Skip to content
/ CAN-SkewIDS Public

Implementation of a CAN protocol Intrusion Detection System which detects intrusions based on the skew induced by the quartz clock.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

GiovanniMenon/CAN-SkewIDS

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

34 Commits
graph
graph
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.py
main.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

Note

The code for these projects may not be the best or the cleanest, as it was written as project and sometimes in an experimental way. Some aspects could definitely be improved and optimized.

CAN-SkewIDS

CAN-SkewIDS is an implementation of the proof-of-concept (PoC) described in the referenced paper. It serves as an Intrusion Detection System (IDS) for the Controller Area Network (CAN) protocol, is designed to detect malicious activity by analyzing clock skew to fingerprint Electronic Control Units (ECUs). The approach is based on the model presented in the paper, referred in their work as a Clock-based Intrusion Detection System (CIDS).

Reference

Fingerprinting Electronic Control Units for Vehicle Intrusion Detection

Experiments & Results

Warning

Since the tests are performed on one physical device, thus with the same (or extremely similar) quartz clock, we felt the need to introduce an artificial clock skew to our custom CAN device implementations, which adds clock drift to each of the virtual can bus devices that are transmitting messages.

Experiment 1: CIDS stability

This experiment is designed to test the overall stability of the CIDS, by having just two devices running on the CAN bus. This experiment is aimed at measuring how stable the algorithm is in regards to False Positives in a perfect scenario.

Message Count Period Skew per Period False Positives % Correctly Classified Messages
1000 2s 10ms 3 99.7%

It is worth noting that 1 to 2 False Positives occur very early in the lifespan of the CIDS. This is most likely because of the lack of refined skew data collected at the very beginning of the algorithm (usually up to 5 skew estimations are done, which may produce a larger error).

Experiment 2: Accumulated Clock Offset (from the paper)

This experiment is designed to demonstrate that all the derived accumulated clock offsets were found to be linear in time, furthermore demonstrating that messages sent from the same device have the same constant clock skew and can be used to fingerprint the transmitter ECUs.
Figure 1: Our Results Figure 2: Paper Results

As it can be seen, the messages sent from a device with the same clock skew, but different arbitration Ids correlate, are almost linear.

Experiment 3: Fabrication Attack Detection (from the paper)

The goal of this experiment is to use the accumulated clock skews—previously gathered for ECU fingerprinting—to calculate the deviation of incoming messages. By comparing these deviations, the system can detect intrusions.
Figure 3: Our Results Figure 4: Paper Results

The experiment resulting graph shows a massive increase in accumulated clock offset values once a fabricated message is sent from another device. Thus indicating an intrusion.

Set Up

All packages required are in requirements.txt.

To run:

pip install -r requirements.txt
python run main.py

Authors

Tautvydas Jackevičius
Giovanni Menon
Ugnius Petryla

About

Implementation of a CAN protocol Intrusion Detection System which detects intrusions based on the skew induced by the quartz clock.

Topics

cybersecurity ids can-bus ids-algorithm

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages