From ECU to VSOC: UDS Security Monitoring Strategies

Ali Recai Yekta, Nicolas Loza, Jens Gramm, Michael Peter Schneider, Stefan Katzenbeisser

TL;DR

The paper tackles the challenge of securing the widely used UDS protocol by proposing an end-to-end security monitoring approach that combines in-vehicle logging with a VSOC to detect attack scenarios. It introduces three logging strategies (Invalid Request, Function Execution, Message Flow Inconsistency), a log context data framework, and three detection strategies (Suspicious Log Patterns, Contextualized Log Checks, Product Threat Intelligence), all mapped to a comprehensive UDS attack taxonomy. The study evaluates coverage against AUTOSAR Security Events and demonstrates detection of representative attacks, while highlighting gaps where backend VSOC correlation and threat intelligence are essential. The work provides concrete guidelines for implementing UDS monitoring and serves as a blueprint for broader automotive security monitoring efforts, with future work including real-vehicle validation and extensions to other domains like rail systems.

Abstract

Increasing complexity and connectivity of modern vehicles have heightened their vulnerability to cyberattacks. This paper addresses security challenges associated with the Unified Diagnostic Services (UDS) protocol, a critical communication framework for vehicle diagnostics in the automotive industry. We present security monitoring strategies for the UDS protocol that leverage in-vehicle logging and remote analysis through a Vehicle Security Operations Center (VSOC). Our approach involves specifying security event logging requirements, contextual data collection, and the development of detection strategies aimed at identifying UDS attack scenarios. By applying these strategies to a comprehensive taxonomy of UDS attack techniques, we demonstrate that our detection methods cover a wide range of potential attack vectors. Furthermore, we assess the adequacy of current AUTOSAR standardized security events in supporting UDS attack detection, identifying gaps in the current standard. This work enhances the understanding of vehicle security monitoring and provides an example for developing robust cybersecurity measures in automotive communication protocols.

Paper Structure

This paper contains 17 sections, 1 figure, 3 tables.

Figures (1)

  • Figure 1: Detection process, including in-vehicle detection and VSOC-based detection. The numbers refer to the examples from Section \ref{sec:evaluation:detection}.