Table of Contents
Fetching ...

Network Anomaly Detection in Cars: A Case for Time-Sensitive Stream Filtering and Policing

Philipp Meyer, Timo Häckel, Sandra Reider, Franz Korf, Thomas C. Schmidt

TL;DR

This paper shows how filters and policies of TSN can identify misbehaving traffic and thereby serve as distributed guards on the data link layer on this lowest possible layer, and derives a highly efficient network protection directly from TSN.

Abstract

Connected vehicles are threatened by cyber-attacks as in-vehicle networks technologically approach (mobile) LANs with several wireless interconnects to the outside world. Malware that infiltrates a car today faces potential victims of constrained, barely shielded Electronic Control Units (ECUs). Many ECUs perform critical driving functions, which stresses the need for hardening security and resilience of in-vehicle networks in a multifaceted way. Future vehicles will comprise Ethernet backbones that differentiate services via Time-Sensitive Networking (TSN). The well-known vehicular control flows will follow predefined schedules and TSN traffic classifications. In this paper, we exploit this traffic classification to build a network anomaly detection system. We show how filters and policies of TSN can identify misbehaving traffic and thereby serve as distributed guards on the data link layer. On this lowest possible layer, our approach derives a highly efficient network protection directly from TSN. We classify link layer anomalies and micro-benchmark the detection accuracy in each class. Based on a topology derived from a real-world car and its traffic definitions we evaluate the detection system in realistic macro-benchmarks based on recorded attack traces. Our results show that the detection accuracy depends on how exact the specifications of in-vehicle communication are configured. Most notably for a fully specified communication matrix, our anomaly detection remains free of false-positive alarms, which is a significant benefit for implementing automated countermeasures in future vehicles.

Network Anomaly Detection in Cars: A Case for Time-Sensitive Stream Filtering and Policing

TL;DR

This paper shows how filters and policies of TSN can identify misbehaving traffic and thereby serve as distributed guards on the data link layer on this lowest possible layer, and derives a highly efficient network protection directly from TSN.

Abstract

Connected vehicles are threatened by cyber-attacks as in-vehicle networks technologically approach (mobile) LANs with several wireless interconnects to the outside world. Malware that infiltrates a car today faces potential victims of constrained, barely shielded Electronic Control Units (ECUs). Many ECUs perform critical driving functions, which stresses the need for hardening security and resilience of in-vehicle networks in a multifaceted way. Future vehicles will comprise Ethernet backbones that differentiate services via Time-Sensitive Networking (TSN). The well-known vehicular control flows will follow predefined schedules and TSN traffic classifications. In this paper, we exploit this traffic classification to build a network anomaly detection system. We show how filters and policies of TSN can identify misbehaving traffic and thereby serve as distributed guards on the data link layer. On this lowest possible layer, our approach derives a highly efficient network protection directly from TSN. We classify link layer anomalies and micro-benchmark the detection accuracy in each class. Based on a topology derived from a real-world car and its traffic definitions we evaluate the detection system in realistic macro-benchmarks based on recorded attack traces. Our results show that the detection accuracy depends on how exact the specifications of in-vehicle communication are configured. Most notably for a fully specified communication matrix, our anomaly detection remains free of false-positive alarms, which is a significant benefit for implementing automated countermeasures in future vehicles.
Paper Structure (37 sections, 3 equations, 15 figures, 6 tables)

This paper contains 37 sections, 3 equations, 15 figures, 6 tables.

Figures (15)

  • Figure 1: IEEE 802.1Qci PSFP
  • Figure 2: Example of a PSFP based NADS by combination with SDN
  • Figure 3: A stream traversing a network without impairment
  • Figure 4: A traversing stream is impaired by eliminated frames
  • Figure 5: A traversing stream is impaired by injected new frames
  • ...and 10 more figures