Network anomaly detection in cars: A case for time-sensitive stream filtering and policing

IF 4.4 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Networks Pub Date : 2024-10-15 DOI:10.1016/j.comnet.2024.110855

Philipp Meyer, Timo Häckel, Sandra Reider, Franz Korf, Thomas C. Schmidt

{"title":"Network anomaly detection in cars: A case for time-sensitive stream filtering and policing","authors":"Philipp Meyer, Timo Häckel, Sandra Reider, Franz Korf, Thomas C. Schmidt","doi":"10.1016/j.comnet.2024.110855","DOIUrl":null,"url":null,"abstract":"<div><div>Connected vehicles are threatened by cyber-attacks as in-vehicle networks technologically approach (mobile) LANs with several wireless interconnects to the outside world. Malware that infiltrates a car today faces potential victims of constrained, barely shielded Electronic Control Units (ECUs). Many ECUs perform critical driving functions, which stresses the need for hardening security and resilience of in-vehicle networks in a multifaceted way. Future vehicles will comprise Ethernet backbones that differentiate services via Time-Sensitive Networking (TSN). The well-known vehicular control flows will follow predefined schedules and TSN traffic classifications. In this paper, we exploit this traffic classification to build a network anomaly detection system. We show how filters and policies of TSN can identify misbehaving traffic and thereby serve as distributed guards on the data link layer. On this lowest possible layer, our approach derives a highly efficient network protection directly from TSN. We classify link layer anomalies and micro-benchmark the detection accuracy in each class. Based on a topology derived from a real-world car and its traffic definitions we evaluate the detection system in realistic macro-benchmarks based on recorded attack traces. Our results show that the detection accuracy depends on how exact the specifications of in-vehicle communication are configured. Most notably for a fully specified communication matrix, our anomaly detection remains free of false-positive alarms, which is a significant benefit for implementing automated countermeasures in future vehicles.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"255 ","pages":"Article 110855"},"PeriodicalIF":4.4000,"publicationDate":"2024-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S138912862400687X","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

Connected vehicles are threatened by cyber-attacks as in-vehicle networks technologically approach (mobile) LANs with several wireless interconnects to the outside world. Malware that infiltrates a car today faces potential victims of constrained, barely shielded Electronic Control Units (ECUs). Many ECUs perform critical driving functions, which stresses the need for hardening security and resilience of in-vehicle networks in a multifaceted way. Future vehicles will comprise Ethernet backbones that differentiate services via Time-Sensitive Networking (TSN). The well-known vehicular control flows will follow predefined schedules and TSN traffic classifications. In this paper, we exploit this traffic classification to build a network anomaly detection system. We show how filters and policies of TSN can identify misbehaving traffic and thereby serve as distributed guards on the data link layer. On this lowest possible layer, our approach derives a highly efficient network protection directly from TSN. We classify link layer anomalies and micro-benchmark the detection accuracy in each class. Based on a topology derived from a real-world car and its traffic definitions we evaluate the detection system in realistic macro-benchmarks based on recorded attack traces. Our results show that the detection accuracy depends on how exact the specifications of in-vehicle communication are configured. Most notably for a fully specified communication matrix, our anomaly detection remains free of false-positive alarms, which is a significant benefit for implementing automated countermeasures in future vehicles.

查看原文本刊更多论文

汽车网络异常检测：时间敏感流过滤和监控案例

随着车载网络在技术上接近于（移动）局域网，并与外部世界建立了多个无线互联，互联汽车正面临着网络攻击的威胁。如今，渗透到汽车中的恶意软件面临着电子控制单元（ECU）受限、几乎没有屏蔽的潜在受害者。许多 ECU 执行关键的驾驶功能，这就强调需要从多方面加强车载网络的安全性和弹性。未来的车辆将由以太网骨干网组成，通过时间敏感网络（TSN）提供不同的服务。众所周知，车辆控制流将遵循预定义的时间表和 TSN 流量分类。在本文中，我们利用这种流量分类建立了一个网络异常检测系统。我们展示了 TSN 的过滤器和策略如何识别行为不端的流量，从而在数据链路层起到分布式防护的作用。在这个尽可能低的层上，我们的方法直接从 TSN 中获得了高效的网络保护。我们对链路层异常情况进行分类，并对每类异常情况的检测精度进行微基准测试。基于从真实世界的汽车及其流量定义中得出的拓扑结构，我们根据记录的攻击轨迹，在现实的宏观基准中对检测系统进行了评估。我们的结果表明，检测精度取决于车载通信规格配置的精确程度。最值得注意的是，对于完全指定的通信矩阵，我们的异常检测系统不会出现假阳性报警，这对在未来车辆中实施自动反制措施大有裨益。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Networks 工程技术-电信学

CiteScore

10.80

自引率

3.60%

发文量

434

审稿时长

8.6 months

期刊介绍： Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.