-
Develo** and Deploying Security Applications for In-Vehicle Networks
Authors:
Samuel C Hollifield,
Pablo Moriano,
William L Lambert,
Joel Asiamah,
Isaac Sikkema,
Michael D Iannacone
Abstract:
Radiological material transportation is primarily facilitated by heavy-duty on-road vehicles. Modern vehicles have dozens of electronic control units or ECUs, which are small, embedded computers that communicate with sensors and each other for vehicle functionality. ECUs use a standardized network architecture--Controller Area Network or CAN--which presents grave security concerns that have been e…
▽ More
Radiological material transportation is primarily facilitated by heavy-duty on-road vehicles. Modern vehicles have dozens of electronic control units or ECUs, which are small, embedded computers that communicate with sensors and each other for vehicle functionality. ECUs use a standardized network architecture--Controller Area Network or CAN--which presents grave security concerns that have been exploited by researchers and hackers alike. For instance, ECUs can be impersonated by adversaries who have infiltrated an automotive CAN and disable or invoke unintended vehicle functions such as brakes, acceleration, or safety mechanisms. Further, the quality of security approaches varies wildly between manufacturers. Thus, research and development of after-market security solutions have grown remarkably in recent years. Many researchers are exploring deployable intrusion detection and prevention mechanisms using machine learning and data science techniques. However, there is a gap between develo** security system algorithms and deploying prototype security appliances in-vehicle. In this paper, we, a research team at Oak Ridge National Laboratory working in this space, highlight challenges in the development pipeline, and provide techniques to standardize methodology and overcome technological hurdles.
△ Less
Submitted 27 June, 2023;
originally announced June 2023.
-
Testing SOAR Tools in Use
Authors:
Robert A. Bridges,
Ashley E. Rice,
Sean Oesch,
Jeff A. Nichols,
Cory Watson,
Kevin Spakes,
Savannah Norem,
Mike Huettel,
Brian Jewell,
Brian Weber,
Connor Gannon,
Olivia Bizovi,
Samuel C Hollifield,
Samantha Erwin
Abstract:
Modern security operation centers (SOCs) rely on operators and a tapestry of logging and alerting tools with large scale collection and query abilities. SOC investigations are tedious as they rely on manual efforts to query diverse data sources, overlay related logs, and correlate the data into information and then document results in a ticketing system. Security orchestration, automation, and res…
▽ More
Modern security operation centers (SOCs) rely on operators and a tapestry of logging and alerting tools with large scale collection and query abilities. SOC investigations are tedious as they rely on manual efforts to query diverse data sources, overlay related logs, and correlate the data into information and then document results in a ticketing system. Security orchestration, automation, and response (SOAR) tools are a new technology that promise to collect, filter, and display needed data; automate common tasks that require SOC analysts' time; facilitate SOC collaboration; and, improve both efficiency and consistency of SOCs. SOAR tools have never been tested in practice to evaluate their effect and understand them in use. In this paper, we design and administer the first hands-on user study of SOAR tools, involving 24 participants and 6 commercial SOAR tools. Our contributions include the experimental design, itemizing six characteristics of SOAR tools and a methodology for testing them. We describe configuration of the test environment in a cyber range, including network, user, and threat emulation; a full SOC tool suite; and creation of artifacts allowing multiple representative investigation scenarios to permit testing. We present the first research results on SOAR tools. We found that SOAR configuration is critical, as it involves creative design for data display and automation. We found that SOAR tools increased efficiency and reduced context switching during investigations, although ticket accuracy and completeness (indicating investigation quality) decreased with SOAR use. Our findings indicated that user preferences are slightly negatively correlated with their performance with the tool; overautomation was a concern of senior analysts, and SOAR tools that balanced automation with assisting a user to make decisions were preferred.
△ Less
Submitted 14 February, 2023; v1 submitted 11 August, 2022;
originally announced August 2022.
-
Time-Based CAN Intrusion Detection Benchmark
Authors:
Deborah H. Blevins,
Pablo Moriano,
Robert A. Bridges,
Miki E. Verma,
Michael D. Iannacone,
Samuel C Hollifield
Abstract:
Modern vehicles are complex cyber-physical systems made of hundreds of electronic control units (ECUs) that communicate over controller area networks (CANs). This inherited complexity has expanded the CAN attack surface which is vulnerable to message injection attacks. These injections change the overall timing characteristics of messages on the bus, and thus, to detect these malicious messages, t…
▽ More
Modern vehicles are complex cyber-physical systems made of hundreds of electronic control units (ECUs) that communicate over controller area networks (CANs). This inherited complexity has expanded the CAN attack surface which is vulnerable to message injection attacks. These injections change the overall timing characteristics of messages on the bus, and thus, to detect these malicious messages, time-based intrusion detection systems (IDSs) have been proposed. However, time-based IDSs are usually trained and tested on low-fidelity datasets with unrealistic, labeled attacks. This makes difficult the task of evaluating, comparing, and validating IDSs. Here we detail and benchmark four time-based IDSs against the newly published ROAD dataset, the first open CAN IDS dataset with real (non-simulated) stealthy attacks with physically verified effects. We found that methods that perform hypothesis testing by explicitly estimating message timing distributions have lower performance than methods that seek anomalies in a distribution-related statistic. In particular, these "distribution-agnostic" based methods outperform "distribution-based" methods by at least 55% in area under the precision-recall curve (AUC-PR). Our results expand the body of knowledge of CAN time-based IDSs by providing details of these methods and reporting their results when tested on datasets with real advanced attacks. Finally, we develop an after-market plug-in detector using lightweight hardware, which can be used to deploy the best performing IDS method on nearly any vehicle.
△ Less
Submitted 14 January, 2021;
originally announced January 2021.
-
A Comprehensive Guide to CAN IDS Data & Introduction of the ROAD Dataset
Authors:
Miki E. Verma,
Robert A. Bridges,
Michael D. Iannacone,
Samuel C. Hollifield,
Pablo Moriano,
Steven C. Hespeler,
Bill Kay,
Frank L. Combs
Abstract:
Although ubiquitous in modern vehicles, Controller Area Networks (CANs) lack basic security properties and are easily exploitable. A rapidly growing field of CAN security research has emerged that seeks to detect intrusions on CANs. Producing vehicular CAN data with a variety of intrusions is out of reach for most researchers as it requires expensive assets and expertise. To assist researchers, we…
▽ More
Although ubiquitous in modern vehicles, Controller Area Networks (CANs) lack basic security properties and are easily exploitable. A rapidly growing field of CAN security research has emerged that seeks to detect intrusions on CANs. Producing vehicular CAN data with a variety of intrusions is out of reach for most researchers as it requires expensive assets and expertise. To assist researchers, we present the first comprehensive guide to the existing open CAN intrusion datasets, including a quality analysis of each dataset and an enumeration of each's benefits, drawbacks, and suggested use case. Current public CAN IDS datasets are limited to real fabrication (simple message injection) attacks and simulated attacks often in synthetic data, which lack fidelity. In general, the physical effects of attacks on the vehicle are not verified in the available datasets. Only one dataset provides signal-translated data but not a corresponding raw binary version. Overall, the available data pigeon-holes CAN IDS works into testing on limited, often inappropriate data (usually with attacks that are too easily detectable to truly test the method), and this lack data has stymied comparability and reproducibility of results. As our primary contribution, we present the ROAD (Real ORNL Automotive Dynamometer) CAN Intrusion Dataset, consisting of over 3.5 hours of one vehicle's CAN data. ROAD contains ambient data recorded during a diverse set of activities, and attacks of increasing stealth with multiple variants and instances of real fuzzing, fabrication, and unique advanced attacks, as well as simulated masquerade attacks. To facilitate benchmarking CAN IDS methods that require signal-translated inputs, we also provide the signal time series format for many of the CAN captures. Our contributions aim to facilitate appropriate benchmarking and needed comparability in the CAN IDS field.
△ Less
Submitted 7 February, 2024; v1 submitted 28 December, 2020;
originally announced December 2020.
-
CAN-D: A Modular Four-Step Pipeline for Comprehensively Decoding Controller Area Network Data
Authors:
Miki E. Verma,
Robert A. Bridges,
Jordan J. Sosnowski,
Samuel C. Hollifield,
Michael D. Iannacone
Abstract:
CANs are a broadcast protocol for real-time communication of critical vehicle subsystems. Original equipment manufacturers of passenger vehicles hold secret their map**s of CAN data to vehicle signals, and these definitions vary according to make, model, and year. Without these map**s, the wealth of real-time vehicle information hidden in the CAN packets is uninterpretable, impeding vehicle-re…
▽ More
CANs are a broadcast protocol for real-time communication of critical vehicle subsystems. Original equipment manufacturers of passenger vehicles hold secret their map**s of CAN data to vehicle signals, and these definitions vary according to make, model, and year. Without these map**s, the wealth of real-time vehicle information hidden in the CAN packets is uninterpretable, impeding vehicle-related research. Guided by the 4-part CAN signal definition, we present CAN-D (CAN-Decoder), a modular, 4-step pipeline for identifying each signal's boundaries (start bit, length), endianness (byte order), signedness (bit-to-integer encoding), and by leveraging diagnostic standards, augmenting a subset of the extracted signals with physical interpretation. We provide a comprehensive review of the CAN signal reverse engineering research. Previous methods ignore endianness and signedness, rendering them incapable of decoding many standard CAN signal definitions. Incorporating endianness grows the search space from 128 to 4.72E21 signal tokenizations and introduces a web of changing dependencies. We formulate, formally analyze, and provide an efficient solution to an optimization problem, allowing identification of the optimal set of signal boundaries and byte orderings. We provide two novel, state-of-the-art signal boundary classifiers-both superior to previous approaches in precision and recall in three different test scenarios-and the first signedness classification algorithm which exhibits a $>$97\% F-score. CAN-D is the only solution with the potential to extract any CAN signal. In evaluation on 10 vehicles, CAN-D's average $\ell^1$ error is 5x better than all previous methods and exhibits lower ave. error, even when considering only signals that meet prior methods' assumptions. CAN-D is implemented in lightweight hardware, allowing for an OBD-II plugin for real-time in-vehicle CAN decoding.
△ Less
Submitted 22 June, 2021; v1 submitted 9 June, 2020;
originally announced June 2020.
-
ACTT: Automotive CAN Tokenization and Translation
Authors:
Miki E. Verma,
Robert A. Bridges,
Samuel C. Hollifield
Abstract:
Modern vehicles contain scores of Electrical Control Units (ECUs) that broadcast messages over a Controller Area Network (CAN). Vehicle manufacturers rely on security through obscurity by concealing their unique map** of CAN messages to vehicle functions which differs for each make, model, year, and even trim. This poses a major obstacle for after-market modifications notably performance tuning…
▽ More
Modern vehicles contain scores of Electrical Control Units (ECUs) that broadcast messages over a Controller Area Network (CAN). Vehicle manufacturers rely on security through obscurity by concealing their unique map** of CAN messages to vehicle functions which differs for each make, model, year, and even trim. This poses a major obstacle for after-market modifications notably performance tuning and in-vehicle network security measures. We present ACTT: Automotive CAN Tokenization and Translation, a novel, vehicle-agnostic, algorithm that leverages available diagnostic information to parse CAN data into meaningful messages, simultaneously cutting binary messages into tokens, and learning the translation to map these contiguous bits to the value of the vehicle function communicated.
△ Less
Submitted 19 November, 2018;
originally announced November 2018.