users with mobile devices that are outfitted with spectrum sensors.
    In order to attract user participation for crowdsensing, we propose an auction-based incentive mechanism, in which each user submits a bid (the minimum acceptable payment) for providing spectrum data and receives a payment when selected. We show that the proposed scheme is truthful, computationally efficient, individually rational, and budget feasible. We also consider the design of a pricing-based incentive mechanism, in which the platform who constructs radio maps makes one-time offers (the incentive for participation) to selected users (either sequentially or in batches) and collects data from those who accept the offers. We formulate pricing mechanism design as expected utility maximization, where the expected utility captures the tradeoff between radio mapping performance (location and data quality), crowdsensing cost, and uncertainty in offer outcomes (possible expiration and rejection). We show that the proposed user selection algorithm provides a provable performance guarantee and the proposed mechanism outperforms the baseline mechanisms. After WS opportunities are identified, it is crucial to efficiently allocate resources (e.g., available channels) to SUs. To this end, we study SAS-assisted dynamic channel assignment in the CBRS. We propose a novel graph representation to capture spatially varying channel availability, channel contiguity, and coexistence opportunities, which allows us to employ or develop efficient algorithms with provable performance guarantees. As the last piece of this thesis, we study the problem of monitoring whether Wi-Fi and duty cycled LTE Unlicensed (LTE-U) are sharing channel access time in a fair manner. We propose a scheme that allows the spectrum manager to estimate the duty cycle of a target LTE-U system and detect duty cycling misbehaviors with a high probability of detection, while keeping the false alarm probability under a certain limit

    SAS-Assisted Coexistence-Aware Dynamic Channel Assignment in CBRS Band


    Exploring Indoor White Spaces in Metropolises

    It is a promising vision to utilize white spaces, i.e., vacant VHF and UHF TV channels, to satisfy skyrocketing wireless data demand in both outdoor and indoor scenarios. While most prior works have focused on exploring outdoor white spaces, the indoor story is largely open for investigation. Motivated by this observation and that 70 % of the spectrum demand comes from indoor environments, we carry out a comprehensive study of exploring indoor white spaces. We first present a large-scale measurement of outdoor and indoor TV spectrum occupancy in 30+ diverse locations in a typical metropolis Hong Kong. Our measurement results confirm abundant white spaces available for exploration in a wide range of areas in metropolises. In particular, more than 50 % and 70 % of the TV spectrum are white spaces in outdoor and indoor scenarios, respectively. While there are substantially more white space