research-article

COIDS: A Clock Offset Based Intrusion Detection System for Controller Area Networks

Authors:

Sajal K. DasAuthors Info & Claims

ICDCN '20: Proceedings of the 21st International Conference on Distributed Computing and Networking

Article No.: 22, Pages 1 - 10

https://doi.org/10.1145/3369740.3369787

Published: 19 February 2020 Publication History

Abstract

Controller Area Network (CAN) is an in-vehicle communication protocol which provides an efficient and reliable communication link between Electronic Control Units (ECUs) in real-time. Recent studies have shown that attackers can take remote control of the targeted car by exploiting the vulnerabilities of the CAN protocol. Motivated by this fact, we propose Clock Offset-based Intrusion Detection System (COIDS) to monitor in-vehicle network and detect any intrusion. Precisely, we first measure and then exploit the clock offset of transmitter ECU's clock for fingerprinting ECU. We next leverage the derived fingerprints to construct a baseline of ECU's normal clock behaviour using an active learning technique. Based on the baseline of normal behaviour, we use Cumulative Sum method to detect any abnormal deviation in clock offset. Particularly, if the deviation in clock offset exceeds an unexpected positive or negative value, COIDS declares this change as an intrusion. Further, we use sequential change-point detection technique to determine the exact time of intrusion. We perform exhaustive experiments on real-world publicly available datasets primarily to assess the effectiveness of COIDS against three most potential attacks on CAN, i.e., DoS, impersonation and fuzzy attacks. The results show that COIDS is highly effective in defending all these three attacks. Further, the results show that COIDS considerably faster in detecting intrusion compared to a state-of-the-art solution.

References

[1]

M. Basseville, I. V. Nikiforov, et al. 1993. Detection of abrupt changes: theory and application. Vol. 104. Prentice Hall Englewood Cliffs.

[2]

S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, and T. Kohno. 2011. Comprehensive Experimental Analyses of Automotive Attack Surfaces. In Proc. of USENIX Security Symposium. 77--92.

[3]

K. T. Cho and K. G. Shin. 2016. Finger printing Electronic Control Units for Vehicle Intrusion Detection. In Proc. of USENIX Security Symposium. 911--927.

[4]

K. T. Cho and K. G. Shin. 2017. Viden: Attacker identification on in-vehicle networks. In Proc. of ACM SIGSAC Conference on Computer and Communications Security. 1109--1123.

[5]

W. Choi, K. Joo, H. J. Jo, M. C. Park, and D. H. Lee. 2018. VoltageIDS: Low-Level Communication Characteristics for Automotive Intrusion Detection System. IEEE Trans. on Information Forensics and Security 13, 8 (2018), 2114--2129.

[6]

E. Weise. 2018. Chinese group hacks a Tesla for the second year in a row. [Online] Accessed on October 15. (2018). [Online]: https://eu.usatoday.com/story/tech/2017/07/28/chinese-group-hacks-tesla-second-year-row/518430001/.

[7]

I. D. Foster, A. Prudhomme, K. Koscher, and S. Savage. 2015. Fast and Vulnerable: A Story of Telematic Failures. In Proc. of 9th USENIX Workshop on Offensive Technologies. 1--9.

[8]

B. Groza and P. S. Murvay. 2019. Efficient Intrusion Detection with Bloom Filtering in Controller Area Networks. IEEE Trans. on Information Forensics and Security 14, 4 (2019), 1037--1051.

Digital Library

[9]

B. Groza, S. Murvay, A. V. Herrewege, and I. Verbauwhede. 2017. Libra-can: Lightweight broadcast authentication for controller area networks. ACM Trans. on Embedded Computing Systems 16, 3 (2017), 1--25.

Digital Library

[10]

H. Lee, S. H. Jeong and H. K. Kim. 2018. CAN Dataset for intrusion detection (OTIDS). [Online]: http://ocslab.hksecurity.net/Dataset/CAN-intrusion-dataset. (2018). Accessed on October 15, 2018.

[11]

M. L. Han, B. I. Kwak, and H. K. Kim. 2018. Anomaly intrusion detection method for vehicular networks based on survival analysis. Vehicular communications 14 (2018), 52--63.

[12]

T. Hoppe, S. Kiltz, and J. Dittmann. 2008. Security threats to automotive CAN networks--practical examples and selected short-term countermeasures. In Proc. of International Conference on Computer Safety, Reliability, and Security. 235--248.

[13]

K. Huang, Q. Zhang, C. Zhou, N. Xiong, and Y. Qin. 2017. An efficient intrusion detection approach for visual sensor networks based on traffic pattern learning. IEEE Trans. on Systems, Man, and Cybernetics: Systems 47, 10 (2017), 2704--2713.

[14]

M. Kneib and C. Huth. 2018. Scission: Signal Characteristic-Based Sender Identification and Intrusion Detection in Automotive Networks. In Proc. of ACM SIGSAC Conference on Computer and Communications Security. 787--800.

[15]

L. Constantin. 2018. Researchers hack Tesla Model S with remote attack. Accessed on October 15. (2018). [Online]: http://www.pcworld.com/article/3121999/security/researchers-demonstrate-remote-attack-against-tesla-models.html.

[16]

V. H. Le, J. D. Hartog, and Z. Zannone. 2018. Security and Privacy for Innovative Automotive Applications: A Survey. Computer Communications 132 (2018), 17--41.

[17]

H. Lee, S. H. Jeong, and H. K. Kim. 2017. OTIDS: A novel intrusion detection system for in-vehicle network by using remote frame. In Proc. of 15th Annual Conference on Privacy, Security and Trust (PST). 57--5709.

[18]

J. Liu, S. Zhang, W. Sun, and Y. Shi. 2017. In-vehicle network attacks and countermeasures: Challenges and future directions. IEEE Network 31, 5 (2017), 50--58.

Digital Library

[19]

M. Marchetti and D. Stabili. 2017. Anomaly detection of CAN bus messages through analysis of ID sequences. In Proc. of IEEE Intelligent Vehicles Symposium (IV). 1577--1583.

[20]

J. Matsumura, Y. Matsubara, H. Takada, M. Oi, M. Toyoshima, and A. Iwai. 2013. A simulation environment based on omnet++ for automotive can--ethernet networks. Analysis Tools and Methodologies for Embedded and Real-time Systems (2013), 1--44.

[21]

S. Mazloom, M. Rezaeirad, A. Hunter, and D. McCoy. 2016. A Security Analysis of an In-Vehicle Infotainment and App Platform. In Proc. of 10th USENIX Workshop on Offensive Technologies. 1--12.

[22]

C. Miller and C. Valasek. 2015. Remote exploitation of an unaltered passenger vehicle. In Black Hat USA. 1--91.

[23]

D. Mills. 1992. Network Time Protocol (Version 3) specification, implementation and analysis. Internet Request For Comments 1305 (1992).

[24]

S. Nie, L. Liu, and Y. Du. 2017. Free-Fall: Hacking Tesla from Wireless to Can Bus. In Black Hat USA. 1--16.

[25]

H. Olufowobi, U. Ezeobi, E. Muhati, G. Robinson, C. Young, J. Zambreno, and G. Bloom. 2019. Anomaly Detection Approach Using Adaptive Cumulative Sum Algorithm for Controller Area Network. In Proc. of ACM Workshop on Automotive Cybersecurity (AutoSec). 25--30.

[26]

A. I. Radu and F. D. Garcia. 2016. LeiA: A lightweight authentication protocol for CAN. In Proc. of European Symposium on Research in Computer Security (ESORICS), Vol. 9879 of LNCS. 283--300.

[27]

S. U.Sagong, X. Ying, A. Clark, L. Bushnell, and R. Poovendran. 2018. Cloaking the clock: emulating clock skew in controller area networks. In Proc. of 9th ACM/IEEE International Conference on Cyber-Physical Systems. 32--42.

[28]

S. U. Sagong, X. Ying, R. Poovendran, and L. Bushnell. 2018. Exploring attack surfaces of voltage-based intrusion detection systems in controller area networks. ESCAR Europe (2018), 1--13.

[29]

A. G. Tartakovsky, A. S. Polunchenko, and G. Sokolov. 2012. Efficient computer network anomaly detection by change-point detection methods. IEEE Journal of Selected Topics in Signal Processing 7, 1 (2012), 4--11.

[30]

A. G. Tartakovsky, B. L. Rozovskii, R. B. Blazek, and H. Kim. 2006. A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods. IEEE Trans. on Signal Processing 54, 9 (2006), 3372--3382.

Digital Library

[31]

W. Wu, R. Li, G. Xie, J. An, Y. Bai, J. Zhou, and K. Li. 2019. A Survey of Intrusion Detection for In-Vehicle Networks. IEEE Trans. on Intelligent Transportation Systems (2019), 1--15.

[32]

X. Ying, S. U. Sagong, A. Clark, L. Bushnell, and R. Poovendran. 2019. Shape of the Cloak: Formal Analysis of Clock Skew-Based Intrusion Detection System in Controller Area Networks. IEEE Trans. on Information Forensics and Security 14, 9 (2019), 2300--2314.

Cited By

Oladimeji DJinad RRasheed ABaza M(2025)CANGuard: An Enhanced Approach to the Detection of Anomalies in CAN-Enabled VehiclesSensors10.3390/s2501027825:1(278)Online publication date: 6-Jan-2025
https://doi.org/10.3390/s25010278
Maliha MBhattacharjee SVilela JSchulmann HLi N(2024)A Unified Time Series Analytics based Intrusion Detection Framework for CAN BUS AttacksProceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy10.1145/3626232.3653249(19-30)Online publication date: 19-Jun-2024
https://dl.acm.org/doi/10.1145/3626232.3653249
Sun HSu HWeng JLiu ZLi MLiu YZhong YSun W(2024)MTDCAP: Moving Target Defense-Based CAN Authentication ProtocolIEEE Transactions on Intelligent Transportation Systems10.1109/TITS.2024.338405425:9(12800-12817)Online publication date: Sep-2024
https://doi.org/10.1109/TITS.2024.3384054
Show More Cited By

Index Terms

COIDS: A Clock Offset Based Intrusion Detection System for Controller Area Networks
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
    1. Intrusion detection systems

Recommendations

Cloaking the clock: emulating clock skew in controller area networks
ICCPS '18: Proceedings of the 9th ACM/IEEE International Conference on Cyber-Physical Systems

Automobiles are equipped with Electronic Control Units (ECUs) that communicate via in-vehicle network protocol standards such as the Controller Area Network (CAN). These protocols were designed under the assumption that separating in-vehicle ...
Tracking low-precision clocks with time-varying drifts using kalman filtering

Clock synchronization is essential for a large number of applications ranging from performance measurements in wired networks to data fusion in sensor networks. Existing techniques are either limited to undesirable accuracy or rely on specific hardware ...
ACES: adaptive clock estimation and synchronization using Kalman filtering
MobiCom '08: Proceedings of the 14th ACM international conference on Mobile computing and networking

Clock synchronization across a network is essential for a large number of applications ranging from wired network measurements to data fusion in sensor networks. Earlier techniques are either limited to undesirable accuracy or rely on specific hardware ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

ICDCN '20: Proceedings of the 21st International Conference on Distributed Computing and Networking

January 2020

460 pages

ISBN:9781450377515

DOI:10.1145/3369740

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

ACM: Association for Computing Machinery
Jadavpur University: Jadavpur University

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 19 February 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ICDCN 2020

ICDCN 2020: 21st International Conference on Distributed Computing and Networking

January 4 - 7, 2020

Kolkata, India

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

17
Total Citations
View Citations
349
Total Downloads

Downloads (Last 12 months)34
Downloads (Last 6 weeks)2

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Oladimeji DJinad RRasheed ABaza M(2025)CANGuard: An Enhanced Approach to the Detection of Anomalies in CAN-Enabled VehiclesSensors10.3390/s2501027825:1(278)Online publication date: 6-Jan-2025
https://doi.org/10.3390/s25010278
Maliha MBhattacharjee SVilela JSchulmann HLi N(2024)A Unified Time Series Analytics based Intrusion Detection Framework for CAN BUS AttacksProceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy10.1145/3626232.3653249(19-30)Online publication date: 19-Jun-2024
https://dl.acm.org/doi/10.1145/3626232.3653249
Sun HSu HWeng JLiu ZLi MLiu YZhong YSun W(2024)MTDCAP: Moving Target Defense-Based CAN Authentication ProtocolIEEE Transactions on Intelligent Transportation Systems10.1109/TITS.2024.338405425:9(12800-12817)Online publication date: Sep-2024
https://doi.org/10.1109/TITS.2024.3384054
Agbaje POlufowobi HHounsinou SBloom G(2024)From Weeping to Wailing: A Transitive Stealthy Bus-Off AttackIEEE Transactions on Intelligent Transportation Systems10.1109/TITS.2024.337717925:9(12066-12080)Online publication date: 27-Mar-2024
https://dl.acm.org/doi/10.1109/TITS.2024.3377179
Qin JXun YLiu J(2024)CVMIDS: Cloud–Vehicle Collaborative Intrusion Detection System for Internet of VehiclesIEEE Internet of Things Journal10.1109/JIOT.2023.331818111:1(321-332)Online publication date: 1-Jan-2024
https://doi.org/10.1109/JIOT.2023.3318181
Zheng HYin HLi H(2024)FE-DIoT: IoT Device Classification Through Dynamic Feature Selection and Adaptive Cross-Network ModelIEEE Access10.1109/ACCESS.2024.347613612(149099-149114)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3476136
Lee JWoo SLee Y(2024)A Practical Method for Identifying ECUs Using Differential VoltageIEEE Access10.1109/ACCESS.2024.341652212(135028-135039)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3416522
Lee SChoi WJo HLee D(2023)ErrIDS: An Enhanced Cumulative Timing Error-Based Automotive Intrusion Detection SystemIEEE Transactions on Intelligent Transportation Systems10.1109/TITS.2023.329351724:11(12406-12421)Online publication date: Nov-2023
https://doi.org/10.1109/TITS.2023.3293517
Wei HAi QZhao WZhang Y(2023)Real-Time Security Warning and ECU Identification for In-Vehicle NetworksIEEE Sensors Journal10.1109/JSEN.2023.324924023:17(20258-20266)Online publication date: 1-Sep-2023
https://doi.org/10.1109/JSEN.2023.3249240
Shahriar MXiao YMoriano PLou WHou Y(2023)CANShield: Deep-Learning-Based Intrusion Detection Framework for Controller Area Networks at the Signal LevelIEEE Internet of Things Journal10.1109/JIOT.2023.330327110:24(22111-22127)Online publication date: 15-Dec-2023
https://doi.org/10.1109/JIOT.2023.3303271
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten