
Viden: Attacker Identification on In-Vehicle Networks (1708.08414v1)

Published 28 Aug 2017 in cs.CR

Abstract: Various defense schemes --- which determine the presence of an attack on the in-vehicle network --- have recently been proposed. However, they fail to identify which Electronic Control Unit (ECU) actually mounted the attack. Clearly, pinpointing the attacker ECU is essential for fast/efficient forensic, isolation, security patch, etc. To meet this need, we propose a novel scheme, called Viden (Voltage-based attacker identification), which can identify the attacker ECU by measuring and utilizing voltages on the in-vehicle network. The first phase of Viden, called ACK learning, determines whether or not the measured voltage signals really originate from the genuine message transmitter. Viden then exploits the voltage measurements to construct and update the transmitter ECUs' voltage profiles as their fingerprints. It finally uses the voltage profiles to identify the attacker ECU. Since Viden adapts its profiles to changes inside/outside of the vehicle, it can pinpoint the attacker ECU under various conditions. Moreover, its efficiency and design-compliance with modern in-vehicle network implementations make Viden practical and easily deployable. Our extensive experimental evaluations on both a CAN bus prototype and two real vehicles have shown that Viden can accurately fingerprint ECUs based solely on voltage measurements and thus identify the attacker ECU with a low false identification rate of 0.2%.

Citations (189)

Summary

  • The paper presents Viden, which uses voltage fingerprinting to accurately identify compromised ECUs on in-vehicle networks.
  • Its four-phase process—including ACK learning, voltage instance calculation, profile formation, and machine learning classification—ensures precise attacker attribution.
  • Experimental results on prototypes and real vehicles demonstrate a low 0.2% false identification rate, highlighting its potential for enhanced automotive cybersecurity.

Voltage-Based Attacker Identification in In-Vehicle Networks: Analyzing Viden

The paper presents Viden, a novel methodology to identify attacker ECUs in in-vehicle networks using voltage fingerprinting. This research, conducted by Kyong-Tak Cho and Kang G. Shin, addresses a significant gap in cybersecurity within automotive environments by providing effective mechanisms for attacker identification once an intrusion has been detected.

Viden operates on the Controller Area Network (CAN) protocol, a ubiquitous network protocol in the automotive industry. Traditional Intrusion Detection Systems (IDS) are primarily designed for detection rather than pinpointing the malicious ECU. This paper proposes a solution that not only detects anomalies but also identifies which ECU is responsible for any detected malicious behavior, a capability essential for efficient forensic analysis and timely remediation measures such as isolation or security patching.

Mechanisms of Viden

The crux of Viden's approach lies in its use of voltage discrepancies as ECU fingerprints. Viden performs a four-phase process built on measuring the voltages that ECUs output while communicating over the CAN bus.

  1. ACK Learning Phase: Viden learns the characteristic voltage thresholds that distinguish voltages output by an ECU sending a message from those output by ECUs merely acknowledging it (ACK responses). This phase draws a clear boundary between genuine transmission voltages and acknowledgment signals.
  2. Voltage Instance Calculation: It generates "voltage instances" representing the typical behavior of ECUs based on newly acquired data. These instances factor in consistent features such as frequently measured voltage levels and the distribution of these voltages (percentiles).
  3. Voltage Profile Formation: Utilizing Recursive Least Squares (RLS), Viden updates an ECU's voltage profile in real time. This profile, a linear model of voltage measurements over time, eliminates transient variations, thereby capturing the ECU's inherent characteristics.
  4. Verification via Classification: To counter potential impersonation by sophisticated attackers, Viden additionally applies machine learning classification to these voltage instances, complementing the voltage profiles and enhancing its identification accuracy.
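The profile-update and identification steps above can be sketched as follows. This is an added example, not code from the paper or its authors: it reduces each voltage instance to a single median CANH value, fits the accumulated deviation with a scalar RLS, and attributes attack frames to the ECU whose profile slope is nearest. The nominal level, ACK threshold, forgetting factor, ECU names and all measurements are constructed assumptions.

```python
import random

NOMINAL_CANH = 3.5   # assumed nominal dominant CANH level (volts)
ACK_THRESHOLD = 3.9  # assumed learned threshold; samples above it are treated as ACK voltages

class VoltageProfile:
    """Scalar RLS fit of accumulated deviation = slope * n (simplified voltage profile)."""
    def __init__(self, forgetting=0.999):
        self.lam, self.slope, self.P = forgetting, 0.0, 1e3
        self.n, self.accum = 0, 0.0

    def update(self, canh_samples):
        # Drop ACK samples, then reduce the batch to one voltage instance (median).
        kept = sorted(v for v in canh_samples if v < ACK_THRESHOLD)
        if not kept:
            return
        instance = kept[len(kept) // 2]
        self.n += 1
        self.accum += instance - NOMINAL_CANH
        t = float(self.n)
        gain = self.P * t / (self.lam + t * self.P * t)
        self.slope += gain * (self.accum - self.slope * t)   # correct by prediction error
        self.P = (self.P - gain * t * self.P) / self.lam

def make_batches(offset, count, rng):
    """Constructed measurements: each batch is 8 dominant samples plus one ACK sample."""
    return [[NOMINAL_CANH + offset + rng.gauss(0, 0.005) for _ in range(8)] + [4.1]
            for _ in range(count)]

def train_profiles(offsets, rng):
    profiles = {}
    for ecu, off in offsets.items():
        profiles[ecu] = VoltageProfile()
        for batch in make_batches(off, 200, rng):
            profiles[ecu].update(batch)
    return profiles

def identify(profiles, attack_batches):
    """Fit a profile to the attack messages and return the ECU with the nearest slope."""
    probe = VoltageProfile()
    for batch in attack_batches:
        probe.update(batch)
    return min(profiles, key=lambda e: abs(profiles[e].slope - probe.slope))

def demo():
    rng = random.Random(1)
    profiles = train_profiles({"ECU_A": 0.02, "ECU_B": 0.05, "ECU_C": -0.03}, rng)
    # Attack frames carry an ID normally sent by ECU_A, but are driven by ECU_C's transceiver.
    return identify(profiles, make_batches(-0.03, 60, rng))
```

Because the fit tracks the electrical behavior of the transmitter rather than the message ID, the spoofed frames are attributed to `ECU_C` even though their ID belongs to `ECU_A`.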

Evaluation and Implications

Experiments conducted on a CAN bus prototype and two real vehicles underscore Viden's efficiency, showing a false identification rate as low as 0.2%. The results show that voltage profiles across ECUs are distinct and consistent, validating Viden's capability in practical scenarios.

The implications of Viden are profound. By enabling accurate identification of compromised ECUs, it closes a critical loop in vehicular cybersecurity protocols. This identification mechanism could be integral to a multi-layered defense strategy, significantly enhancing the robustness of emerging autonomous and connected vehicles against persistent threats.

The paper also considers scenarios where attackers exploit hardware behavior, demonstrating Viden’s ability to adaptively handle diverse attack strategies, including those from knowledgeable adversaries who attempt both arbitrary and targeted impersonations.

Future Prospects

Looking ahead, the integration of Viden in the automotive cybersecurity ecosystem opens several lines of inquiry and development. Practical deployment would require system updates to accommodate evolving vehicular architectures, particularly with the expansion of electric and hybrid vehicles that could influence power and voltage characteristics on the CAN bus.

Furthermore, the development of Viden points toward the broader applicability of voltage-based fingerprinting in other industrial IoT environments where similar bus architectures and communication protocols are employed.

Overall, Viden is poised to make substantial contributions to the security measures entrenched in the vehicular industry, offering a viable and adaptable methodology for robust attacker identification based on intrinsic electrical signatures. This paper not only enriches the cybersecurity infrastructure of modern and future vehicles but also sets a precedent for research into similar novel identification methods across different applications and networks.