Smart cars are a promising target for malicious actors, thanks to their connectivity. To protect such cars, the auto industry and related parties have proposed different approaches to prevent potential attacks. Besides promoting the best security practices, device hardening, and more, the ability to identify and prevent (unknown) live attacks makes connected cars much safer. In this post, we will discuss one of the most prominent anomaly detection types in connected vehicles called vehicle communication monitoring.
Threats to vehicle communication
Smart cars often have more than 70 embedded controllers, called electronic control units (ECUs). These ECUs are connected via different in-vehicle networks. To enable different advanced and useful features, such as driver assistance systems, blind spots detectors, remote diagnostic, etc., these ECUs communicate with each other using the controller area network (CAN) protocol to provide and retrieve necessary information. The CAN protocol uses a bus topology with multiple ECUs representing different network nodes. The controller area network messages are then used to send key information, such as vehicle speed, accelerator positions, and steering angle. This is a critical point for the security (and safety) of smart cars as attackers often aim to exploit weaknesses of the CAN protocol to intercept the vehicle’s communication. Specifically, by exploiting vulnerabilities in the car's external connection (e.g., Wi-Fi, Bluetooth, and OBD port), attackers can gain access to the CAN bus of a car and perform different attacks. The following weaknesses of the controller area network protocol make connected vehicles promising targets for attackers:
- CAN message in exchange can be easily analyzed
- Arbitrary CAN messages can be easily inserted (i.e., spoofing attacks)
- CAN protocols are susceptible to a denialof-service attack.
Anomaly detection systems
Anomaly detection systems can detect and prevent a variety of attacks that cannot be automatically identified by conventional firewalls. Anomaly detection systems for connected cars often target vehicle network packages to look for abnormal signals. Different approaches exist for such systems:
Signaturebased: Anomalous behaviors are defined beforehand, and anomaly detectors would look for messages that exhibit similar (or identical) characteristics and flag them as anomalous
- Anomalybased: Normal behaviors are defined, and anomaly detectors would look for behaviors that deviate from the normal ones. This approach can detect unknown attacks on connected vehicles.
For a signature-based approach, a database of known anomalous behaviors must be updated frequently to cope with new attacks. On the other hand, such an approach would likely be advantageous for deployment and performance, especially in terms of understandability (how the detector has made a decision).
For the anomaly-based approach, using machine learning to develop anomaly detection systems is a promising direction. It allows the detector to make sense of (large) data and subsequently derive patterns of normal behaviors. With the recent advancements in deep learning, we see different approaches that rely on deep learning to identify anomalous behavior using a neural network such as AutoEncoder. While machine learning is powerful when we have enough (large) data, it is not always the sole answer to anomaly detection when it comes to deployment on low latency tolerance, resource-constrained hardware such as ECU. Especially how a decision has been made appears to be the output of a black-box (in contrast to rule-based approaches).
Despite possibly integrated security mechanisms (e.g., authentication, encryption, and secure communication) in connected cars, the need for well-designed anomaly detection systems is still crucial to overcome the threats to vehicle communication. We will always need to look for unexpected behavior, especially when it comes to the security and safety of the passenger. At HCL, we provide expertise in anomaly detection systems that are tailored toward connected vehicles. With our products and services, the vehicle communication channels will be protected against (known and novel) cyber-attacks.