TY - GEN
T1 - Cloaking the Clock
T2 - 9th ACM/IEEE International Conference on Cyber-Physical Systems, ICCPS 2018
AU - Sagong, Sang Uk
AU - Ying, Xuhang
AU - Clark, Andrew
AU - Bushnell, Linda
AU - Poovendran, Radha
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/8/21
Y1 - 2018/8/21
N2 - Automobiles are equipped with Electronic Control Units (ECUs) that communicate via in-vehicle network protocol standards such as the Controller Area Network (CAN). These protocols were designed under the assumption that separating in-vehicle communications from external networks is sufficient for protection against cyber attacks. This assumption, however, has been shown to be invalid by recent attacks in which adversaries were able to infiltrate the in-vehicle network. Motivated by these attacks, intrusion detection systems (IDSs) have been proposed for in-vehicle networks that attempt to detect attacks by exploiting physical properties such as clock skew of an ECU. In this paper, we propose the cloaking attack, an intelligent masquerade attack in which an adversary modifies the timing of transmitted messages to match the clock skew of a targeted ECU. The attack leverages the fact that, while the clock skew is a physical property of each ECU that cannot be changed by the adversary, the estimation of the clock skew by other ECUs is based on the timing of network traffic, which, being a cyber component only, can be modified by an adversary. We implement the proposed cloaking attack and test it on two IDSs, namely, the current state-of-the-art IDS and its adaptation to the widely-used Network Time Protocol (NTP). We implement the cloaking attack on two hardware testbeds, a prototype and a real vehicle, and show that it is able to deceive both IDSs. We also introduce a new metric called the Maximum Slackness Index to quantify the effectiveness of a clock skew-based IDS in detecting masquerade attacks when the adversary is unable to precisely match the clock skew of the targeted ECU.
AB - Automobiles are equipped with Electronic Control Units (ECUs) that communicate via in-vehicle network protocol standards such as the Controller Area Network (CAN). These protocols were designed under the assumption that separating in-vehicle communications from external networks is sufficient for protection against cyber attacks. This assumption, however, has been shown to be invalid by recent attacks in which adversaries were able to infiltrate the in-vehicle network. Motivated by these attacks, intrusion detection systems (IDSs) have been proposed for in-vehicle networks that attempt to detect attacks by exploiting physical properties such as clock skew of an ECU. In this paper, we propose the cloaking attack, an intelligent masquerade attack in which an adversary modifies the timing of transmitted messages to match the clock skew of a targeted ECU. The attack leverages the fact that, while the clock skew is a physical property of each ECU that cannot be changed by the adversary, the estimation of the clock skew by other ECUs is based on the timing of network traffic, which, being a cyber component only, can be modified by an adversary. We implement the proposed cloaking attack and test it on two IDSs, namely, the current state-of-the-art IDS and its adaptation to the widely-used Network Time Protocol (NTP). We implement the cloaking attack on two hardware testbeds, a prototype and a real vehicle, and show that it is able to deceive both IDSs. We also introduce a new metric called the Maximum Slackness Index to quantify the effectiveness of a clock skew-based IDS in detecting masquerade attacks when the adversary is unable to precisely match the clock skew of the targeted ECU.
KW - Clock Skew
KW - Controller Area Network
KW - CPS Security
KW - Intrusion Detection System
KW - Masquerade Attack
UR - https://www.scopus.com/pages/publications/85053535037
U2 - 10.1109/ICCPS.2018.00012
DO - 10.1109/ICCPS.2018.00012
M3 - Conference contribution
AN - SCOPUS:85053535037
SN - 9781538653012
T3 - Proceedings - 9th ACM/IEEE International Conference on Cyber-Physical Systems, ICCPS 2018
SP - 32
EP - 42
BT - Proceedings - 9th ACM/IEEE International Conference on Cyber-Physical Systems, ICCPS 2018
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 11 April 2018 through 13 April 2018
ER -