-
A Lightweight FPGA-based IDS-ECU Architecture for Automotive CAN
Authors:
Shashwat Khandelwal,
Shreejith Shanker
Abstract:
Recent years have seen an exponential rise in complex software-driven functionality in vehicles, leading to a rising number of electronic control units (ECUs), network capabilities, and interfaces. These expanded capabilities also bring-in new planes of vulnerabilities making intrusion detection and management a critical capability; however, this can often result in more ECUs and network elements…
▽ More
Recent years have seen an exponential rise in complex software-driven functionality in vehicles, leading to a rising number of electronic control units (ECUs), network capabilities, and interfaces. These expanded capabilities also bring-in new planes of vulnerabilities making intrusion detection and management a critical capability; however, this can often result in more ECUs and network elements due to the high computational overheads. In this paper, we present a consolidated ECU architecture incorporating an Intrusion Detection System (IDS) for Automotive Controller Area Network (CAN) along with traditional ECU functionality on an off-the-shelf hybrid FPGA device, with near-zero overhead for the ECU functionality. We propose two quantised multi-layer perceptrons (QMLP's) as isolated IDSs for detecting a range of attack vectors including Denial-of-Service, Fuzzing and Spoofing, which are accelerated using off-the-shelf deep-learning processing unit (DPU) IP block from Xilinx, operating fully transparently to the software on the ECU. The proposed models achieve the state-of-the-art classification accuracy for all the attacks, while we observed a 15x reduction in power consumption when compared against the GPU-based implementation of the same models quantised using Nvidia libraries. We also achieved a 2.3x speed up in per-message processing latency (at 0.24 ms from the arrival of a CAN message) to meet the strict end-to-end latency on critical CAN nodes and a 2.6x reduction in power consumption for inference when compared to the state-of-the-art IDS models on embedded IDS and loosely coupled IDS accelerators (GPUs) discussed in the literature.
△ Less
Submitted 19 January, 2024;
originally announced January 2024.
-
Exploring Highly Quantised Neural Networks for Intrusion Detection in Automotive CAN
Authors:
Shashwat Khandelwal,
Shreejith Shanker
Abstract:
Vehicles today comprise intelligent systems like connected autonomous driving and advanced driving assistance systems (ADAS) to enhance the driving experience, which is enabled through increased connectivity to infrastructure and fusion of information from different sensing modes. However, the rising connectivity coupled with the legacy network architecture within vehicles can be exploited for lau…
▽ More
Vehicles today comprise intelligent systems like connected autonomous driving and advanced driving assistance systems (ADAS) to enhance the driving experience, which is enabled through increased connectivity to infrastructure and fusion of information from different sensing modes. However, the rising connectivity coupled with the legacy network architecture within vehicles can be exploited for launching active and passive attacks on critical vehicle systems and directly affecting the safety of passengers. Machine learning-based intrusion detection models have been shown to successfully detect multiple targeted attack vectors in recent literature, whose deployments are enabled through quantised neural networks targeting low-power platforms. Multiple models are often required to simultaneously detect multiple attack vectors, increasing the area, (resource) cost, and energy consumption. In this paper, we present a case for utilising custom-quantised MLP's (CQMLP) as a multi-class classification model, capable of detecting multiple attacks from the benign flow of controller area network (CAN) messages. The specific quantisation and neural architecture are determined through a joint design space exploration, resulting in our choice of the 2-bit precision and the n-layer MLP. Our 2-bit version is trained using Brevitas and optimised as a dataflow hardware model through the FINN toolflow from AMD/Xilinx, targeting an XCZU7EV device. We show that the 2-bit CQMLP model, when integrated as the IDS, can detect malicious attack messages (DoS, fuzzing, and spoofing attack) with a very high accuracy of 99.9%, on par with the state-of-the-art methods in the literature. Furthermore, the dataflow model can perform line rate detection at a latency of 0.11 ms from message reception while consuming 0.23 mJ/inference, making it ideally suited for integration with an ECU in critical CAN networks.
△ Less
Submitted 19 January, 2024;
originally announced January 2024.
-
Real-Time Zero-Day Intrusion Detection System for Automotive Controller Area Network on FPGAs
Authors:
Shashwat Khandelwal,
Shreejith Shanker
Abstract:
Increasing automation in vehicles enabled by increased connectivity to the outside world has exposed vulnerabilities in previously siloed automotive networks like controller area networks (CAN). Attributes of CAN such as broadcast-based communication among electronic control units (ECUs) that lowered deployment costs are now being exploited to carry out active injection attacks like denial of serv…
▽ More
Increasing automation in vehicles enabled by increased connectivity to the outside world has exposed vulnerabilities in previously siloed automotive networks like controller area networks (CAN). Attributes of CAN such as broadcast-based communication among electronic control units (ECUs) that lowered deployment costs are now being exploited to carry out active injection attacks like denial of service (DoS), fuzzing, and spoofing attacks. Research literature has proposed multiple supervised machine learning models deployed as Intrusion detection systems (IDSs) to detect such malicious activity; however, these are largely limited to identifying previously known attack vectors. With the ever-increasing complexity of active injection attacks, detecting zero-day (novel) attacks in these networks in real-time (to prevent propagation) becomes a problem of particular interest. This paper presents an unsupervised-learning-based convolutional autoencoder architecture for detecting zero-day attacks, which is trained only on benign (attack-free) CAN messages. We quantise the model using Vitis-AI tools from AMD/** IDS operation on a window of CAN messages with the reception, the model is able to meet line-rate detection (0.43 ms per window) of high-speed CAN, which when coupled with the low energy consumption per inference, makes this architecture ideally suited for detecting zero-day attacks on critical CAN networks.
△ Less
Submitted 19 January, 2024;
originally announced January 2024.
-
A Lightweight Multi-Attack CAN Intrusion Detection System on Hybrid FPGAs
Authors:
Shashwat Khandelwal,
Shreejith Shanker
Abstract:
Rising connectivity in vehicles is enabling new capabilities like connected autonomous driving and advanced driver assistance systems (ADAS) for improving the safety and reliability of next-generation vehicles. This increased access to in-vehicle functions compromises critical capabilities that use legacy invehicle networks like Controller Area Network (CAN), which has no inherent security or auth…
▽ More
Rising connectivity in vehicles is enabling new capabilities like connected autonomous driving and advanced driver assistance systems (ADAS) for improving the safety and reliability of next-generation vehicles. This increased access to in-vehicle functions compromises critical capabilities that use legacy invehicle networks like Controller Area Network (CAN), which has no inherent security or authentication mechanism. Intrusion detection and mitigation approaches, particularly using machine learning models, have shown promising results in detecting multiple attack vectors in CAN through their ability to generalise to new vectors. However, most deployments require dedicated computing units like GPUs to perform line-rate detection, consuming much higher power. In this paper, we present a lightweight multi-attack quantised machine learning model that is deployed using Xilinx's Deep Learning Processing Unit IP on a Zynq Ultrascale+ (XCZU3EG) FPGA, which is trained and validated using the public CAN Intrusion Detection dataset. The quantised model detects denial of service and fuzzing attacks with an accuracy of above 99 % and a false positive rate of 0.07%, which are comparable to the state-of-the-art techniques in the literature. The Intrusion Detection System (IDS) execution consumes just 2.0 W with software tasks running on the ECU and achieves a 25 % reduction in per-message processing latency over the state-of-the-art implementations. This deployment allows the ECU function to coexist with the IDS with minimal changes to the tasks, making it ideal for real-time IDS in in-vehicle systems.
△ Less
Submitted 19 January, 2024;
originally announced January 2024.
-
Deep Learning-based Embedded Intrusion Detection System for Automotive CAN
Authors:
Shashwat Khandelwal,
Eashan Wadhwa,
Shreejith Shanker
Abstract:
Rising complexity of in-vehicle electronics is enabling new capabilities like autonomous driving and active safety. However, rising automation also increases risk of security threats which is compounded by lack of in-built security measures in legacy networks like CAN, allowing attackers to observe, tamper and modify information shared over such broadcast networks. Various intrusion detection appr…
▽ More
Rising complexity of in-vehicle electronics is enabling new capabilities like autonomous driving and active safety. However, rising automation also increases risk of security threats which is compounded by lack of in-built security measures in legacy networks like CAN, allowing attackers to observe, tamper and modify information shared over such broadcast networks. Various intrusion detection approaches have been proposed to detect and tackle such threats, with machine learning models proving highly effective. However, deploying machine learning models will require high processing power through high-end processors or GPUs to perform them close to line rate. In this paper, we propose a hybrid FPGA-based ECU approach that can transparently integrate IDS functionality through a dedicated off-the-shelf hardware accelerator that implements a deep-CNN intrusion detection model. Our results show that the proposed approach provides an average accuracy of over 99% across multiple attack datasets with 0.64% false detection rates while consuming 94% less energy and achieving 51.8% reduction in per-message processing latency when compared to IDS implementations on GPUs.
△ Less
Submitted 19 January, 2024;
originally announced January 2024.
-
The...Tinderverse?: Opportunities and Challenges for User Safety in Extended Reality (XR) Dating Apps
Authors:
Sarath S. Shanker,
Douglas Zytko
Abstract:
Dating apps such as Tinder have announced plans for a dating metaverse: the incorporation of XR technologies into the online dating process to augment interactions between potential sexual partners across virtual and physical worlds. While the dating metaverse is still in conceptual stages we can forecast significant harms that it may expose daters to given prior research into the frequency and se…
▽ More
Dating apps such as Tinder have announced plans for a dating metaverse: the incorporation of XR technologies into the online dating process to augment interactions between potential sexual partners across virtual and physical worlds. While the dating metaverse is still in conceptual stages we can forecast significant harms that it may expose daters to given prior research into the frequency and severity of sexual harms facilitated by dating apps as well as harms within social VR environments. In this workshop paper we envision how XR could enrich virtual-to-physical interaction between potential sexual partners and outline harms that it will likely perpetuate as well. We then introduce our ongoing research to preempt such harms: a participatory design study with sexual violence experts and demographics at disproportionate risk of sexual violence to produce mitigative solutions to sexual violence perpetuated by XR-enabled dating apps.
△ Less
Submitted 6 May, 2022; v1 submitted 28 March, 2022;
originally announced March 2022.
-
DeCoRIC: Decentralized Connected Resilient IoT Clustering
Authors:
Nitin Shivaraman,
Saravanan Ramanathan,
Shreejith Shanker,
Arvind Easwaran,
Sebastian Steinhorst
Abstract:
Maintaining peer-to-peer connectivity with low energy overhead is a key requirement for several emerging Internet of Things (IoT) applications. It is also desirable to develop such connectivity solutions for non-static network topologies, so that resilience to device failures can be fully realized. Decentralized clustering has emerged as a promising technique to address this critical challenge. Cl…
▽ More
Maintaining peer-to-peer connectivity with low energy overhead is a key requirement for several emerging Internet of Things (IoT) applications. It is also desirable to develop such connectivity solutions for non-static network topologies, so that resilience to device failures can be fully realized. Decentralized clustering has emerged as a promising technique to address this critical challenge. Clustering of nodes around cluster heads (CHs) provides an energy-efficient two-tier framework for peer-to-peer communication. At the same time, decentralization ensures that the framework can quickly adapt to a dynamically changing network topology. Although some decentralized clustering solutions have been proposed in the literature, they either lack guarantees on connectivity or incur significant energy overhead to maintain the clusters. In this paper, we present Decentralized Connected Resilient IoT Clustering (DeCoRIC), an energy-efficient clustering scheme that is self-organizing and resilient to network changes while guaranteeing connectivity. Using experiments implemented on the Contiki simulator, we show that our clustering scheme adapts itself to node faults in a time-bound manner. Our experiments show that DeCoRIC achieves 100% connectivity among all nodes while improving the power efficiency of nodes in the system compared to the state-of-the-art techniques BEEM and LEACH by up to 110% and 70%, respectively. The improved power efficiency also translates to longer lifetime before first node death with a best-case of 109% longer than BEEM and 42% longer than LEACH.
△ Less
Submitted 29 April, 2020;
originally announced April 2020.
