
CANOA: CAN Origin Authentication through Power Side-channel Monitoring

Published: 14 May 2024

Abstract

The lack of any sender authentication mechanism in place makes Controller Area Network (CAN) vulnerable to security threats. For instance, an attacker can impersonate an Electronic Control Unit (ECU) on the bus and send spoofed messages unobtrusively with the identifier of the impersonated ECU. To address this problem, we propose a novel source authentication technique that uses power consumption measurements of the ECU to authenticate the source of a message. A transmission of an ECU affects the power consumption and a characteristic pattern will appear. Our technique exploits the power consumption of each ECU during the transmission of a message to determine whether the message actually originated from the purported sender. We evaluate our approach in both a lab setup and a real vehicle. We also evaluate our approach against factors that can impact the power consumption measurement of the ECUs. The results of the evaluation show that the proposed technique is applicable in a broad range of operating conditions with reasonable computational power requirements and attaining good accuracy.
Appendix

A CANOA Evaluation in Real-vehicle with Multiple ECUs

We evaluate our approach in a truck with access to the power source of more than one ECU. We were able to capture power consumption measurements from the Engine (ECM), the Transmission (TCM), and the brake (ABS) from a truck parked in the open for a period of 24 hours. We also obtained the mapping between the ECUs and source address using hardware configuration: (ECU, 0), (TCM, 11), and (ABS, 3). For the evaluation, we captured a total of 100k CAN transmissions from the vehicle in a stationary position. The only difference observed in the power consumption measurements of the stationary vehicle from the moving vehicle is the change in the noise floor, which the model learned to ignore over training iterations. Out of the 100k transmissions, 35k transmissions each were triggered from the Engine and ABS, and the remaining 30k from the Transmission. Using the same technique described in the data description of the evaluation section, we constructed 100k instances of power traces of transmission and non-transmission for all the three ECUs. For the Engine and ABS, 35k transmissions belong to the periods of transmissions with source address 0, which are triggered by Engine, and the remaining belong to the period of non-transmission. Similarly, for Transmission, 30k power traces belong to the periods of transmissions with source address 11 and the remaining to the periods of non-transmission. For the ABS, 35k transmissions were triggered with source address three and form the features of transmission, and the remaining belong to the period of non-transmissions. We split the labeled power traces of the ECUs randomly into three chunks: train, cross-validate, and test at a ratio of 6:3:1, and trained a random forest-based classifier for each of the ECUs. Figure 10 shows the pictorial representation of the kernel density estimate of the five modes of the statistics of the power traces of transmissions from the three ECUs. The density estimates indicate their distinct characteristics.
Fig. 10. Statistical analysis of the ECUs' power traces corresponding to the periods of transmissions from the Engine (ECM, 0), anti-lock brake system (ABS, 3), and transmission (TCM, 11) mapped with their corresponding source addresses.
We evaluated the trained models using the test set of transmissions. For each test transmission, we looked up the power trace for each of the ECUs and obtained the model’s classification score. We use the classification scores to fill a matrix, where the number of rows is the number of the test set of transmissions, and the number of columns is the number of ECUs and source address mappings available for the vehicle. The rows for every transmission are filled with the highest scores of the probability of transmissions obtained from each of the three models. We use this matrix to calculate a confusion matrix, as shown in Table 8 for the sender authentication from the model for (ECU, 0), (TCM, 11), and (ABS, 3). Our method detects 99% of transmissions each from ECM and ABS, and 94% of transmissions from TCM. The observed drop in the accuracy of the (TCM, 11) model was found to be associated with the presence of noise in the captured power traces. However, we observed that the noise floor is reduced if the model is trained over a longer duration. This way, the model will be able to capture the subtle variations that were left untracked with the training over a shorter duration. We also observed the response time of the models in the online setting (real-time \(E_{p}\) authentication using the stream of transmissions observed on the bus), and it is noted to be an average of 0.8 ms, which makes the technique feasible for application in real-time settings.
| | (ECM, 0) | (TCM, 11) | (ABS, 3) |
|---|---|---|---|
| (ECM, 0) | \({\bf 0.99} \pm {\bf 0.001}\) | \(0.01 \pm 0.05\) | \(0.00 \pm 0.001\) |
| (TCM, 11) | \(0.06 \pm 0.3\) | \({\bf 0.94} \pm {\bf 0.01}\) | \(0.00 \pm 0.1\) |
| (ABS, 3) | \(0.00 \pm 0.05\) | \(0.00 \pm 0.4\) | \({\bf 0.99} \pm {\bf 0.3}\) |

Table 8. Confusion Matrix Obtained Using Mahalanobis Distance-based Sender Classification in a Real Vehicle

A.1 CANOA Evaluation with No Prior Knowledge of Source Address and ECU Mapping

An ECU can send messages with many source addresses (or IDs). In an authentic (non-attack) scenario, an ECU can send messages with a set of source addresses (or IDs), which do not overlap with that of the other ECUs on the bus. That is, in properly configured hardware, a source address is unique to an ECU. However, in the case of malformed hardware, messages with the same source address may be observed from multiple ECUs, and the source address is not a reliable source of information for locating the source of transmission. Therefore, to evaluate our approach, we use the mapping between all the combinations of ECUs and source addresses that are available on the bus. In our case, we obtained the combinations using all the source addresses on the bus and the ECUs (ECM, TCM, and ABS) for which we could capture the power source. That is, we prepared training sets of labeled power traces for the following combinations of source addresses and ECUs: (ECU, 0), (ECU, 3), (ECU, 11), (TCM, 11), (TCM, 0), (TCM, 3), (ABS, 3), (ABS, 0), and (ABS, 11). Figure 11 shows a pictorial representation of the kernel density estimate of the five modes of the statistics of the power traces of transmissions. The power traces are categorized according to the source address of the transmissions. The subtle distinction between the modes across the source addresses aids the models in learning to distinguish between the two states.
Fig. 11. Statistical analysis of the ECUs' power traces corresponding to the periods of transmissions for all the combinations of ECUs and source addresses on the CAN bus.
Later, during testing, for every transmission, we looked up the power trace corresponding to the ECUs and queried the models for transmission scores. As per the CAN protocol, only one ECU transmits at a time. Therefore, the model whose estimate of transmission characteristics is closest to that of the new transmission is the most likely source of the transmission. Finally, we condensed the vector of scores obtained from the models into a single score by applying softmax on the vector, and returning the model with the highest probability score of transmission as the predicted source of transmission. Based on our analysis, we found that 97.8% of transmissions from the Engine were correctly detected, 98% of transmissions from ABS were detected, and 95.5% from the Transmission. Most of the false positives were observed due to the confusion between the models from the same ECU but with different addresses, which will improve with larger training traces.
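The source-selection step described above, together with the row-normalised confusion matrix of the kind reported in Table 8, as an added example that is not code from the paper. The function names are hypothetical, the score values are constructed, and the owner table reuses the (ECM, 0), (TCM, 11), (ABS, 3) mapping reported for the truck.

```python
import math
from collections import Counter, defaultdict

# Source address -> ECU allowed to use it (mapping reported for the truck).
OWNER = {0: "ECM", 11: "TCM", 3: "ABS"}

def softmax(scores):
    """Numerically stable softmax over a {model: score} dict."""
    peak = max(scores.values())
    exps = {k: math.exp(v - peak) for k, v in scores.items()}
    total = sum(exps.values())
    return {k: e / total for k, e in exps.items()}

def predict_source(scores):
    """Return ((ecu, sa), probability) for the model most likely transmitting."""
    probs = softmax(scores)
    best = max(probs, key=probs.get)
    return best, probs[best]

def authenticate(claimed_sa, scores):
    """Accept a frame only if the predicted ECU owns the claimed source address."""
    (ecu, sa), prob = predict_source(scores)
    return (sa == claimed_sa and OWNER.get(claimed_sa) == ecu), ecu, prob

def confusion_matrix(samples):
    """Row-normalised confusion matrix from (true_model, scores) pairs."""
    counts = defaultdict(Counter)
    for truth, scores in samples:
        counts[truth][predict_source(scores)[0]] += 1
    return {t: {p: n / sum(row.values()) for p, n in row.items()}
            for t, row in counts.items()}

ECM, TCM, ABS = ("ECM", 0), ("TCM", 11), ("ABS", 3)
# Constructed per-model transmission scores, not measurements from the paper.
SAMPLES = [
    (ECM, {ECM: 0.97, TCM: 0.02, ABS: 0.01}),
    (ECM, {ECM: 0.90, TCM: 0.08, ABS: 0.02}),
    (TCM, {ECM: 0.10, TCM: 0.85, ABS: 0.05}),
    (TCM, {ECM: 0.55, TCM: 0.40, ABS: 0.05}),  # noisy trace, misattributed
    (ABS, {ECM: 0.01, TCM: 0.03, ABS: 0.96}),
]

if __name__ == "__main__":
    for truth, row in confusion_matrix(SAMPLES).items():
        print(truth, row)
    # Frame claims source address 0, but the TCM's power trace shows the transmission.
    print(authenticate(0, {ECM: 0.05, TCM: 0.90, ABS: 0.05}))
```

The same functions accept score dictionaries keyed by all nine (ECU, source address) combinations of Appendix A.1; a winning model such as ("ECM", 11) is rejected because source address 11 belongs to the TCM.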

A.2 Model Convergence

We evaluate the convergence of the trained models for each ECU and source address mapping by plotting the models’ learning curves. The learning curve shows the loss (inversely proportional to the accuracy) of a model during training over many iterations. A model is said to have converged if the loss decreases at first over the iterations and then asymptotically approaches a minimum such that training any further has a negligible improvement on the performance of the model. In particular, we evaluate the learning curve of all the models with the source addresses 0, 11, and 3 from real-vehicle settings. From Figure 12, it is evident that the models begin to converge after 500 iterations across all the source addresses. In particular, the learning curve for source addresses 0 and 11 has a steep curve. This is also reflected in the accuracy of the corresponding model from the confusion matrix, which reports 99% of the correct classifications. From the figure, we notice that models trained with more instances of the input power traces can minimize their loss and perform better at correctly determining the states of ECUs from unseen noisy input power traces.
Fig. 12. Plots showing the learning curves of the models for sender state (transmitting/not transmitting) classification with source address 0, 11, and 3.

Published In

ACM Transactions on Cyber-Physical Systems, Volume 8, Issue 2
April 2024
342 pages
EISSN: 2378-9638
DOI: 10.1145/3613588
Editor: Chenyang Lu

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 May 2024
Online AM: 18 November 2022
Accepted: 29 October 2022
Revised: 12 September 2022
Received: 09 June 2021
Published in TCPS Volume 8, Issue 2

Author Tags

  1. Automotive security
  2. CAN
  3. transmissions
  4. authentication

Qualifiers

  • Research-article
