Abstract
Controller Area Network (CAN) is significantly deployed in various industrial applications (including current in-vehicle network) due to its high performance and reliability. Controller area network with flexible data rate (CAN-FD) is supposed to be the next generation of in-vehicle network to dispose of CAN limitations of data payload size and bandwidth. The paper explores for the first time Electronic Control Unit (ECU) identification on in-vehicle CAN-FD network from bus signaling and the contributions are four-fold.
-
Technically, we discuss the factors that might affect ECU recognition (e.g., CAN-FD controller, CAN-FD transceiver, and voltage regulator) and look into the signal ringing and its intensity where dominant states along with rising edges (from recessive to dominant states) suffice to fingerprint the ECUs. We can thereby design ECU identification scheme on in-vehicle CAN-FD network.
-
For a given network topology (in terms of the stub length and the number of ECUs), we execute CAN-FD and CAN separately and one can expect considerable performance for the two kinds of protocols by using any signal characteristics (rising edges, dominant states, falling edges, and recessive states). In particular, the recognition rates by dominant states and rising edges of signals outperform significantly those by any other combinations of signal characteristics.
-
As a respond to the possible transition mechanism from CAN to CAN-FD, we also allow a hybrid topology of CAN and CAN-FD, namely, there exist on the network ECUs sending purely CAN frames, ECUs sending purely CAN-FD frames, and ECUs sending both CAN and CAN-FD frames, and our suggestion on dominant states and rising edges shows robustness to source identification as expected. This shows convincing evidence on the universal applicability of our approach to forthcoming real vehicles set up by CAN-FD network.
-
The proposed approach can be easily extended to intrusion detection against attacks not only initiated by external devices but also internal devices.
We hope our results could be used as a step forward and a guidance on securing the commercialization and batch production of in-vehicle CAN-FD network in the near future.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
As a slight abuse of terms, we use hereafter node and ECU indiscriminately.
- 2.
The paper focuses on signaling based IDS.
- 3.
The OBD-II port is near the dashboard interface, and the staff can understand the status of the vehicle in real time through the port.
- 4.
It is already reported [8, 9] that for CAN-FD protocol, high-speed data phase and low-speed arbitration phase challenge the same ringing surrounds (as ringing does not depend on the transmission rate), and ring of some recessive bit might not converge until criterion and interfere with the next dominant bit.
References
Agrawal, M., Huang, T., Zhou, J., Chang, D.: CAN-FD-Sec: improving security of CAN-FD protocol. In: Hamid, B., Gallina, B., Shabtai, A., Elovici, Y., Garcia-Alfaro, J. (eds.) CSITS/ISSA -2018. LNCS, vol. 11552, pp. 77–93. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-16874-2_6
Cho, K., Shin, K.G.: Error handling of in-vehicle networks makes them vulnerable. In: Proceedings of ACM CCS, pp. 1044–1055 (2016)
Cho, K., Shin, K.G.: Fingerprinting electronic control units for vehicle intrusion detection. In: 25th USENIX Security Symposium, pp. 911–927 (2016)
Cho, K., Shin, K.G.: Viden: attacker identification on in-vehicle networks. In: Proceedings of 2017 ACM CCS, pp. 1109–1123. ACM (2017)
Choi, W., Jo, H.J., et al.: Identifying ECUs using inimitable characteristics of signals in controller area networks. IEEE Trans. Veh. Technol. 67(6), 4757–4770 (2018)
GmbH, R.B.: CAN Specifcation Version 2.0 (1991)
GmbH, R.B.: CAN with Flexible Data-Rate (2012)
H. Mori, Y.S., et al.: Novel ringing suppression circuit to increase the number of connectable ECUs in a linear passive star CAN. In: International Symposium on Electromagnetic Compatibility - EMC EUROPE, pp. 1–6 (2012)
Islinger, T., Mori, Y.: Ringing suppression in can fd networks. CAN Newsletter (2016)
Karl, K., Alexei, C., et al.: Experimental security analysis of a modern automobile. In: IEEE Symposium on Security and Privacy, pp. 447–462 (2010)
Kim, G., Lim, H.: Ringing suppression in a controller area network with flexible data rate using impedance switching and a limiter. IEEE Trans. Veh. Technol. 68(11), 10679–10686 (2019)
Kononenko, I.: Estimating attributes: analysis and extensions of RELIEF. In: Bergadano, F., De Raedt, L. (eds.) ECML 1994. LNCS, vol. 784, pp. 171–182. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-57868-4_57
Lim, H., Kim, G., et al.: Quantitative analysis of ringing in a controller area network with flexible data rate for reliable physical layer designs. IEEE Trans. Veh. Technol. 68(9), 8906–8915 (2019)
Lin, C., Sangiovanni-Vincentelli, A.L.: Cyber-security for the controller area network (CAN) communication protocol. In: 2012 ASE International Conference on Cyber Security, pp. 1–7. IEEE Computer Society (2012)
Marcel, K., Christopher, H.: Scission: signal characteristic-based sender identification and intrusion detection in automotive networks. In: Proceedings of the 2018 ACM Conference on Computer and Communications Security, pp. 787–800 (2018)
Microchip-Corporation: Stand-Alone CAN Controller With SPI Interface (2005)
Microchip-Corporation: MCP2551 High-Speed CAN Transceiver (2007)
Microchip-Corporation: Externa CAN FD Controller with SPI Infertface (2017)
Miller, C., Valasek, C.: Adventures in automotive networks and control units. Def Con 21(260–264), 15–31 (2013)
Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle. Black Hat USA 2015(S 91) (2015)
Pal-Stefan, M., Bogdan, G.: Source identification using signal characteristics in controller area networks. IEEE Signal Process. Lett. 21(4), 395–399 (2014)
Schweppe, H., Roudier, Y., et al.: Car2x communication: securing the last meter-a cost-effective approach for ensuring trust in car2x applications using in-vehicle symmetric cryptography. In: 2011 IEEE VTC Fall, pp. 1–5 (2011)
Tobias, H., Jana, D.: Sniffing/replay attacks on can buses: A simulated attack on the electric window lift classified using an adapted cert taxonomy. In: Proceedings of the 2nd workshop on embedded systems security (WESS), pp. 1–6 (2007)
Woo, S., Jo, Hyo Jin, A.O.: A practical security architecture for in-vehicle CAN-FD. IEEE Trans. Intell. Transp. Syst. 17(8), 2248–2261 (2016)
Woo, S., Jo, H.J., et al.: A practical wireless attack on the connected car and security protocol for in-vehicle CAN. IEEE Trans. Intell. Transp. Syst. 16(2), 993–1006 (2015)
Yu, T., Wang, X.: Topology verification enabled intrusion detection for in-vehicle CAN-FD networks. IEEE Commun. Lett. 24(1), 227–230 (2020)
Acknowledgement
The work was supported by Shanghai Municipal Education Commission (2021-01-07-00-08-E00101), the National Natural Science Foundation of China (Grant No. 61971192), and the National Cryptography Development Fund (Grant No. MMJJ20180106).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Source Identification on Type B and Recessive States-Falling Edges
As depicted in Sect. 3.2, ringing intensity of falling edges of signals is higher than that of rising edges. Thus recognition rate would be affected when the falling edges are used. Table 12 show the results for Type B (and Table 8 for Type A) and we can see really low recognition rates.
B Detecting Known ECUs
For Type C (Fig. 5(c)), we assume that ECU 1 is normal and the attackers can use other ECUs to send messages with the same identifier as ECU 1. We collect a total of 500 frames, of which 300 are used as attack frames and the rest as normal frames. As shown in Table 13, we achieve a detection rate of 99.01%. For Type A (Fig. 5(a)), we use the same assumptions and operations as for Type C and achieve a detection rate of 98.5% (see Table 13). For Type B (see Fig. 5(b)), we regard ECU 7, ECU 8 and ECU 9 as attackers (equipped with the ability of sending both CAN and CAN-FD frames). We collect 1000 frames, of which 600 are used as attack frames and the rest are normal. Table 14 shows the results with comparable performance to Type A and Type C.
C Detecting Unknown ECUs
Error rates at varying thresholds.
For unknown ECUs, we adopt a threshold-based method to extend our model. For Type A, we first remove ECU 5 and obtain about 500 frames from the remaining ECUs. These data are used to train a new model. Then we plug ECU 5 back to the network and sample a total of 600 frames now. The obtained model is used to classify the newly collected data and Fig. 6(a) shows the False Positive (FP) and False Negative (FN) rates for different threshold values. The recognition rate can be up to 99.36% at threshold = 0.8. For Type B, we remove ECU 8, use the remaining ECUs to train a new model, and then plug ECU 8 back to the network. We collect now a total of 1,000 data which will be classified by the obtained model. Figure 6(b) shows FP and FN vs threshold, and the recognition rate is 99% at threshold = 0.7. For Type C, we use similar method and Fig. 6(c) shows FP and FN vs threshold. We see the 99.1% recognition rate at threshold = 0.83.
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Liu, Y., Li, X. (2021). Source Identification from In-Vehicle CAN-FD Signaling: What Can We Expect?. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds) Information and Communications Security. ICICS 2021. Lecture Notes in Computer Science(), vol 12918. Springer, Cham. https://doi.org/10.1007/978-3-030-86890-1_12
Download citation
DOI: https://doi.org/10.1007/978-3-030-86890-1_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-86889-5
Online ISBN: 978-3-030-86890-1
eBook Packages: Computer ScienceComputer Science (R0)