
Intrusion Detection System Based on the Analysis of Time Intervals of CAN Messages for In-Vehicle Network

Hyun Min Song, Ha Rang Kim and Huy Kang Kim
Center for Information Security Technologies (CIST), Graduate School of Information Security
Korea University
Seoul, Republic of Korea
signos@korea.ac.kr, rang0708@korea.ac.kr, cenda@korea.ac.kr

Abstract—The Controller Area Network (CAN) bus in vehicles is a de facto standard for serial communication that provides an efficient, reliable and economical link between Electronic Control Units (ECUs). However, the CAN bus does not have enough security features to protect itself from inside or outside attacks. An Intrusion Detection System (IDS) is one of the best ways to enhance the vehicle security level. Unlike a traditional IDS for network security, an IDS for vehicles requires a light-weight detection algorithm because of the limited computing power of the electronic devices that reside in cars. In this paper, we propose a light-weight intrusion detection algorithm for the in-vehicle network based on the analysis of time intervals of CAN messages. We captured CAN messages from cars made by a famous manufacturer and performed three kinds of message injection attacks. As a result, we find that the time interval is a meaningful feature for detecting attacks in CAN traffic. Also, our intrusion detection system detects all of the message injection attacks without making false positive errors.

Keywords—car security; controller area network; intrusion detection system

I. INTRODUCTION

Today, modern vehicles are becoming smart, intelligent and connected. The proportion of electronic equipment in a vehicle was only 1% in the 1980s and has increased to about 50% nowadays. We might consider a vehicle an electronic device or Internet of Things (IoT) device, not only a physical or mechanical device. As vehicles adopt more electronic components and implement connectivity functions to the external network, security threats to the electronic equipment of vehicles are rising sharply.

Most smart devices, such as smartphones, tablets and laptop computers, can have security or privacy problems when they are compromised by malicious attacks. Unlike the usual smart devices, a smart car (or connected car) can have one more critical problem when hacked: the safety problem, which can seriously threaten people's daily lives. Therefore, we need to develop detection and prevention algorithms to react to the emerging threats to vehicles.

A. Vehicle Networks

Vehicle networks can be categorized by logical network location. One is the external network, and the other is the internal network, called the in-vehicle network. Vehicle networks can also be categorized by communication type: Vehicle-to-Vehicle (V2V), also known as Vehicular Ad hoc Network (VANET), and Vehicle-to-Infrastructure (V2I). For convenience, these communications altogether are usually called V2X. V2X communications are used for safe driving by notifying drivers of information on the road.

There are various protocols for in-vehicle networks. Table I shows three well-known protocols for the in-vehicle network: Controller Area Network (CAN), Local Interconnect Network (LIN) and FlexRay. CAN is a serial bus that provides an efficient, reliable and economical link between Electronic Control Units (ECUs). CAN is used for a vehicle's core control systems like body systems, engine management, and transmission control. LIN is a serial network protocol like CAN. LIN was developed as an alternative to CAN where low-cost implementation is required. LIN is usually used in environments where communication speed is not critical. LIN is now a complement to CAN within vehicles. FlexRay is designed to support faster and more reliable communication than CAN. FlexRay supports two-channel communication, whereas CAN supports only a single channel. The maximum speed of the CAN bus is 1 Mbps, whereas the maximum speed of FlexRay is 10 Mbps. FlexRay also supports flexible topology configurations like a bus, star, or hybrid topology.

TABLE I. CLASSIFICATION OF THE IN-VEHICLE NETWORK

Protocol | Description | Applications
CAN | Multi-master, asynchronous serial network; fast and reliable | Critical real-time communication (body systems, engine management, transmission, airbags)
LIN | Single-master, multiple-slave serial network; cheap and slow | Body control (door locks, seat belts, lighting, window, mirror)
FlexRay | Next generation protocol; fast but more expensive | Multimedia and X-by-wire (drive-by-wire, brake-by-wire, steering-by-wire)

B. Security Threats on Vehicles

There are many security threats to vehicle electronic systems via a variety of access points such as V2X communication, telematics service, Bluetooth connection of mobile devices, and the On-Board Diagnostics (OBD) port. We describe some security threats by attack surface. As described in Table II, the vehicle security problem is not just about information security or privacy leakage. These security threats can affect the safety of drivers directly.

TABLE II. SECURITY THREATS ON VEHICLE ELECTRONIC SYSTEMS

Security threats:
- Remotely vehicle control
- Sensitive data leakage
- Eavesdropping via microphone
- Abusing traffic signal control
- Sending fake message
- Polluting traffic information
- Execution of non-approval function
- Injecting messages on CAN bus
- Unauthorized overall vehicle control
- Illegal tuning of engine
- Odometer fraud
- Usage of non-approval equipment

Related column (surviving cell): Safety/Security (integrity)

C. Organization of this paper

We introduced vehicle networks and security threats to vehicle electronic systems in Section 1. The rest of the paper is organized as follows. Section 2 presents recent research and projects on vehicle security. We introduce our intrusion detection method for CAN bus traffic of the vehicle network in Section 3. In Section 4, we describe the result of the experiment performed on a real vehicle. Finally, we discuss the experiment result and conclude the paper in Section 5.

II. RELATED WORKS

A. Recent Researches

Recently, Samy Kamal developed a hacking tool named Ownstar to hack GM's OnStar service. He successfully gained the system control authority of OnStar and controlled remote start, door, etc. [1]. Charlie Miller and Chris Valasek introduced their work on the Jeep Cherokee via the wireless network. They took over full control of vehicle systems, including steering, acceleration, brakes and turning off the engine, from the remote side [2]. They proved that an arbitrary vehicle can be controlled by remote attackers when the attackers know the IP address assigned to the vehicle. Miller and Valasek also showed what hackers can do by injecting fake messages on the CAN bus and suggested countermeasures against message injection attacks. They developed and publicly released an attack tool named EcomCat, which helps to receive and transmit messages on the CAN bus [3]. In fact, there were many attempts to hack a car before Miller and Valasek's work. Koscher et al. investigated practical security issues in vehicles on the road. They showed that they could take control of vehicle systems like the engine, brakes, heating, and lights. A custom tool named CARSHARK, which can analyze and inject messages on the CAN bus, was used for experimental analysis [4]. Checkoway et al. categorized the external attack surfaces of the vehicle. According to their categorization, there are four external attack surfaces of a vehicle: the OBD-II port as direct physical, CD and PassThru devices as indirect physical, Bluetooth as short-range wireless, and cellular as long-range wireless [5]. Verdult et al. found vulnerabilities in the Hitag2 transponders that make it possible to retrieve the secret key and can be abused to bypass the immobilizer and start the vehicle [6]. Ishtiaq et al. introduced vulnerabilities of in-vehicle wireless networks through the case study of a pressure monitoring system [7].

B. Research Projects on Vehicle Security

In this section, we summarize recent research projects on vehicle security. Besides the projects listed below, many standards (e.g. ISO 26262 [21], a safety standard on road vehicles, and AUTOSAR [22], an open standard architecture) are continuously making efforts to enhance the vehicle security level. Well-known vehicle security projects are as follows.

- SeVeCom (Secure Vehicular Communication) defines the security architecture of inter-vehicular and vehicle-infrastructure communications, the mechanism of security functions and the cryptographic primitives required [8].
- While SeVeCom focused on attacks on external communication, EVITA (E-safety Vehicle Intrusion Protected Applications) focused on in-vehicle systems. EVITA developed an architecture and implemented a Hardware Security Module (HSM) for automotive on-board networks to protect in-vehicle systems related to security and sensitive data [9].
- PRECIOSA (Privacy Enabled Capability in Co-operative Systems and Safety Applications) focused on privacy in V2X communication. They developed guidelines for Intelligent Transport System (ITS) privacy, trust models and ontologies for privacy, and a privacy-verifiable architecture [10].
- OVERSEE (Open Vehicular Secure Platform) designed an open platform that provides secure communication between the in-vehicle network and applications. Secure Vehicle Access Service (SVAS) is used for secure communication. OVERSEE uses virtualization to isolate the workspace of each application and a Security Policy Module to manage each application's access to hardware [11].
- PRESERVE (Preparing Secure V2X Communication Systems) combines results from earlier research projects of European countries such as SeVeCom, PRECIOSA, EVITA and OVERSEE to provide a complete, scalable and cost-efficient solution for security problems related to communication systems connected to vehicles [12].

- VSCC (Vehicle Safety Communication Consortium) consists of 7 automobile manufacturers: BMW, DaimlerChrysler, Ford, GM, Nissan, Toyota, and VW. They developed a vehicle safety service using Vehicle-to-Vehicle (V2V) communications and specified communication requirements of vehicle safety applications, including secure V2X communication [13].
- NoW (Network on Wheels) and CVIS communication protocols for V2X communications. While NoW focused on V2V and data security, CVIS focused on Vehicle-to-Infrastructure (V2I) and a variety of security issues such as user authentication and data privacy [14], [15].

C. Intrusion Detection System (IDS) for Vehicle Network

Traditional vehicles did not need a strong security system because they had no network interface to communicate with external networks. Therefore, CAN itself was like a closed network for a long time. Now many components of vehicles have become computerized, and vehicles have become connected to outside networks.

Vehicle security is closely related to safety. Detecting and preventing attacks is important to protect the safety of drivers and passengers. There have been several studies on detecting attacks targeted at vehicles. Hoppe et al. [16] and Miller and Valasek [17] introduced a concept for in-vehicle intrusion detection based on the analysis of the rate of messages. Because the number of messages on the CAN bus is the sum of the numbers of normal messages and attack messages, they analyzed the distribution of message rates (messages per second) to detect anomalous message occurrences. Larson et al. proposed a specification-based attack detection method [18]. They detected traffic that does not fit the protocol-level security specifications and ECU-behavior security specifications. Protocol-level security specifications define the individual fields, dependent fields, and inter-object fields of a message. ECU-behavior security specifications are about message transmission, message reception, and rates of message transmission and reception of each ECU. Muter and Asaj proposed an entropy-based anomaly detection method [19]. They defined the notion of entropy on the CAN bus and detected intrusions by comparing entropy to a reference set. Muter et al. [20] proposed a structured approach for anomaly detection. They use eight sensors to monitor a variety of aspects of the CAN bus. Their method showed no false positive error. However, if an adversary injects messages that do not violate the CAN specification, then this attack cannot be detected by their algorithm.

Early research on message-rate-based intrusion detection on the CAN bus needs to collect a sufficient amount of CAN bus messages to compute the distribution of a message. Thus, these detection methods need some time to detect anomalous messages. However, the current computerized devices in vehicles have limited computing power to detect and respond in real time.

To overcome this problem, we suggest a light-weight intrusion detection method. Our goal is to simplify the detection algorithm so that it responds faster and uses less computing power.

III. LIGHT WEIGHT IDS

A. Threat model

The proposed system is a hybrid IDS that can detect both known attack signatures and anomalous events. The number of known attack signatures on a vehicle is relatively small, so the signature-based detection module does not require high computing power. The proposed system is mainly designed to detect message injection attacks by analyzing traffic anomalies based on message frequency. As CAN is a broadcast network, messages sent by one of the nodes do not contain source or target information. Also, these messages cannot be manipulated or eliminated easily. But an attacker can still inject messages into the CAN bus to control electronic devices such as ECUs. Fig. 1 shows a conceptual diagram of the difference between the status under a message injection attack and the normal status.

In normal status, each message ID (0x1, 0x2, ...) generated by ECUs has its own regular frequency or interval. When attackers try to inject messages to execute a command on an ECU, this frequency or interval changes unexpectedly. While messages are being injected by attackers, ECUs still send their messages cyclically. Eventually, the rate of messages on the network can increase more than two times (typically 20-100 times higher; it depends on the attacker's injection speed).

We select the message rate as a significant feature for the proposed detection method, and it is effective. But there is a gap between the time the attack starts and the time of detection. For example, if we set the time window to one second to observe and calculate the rate, there is always a gap of up to one second. Even if attackers begin attacks at 0 seconds, we have to receive the attack packets until the minimum time window required to calculate the rate has passed.

As with other statistical methods, a small amount of observational data can cause a wrong decision. But attacks can happen at any time, and this false-negative error can cause a serious accident. To solve this problem, we simplify the process of detecting message injection to get a fast response while keeping accuracy high.

There are two forms of CAN injection attacks. One is injecting CAN diagnostic messages, and the other is injecting standard messages to imitate the messages from ECUs. In general, diagnostic messages should not appear when a car is on the road. If a diagnostic message appears on the road, then it is obviously an attack or a system malfunction.

We divided message injection attacks into three types for the experiments. Type 1 is injecting messages of a single CAN ID, type 2 is injecting random or pre-ordered messages of multiple CAN IDs, and type 3 is massive message injection such as a Denial of Service (DoS) attack. These attacks are basically similar but differ in their purpose. Details of the three types of injection attack and their countermeasures follow.

- Type 1: Injecting specific messages of a single CAN ID repeatedly to make the vehicle operate according to the injected messages. We could detect the type-1 attack by finding a message that has an abnormally shortened time interval.
- Type 2: Injecting random or pre-ordered messages of multiple CAN IDs to cause a system malfunction on a vehicle. A replay attack is one type-2 attack, based on pre-ordered message injection. We could detect the type-2 attack by finding multiple CAN IDs that have a shorter time interval than normal.
- Type 3: Injecting messages massively to disrupt CAN communication. An attacker can easily generate traffic that surpasses the maximum capacity of the CAN bus, only 1 Mbps. Each CAN message has 128 bits at most, and there are three 1-bits, called the interframe space, between messages. Thus, a DoS attack can occur by sending about 8,000 messages per second.

Fig. 1. Conceptual diagram about transmitted messages on CAN bus on (a) normal status and (b) under message injection attack. As shown in the figure, there are three CAN IDs, 0x01, 0x02, and 0x03. The time interval of 0x01 is 20, of 0x02 is 40, and of 0x03 is 100 milliseconds. There are five messages injected by the attacker in (b) every 20 milliseconds from 60 to 140 milliseconds. The time interval of 0x02 falls rapidly to less than 10 milliseconds from 20 milliseconds.

B. Intrusion Detection

Each CAN ID has a unique time interval because each ECU connected to the CAN bus sends messages regularly. We focused on this fact and designed our IDS based on the analysis of time intervals of messages. The proposed system detects message injection attacks with the following procedure.

- When a new message appears on the CAN bus, the IDS checks the CAN ID and computes the time interval from the arrival time of the latest message.
- If the time interval of a new message is shorter than normal, then the IDS judges the message to be an injected message. (In this experiment, we regard a message as an injected message when the time interval is below half of the normal.)
- In particular, if the time intervals of the latest messages in a row are less than 0.2 milliseconds, then the DoS attack score is increased by 1 per message.
- The IDS classifies the event as a DoS attack when the score is larger than a given threshold.

The average time interval of messages in normal status is about 0.5 milliseconds and the minimum time interval is about 0.14 milliseconds. Because there are some normal messages that have time intervals of less than 0.2 milliseconds, a threshold is used in DoS attack detection to reduce the false positive ratio. We describe the process of the proposed system in Fig. 2.

Fig. 2. Diagram of proposed IDS. After analysis of the time interval of each message, there are two parts of the detection module. One detects injection of messages for controlling or malfunction. The other detects DoS attacks that disturb CAN communication.

IV. EXPERIMENT

A. Dataset

K-car (anonymized for protecting sensitive information) is used as the testing vehicle, and a KVASER CAN interface is used to connect to the CAN bus. The connection of the laptop computer to the OBD-II port is shown in Fig. 3. The OBD-II port of K-car is under the steering wheel.

Fig. 3. Photos about connecting to OBD-II port of K-car with a laptop computer using KVASER CAN interface device.

We captured messages from the CAN bus during normal-speed driving for about 40 minutes. We injected messages 30 times for 5-10 seconds randomly for each attack. The types of attacks are injecting messages of a single CAN ID, of multiple CAN IDs, and massively for DoS. After that, we performed random sampling to get a hundred 1-minute samples mixing the under-attack and normal status. We divided the samples into two statuses: those containing injected messages (under-attack status), and the clean ones (normal status). Details about the dataset used in each experiment are described in the next section.

B. Experiment Result

First, we injected messages of a randomly selected single CAN ID at double, quintuple, and decuple the speed of the original cycle. Previous research [17] also mentioned that an attacker should send messages 20-100 times faster than the original ECU to make the target ECU listen to the injected messages.

As described in subsection A, we created 43 attack samples and 57 normal samples in double speed injection, 39 attack samples and 61 normal samples in quintuple speed injection, and 35 attack samples and 65 normal samples in decuple speed injection. In all cases, our IDS detected message injection attacks with 100% accuracy, and there is no false positive error.

Fig. 4 (a) and Fig. 4 (b) show the time intervals of the selected CAN ID in normal status and message injection status, respectively. Messages are injected decuple faster than the CAN ID's own cycle. Therefore, the time interval of injected messages is less than 10% of the original interval. We injected messages two times. The first injection started at 7 seconds and continued for about 3 seconds. The second injection started at 16 seconds and ended at 17.6 seconds. There is a clear difference of time intervals between the normal status and under-attack status.

Fig. 4. Time intervals of messages of a certain CAN ID. Each point represents an order and time interval of a message. The X-axis is message generation number, and the Y-axis is a time interval of a message. For example, the first message is generated at 0.05715 seconds and the second message is generated at 0.15717 seconds. So, the second point in (a) is at (2, 0.10002).

Second, we injected messages of randomly selected 2-5 CAN IDs at double, quintuple, and decuple the original speed. The only difference from the first experiment is the number of CAN IDs of the injected messages. We created 39 attack samples and 61 normal samples in double speed injection, 44 attack samples and 56 normal samples in quintuple speed injection, and 39 attack samples and 61 normal samples in decuple speed injection. Our IDS classifies all the attack status and normal status samples with 100% accuracy, as in the first experiment. Table III shows the results of experiments I and II. As mentioned above, we successfully detected message injection attacks in all the cases.

TABLE III. DETECTION […]

Injection type | Injection speed | Attack samples | Normal samples | Detection accuracy
Single CAN ID | Double | 43 | 57 | 100 %
Single CAN ID | Quintuple | 39 | 61 | 100 %
Single CAN ID | Decuple | 35 | 65 | 100 %
Multiple CAN IDs | Double | 39 | 61 | 100 %
Multiple CAN IDs | Quintuple | 44 | 56 | 100 %
Multiple CAN IDs | Decuple | 39 | 61 | 100 %

At last, we tested DoS attacks on the CAN bus by injecting messages massively. There are about 2,000 messages per second in normal status; attackers can carry out a DoS attack on the CAN bus by sending about 6,000 more messages per second. We set the cutoff of the time interval to 0.2 milliseconds for detecting DoS messages. As mentioned in section 3, there are messages that have a time interval of less than 0.2 milliseconds in normal status, but not often. We removed the false positive error by using a scoring method. We increased the DoS attack score by 1 per message when the latest messages in a row have a time interval of less than 0.2 milliseconds. Then we reset the score when the time interval of the latest message is larger than 0.2 milliseconds.

We created 36 DoS attack samples and 64 normal samples. We used 1, 2, 3 and 5 as the threshold value to measure the detection accuracy for each case. Fig. 5 shows the results according to the threshold value. When the threshold value is 1, detection accuracy is only 36 percent, because there are messages with a time interval of less than 0.2 milliseconds even when there was no DoS attack, so all samples were regarded as attack samples. However, detection accuracy increases as the threshold becomes larger, especially at 3 to 93 percent and 100 percent over 3. Our IDS requires less than one millisecond to detect the DoS attack after the DoS attack begins. It is fast enough to avoid an accident caused by a DoS attack.

Fig. 5. Detection accuracy of DoS attacks according to threshold values. Only 36 percent when the threshold value was 1. Increased to 100 percent using threshold value over 4.

V. CONCLUSION

We showed in section 4 that there was a clear difference between the time intervals of messages in the normal status and in the under-attack status. Time intervals of a specific CAN ID in normal status were about 0.1 seconds. In contrast, time intervals under injection attack became short (almost 10% of the normal time interval).

Therefore, we propose the light-weight IDS based on analysis of time intervals of CAN messages for in-vehicle networks. This system can successfully detect message injection attacks in a millisecond.

In spite of the simplicity of the detection algorithm, our IDS shows improved performance over previous intrusion detection methods such as message-rate-based IDS. We significantly reduce the delay of detection, which can cause a big accident when a vehicle is driving on a road at high speed. Also, the proposed IDS shows 100 percent detection accuracy without false positive errors in three kinds of message injection experiment.

The strength of the proposed detection algorithm is that it is simple and efficient to use. So, our IDS is well suited to most vehicles, which have limited computing power.

A. Limitations and Future Works

In future work, we will analyze the CAN message sequence to detect irregular incoming messages. This sequence analysis requires more computing power, but it can improve the detection accuracy by using the known message sequence patterns as a

ACKNOWLEDGMENT

This work was supported by Samsung Research Funding Center of Samsung Electronics under Project Number SRFCTB1403-00.

REFERENCES

[1] S. Kamal, OwnStar: Locates, Unlocks, Remote Starts GM/OnStar Cars. 2015.
[2] C. Miller and C. Valasek, "Remote exploitation of an unaltered passenger vehicle," in BlackHat USA, 2015.
[3] C. Miller and C. Valasek, "Demo: Adventures in automotive networks and control units," in DEFCON, 2013.
[4] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage, "Experimental Security Analysis of a Modern Automobile," in Proc. of the 31st IEEE Symposium on Security and Privacy, 2010, pp. 447-462.
[5] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner and T. Kohno, "Comprehensive experimental analyses of automotive attack surfaces," Proc. 20th USENIX SEC, pp. 6-6, 2011.
[6] R. Verdult, F. D. Garcia, and J. Balasch, "Gone in 360 seconds: Hijacking with Hitag2," in 21st USENIX Security Symposium (USENIX Security 2012). USENIX Association, 2012.
[7] I. Rouf, R. Miller, H. Mustafa, T. Taylor, S. Oh, W. Xu, M. Gruteser, W. Trappe, and I. Seskar, "Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study," in Proc. of the 19th USENIX Security Symposium, Aug. 2010.
[8] Sevecom.org, 'Secure of future vehicle communication networks', [Online]. Available: http://www.sevecom.org/. Accessed on: Sep 12, 2015.
[9] Evita-project.org, 'EVITA', 2008. [Online]. Available: http://www.evitaproject.org/. Accessed on: Sep 12, […]
[10] […] //www.preciosaproject.org/. Accessed on: Sep 12, […]
[11] […] Available: https://www.oversee-project.com/. Accessed on: Sep 12, 2015.
[12] Preserve-project.eu, 'Preparing Secure V2X Communication Systems'. [Online]. Available: https://www.preserve-project.eu/. Accessed on: Sep 12, 2015.
[13] H. Krishnan, Vehicle Safety […] .pdf. Accessed on: Sep 12, 2015.
[14] A. Festag, G. Noecker, M. Strassberger, A. Lübke, B. Bochow, M. Torrent-Moreno, S. Schnaufer, R. Eigner, C. Catrinescu and J. Kunisch, "'NoW—Network on Wheels': Project objectives, technology and achievements," Proc. WIT, pp. 123-128, 2008. [Online] […]
[15] […]ject.org. [Online]. Available: http://www.cvisproject.org/. Accessed on: Sep 12, 2015.
[16] T. Hoppe, S. Kiltz, and J. Dittmann, "Security threats to automotive CAN networks - practical examples and selected short-term countermeasures," in SAFECOMP, 2008.
[17] C. Miller and C. Valasek, A Survey of Remote Automotive Attack Surfaces, BlackHat USA, 2014.
[18] U. E. Larson, D. K. Nilsson, and E. Jonsson, "An Approach to Specification-based Attack Detection for In-Vehicle Networks," in Proc. of the IEEE Intelligent Vehicles Symposium, 2008, pp. 220-225.
[19] M. Muter and N. Asaj, "Entropy-based anomaly detection for in-vehicle networks," in Intelligent Vehicles Symposium (IV). Baden Baden, Germany: IEEE, 2011, pp. 1110-1115.
[20] M. Muter, A. Groll, and F. C. Freiling, "A structured approach to anomaly detection for in-vehicle networks," in 6th Int. Conf. Information Assurance and Security (IAS). Atlanta, GA: IEEE, 2010, pp. 92-98.
[21] ISO 26262, "Road Vehicles – Functional Safety", [Online]. Available: http://www.iso.org/iso/catalogue_detail?csnumber=43464. Accessed on: Sep 12, 2015.
[22] AUTOSAR, [Online]. Available: http://www.autosar.org. Accessed on: Sep 12, 2015.
