WeepingCAN: A Stealthy CAN Bus-off Attack

Bloom, Gedare

doi:10.14722/autosec.2021.23002

Cited by 24 publications

(8 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Cho and Shin [13] present the bus-off attack, which exploits the error-handling mechanism of the CAN bus to shut down victim ECUs. Bloom [7] present Weeping-CAN, a refinement of the bus-off attack that is more stealthy and can evade detection. Kulandaivel et al [30] present CANnon, which leverages the peripheral clock gating feature to insert arbitrary bits at any time instance.…”

Section: Discussionmentioning

confidence: 99%

CAN Bus Intrusion Detection Based on Auxiliary Classifier GAN and Out-of-distribution Detection

Zhao

Chen

et al. 2022

ACM Trans. Embed. Comput. Syst.

View full text Add to dashboard Cite

The Controller Area Network (CAN) is a ubiquitous bus protocol present in the Electrical/Electronic (E/E) systems of almost all vehicles. It is vulnerable to a range of attacks once the attacker gains access to the bus through the vehicle’s attack surface. We address the problem of Intrusion Detection on the CAN bus, and present a series of methods based on two classifiers trained with Auxiliary Classifier Generative Adversarial Network (ACGAN) to detect and assign fine-grained labels to Known Attacks, and also detect the Unknown Attack class in a dataset containing a mixture of (Normal + Known Attacks + Unknown Attack) messages. The most effective method is a cascaded two-stage classification architecture, with the multi-class Auxiliary Classifier in the first stage for classification of Normal and Known Attacks, passing Out-of-Distribution (OOD) samples to the binary Real-Fake Classifier in the second stage for detection of the Unknown Attack class. Performance evaluation demonstrate that our method achieves both high classification accuracy and low runtime overhead, making it suitable for deployment in the resource-constrained in-vehicle environment.

show abstract

Section: Discussionmentioning

confidence: 99%

CAN Bus Intrusion Detection Based on Auxiliary Classifier GAN and Out-of-distribution Detection

Zhao

Chen

et al. 2022

ACM Trans. Embed. Comput. Syst.

View full text Add to dashboard Cite

show abstract

“…Frequency/Timing-Based: Regards the timing or sequencing of arbitration IDs [17,[19][20][21][22][23] Payload-Based: Considers the data frame (message contents) as a string of bits, without explicitly recovering the signals these bits represent [16,[24][25][26][27][28][29][30] Signal-Based: Requires first decoding raw data field bits into constituent signals, and uses time series' of signal values as inputs [5,17,[31][32][33][34][35][36][37] Physical Side-Channel: Uses physical layer attributes (e.g., voltage) [15,[38][39][40] Other: Includes works that do not fall into the above categories (e.g., using rules to guarantee specific characteristics of the CAN messages are followed [41,42]).…”

Section: The Growth and State Of Can Ids Researchmentioning

confidence: 99%

“…In another example, Cho and Shin cleverly use a strongly compromised ECU in order to weakly compromise a target ECU by causing it to go into bus off mode, at which point they run a masquerade attack [8]. Notably, a very recent paper of Bloom [30] provides stealthier techniques for exhibiting this attack. Interestingly, if an attacker is not careful when mounting a fabrication attack, this same mechanism can result in the attacker's own strongly compromised ECU getting bussed off.…”

Section: Masquerade Attacksmentioning

confidence: 99%

A comprehensive guide to CAN IDS data and introduction of the ROAD dataset

Verma,

Bridges,

Iannacone

et al. 2024

PLoS ONE

View full text Add to dashboard Cite

Although ubiquitous in modern vehicles, Controller Area Networks (CANs) lack basic security properties and are easily exploitable. A rapidly growing field of CAN security research has emerged that seeks to detect intrusions or anomalies on CANs. Producing vehicular CAN data with a variety of intrusions is a difficult task for most researchers as it requires expensive assets and deep expertise. To illuminate this task, we introduce the first comprehensive guide to the existing open CAN intrusion detection system (IDS) datasets. We categorize attacks on CANs including fabrication (adding frames, e.g., flooding or targeting and ID), suspension (removing an ID’s frames), and masquerade attacks (spoofed frames sent in lieu of suspended ones). We provide a quality analysis of each dataset; an enumeration of each datasets’ attacks, benefits, and drawbacks; categorization as real vs. simulated CAN data and real vs. simulated attacks; whether the data is raw CAN data or signal-translated; number of vehicles/CANs; quantity in terms of time; and finally a suggested use case of each dataset. State-of-the-art public CAN IDS datasets are limited to real fabrication (simple message injection) attacks and simulated attacks often in synthetic data, lacking fidelity. In general, the physical effects of attacks on the vehicle are not verified in the available datasets. Only one dataset provides signal-translated data but is missing a corresponding “raw” binary version. This issue pigeon-holes CAN IDS research into testing on limited and often inappropriate data (usually with attacks that are too easily detectable to truly test the method). The scarcity of appropriate data has stymied comparability and reproducibility of results for researchers. As our primary contribution, we present the Real ORNL Automotive Dynamometer (ROAD) CAN IDS dataset, consisting of over 3.5 hours of one vehicle’s CAN data. ROAD contains ambient data recorded during a diverse set of activities, and attacks of increasing stealth with multiple variants and instances of real (i.e. non-simulated) fuzzing, fabrication, unique advanced attacks, and simulated masquerade attacks. To facilitate a benchmark for CAN IDS methods that require signal-translated inputs, we also provide the signal time series format for many of the CAN captures. Our contributions aim to facilitate appropriate benchmarking and needed comparability in the CAN IDS research field.

show abstract

“…Since the voltage profile changes with the environment and operating conditions (e.g., temperature and supply voltage), the machine learning model must get updated and retrained periodically. VIDS is effective against a single-actor based denial of service or spoofing attacks that opt to force the victim into the bus-off mode [34].…”

Section: Related Workmentioning

confidence: 99%

Mitigating voltage fingerprint spoofing attacks on the controller area network bus

2022

View full text Add to dashboard Cite

The Controller Area Network (CAN) bus suffers security vulnerabilities that allow message spoofing and masquerading Electronic Control Units (ECUs). A popular provision for mitigating these vulnerabilities is through the use of machine learning (ML) to derive ECU fingerprints based on the physical properties of bus signals. Particularly, voltage-based intrusion detection systems associate the message transmitter with its voltage fingerprint to detect conflicting logical ECU identifiers in the presence of cyberattacks. However, the signal characteristics depend on the operating conditions and hence the fingerprints need to be adapted overtime by online training of the underlying ML model. An adversary may exploit such a shortcoming to superimpose training data based on its own transmissions and thus bypass the protection mechanism. Such an attack not only allows device impersonation but also leads to rejecting transmissions of a legitimate ECU. This paper proposes an effective approach to thwart these attack scenarios. Our approach introduces unpredictably-scheduled transmissions involving one or multiple ECUs to confuse the adversary and ensure the generation of a legitimate fingerprinting dataset for online training. We validate the robustness of our approach using data collected from a real vehicle and show that it outperforms a prominent competing scheme by over 30% in terms of identifying malicious ECUs when the attacker could overwrite 50% of the retraining transmissions.

show abstract

WeepingCAN: A Stealthy CAN Bus-off Attack

Cited by 24 publications

References 32 publications

CAN Bus Intrusion Detection Based on Auxiliary Classifier GAN and Out-of-distribution Detection

CAN Bus Intrusion Detection Based on Auxiliary Classifier GAN and Out-of-distribution Detection

A comprehensive guide to CAN IDS data and introduction of the ROAD dataset

Mitigating voltage fingerprint spoofing attacks on the controller area network bus

Contact Info

Product

Resources

About