制动还是破坏：CAN总线上的入侵、检测和规避博弈.pdf

《制动还是破坏：CAN总线上的入侵、检测和规避博弈.pdf》由会员分享，可在线阅读，更多相关《制动还是破坏：CAN总线上的入侵、检测和规避博弈.pdf（65页珍藏版）》请在三个皮匠报告上搜索。

1、To Brake or to Break?The Game of Intrusion,Detection and Evasion on CANStefano ZaneroPolitecnico di Milano2Automotive Attacks3The automotive ecosystem4On-Board Networks5Controller Area Network1980s protocolDeveloped with focus on safetyBaud rate of 1Mbps maxMulti-master bus topologyData-Link and phy

2、sical layers6Controller Area Network7Controller Area NetworkCAN Data Frames:IDs are“owned”by an ECUMost packets are periodicPayload depends on the ID8Whats the idea?(CAN is broken pt.1)KeylessIgnitionModuleEngine Control ModuleBody Control ModuleCANLCANH120120BroadcastUnauthenticatedFrame Injection

3、9What about countermeasures?10What about countermeasures?Industrial secret,however we can make an educated guess at some methodsFrequency basedCAN messages are usually periodicSpecification basedFocus on protocol specifications/physical characteristicsPayload basedEvaluate the content of the data fi

4、eld of the packetOur Approach(CANova)CANnoloLSTM autoencoder based IDSOur Approach(CANova)Simple frequency analysis and basic rules,hence low computation timesNo False PositivesScrub simple attacks and lower the burden on more complex modulesCANnolo(CANovas Module)s(t)xtxt+1.xt+n-1y(t)ytyt+1.yt+n-1R

5、econst.ErrorAnomaly Signal ProcessingAnomaly ScoreAutoencoderExperimentsShow that ML-based IDS are less effective in detecting simple attacks:Injection AttackDRFPRAUCF1MCCTTPCANnolo0.69010.02770.87160.38260.41500.4715msFlow-based1.00.00004-0.99850.99850.0050msDrop AttackDRFPRAUCF1MCCTTPCANnolo0.2300

6、0.02380.62620.34740.33460.4714msFlow-based0.99980.00004-0.99980.99970.0056msExperimentsCANova vs CANnolo(1)Masquerade Atk.DRFPRF1MCCTTPCANova0.88050.01610.91430.88680.2660msCANnolo0.90660.02650.91490.88540.4560msChange AttackDRFPRF1MCCTTPCANova0.84860.01560.89440.86520.2688msCANnolo0.88500.02630.899