2024
Supporting CAN Bus Anomaly Detection With Correlation Data
B. Koltai and A. Gazdag and G. Ács
Proceedings of the 10th International Conference on Information Systems Security and Privacy - ICISSP, 2024.
Bibtex
| Abstract
| PDF
| Link
@inproceedings {
author = {Beatrix Koltai and András Gazdag and Gergely Ács},
title = {Supporting CAN Bus Anomaly Detection With Correlation Data},
booktitle = {Proceedings of the 10th International Conference on Information Systems Security and Privacy - ICISSP},
year = {2024},
howpublished = "\url{https://www.scitepress.org/PublicationsDetail.aspx?ID=Tk17bfTiwAg=}"
}
Keywords
CAN, Anomaly Detection, TCN, Correlation
Abstract
Communication on the Controller Area Network (CAN) in vehicles is notably lacking in security measures, rendering it susceptible to remote attacks. These cyberattacks can potentially compromise safety-critical vehicle subsystems, and therefore endanger passengers and others around them. Identifying these intrusions could be done by monitoring the CAN traffic and detecting abnormalities in sensor measurements. To achieve this, we propose integrating time-series forecasting and signal correlation analysis to improve the detection accuracy of an onboard intrusion detection system (IDS). We predict sets of correlated signals collectively and report anomaly if their combined prediction error surpasses a predefined threshold. We show that this integrated approach enables the identification of a broader spectrum of attacks and significantly outperforms existing state-of-the-art solutions.
2023
Anomaly detection in CAN with TCN
B. Koltai and A. Gazdag
Hungarian Machine Learning Workshop, 2023.
Bibtex
| PDF
@conference {
author = {Beatrix Koltai and András Gazdag},
title = {Anomaly detection in CAN with TCN},
publisher = {Hungarian Machine Learning Workshop},
year = {2023}
}
Abstract
CrySyS dataset of CAN traffic logs containing fabrication and masquerade attacks
A. Gazdag and R. Ferenc and L. Buttyán
Nature: Scientific Data, 2023.
Bibtex
| Abstract
| PDF
| Link
@article {
author = {András Gazdag and Rudolf Ferenc and Levente Buttyán},
title = {CrySyS dataset of CAN traffic logs containing fabrication and masquerade attacks},
journal = {Nature: Scientific Data},
year = {2023},
howpublished = "\url{https://www.nature.com/articles/s41597-023-02716-9}"
}
Abstract
Despite their known security shortcomings, Controller Area Networks are widely used in modern vehicles. Research in the field has already proposed several solutions to increase the security of CAN networks, such as using anomaly detection methods to identify attacks. Modern anomaly detection procedures typically use machine learning solutions that require a large amount of data to be trained. This paper presents a novel CAN dataset specifically collected and generated to support the development of machine learning based anomaly detection systems. Our dataset contains 26 recordings of benign network traffic, amounting to more than 2.5 hours of traffic. We performed two types of attack on the benign data to create an attacked dataset representing most of the attacks previously proposed in the academic literature. As a novelty, we performed all attacks in two versions, modifying either one or two signals simultaneously. Along with the raw data, we also publish the source code used to generate the attacks to allow easy customization and extension of the dataset.
Improving CAN anomaly detection with correlation-based signal clustering
B. Koltai and A. Gazdag and G. Ács
Infocommunications Journal, Vol. XV, No. 4., 2023.
Bibtex
| Abstract
| PDF
| Link
@article {
author = {Beatrix Koltai and András Gazdag and Gergely Ács},
title = {Improving CAN anomaly detection with correlation-based signal clustering},
journal = {Infocommunications Journal, Vol. XV, No. 4.},
year = {2023},
howpublished = "\url{https://www.infocommunications.hu/2023_4_3}"
}
Keywords
CAN, Anomaly Detection, TCN, Correlation
Abstract
Communication on the Controller Area Network (CAN) in vehicles is notably lacking in security measures, rendering it susceptible to remote attacks. These cyberattacks can potentially compromise safety-critical vehicle subsystems, and therefore endanger passengers and others around them. Identifying these intrusions could be done by monitoring the CAN traffic and detecting abnormalities in sensor measurements. To achieve this, we propose integrating time-series forecasting and signal correlation analysis to improve the detection accuracy of an onboard intrusion detection system (IDS). We predict sets of correlated signals collectively and report anomaly if their combined prediction error surpasses a predefined threshold. We show that this integrated approach enables the identification of a broader spectrum of attacks and significantly outperforms existing state-of-the-art solutions.
Privacy pitfalls of releasing in-vehicle network data
A. Gazdag and Sz. Lestyán and M. Remeli and G. Ács and T. Holczer and G. Biczók
Vehicular Communications, 2023.
Bibtex
| Abstract
| PDF
| Link
@article {
author = {András Gazdag and Szilvia Lestyan and Mina Remeli and Gergely Ács and Tamas Holczer and Gergely Biczók},
title = {Privacy pitfalls of releasing in-vehicle network data},
journal = {Vehicular Communications},
year = {2023},
howpublished = "\url{https://www.sciencedirect.com/science/article/pii/S2214209622001127?via%3Dihub}"
}
Keywords
In-vehicle network data; Privacy attacks; Driver re-identification; Trajectory reconstruction; Anonymization; Differential privacy
Abstract
The ever-increasing volume of vehicular data has enabled different service providers to access and monetize in-vehicle network data of millions of drivers. However, such data often carry personal or even potentially sensitive information, and therefore service providers either need to ask for drivers\' consent or anonymize such data in order to comply with data protection regulations. In this paper, we show that both fine-grained consent control as well as the adequate anonymization of in-network vehicular data are very challenging. First, by exploiting that in-vehicle sensor measurements are inherently interdependent, we are able to effectively i) re-identify a driver even from the raw, unprocessed CAN data with 97% accuracy, and ii) reconstruct the vehicle's complete location trajectory knowing only its speed and steering wheel position. Since such signal interdependencies are hard to identify even for data controllers, drivers' consent will arguably not be informed and hence may become invalid. Second, we show that the non-systematic application of different standard anonymization techniques (e.g., aggregation, suppression, signal distortion) often results in volatile, empirical privacy guarantees to the population as a whole but fails to provide a strong, worst-case privacy guarantee to every single individual. Therefore, we advocate the application of principled privacy models (such as Differential Privacy) to anonymize data with strong worst-case guarantee.
SECREDAS: Safe and (Cyber-)Secure Cooperative and Automated Mobility
C. Ploeg and J. Sluis and S. Gerres and Sz. Novaczki and A. Wippelhauser and E. Nassor and J. Sevin and A. Gazdag and G. Biczók
Proceedings of IFAC World Congress, 2023.
Bibtex
| Abstract
| PDF
@inproceedings {
author = {Chris van der Ploeg and Jacco van de Sluis and Sebastian Gerres and Szabolcs Novaczki and András Wippelhauser and Eric Nassor and Julien Sevin and András Gazdag and Gergely Biczók},
title = {SECREDAS: Safe and (Cyber-)Secure Cooperative and Automated Mobility},
booktitle = {Proceedings of IFAC World Congress},
year = {2023}
}
Abstract
Infrastructure-to-Vehicle (I2V) and Vehicle-to-Infrastructure (V2I) communication is likely to be a key-enabling technology for automated driving in the future. Using externally placed sensors, the digital infrastructure can support the vehicle in perceiving surroundings that would otherwise be difficult to perceive due to, for example, high traffic density or bad weather. Conversely, by communicating on-board vehicle measurements, the environment can more accurately be perceived in locations which are not (sufficiently) covered by digital infrastructure. The security of such communication channels is an important topic, since malicious information on these channels could potentially lead to a reduction in overall safety. Collective perception contributes to raising awareness levels and an improved traffic safety. In this work, a demonstrator is introduced, where a variety of novel techniques have been deployed to showcase an overall architecture for improving vehicle and vulnerable road user safety in a connected environment. The developed concepts have been deployed at the Automotive Campus intersection in Helmond (NL), in a field testing setting.
2021
Correlation-based Anomaly Detection for the CAN Bus
A. Gazdag and Gy. Lupták and L. Buttyán
Euro-CYBERSEC, Nice, France, 2021.
Bibtex
| Abstract
| PDF
@conference {
author = {András Gazdag and György Lupták and Levente Buttyán},
title = {Correlation-based Anomaly Detection for the CAN Bus},
booktitle = {Euro-CYBERSEC, Nice, France},
year = {2021}
}
Keywords
Controller Area Network, Anomaly Detection, Correlation
Abstract
Previous attacks have shown that in-vehicle networks have vulnerabilities and a successful attack could lead to significant financial loss and danger to life. In this paper, we propose a Pearson correlation based anomaly detection algorithm to detect CAN message modification attacks. The algorithm does not need a priori information about the com- munication: it identifies signals based on statistical properties, finds the important correlation coefficients for the correlating signals, and detects attacks as deviations from a previously learned normal state.
Detecting Message Modification Attacks on the CAN Bus with Temporal Convolutional Networks
I. Chiscop and A. Gazdag and J. Bosman and G. Biczók
Proceedings of the
7th International Conference on
Vehicle Technology and Intelligent Transport Systems, 2021.
Bibtex
| Abstract
| PDF
@inproceedings {
author = {Irina Chiscop and András Gazdag and Joost Bosman and Gergely Biczók},
title = {Detecting Message Modification Attacks on the CAN Bus with Temporal Convolutional Networks},
booktitle = {Proceedings of the
7th International Conference on
Vehicle Technology and Intelligent Transport Systems},
year = {2021}
}
Keywords
Vehicle Security, Intrusion Detection, Controller Area Network, Machine Learning, Temporal Convolutional Networks.
Abstract
Multiple attacks have shown that in-vehicle networks have vulnerabilities which can be exploited. Securing the Controller Area Network (CAN) for modern vehicles has become a necessary task for car manufacturers. Some attacks inject potentially large amount of fake messages into the CAN network; however, such attacks are relatively easy to detect. In more sophisticated attacks, the original messages are modified, making the de- tection a more complex problem. In this paper, we present a novel machine learning based intrusion detection method for CAN networks. We focus on detecting message modification attacks, which do not change the timing patterns of communications. Our proposed temporal convolutional network-based solution can learn the normal behavior of CAN signals and differentiate them from malicious ones. The method is evaluated on multiple CAN-bus message IDs from two public datasets including different types of attacks. Performance results show that our lightweight approach compares favorably to the state-of-the-art unsupervised learning approach, achieving similar or better accuracy for a wide range of scenarios with a significantly lower false positive rate.
2020
Development of a Man-in-the-Middle Attack Device for the CAN Bus
A. Gazdag and Cs. Ferenczi and L. Buttyán
Proceedings of the 1st Conference on Information Technology and Data Science, 2020, pp. 115-130.
Bibtex
| Abstract
| PDF
@inproceedings {
author = {András Gazdag and Csongor Ferenczi and Levente Buttyán},
title = {Development of a Man-in-the-Middle Attack Device for the CAN Bus},
booktitle = {Proceedings of the 1st Conference on Information Technology and Data Science},
year = {2020},
pages = {115-130}
}
Keywords
Vehicle Security, CAN, ISO 11898, Man-in-the-Middle attack
Abstract
Modern vehicles are full of embedded controllers called ECUs (Electronic Control Units). They are responsible for different functionalities involving processing information from sensors and controlling actuators. To perform their functions, ECUs also need to communicate with each other. Most ve- hicles use a Controller Area Network (CAN) for ECU communication. The original design of the CAN bus was focusing on safety and reliability prop- erties. Security was not an issue because these networks were considered to be isolated systems. These assumptions were correct for a long time, but they no longer hold. Modern vehicles have many interfaces towards the outside world, which renders the internal network accessible to an attacker. Bluetooth, Wifi, wireless Tire Pressure Monitoring System (TPMS), or the On-Board Diagnostics (OBD) port are all options for attackers to either di- rectly access the CAN network or compromise a component attached to it.
It is possible to inject fake messages, or potentially, to modify messages on the CAN, and hence, forcing some ECUs to act upon these fake messages, which may influence the overall behaviour of the vehicle.
Modification attacks are complex both to carry out and to detect. The main difficulty of modification attacks is that the sender checks whether the transmitted bits correctly appear on the bus or not for safety reasons. The only network level way to circumvent this protection is to physically separate the sender and the attacked ECU on the CAN bus. This can be achieved with a physical layer Man-in-the-Middle attack. We built a proof-of-concept hard- ware device capable of modifying the CAN traffic in real-time to demonstrate that this attack is possible. It has two CAN interfaces to read messages from the original CAN bus and either just forward or modify-and-forward traffic to the attacked CAN bus. We showed with measurements that we can perform a message modification attack while keeping the introduced delay within what is allowed by the CAN specification.
2018
Detection of Injection Attacks in Compressed CAN Traffic Logs
A. Gazdag and D. Neubrandt and L. Buttyán and Zs. Szalay
International Workshop on Cyber Security for Intelligent Transportation Systems, Held in Conjunction with ESORICS 2018, Springer, 2018.
Bibtex
| Abstract
| PDF
@inproceedings {
author = {András Gazdag and Dóra Neubrandt and Levente Buttyán and Zsolt Szalay},
title = {Detection of Injection Attacks in Compressed CAN Traffic Logs},
booktitle = {International Workshop on Cyber Security for Intelligent Transportation Systems, Held in Conjunction with ESORICS 2018},
publisher = {Springer},
year = {2018}
}
Keywords
Intrusion Detection, CAN Networks
Abstract
Prior research has demonstrated that modern cars are vulnerable to cyber attacks. As such attacks may cause physical accidents, forensic investigations must be extended into the cyber domain. In order to support this, CAN traffic in vehicles must be logged continuously, stored efficiently, and analyzed later to detect signs of cyber attacks. Efficient storage of CAN logs requires compressing them. Usually, this compressed logs must be decompressed for analysis purposes, leading to waste of time due to the decompression operation itself and most importantly due to the fact that the analysis must be carried out on a much larger amount of decompressed data. In this paper, we propose an anomaly detection method that works on the compressed CAN log itself. For compression, we use a lossless semantic compression algorithm that we proposed earlier. This compression algorithm achieves a higher compression ratio than traditional syntactic compression methods do such as gzip. Besides this advantage, in this paper, we show that it also supports the detection of injection attacks without decompression. Moreover, with this approach we can detect attacks with low injection frequency that were not detected reliably in previous works.
Vehicular Can Traffic Based Microtracking for Accident Reconstruction
A. Gazdag and T. Holczer and L. Buttyán and Zs. Szalay
Vehicle and Automotive Engineering 2, Lecture Notes in Mechanical Engineering, University of Miskolc, Miskolc, Hungary, 2018.
Bibtex
| Abstract
| PDF
@inproceedings {
author = {András Gazdag and Tamas Holczer and Levente Buttyán and Zsolt Szalay},
title = {Vehicular Can Traffic Based Microtracking for Accident Reconstruction},
booktitle = {Vehicle and Automotive Engineering 2, Lecture Notes in Mechanical Engineering},
publisher = {University of Miskolc, Miskolc, Hungary},
year = {2018}
}
Keywords
Digital forensics, CAN network
Abstract
Accident reconstruction is the process of reliably discovering what has happened before a serious event. We show how the most widely used intra vehicular network (namely the Controller Area Network, CAN) can be used in this process. We show how the actual velocity and steering wheel position transmitted on the CAN network can be used to reconstruct the trajectory of a vehicle. This trajectory is an essential input in the reconstruction process. In this paper, we show how the CAN traffic of an actual vehicle can be used to recon- struct the trajectory of the vehicle, and we evaluate our approach in several real life experiments including normal and pre-accident situations.
2017
CAN compression based IDS
A. Gazdag
IT-SECX 2017, FH St. Pölten, 2017.
Bibtex
| Abstract
@conference {
author = {András Gazdag},
title = {CAN compression based IDS},
booktitle = {IT-SECX 2017},
publisher = {FH St. Pölten},
year = {2017}
}
Abstract
Modern vehicles are mainly controlled by ECUs (Electric Control Units). They are small programmable computers responsible for single tasks. New smart features of vehicles showed demand for Internet connectivity rendering these previously isolated computer networks reachable for malicious attacks. Detecting cyber-attacks requires a continuous network traffic logging for online and offline analysis. This generates a huge amount of data which is a challenge to store and to analyze, as well.
In this presentation, we show a proposed semantic compression mechanism that is capable of representing the original data in a lossless form while using a fraction of the space. The introduced algorithm understands properties of the CAN traffic log. This is a powerful foundation for compression and for intrusion detection. The compressed traffic log can be directly used as an input for a machine learning based IDS, which is then capable to effectively recognize malicious attack patterns.
Efficient Lossless Compression of CAN Traffic Logs
A. Gazdag and L. Buttyán and Zs. Szalay
IEEE Conference on Software, Telecommunications and Computer Networks (SoftCom), IEEE, 2017.
Bibtex
| Abstract
| PDF
@inproceedings {
author = {András Gazdag and Levente Buttyán and Zsolt Szalay},
title = {Efficient Lossless Compression of CAN Traffic Logs},
booktitle = {IEEE Conference on Software, Telecommunications and Computer Networks (SoftCom)},
publisher = {IEEE},
year = {2017}
}
Abstract
In this paper, we propose a compression method that allows for the efficient storage of large amounts of CAN traffic data, which is needed for the forensic investigations of accidents caused by cyber attacks on vehicles. Compression of recorded CAN traffic also reduces the time (or bandwidth) needed to off-load that data from the vehicle. In addition, our compression method allows analysts to perform log analysis on the compressed data, therefore, it contributes to reduced analysis time and effort. We achieve this by performing semantic compression on the CAN traffic logs, rather than simple syntactic compression. Our compression method is lossless, thus preserving all information for later analysis. Besides all the above advantages, the compression ratio that we achieve is better than the compression ratio of state-of-the-art syntactic compression methods, such as gzip.
Forensics aware lossless compression of CAN traffic logs
A. Gazdag and L. Buttyán and Zs. Szalay
Scientific Letters of the University of Zilina, 2017.
Bibtex
| Abstract
| PDF
@article {
author = {András Gazdag and Levente Buttyán and Zsolt Szalay},
title = {Forensics aware lossless compression of CAN traffic logs},
journal = {Scientific Letters of the University of Zilina},
year = {2017}
}
Keywords
CAN, network traffic capture, semantic compression, forensic analysis
Abstract
In this paper, we propose a compression method that allows for the efficient storage of large amounts of CAN traffic data, which is needed for the forensic investigations of accidents caused by the cyber-attacks on vehicles. Compression of recorded CAN traffic also reduces the time (or bandwidth) needed to off-load that data from the vehicle. In addition, our compression method allows analysts to perform log analysis on the compressed data. It is shown that the proposed compression format is a powerful tool to find traces of a cyber-attack. We achieve this by performing semantic compression on the CAN traffic logs, rather than the simple syntactic compression. Our compression method is lossless, thus preserving all information for later analysis. Besides all the above advantages, the compression ratio that we achieve is better than the compression ratio of the state-of-the-art syntactic compression methods, such as zip.
Towards Efficient Compression of CAN Traffic Logs
A. Gazdag and L. Buttyán and Zs. Szalay
34th International Colloquium on Advanced Manufacturing and Repairing Technologies in Vehicle Industry, 2017.
Bibtex
| Abstract
| PDF
@inproceedings {
author = {András Gazdag and Levente Buttyán and Zsolt Szalay},
title = {Towards Efficient Compression of CAN Traffic Logs},
booktitle = {34th International Colloquium on Advanced Manufacturing and Repairing Technologies in Vehicle Industry},
year = {2017}
}
Keywords
CAN, network traffic capture, semantic compression, forensic analysis
Abstract
In this paper, we propose a compression method that allows for the efficient storage of large amounts of CAN traffic data, which is needed for the forensic investigations of accidents caused by cyber attacks on vehicles. Compression of recorded CAN traffic also reduces the time (or bandwidth) needed to off-load that data from the vehicle. In addition, our compression method allows analysts to perform log analysis on the compressed data, therefore, it contributes to reduced analysis time and effort. We achieve this by performing semantic compression on the CAN traffic logs, rather than simple syntactic compression. Our compression method is lossless, thus preserving all information for later analysis. Besides all the above advantages, the compression ratio that we achieve is better than the compression ratio of state-of-the-art syntactic compression methods, such as zip.
2016
Intrusion detection in Cyber Physical Systems Based on Process Modelling
A. Gazdag and T. Holczer and Gy. Miru
Proceedings of 16th European Conference on Cyber Warfare & Security, Academic conferences, 2016.
Bibtex
| Abstract
@inproceedings {
author = {András Gazdag and Tamas Holczer and Gyorgy Miru},
title = {Intrusion detection in Cyber Physical Systems Based on Process Modelling},
booktitle = {Proceedings of 16th European Conference on Cyber Warfare & Security},
publisher = {Academic conferences},
year = {2016}
}
Abstract
Cyber physical systems (CPS) are used to control chemical processes, and can be found in manufacturing, civil infrastructure, energy industry, transportation and in many more places. There is one common characteristic in these areas, their operation is critical as a malfunction can potential be life-threatening. In the past, an attack against the cyber part of the systems can lead to physical consequences. The first well known attack against a CPS was Stuxnet in 2010. It is challenging to develop countermeasures in this field without endangering the normal operation of the underlying system. In our research, our goal was to detect attacks without interfering with the cyber physical systems in any way. This can be realized by an anomaly detection system using passive network monitoring. Our approach is based on analysing the state of the physical process by interpreting the communication between the control system and the supervisory system. This state can be compared to a model based prediction of the system, which can serve as a solid base for intrusion detection. In order to realize our intrusion detection system, a testbed was built based on widely used Siemens PLCs. Our implementation consists of three main parts. The first task is to understand the network communication in order to gain information about the controlled process. This was realized by analysing and deeply understanding the publicly undocumented Siemens management protocol. The resulting protocol parser was integrated into the widely-used Bro network security monitoring framework. Gathering information about the process state for a prolonged time creates time series. With these time series, as the second step, statistical models of the physical process can be built to predict future states. As the final step, the new states of the physical process can be compared with the predicted states. Significant differences can be considered as an indicator of compromise.
2014
Android Malware Analysis Based On Memory Forensics
A. Gazdag and L. Buttyán
Annual Scientific Conference of the Hungarian National Coordinating Center for Infocommunications (NIKK), Springer, 2014.
Bibtex
@inproceedings {
author = {András Gazdag and Levente Buttyán},
title = {Android Malware Analysis Based On Memory Forensics},
booktitle = {Annual Scientific Conference of the Hungarian National Coordinating Center for Infocommunications (NIKK)},
publisher = {Springer},
year = {2014}
}
Abstract
Android Memory Forensics Hello Workshop
A. Gazdag
Hacktivity 2014., 2014.
Bibtex
| Abstract
@conference {
author = {András Gazdag},
title = {Android Memory Forensics Hello Workshop},
booktitle = {Hacktivity 2014.},
year = {2014}
}
Abstract
Szakértõk kezében a sérülékeny memóriatartalmak vizsgálata már jó ideje hatékony fegyvernek bizonyult. Az új technológiák robbanásszerû elterjedése szükségessé teszi a megbízható technológiák átalakítását, hogy azok az új kihívásoknak is eleget tudjanak ezáltal tenni. Erre az egyik legkézenfekvõbb példa az Android platform. Az utóbbi években látható jelentõs térhódítása ennek a platformnak elkerülhetetlenné tette – többek között – a memória vizsgálati módszerek kifejlesztését is.
A workshop célja a résztvevõk megismertetése a jelenleg elérhetõ technológiákkal, gyakorlati példákon keresztül. A lehetséges megközelítések rövid összefoglalása után a résztvevõk megtanulhatják, hogy hogyan lehetséges memória tartalmat rögzíteni Android-ot futtató eszközökrõl, ezután pedig a minták elemzésére kerül sor a széles körben elterjedt Volatility framework segítségével.