Clock-Based Sender Identification and Attack Detection for Automotive CAN Network

Abstract

Read online

Building the security mechanism for Controller Area Network (CAN) to defend against attack has drawn substantial attention recently. Fingerprinting ECUs to provide the ability of authentication based on the physical characteristics can protect the CAN network effectively. The clock skew which is unique and stable can be exploited to pinpoint the attacker and detect intrusion. However, a common downside of existing clock-skew-based approaches is that the estimation process can be affected by the message scheduling or arbitration. In our work, a novel intrusion detection system (IDS) that exploits the inherent difference in the clock of devices for automotive CAN network is designed. The estimation process of clock skew in our approach relies only on the time measurement of a single CAN frame. Thus, the disturbance from the data-link layer can be avoided. Since the performance of our IDS depends heavily on the accuracy of estimated clock skew, our approach is evaluated on CAN networks with different settings to simulate cases in which the sampling rate is sufficient or not. The feasibility as well as the limitation of our approach are presented in our work. The evaluation shows that our IDS can identify the sender and detect attacks with an average identification rate of more than 99.7% when the sampling rate is sufficient. Besides, the performance degradation as low sampling accuracy is shown and feasible measures for improvement are also discussed.

Keywords

• Attack identification
• automotive security
• controller area network
• intrusion detection