Cloaking the Clock: Emulating Clock Skew in Controller Area Networks
Automobiles are equipped with Electronic Control Units (ECU) that communicate
via in-vehicle network protocol standards such as Controller Area Network
(CAN). These protocols are designed under the assumption that separating
in-vehicle communications from external networks is sufficient for protection
against cyber attacks. This assumption, however, has been shown to be invalid
by recent attacks in which adversaries were able to infiltrate the in-vehicle
network. Motivated by these attacks, intrusion detection systems (IDSs) have
been proposed for in-vehicle networks that attempt to detect attacks by making
use of device fingerprinting using properties such as clock skew of an ECU. In
this paper, we propose the cloaking attack, an intelligent masquerade attack in
which an adversary modifies the timing of transmitted messages in order to
match the clock skew of a targeted ECU. The attack leverages the fact that,
while the clock skew is a physical property of each ECU that cannot be changed
by the adversary, the estimation of the clock skew by other ECUs is based on
network traffic, which, being a cyber component only, can be modified by an
adversary. We implement the proposed cloaking attack and test it on two IDSs,
namely, the current state-of-the-art IDS and a new IDS that we develop based on
the widely-used Network Time Protocol (NTP). We implement the cloaking attack
on two hardware testbeds, a prototype and a real connected vehicle, and show
that it can always deceive both IDSs. We also introduce a new metric called the
Maximum Slackness Index to quantify the effectiveness of the cloaking attack
even when the adversary is unable to precisely match the clock skew of the
targeted ECU.
Comment: 11 pages, 13 figures, This work has been accepted to the 9th ACM/IEEE
International Conference on Cyber-Physical Systems (ICCPS
Detecting ADS-B Spoofing Attacks using Deep Neural Networks
The Automatic Dependent Surveillance-Broadcast (ADS-B) system is a key
component of the Next Generation Air Transportation System (NextGen) that
manages the increasingly congested airspace. It provides accurate aircraft
localization and efficient air traffic management and also improves the safety
of billions of current and future passengers. While the benefits of ADS-B are
well known, the lack of basic security measures like encryption and
authentication introduces various exploitable security vulnerabilities. One
practical threat is the ADS-B spoofing attack that targets the ADS-B ground
station, in which the ground-based or aircraft-based attacker manipulates the
International Civil Aviation Organization (ICAO) address (a unique identifier
for each aircraft) in the ADS-B messages to fake the appearance of non-existent
aircraft or masquerade as a trusted aircraft. As a result, this attack can
confuse the pilots or the air traffic control personnel and cause dangerous
maneuvers. In this paper, we introduce SODA - a two-stage Deep Neural Network
(DNN)-based spoofing detector for ADS-B that consists of a message classifier
and an aircraft classifier. It allows a ground station to examine each incoming
message based on the PHY-layer features (e.g., IQ samples and phases) and flag
suspicious messages. Our experimental results show that SODA detects
ground-based spoofing attacks with a probability of 99.34%, while having a very
small false alarm rate (i.e., 0.43%). It outperforms other machine learning
techniques such as XGBoost, Logistic Regression, and Support Vector Machine. It
further identifies individual aircraft with an average F-score of 96.68% and an
accuracy of 96.66%, with a significant improvement over the state-of-the-art
detector.
Comment: Accepted to IEEE CNS 201
Crowdsensing and Resource Allocation in Shared Spectrum
Thesis (Ph.D.)--University of Washington, 2018
The exponential growth of mobile data services has translated into a proportionate surge in demand for greater wireless broadband capacity. Within today's fixed spectrum allocation regime, exclusive spectrum access rights are granted to federal and commercial users, but a significant portion of the licensed spectrum has been underutilized by primary users (PUs). To alleviate artificial spectrum scarcity, spectrum sharing has been proposed to allow secondary users (SUs) to opportunistically access the locally unoccupied spectrum, called White Spaces (WS), so long as they do not cause harmful interference to PUs. To this end, the FCC is actively pursuing policy innovations to create shared spectrum, including WS in TV bands (TVWS) and the 3.5 GHz Citizens Broadcast Radio Service (CBRS) band, which often relies on a spectrum manager that manages the shared spectrum access, such as the database administrator (DBA) in TVWS and the Spectrum Access System (SAS) in CBRS. Our work begins by showing that the empirical DBA models for TV coverage estimation are locally inaccurate, since they do not explicitly account for local obstructions. Therefore, we propose augmenting the DBA approach with spatial-statistics-based radio mapping using Kriging and show that it achieves more accurate coverage boundary estimation, which leads to fewer missing WS opportunities (type-I errors) while keeping misclassifications (type-II errors) under a certain limit. Scaling spatial-statistics-based radio mapping to larger areas inevitably meets cost limitations. An economically viable alternative is crowdsensing, that is, outsourcing sensing tasks to spatially distributed users with mobile devices that are outfitted with spectrum sensors.
In order to attract user participation for crowdsensing, we propose an auction-based incentive mechanism, in which each user submits a bid (the minimum acceptable payment) for providing spectrum data and receives a payment when selected. We show that the proposed scheme is truthful, computationally efficient, individually rational, and budget feasible. We also consider the design of a pricing-based incentive mechanism, in which the platform who constructs radio maps makes one-time offers (the incentive for participation) to selected users (either sequentially or in batches) and collects data from those who accept the offers. We formulate pricing mechanism design as expected utility maximization, where the expected utility captures the tradeoff between radio mapping performance (location and data quality), crowdsensing cost, and uncertainty in offer outcomes (possible expiration and rejection). We show that the proposed user selection algorithm provides a provable performance guarantee and the proposed mechanism outperforms the baseline mechanisms. After WS opportunities are identified, it is crucial to efficiently allocate resources (e.g., available channels) to SUs. To this end, we study SAS-assisted dynamic channel assignment in the CBRS. We propose a novel graph representation to capture spatially varying channel availability, channel contiguity, and coexistence opportunities, which allows us to employ or develop efficient algorithms with provable performance guarantees. As the last piece of this thesis, we study the problem of monitoring whether Wi-Fi and duty cycled LTE Unlicensed (LTE-U) are sharing channel access time in a fair manner. We propose a scheme that allows the spectrum manager to estimate the duty cycle of a target LTE-U system and detect duty cycling misbehaviors with a high probability of detection, while keeping the false alarm probability under a certain limit.
Exploring Indoor White Spaces in Metropolises
It is a promising vision to utilize white spaces, i.e., vacant VHF and UHF TV channels, to satisfy skyrocketing wireless data demand in both outdoor and indoor scenarios. While most prior works have focused on exploring outdoor white spaces, the indoor story is largely open for investigation. Motivated by this observation and that 70 % of the spectrum demand comes from indoor environments, we carry out a comprehensive study of exploring indoor white spaces. We first present a large-scale measurement of outdoor and indoor TV spectrum occupancy in 30+ diverse locations in a typical metropolis Hong Kong. Our measurement results confirm abundant white spaces available for exploration in a wide range of areas in metropolises. In particular, more than 50 % and 70 % of the TV spectrum are white spaces in outdoor and indoor scenarios, respectively. While there are substantially more white space