Jiwoo Shin and Hyunghoon Kim, Soongsil University; Seyoung Lee, Wonsuk Choi, and Dong Hoon Lee, Korea University; Hyo Jin Jo, Soongsil University
Researchers have responded to various cyber attacks on controller area network (CAN) by studying technologies for identifying the source of an attack. However, existing attack source identification technologies have significantly lower accuracy depending on changes in vehicle environment (temperature, humidity, battery level, etc.), or have proven to be circumvented by identification-aware attackers, or do not provide real-time identification. A real-time attack node identification technology that cannot be bypassed by an attacker while not being affected by changes in the vehicle environment is an essential for developing cyber attack response technologies such as node isolation, security patch, digital forensics, etc. To meet this need, we propose a novel real-time attack node identification method, called RIDAS, which can identify the attack source by using the error handling rule of CAN. RIDAS injects bit errors into the abnormal message that have been detected by an existing intrusion detection system (IDS). The source that sent the abnormal message become the error passive state defined in CAN standard in which it cannot send consecutive messages. RIDAS then sequentially inspects all electronic control units (ECU) in the vehicle, and identifies the node in the error passive state by checking the priority reduction phenomenon that occurs in that state. Moreover, RIDAS deals with two issues, identification robustness and identification errors. Our experimental results on both a CAN bus prototype and one real vehicle have demonstrated that RIDAS can accurately identify an attack source without being affected by a vehicle's environmental change and can deal with both false positives of intrusion detection systems and RIDAS-aware attackers.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Jiwoo Shin and Hyunghoon Kim and Seyoung Lee and Wonsuk Choi and Dong Hoon Lee and Hyo Jin Jo},
title = {{RIDAS}: Real-time identification of attack sources on controller area networks},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {6911--6928},
url = {https://www.usenix.org/conference/usenixsecurity23/presentation/shin},
publisher = {USENIX Association},
month = aug
}