TY - GEN
T1 - COIDS
T2 - 21st International Conference on Distributed Computing and Networking, ICDCN 2020
AU - Halder, Subir
AU - Conti, Mauro
AU - Das, Sajal K.
N1 - Publisher Copyright:
© 2020 ACM.
PY - 2020
Y1 - 2020
N2 - Controller Area Network (CAN) is an in-vehicle communication protocol which provides an efficient and reliable communication link between Electronic Control Units (ECUs) in real-time. Recent studies have shown that attackers can take remote control of the targeted car by exploiting the vulnerabilities of the CAN protocol. Motivated by this fact, we propose Clock Offset-based Intrusion Detection System (COIDS) to monitor in-vehicle network and detect any intrusion. Precisely, we first measure and then exploit the clock offset of transmitter ECU's clock for fingerprinting ECU. We next leverage the derived fingerprints to construct a baseline of ECU's normal clock behaviour using an active learning technique. Based on the baseline of normal behaviour, we use Cumulative Sum method to detect any abnormal deviation in clock offset. Particularly, if the deviation in clock offset exceeds an unexpected positive or negative value, COIDS declares this change as an intrusion. Further, we use sequential change-point detection technique to determine the exact time of intrusion. We perform exhaustive experiments on real-world publicly available datasets primarily to assess the effectiveness of COIDS against three most potential attacks on CAN, i.e., DoS, impersonation and fuzzy attacks. The results show that COIDS is highly effective in defending all these three attacks. Further, the results show that COIDS considerably faster in detecting intrusion compared to a state-of-the-art solution.
AB - Controller Area Network (CAN) is an in-vehicle communication protocol which provides an efficient and reliable communication link between Electronic Control Units (ECUs) in real-time. Recent studies have shown that attackers can take remote control of the targeted car by exploiting the vulnerabilities of the CAN protocol. Motivated by this fact, we propose Clock Offset-based Intrusion Detection System (COIDS) to monitor in-vehicle network and detect any intrusion. Precisely, we first measure and then exploit the clock offset of transmitter ECU's clock for fingerprinting ECU. We next leverage the derived fingerprints to construct a baseline of ECU's normal clock behaviour using an active learning technique. Based on the baseline of normal behaviour, we use Cumulative Sum method to detect any abnormal deviation in clock offset. Particularly, if the deviation in clock offset exceeds an unexpected positive or negative value, COIDS declares this change as an intrusion. Further, we use sequential change-point detection technique to determine the exact time of intrusion. We perform exhaustive experiments on real-world publicly available datasets primarily to assess the effectiveness of COIDS against three most potential attacks on CAN, i.e., DoS, impersonation and fuzzy attacks. The results show that COIDS is highly effective in defending all these three attacks. Further, the results show that COIDS considerably faster in detecting intrusion compared to a state-of-the-art solution.
KW - Clock Offset
KW - Clock Skew
KW - Controller Area Network
KW - Cumulative Sum method
KW - Intrusion Detection Systems
UR - http://www.scopus.com/inward/record.url?scp=85087273078&partnerID=8YFLogxK
U2 - 10.1145/3369740.3369787
DO - 10.1145/3369740.3369787
M3 - Conference contribution
AN - SCOPUS:85087273078
SN - 9781450377515
T3 - ACM International Conference Proceeding Series
BT - ACM International Conference Proceeding Series
PB - Association for Computing Machinery
Y2 - 4 January 2020 through 7 January 2020
ER -