Intrusion Detection Using Bit Timing Characteristics For CAN Bus


Intrusion Detection using Bit Timing Characteristics for CAN Bus

Chitvan K. Patel

Thesis submitted to the Faculty of the Virginia Polytechnic Institute and State University in partial fulfillment of the requirements for the degree of Master of Science in Mechanical Engineering

Alfred L. Wicks, Chair
Steve C. Southward
Alan T. Asbeck

June 17, 2019
Blacksburg, Virginia

Keywords: Intrusion Detection, CAN Bus, TDC, Machine Learning, KNN, Neural Networks

Copyright 2019, Chitvan K. Patel

Academic Abstract

In today’s world, most automobiles use the Controller Area Network (CAN) bus for communication between various Electronic Control Units (ECUs), also called nodes on the CAN bus. Each ECU on the CAN bus is a microcontroller that sends a unique identifier used for node identification. It is possible to spoof node A by sending the same identifier through node B and thereby control node A. Thus, a hacker can control the steering using the car’s internal lights and render it ineffective or misuse them. In order to combat this, we try to fingerprint each node by identifying its identifier’s unique bit timing characteristics. To that extent, the bit timing characteristics used are the Time of Flight (TOF) intervals between successive rising edges of identifier bits for an ECU. Similarly, other characteristics such as the TOF between successive falling edges of the CAN bus node identifier can also be used for node classification.

In order to measure these TOFs, we use a device called a Time-to-Digital Convertor, which essentially triggers a ring oscillator to measure time values between rising/falling edges of a signal, to the order of picosecond accuracy. These timing values are used as features for the K-nearest neighbors (KNN) classifier algorithm. Once the classifier is trained, it can be used to predict a new timing value into a particular node category, which if different from the expected category is a sign of compromise or intrusion. It is seen that we achieve 95% accuracy of correctly predicting the compromised node under simulation tests. Thereafter, the thesis deals with experimentally predicting an intrusion in the CAN bus system utilizing the EPOS Studio CAN bus position controller for Maxon motors. The clock timings being extremely accurate leads to the conclusion that employment of better statistical techniques for node characterization is needed for intrusion detection, which is outside the scope of this work.

General Audience Abstract

In today’s world, most automobiles use the Controller Area Network (CAN) bus for communication between various Electronic Control Units (ECUs), also called nodes on the CAN bus. These nodes can range from car headlights, radio, doors and internal lights to brakes, steering, throttle and much more. Each node on the CAN bus is a microcontroller which controls its proper operation. This also means that if a node is compromised using external hardware or a piece of software, it could be quite risky. Thus, a hacker can control the steering using the car’s internal lights and render it ineffective or misuse them. In order to combat this, we try to fingerprint each node by identifying its unique time domain characteristics. These characteristics can be the Time of Flight (TOF) measurement values between successive rising or falling edges of a node’s unique identifier, using an instrument called a Time-to-Digital convertor. Furthermore, these TOF values are used as features for the K-nearest neighbor (KNN) classifier machine learning algorithm, which uniquely identifies signals coming from any of the fingerprinted nodes, thereby raising a flag if a message comes from an unidentified node. In addition, experimental data is obtained for node identifiers on the CAN bus, in digital form, and passed into a neural network (NN) for training the classifier. We achieve a 95% and 70% prediction accuracy for the KNN and NN classifiers respectively.
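The detection pipeline that both abstracts describe (fingerprint each genuine node from the bit timing of its identifier, classify a fresh timing sample with KNN, and flag a frame when the predicted node is not the node that owns that identifier) is shown below as an added, stand-alone Python example. It is not code from the thesis or from the author. The node names, mean TOF values, jitter, the identifier-to-node mapping and the sample data are constructed assumptions for illustration; the TOF readings are synthesised with a random generator rather than taken from a TDC.

```python
import random
from collections import Counter

# Constructed model of three genuine ECUs. Each is assumed to produce
# Time-of-Flight (TOF) readings, in ns, between successive rising edges of
# its identifier bits, centred on a node-specific mean. The means, jitter
# and ID assignments are hypothetical illustration values, not measurements.
NODE_TOF_MEAN_NS = {"node_A": 19873.0, "node_B": 19880.0, "node_C": 19866.0}
TOF_JITTER_NS = 1.5
EXPECTED_NODE_FOR_ID = {0x49: "node_A", 0x101: "node_B", 0x200: "node_C"}


def synth_samples(node, n, rng):
    """Constructed labelled samples: two TOF features (start-stop1, start-stop2)."""
    mu = NODE_TOF_MEAN_NS[node]
    return [([rng.gauss(mu, TOF_JITTER_NS), rng.gauss(mu, TOF_JITTER_NS)], node)
            for _ in range(n)]


def build_training_set(per_node=200, seed=1):
    """Fingerprint every genuine node from its own (constructed) timing data."""
    rng = random.Random(seed)
    train = []
    for node in NODE_TOF_MEAN_NS:
        train += synth_samples(node, per_node, rng)
    return train


def knn_predict(train, features, k=5):
    """Majority vote among the k training samples closest in Euclidean distance."""
    ranked = sorted(train,
                    key=lambda s: sum((a - b) ** 2 for a, b in zip(s[0], features)))
    return Counter(label for _, label in ranked[:k]).most_common(1)[0][0]


def check_frame(train, can_id, features, k=5):
    """Classify the frame's timing and flag it when the predicted node is not
    the node that is supposed to own this identifier."""
    predicted = knn_predict(train, features, k)
    expected = EXPECTED_NODE_FOR_ID.get(can_id)
    return {"predicted": predicted, "expected": expected,
            "suspicious": predicted != expected}


def holdout_accuracy(train, per_node=100, seed=2, k=5):
    """Fraction of fresh constructed samples whose node is recovered correctly."""
    rng = random.Random(seed)
    hits = total = 0
    for node in NODE_TOF_MEAN_NS:
        for features, label in synth_samples(node, per_node, rng):
            hits += knn_predict(train, features, k) == label
            total += 1
    return hits / total


if __name__ == "__main__":
    train = build_training_set()
    print("hold-out accuracy:", holdout_accuracy(train))
    # Genuine frame: ID 0x49 carrying node_A's timing -> not suspicious
    print(check_frame(train, 0x49, [19873.2, 19872.6]))
    # Spoofed frame: ID 0x49 carrying node_B's timing -> suspicious
    print(check_frame(train, 0x49, [19879.8, 19880.4]))
```

The check compares the classifier's output against the identifier's registered owner rather than against an allow-list of identifiers, which is the point of the fingerprinting approach: a spoofed frame carries a legitimate ID, so only the timing gives it away. At the 95% accuracy the abstract reports, one frame in twenty from a genuine node would also land in the wrong category, so a deployment would count mismatches over a window of frames before raising an alert rather than acting on a single classification.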

Acknowledgments

Transforming from a core mechanical engineer to an engineer, i.e. a problem solver, has been a rough ride, only aided by some supportive people and a great institute. To this point I would like to thank all the factors who have contributed in transforming my personality to only become better and more responsible each day at VT. I would like to thank Dr. Wicks for all his guidance and patience, bearing with me throughout the 2 years that I have been associated with the Mechatronics Lab. He has always challenged me to take up tasks outside my comfort zone and dig deeper to strengthen my knowledge in new areas of engineering. He has been a major factor in making me an engineer and channeling my thought process towards problem solving. His efforts towards discussing various topics even outside engineering and continuous motivation have boosted my intellect. Without his continuous support my time at Virginia Tech would not have been so great and eye opening.

I am very thankful to my committee members Dr. Southward, who has been very helpful with his conceptual suggestions for TDC and review of the research proposal, along with Dr. Asbeck, who supported the inception of this thesis as part of the mechatronics project. A special shout-out to all my lab members namely Matt Spicer, Joshua Moser, Clinton Burns, Bhavi Bharat, Phil Repisky, Adam Lowery for their constant support, motivation, guidance while bearing with all my stupid questions be it technical or non-technical, and especially Tim Pierce, without whose electrical knowledge it wouldn’t have been possible to debug the experimental apparatus. In addition, I would like to thank my parents, who gave me the confidence that life is all about facing the challenges and surviving through thick and thin. Last but not least, I am very grateful to God because of whom I made it so far in life and hopefully continue to progress and prosper ahead.

Contents

Chapter 1
1.1 Introduction
1.2 Motivation
1.3 Hacking a CAN bus
1.4 Types of Attacks
1.5 Existing Intrusion Detection Systems
1.6 Approach
1.7 Thesis layout

Chapter 2
2.1 Theory
2.2 CAN Bus Theory
2.2.1 Introduction
2.2.2 Applications
2.2.3 Advantages and Bus Design
2.2.4 Example CAN messages with PCAN Viewer
2.3 Time to Digital Convertors
2.3.1 Introduction
2.3.2 Application
2.3.3 TDC architecture
2.3.4 Errors in TDC
2.3.5 Survey of available TDCs
2.3.6 Choice of TDC
2.3.7 TDC 7201
2.3.8 TDC7201-ZAX-EVM
2.4 Machine Learning Techniques
2.4.1 K-Nearest Neighbor Algorithm
2.4.2 Neural Networks

Chapter 3
3.1 Process
3.2 What is meant by intrusion in CAN bus? (revisited)
3.3 Equipment
3.4 Wiring Diagram and Data Acquisition
3.5 Thesis goal revisited (Process description)

Chapter 4
4.1 Experimental Design
4.2 Functionality of TDC to be verified
4.3 Simulating CAN identifier signal using microcontroller and checking for differences in relative timing values for fingerprinting nodes
4.4 Collecting actual CAN bus identifier bit timing data with the TDC EVM
4.5 Neural Network trained on the Identifier data from Picoscope
4.6 Modifications to the TDC EVM

Chapter 5
5.1 Results and Discussions
5.2 Verification of TDC functionality
5.3 CAN identifier signal simulated on MSP432 using TimerA module
5.4 KNN applied to CAN bus identifier bit timing data
5.5 Neural Network Results for model trained on raw identifier data
5.6 Actual CAN bus identifier bit timings

Chapter 6
6.1 Conclusions and Future Work
6.2 Intrusion detection based on timing measurement
6.3 Fingerprinting applied to CAN bus setup
6.4 Future Work
6.5 Final Remarks

References
Appendix A

List of Figures

Figure 1-1: Hacking attacks possible in CAN bus, namely Fabrication attack, Suspension attack and Masquerade attack
Figure 2-1: DB9 CAN Connector
Figure 2-2: DB9 Connector Pin Out Diagram
Figure 2-3: CAN node consisting of CAN controller and CAN transceiver on the CAN bus with terminating resistance at the ends
Figure 2-4: Signal from CAN controller (TTL) converted by the CAN transceiver to match CAN bus protocol
Figure 2-5: CAN frame transmitted by any node on the CAN bus
Figure 2-6: Bit stuffing in CAN bus frame for bit rate synchronization of CAN transceivers
Figure 2-7: Bit arbitration phase showing node 3 to be transmitting its identifier, gaining priority over nodes 1 and 2 based on their CAN IDs
Figure 2-8: PCAN view showing CAN bus nodes’ identifiers and corresponding messages
Figure 2-9: Time to digital convertor realization with counter mechanism
Figure 2-10: Tapped Delay line having propagation delay of every flip-flop to measure time interval between start and stop pulse
Figure 2-11: Delayed start signal from tapped delay line mechanism
Figure 2-12: TDC using a Vernier oscillator mechanism
Figure 2-13: TDC 7201 Block Diagram showing internal circuit elements
Figure 2-14: TDC 7201 Pin Layout
Figure 2-15: Standard Deviation in time measurements vs reference clock frequency
Figure 2-16: Measurement mode 1 working to calculate TOFs
Figure 2-17: Measurement mode 2 working to calculate TOFs
Figure 2-18: Multi-cycle Averaging for measuring time values from 250ps under very low power consumption mode and noise reduction
Figure 2-19: Result of multi-cycle averaging for time of flight values
Figure 2-20: Example of clock jitter accumulating with increase in number of clock cycles passed
Figure 2-21: Minimum signal parameters for correct working of TDC7201
Figure 2-22: TDC evaluation module
Figure 2-23: TDC EVM GUI configuration window
Figure 2-24: TDC EVM one shot measurement values for time of flight recording
Figure 2-25: TDC EVM graph window displaying the Start-Stop1 timing values captured
Figure 2-26: TDC EVM schematic for board
Figure 2-27: Classification example for data point (green) using 3 neighbors and 5 neighbors
Figure 2-28: Training error for KNN algorithm vs ‘k’ value
Figure 2-29: Validation error for KNN algorithm vs ‘k’ value
Figure 2-30: Multi-layer perceptron network with an input layer, 2 hidden layers and an output layer
Figure 2-31: Simplest example of neural network with 3 input neurons and 1 output neuron whose value is between 0 and 1
Figure 2-32: Single class neural network with 1 hidden layer
Figure 3-1: Node identifiers before intrusion
Figure 3-2: Node identifiers after intrusion
Figure 3-3: Expected histogram for bit timing values from 2 nodes A and B sending CAN messages with same identifier
Figure 3-4: Actual test setup
Figure 3-5: CAN bus setup wiring diagram showing 3 nodes and TDC connected to acquire the differential data from the system for each node active at a given time
Figure 3-6: Molex 4-pin CAN connector for tapping into the bus
Figure 3-7: Wiring diagram for full setup
Figure 3-8: Initial setup of TDC using GUI
Figure 3-9: Configurations for edge polarity and number of stops for TDC
Figure 3-10: TDC measuring 19873 ns with a resolution of picoseconds
Figure 3-11: Example CAN signal from EPOS controller using Picoscope conforming to the CANopen protocol
Figure 3-12: Edge polarity depiction from CAN signal for TDC start and stop pulses and expected bit timing
Figure 4-1: Physical connections to the TDC for start, stop and trigger pulses
Figure 4-2: Tektronix AFG3102 function generator connections to/from the TDC
Figure 4-3: PWM signals for start and stop pulse for TDC from signal generator captured using an oscilloscope, having a delay of 19us
Figure 4-4: TDC GUI with setup configuration
Figure 4-5: GUI graph for time of flight values from function generator
Figure 4-6: Histogram obtained for time interval between 2 PWM signals from signal generator using TDC, delay between 2 pulses is 19us
Figure 4-7: CAN bus identifier signal split into start and stop pulses
Figure 4-8: PWM signals from TimerA of MSP432 captured using an oscilloscope
Figure 4-9: TDC GUI showing time of flight values for PWMs generated
Figure 4-10: Histogram showing time intervals for PWMs observed from 6 different MSP432s using the TDC
Figure 4-11: DIP switch configuration to program the identifier with ID 0d73
Figure 4-12: CAN bus signal from Node 1 with ID 0d73 (0x49) captured in Picoscope
Figure 4-13: CAN differential signal between CAN H and CAN L measured using Picoscope without the TDC connected to the CAN bus setup for acquiring timing data
Figure 4-14: CAN differential signal with the TDC connected to the bus captured using Picoscope
Figure 4-15: Zoomed in view of the identifier signal with bits laid out and expected start and stop pulses by the TDC
Figure 4-16: Time interval between start-stop1 plotted as histogram (for training dataset)
Figure 4-17: Time interval between start-stop1 plotted as histogram (for test dataset)
Figure 4-18: CAN signal for identifier ID73 using Picoscope showing different Picoscope parameters for data acquisition
Figure 4-19: Identifier data extracted from the CAN signal using MATLAB showing 32 datasets plotted over each other
Figure 4-20: TDC EVM schematic showing 50-ohm resistor between the TDC input pin and ground
Figure 4-21: CAN bus signal with TDC connected (after removing 50-ohm resistor) as measured from Picoscope
Figure 4-22: Identifier signal with bits laid out and expected start and stop pulses by the TDC with timing values for multiple start-stops
Figure 4-23: Histogram for time interval between start-stop1
Figure 4-24: Histogram for time interval between start-stop2
Figure 5-1: Histogram fitted with normal distribution for TDC functionality verification experimental data obtained in Section 4.2
Figure 5-2: Test data for label 1834 overlaid with training data histogram
Figure 5-3: Test data for label 2580 overlaid with training data histogram
Figure 5-4: Test data for label 6526 overlaid with training data histogram
Figure 5-5: Combined histogram depicting training and test data for actual CAN bus setup
Figure 5-6: Sigmoid function for neuron activation in neural network
Figure 5-7: Rectified Linear Unit (ReLU) activation function for neurons
Figure 5-8: Performance of different optimization functions in presence of saddle points
Figure 6-1: Conditioned CAN H signal to be used with TDC
Figure 6-2: Conditioned CAN H and CAN L signals to be used as the start and stop pulse for the TDC
Figure A.1: Histogram for Time of Flight values from simulation experiment
Figure A.2: Test case 1834 histogram for time of flight values overlaid on simulation histograms
Figure A.3: Test case 6526 histogram for time of flight values overlaid on simulation histograms
Figure A.4: Test case 2580 histogram for time of flight values overlaid on simulation histograms

List of Tables

Table 2-1: Survey of available TDCs
Table 2-2: Important parameters of TDC7201
Table 3-1: EPOS position controller configuration parameters
Table 4-1: Important TDC configuration parameters
Table 4-2: Important signal characteristics to meet the requirements of TDC functioning
Table 5-1: Mean, standard deviation and skewness of the data for TDC functionality verification experiment in Section 4.2
Table 5-2: Loss results for trained KNN model on data from Section 4.3
Table 5-3: Test case and corresponding accuracy of KNN trained on data from Section 4.3
Table 5-4: Loss and Accuracy of KNN classifier for actual CAN bus identifier data
Table 5-5: Neural Network performance statistics
Table A.1: Mean and standard deviation values for histograms from simulation experiment
Table A.2: Mean and standard deviation for test case 1834 data
Table A.3: H values for test case 1834 under hypothesis test
Table A.4: p-value for test case 1834 under hypothesis test
Table A.5: Confidence Interval for test case 1834 under hypothesis test
Table A.6: Mean and standard deviation for test case 6526 data
Table A.7: H values, P-values and Confidence Interval for test case 6526 under hypothesis test
Table A.8: Mean and standard deviation for test case 2580 data
Table A.9: H values, P-values and Confidence Interval for test case 2580 under hypothesis test

Chapter 1

1.1 Introduction

In this chapter we briefly go through the motivation for this thesis, the challenges posed by intrusion in the automotive CAN bus, hacking mechanisms in a CAN bus, existing solutions to detect hacks, our approach to detecting intrusions, and the thesis layout. The goal of this chapter is to give an overview of the different topics related to CAN bus intrusions and what existing steps have been taken to either detect or prevent the hacks.

1.2 Motivation

Interest in developing automobiles with embedded electronic systems that replace mechanical parts has been growing since the 1970s. Today’s vehicles have a high number of electronic modules operating through high-speed digital processors and communicating over network services. Increasing use of Wi-Fi and Bluetooth services in vehicles has been seen for infotainment and telematics control units. These electronic modules communicate over the Controller Area Network (CAN) protocol. CAN is a multi-master bus protocol which allows every module to broadcast its ID and data in the form of a CAN packet. Modern cars are being equipped with a higher number of electronic control units (ECUs) communicating over CAN, and with the advent of autonomous vehicle technology we also see V2X communication, meaning vehicle-to-vehicle and vehicle-to-infrastructure communication. This opens u
