SAID笔记
SAID笔记
What is “SAID”?
SAID全称State-aware Defense Against Injection Attacks on In-vehicle Network,意为车载注入攻击状态感知防御
Abstract
In this paper, we propose a new state-aware abnormal message injection attack defense approach, named SAID. It detects the abnormal data to be injected into IVN by considering the data semantics and the vehicle dynamics and prevents the MIAs launched from devices connected to the vehicles, such as the compromised diagnostic tools and T-boxes.
这篇论文中,提出了一种新型的——异常消息注入攻击的状态感知防御方法,名为SAID。这个方法的工作机制为:通过分析数据变化的意义(或者称为数据的语义)和车辆的动态变化,并预防从连接到汽车的ECUs(例如被损坏的诊断工具和无限网关)发出的消息注入攻击
Introduction
- existing IDS (Intrusion Detection System) approaches have the following limitations and thus cannot effectively defend against MIAs
- First, they focus on CAN frames at low IVN layer (e.g., bus-off attack [34]) and therefore miss the attack messages exploiting higher layer diagnostic services because such messages are usually transmitted by normal CAN frames
- Second, they capture the abnormal data according to statistic characteristics without semantic and context information, and hence can be easily evaded
- Third, since the existing solutions do not consider vehicle states, they cannot detect the attack messages injected during particular vehicle states, such as turning off turn signals while cornering
- SAID scrutinizes the incoming messages at three layers due to the multi-layer model adopted by IVN data transmission.
- SAID decides whether a well-formed incoming message is benign according to the safety consequence it causes in the current message context and vehicle states, and thus SAID takes into account both the message context and the vehicle states
- 现存的IDS有以下几个缺陷:
- 首先,它们注重于底层的CAN帧,因此会错过利用更高层的诊断服务注入攻击消息的CAN数据帧(这些数据帧通常看起来是很正常的)
- 第二,它们仅仅停留在数据/统计学特征上去分析不正常的CAN数据帧的内容,而忽略了CAN数据帧原有的语义和可提供的文本信息,因此常常检测不准确
- 第三,现存的解决方案都没有考虑车辆状态,因此这些IDS无法检测出汽车在某些特定状态下的异常(如在转弯时关闭转弯信号灯)
- SAID仔细检查基于车载网络数据传输采用的多层模型的三层收集到的消息
- SAID根据一个符合协议结构的车载网络消息在最近车载网络接受的一些消息和汽车状态的基础上(类似于循环神经网络RNN和LSTM的概念)产生的对汽车的影响来判断这个消息是否有益/无害,因此SAID兼顾了消息的内容和汽车的状态
- SAID是轻量级(lightweight)的,可在多层工作(cross-layer)的模型
Background
略
Overview
This section first presents our threat model and then gives an overview of our new defense approach against MIAs
Threat Model
- We focus on the MIA launched from out-vehicle entities with two goals
- Functional Attacks(MIA1⃣️)
- State Attacks(MIA2⃣️)
- Assumption
- Defense Scenario
-
两种目的的MIA
-
Functional Attacks(MIA1⃣️):功能性攻击,旨在让车辆原有的正常功能不正常运作
通常攻击者并不需要很了解车载网络的各个协议
-
State Attacks(MIA2⃣️):状态攻击,旨在让车辆的运动状态发生改变(如:侧翻,侧滑,转弯不打灯等等)
通常攻击者并很了解车载网络的各个协议
-
-
基于的假设
- SAID配备了特定的硬件(位于汽车的重心,且汽车只发生平动),如陀螺仪,加速度计等等
- 车载网络的DBC文件——可用于解析车载网络报文的文件——是可获得的
-
虽然只是检测外部设备的消息注入,但是对于内部消息错误或异常也可以检测
Defense Approach
SAID inspects all incoming data at three layers (i.e., network layer, service layer, and state layer) because IVN adopts a multi-layer model with diverse protocols at each layer
-
在network layer和service layer,SAID通过分别检测CAN数据帧和诊断消息防御MIA1⃣️
-
在state layer,SAID通过评价汽车运动状态和解析收集到的数据帧的语义防御MIA2⃣️
-
对network layer、service layer和state layer的说明(以CAN总线为例)
-
network layer:SAID通过已有的协议文件、文献研究和科研汇报中的标准去检测是否有异常数据帧
更精确地来说,SAID可以判断一个数据包是否符合CAN的格式,是否是在CAN规定的标准下进行传输,如果是,则SAID进一步检测是否有恶意消息注入。如果CAN数据帧通过了所有network layer的规则检查,则将其合并到诊断消息(服从单帧或多帧的传输体系),送至service layer进一步检测
-
service layer:SAID基于协议的规定制定异常检测的标准
通过了service layer的数据帧将进一步送至state layer检测
-
state layer:SAID通过车辆状态确定算法(既考虑数据帧语义,也考虑车辆当前运动状态)来制定异常检测的标准
-
Vehicle Dynamics Model
This section presents three vehicle dynamics models, including roll dynamics (RD), steering/yaw dynamics (SD), and accelerating/braking dynam- ics (BD), as well as the criteria for anomaly detection.
Roll Dynamics(RD):
-
我们通过汽车左右轮胎垂直方向上的负荷差来符合计算翻车指数,这个负荷差也被称为垂直负荷转移率(LTR)
\[LTR = \frac{F_{zl} - F_{zr}}{F_{zl} + F_{zr}},\space LTR \in [-1, 1]……Eq.1 \]
-
上图符号说明
- \(a_x, a_y, a_z\):汽车在x轴、y轴、z轴方向上的加速度
- \(h\):翻转中心与地面的距离
- \(l_w\):轮胎间距
- \(\phi\):翻转角度
-
同时在图中也有等式(力矩平衡)
\[F_{zr}\cdot l_w + ma_y \cdot h \cdot \cos\phi + ma_z \cdot \frac{l_w}{2} \cdot \cos \phi = 0……Eq.2 \\ F_{zl}\cdot l_w - ma_y \cdot h \cdot \cos\phi + ma_z \cdot \frac{l_w}{2} \cdot \cos \phi = 0……Eq.3 \] -
联立\(Eq.1、Eq.2、Eq.3\)可得
\[LTR = \frac{F_{zl} - F_{zr}}{F_{zl} + F_{zr}} = \frac{2a_y\cdot h}{a_z\cdot l_w} \] -
Criterion:LTR有阈值\(LTR_{r0}\),根据研究,其默认值为0.6,并且需要满足以下不等式车辆才能算是安全
\[|\frac{a_y}{a_x}| < \frac{l_w}{2h}LTR_{r0} \]
Steering (Yaw) Dynamics (SD)
在转弯的时候,过度转弯和过少转弯都会导致驾驶者有一种失控的感觉,导致事故
-
由于一些小角度近似规则,\(Eq.4和Eq.5\)可以近似简化一下,并且得到\(\delta_{neutral}\)车辆正中间转弯角
\[\delta_i \approx \frac{L}{r-\frac{l_w}{2}}\\ \delta_o \approx \frac{L}{r+\frac{l_w}{2}}\\ \delta_{neutral} = \frac{\delta_i + \delta_o}{2} \approx \frac{L}{r}……Eq.6 \] -
又有y方向上的加速度\(a_y\)的计算方法
\[a_y = \frac{V_x^2}{r}……Eq.7 \] -
结合\(Eq.6,Eq.7\)可得
\[\delta_{neutral} \approx \frac{L}{r} = \frac{L\cdot a_y}{V_x^2} \] -
Criterion:车辆转弯角度\(\delta\)和车辆正中间转弯角\(\delta_{neutral}\)需要满足以下条件才不会认为是严重的过度/过少转弯
\[0.8|\delta_{neutral}| \le \delta \le 1.2|\delta_{neutral}| \]
Accelerating/braking Dynamics (BD)
-
轮胎滑行的距离可以用\(S\)来表示,它可以分解为纵向滑行和侧向滑行\(S = \sqrt{S_x^2 + S_y^2}\)
-
我们也可以计算一个滑行率\(\sigma\),它可以分解为纵向滑行率和侧向滑行率\(\sigma = \sqrt{\sigma_x^2 + \sigma_y^2}\),其中\(\sigma_x\)定义如下
\[\sigma_x = \left\{ \begin{array}{c} &\frac{r_{eff}\omega_w - V_x}{V_x}&\space accelerating\\ &\frac{r_{eff}\omega_w - V_x}{r_{eff}\omega_w}&\space breaking \end{array} \right. \]
- \(\sigma_y\)定义如下\[\sigma_y = \frac{V_x}{r_{eff}\omega_w} \tan\alpha \]
ABBRs
ECU:Electronic Control Unit,电子控制单元
IVN:In-Vehicle Network,车载网络
MIA:Message Injection Attacks,消息注入攻击
OSI:Open System Interconnection,开放系统互联
DoS:Denial of Service,拒绝服务
LTR:vertical load transfer ratio,垂直负荷转移率
浙公网安备 33010602011771号