New Work on Safety and Security for Connected Cars
In-vehicle detection of targeted CAN bus attacks (ARES 2021)
Attack Surface Assessment for Cybersecurity Engineering in the Automotive Domain (PDP 2021)
Continuous Fields: Enhanced In-Vehicle Anomaly Detection using Machine Learning Models (SIMPAT 2020)
SEPAD - Security Evaluation Platform for Autonomous Driving (PDP 2020)
ECU-Secure: Characteristic Functions for In-Vehicle Intrusion Detection (IDC 2019)

Connected Cars must be Demonstrably Secure!


The connection of automotive systems with other systems such as road-side units, other vehicles, and various servers in the Internet opens up new ways for attackers to remotely access safety-relevant subsystems within a connected car. This safety-critical technology presents major challenges for the secure design of the involved systems and protocols. The security of vehicular ecosystems is thus of utmost importance for the general acceptance of such systems. Ongoing insights into new threats constantly reveal new vulnerabilities, and it is very likely that attackers will attempt to exploit them. It is thus very important to improve the security of in-vehicle networks, and as long as there are no effective means to prevent specific attacks, there should be methods in place to detect them automatically and react to the alerts.

Security Requirements for the Internet of Vehicles (IoV)



The security requirements elicitation step in the security engineering process for automotive systems and ecosystems not only provides input to the secure on-board architecture design but also contributes to security compliance verification for testing and runtime monitoring. In the project EVITA we participated in the development of a method which is described in detail in EVITA deliverable D2.3 [D2.3]. This method is referenced in the SAE J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems, an important recommended-practice document for the automotive industry. In new work, we provide an attack surface assessment for cybersecurity engineering in the automotive domain that is compliant with ISO/SAE 21434 [PDP2021].

In-vehicle Security Measuring



To enable researchers to develop, implement, and evaluate new security solutions for autonomous vehicles, we propose a new security evaluation platform called SEPAD and a dedicated development process for testing security mechanisms with it [PDP2020]. Machine learning methods such as OCSVM, SVM, neural networks, LSTM or process mining can be applied to in-vehicle event streams such as the CAN bus in order to learn the "normal" behavior of specific vehicles. Deviations from normal behavior can then be used for in-vehicle intrusion detection at edge components. Machine learning methods featuring message frequency, payload consistency, and contextual fitting can be applied for the adaptation of attack classifiers and the selection of an appropriate response.

Behavior Conformance Tracking for Automotive Systems

Conformance tracking is the capability to detect deviations of observed events from expected events in the current state.



We analyze the behavior of an automotive system based on monitored messages of electronic control units. The aim is to compare the measured behavior of the system with a model that reflects the expected behavior and to reason about possible attack attempts.
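To make the three feature families named above (message frequency, payload consistency, contextual fitting) and the conformance-tracking idea concrete, here is a small added example. It is not code from the authors or from SEPAD, ECU-Secure or any other project on this page; the CAN identifiers, the frame layouts, the behavior model and the candump-style log lines are all constructed for this illustration. The tracker checks each observed frame against a per-vehicle model: an expected message period, a small value set and a bounded per-frame change for selected payload bytes (in the spirit of characteristic functions), and an expected-event table whose admissible next event depends on the current state, so that an event which is plausible in isolation is still reported when it does not fit the state.

```python
"""Toy in-vehicle conformance tracker over a constructed CAN trace (added example)."""

SPEED_ID = 0x1A0  # hypothetical: byte 0 carries vehicle speed in km/h
GEAR_ID = 0x2B0   # hypothetical: byte 0 carries the selector position
GEAR_EVENTS = {0x00: "gear=P", 0x01: "gear=N", 0x02: "gear=D"}

# Behavior model of the "normal" vehicle (constructed values, not learned from real data).
MODEL = {
    "period": {SPEED_ID: (0.010, 0.5)},             # expected period [s], tolerance fraction
    "value_set": {(GEAR_ID, 0): set(GEAR_EVENTS)},  # this byte only ever takes a few values
    "max_delta": {(SPEED_ID, 0): 5},                # speed may change by at most 5 per frame
    # expected-event model: (state, event) -> next state; any other pair is a deviation
    "transitions": {
        ("PARK", "gear=P"): "PARK", ("PARK", "gear=N"): "NEUTRAL",
        ("NEUTRAL", "gear=N"): "NEUTRAL", ("NEUTRAL", "gear=P"): "PARK",
        ("NEUTRAL", "gear=D"): "DRIVE",
        ("DRIVE", "gear=D"): "DRIVE", ("DRIVE", "gear=N"): "NEUTRAL",
        ("DRIVE", "gear=P"): "PARK",
    },
    "requires_standstill": {"PARK"},                # entering these states needs speed == 0
}

# Constructed candump-style trace ("(timestamp) interface ID#HEXDATA"); the frame at
# 0.042 s is an injected speed value, the one at 0.052 s selects P while moving.
TRACE = """\
(0.000) can0 1A0#00
(0.010) can0 1A0#00
(0.012) can0 2B0#02
(0.014) can0 2B0#01
(0.020) can0 1A0#03
(0.022) can0 2B0#02
(0.030) can0 1A0#06
(0.040) can0 1A0#0A
(0.042) can0 1A0#40
(0.050) can0 1A0#0C
(0.052) can0 2B0#00
(0.060) can0 1A0#0C
(0.062) can0 2B0#05
""".splitlines()


def parse_line(line):
    """Parse one candump-style line into (timestamp_s, can_id, payload bytes)."""
    ts, _iface, frame = line.split()
    can_id, data = frame.split("#")
    return float(ts.strip("()")), int(can_id, 16), bytes.fromhex(data)


class ConformanceTracker:
    def __init__(self, model, initial_state="PARK"):
        self.model = model
        self.state = initial_state
        self.speed = 0
        self.last_ts = {}       # can_id -> timestamp of the previous frame
        self.last_payload = {}  # can_id -> payload of the previous frame
        self.alerts = []        # (timestamp, can_id, reason)

    def _alert(self, ts, can_id, reason):
        self.alerts.append((ts, can_id, reason))

    def observe(self, ts, can_id, data):
        m = self.model
        # 1. message frequency: a frame arriving well before its period is due
        if can_id in m["period"]:
            period, tol = m["period"][can_id]
            if can_id in self.last_ts and ts - self.last_ts[can_id] < period * (1 - tol):
                gap_ms = (ts - self.last_ts[can_id]) * 1000
                self._alert(ts, can_id, f"frame too early: gap {gap_ms:.1f} ms, expected {period * 1000:.0f} ms")
            self.last_ts[can_id] = ts
        # 2. payload consistency: small value sets and bounded per-frame changes
        for (mid, idx), allowed in m["value_set"].items():
            if mid == can_id and data[idx] not in allowed:
                self._alert(ts, can_id, f"byte {idx} value {data[idx]:#04x} outside expected set")
        for (mid, idx), limit in m["max_delta"].items():
            if mid == can_id and can_id in self.last_payload:
                delta = abs(data[idx] - self.last_payload[can_id][idx])
                if delta > limit:
                    self._alert(ts, can_id, f"byte {idx} changed by {delta}, limit {limit}")
        self.last_payload[can_id] = data
        # 3. contextual fitting: is this event expected in the current state?
        if can_id == SPEED_ID:
            self.speed = data[0]
        elif can_id == GEAR_ID and data[0] in GEAR_EVENTS:
            event = GEAR_EVENTS[data[0]]
            nxt = m["transitions"].get((self.state, event))
            if nxt is None:
                self._alert(ts, can_id, f"unexpected event {event} in state {self.state}")
            elif nxt in m["requires_standstill"] and self.speed != 0:
                self._alert(ts, can_id, f"{event} -> {nxt} while speed is {self.speed}")
            else:
                self.state = nxt


def track(lines, model=MODEL):
    """Run the tracker over candump-style lines and return the list of alerts."""
    tracker = ConformanceTracker(model)
    for line in lines:
        tracker.observe(*parse_line(line))
    return tracker.alerts


if __name__ == "__main__":
    for ts, cid, reason in track(TRACE):
        print(f"{ts:.3f} {cid:#05x} {reason}")
```

On the constructed trace the tracker reports six deviations: a gear=D event that the model does not expect while in PARK, the injected speed frame both for arriving 2 ms after its predecessor and for jumping by 54, the legitimate frame that follows it (whose value also differs by more than the limit from the injected one, a side effect worth knowing when tuning a delta-based check), a selection of P while the last known speed is 12, and a gear code outside the expected value set. In a deployment the model would be learned per vehicle from clean logs, and the checks would run on an edge component with the alerts forwarded for response selection.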
Publications on Security for Connected Cars
Florian Fenzl, Roland Rieke, and Andreas Dominik,
In-vehicle detection of targeted CAN bus attacks,
Accepted at ARES2021
Abstract: Most vehicles use the controller area network bus for communication between their components. Attackers who have already penetrated the in-vehicle network often utilize this bus in order to take control of safety-relevant components of the vehicle. Such targeted attack scenarios are often hard to detect by network intrusion detection systems because the specific payload is usually not contained within their training data sets. In this work, we describe an intrusion detection system that uses decision trees that have been modelled through genetic programming. We evaluate the advantages and disadvantages of this approach compared to artificial neural networks and rule-based approaches. For this, we model and simulate specific targeted attacks as well as several types of intrusions described in the literature. The results show that the genetic programming approach is well suited to identify intrusions with respect to complex relationships between sensor values which we consider important for the classification of specific targeted attacks. However, the system is less efficient for the classification of other types of attacks which are better identified by the alternative methods in our evaluation. Further research could thus consider hybrid approaches.
BibTeX:
@INPROCEEDINGS{Fenzl2021,
  author={Florian Fenzl and Roland Rieke and Andreas Dominik},
  booktitle={ARES 2021}, 
  title={In-vehicle detection of targeted CAN bus attacks}, 
  year={2021},
  volume={},
  number={},
  pages={},
  doi={}}
Christian Plappert, Daniel Zelle, Henry Gadacz, Roland Rieke, Dirk Scheuermann, and Christoph Krauß,
Attack Surface Assessment for Cybersecurity Engineering in the Automotive Domain,
PDP2021, Valladolid Spain, March 10-12 2021
Abstract: Connected smart cars enable new attacks which may have serious consequences. Thus, the development of new cars must follow a cybersecurity engineering process as defined for example in ISO/SAE 21434. A central part of such a process is the threat and risk assessment including an attack feasibility rating. We present an attack surface assessment with focus on the attack feasibility rating compliant to ISO/SAE 21434. We introduce a reference architecture with assets constituting the attack surface, the attack feasibility rating for these assets, and the application of this rating on typical use cases. The attack feasibility rating assigns attacks and assets to an evaluation of the attacker dimensions and the feasibility of attacks derived from it. We show on sample use cases how this rating can be used to assess the feasibility of an entire attack path. The attack feasibility rating can be used as a building block in a threat and risk assessment according to ISO/SAE 21434.
BibTeX:
@INPROCEEDINGS{Plappert2021,
  author={Plappert, Christian and Zelle, Daniel and Gadacz, Henry and Rieke, Roland and Scheuermann, Dirk and Krauß, Christoph},
  booktitle={2021 29th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP)}, 
  title={Attack Surface Assessment for Cybersecurity Engineering in the Automotive Domain}, 
  year={2021},
  volume={},
  number={},
  pages={266-275},
  doi={10.1109/PDP52278.2021.00050}}
Florian Fenzl, Roland Rieke, Yannick Chevalier, Andreas Dominik, and Igor Kotenko,
Continuous Fields: Enhanced In-Vehicle Anomaly Detection using Machine Learning Models,
Elsevier Journal: Simulation Modelling Practice and Theory, 2020
Abstract: The attack surface of a modern vehicle increases with its connectivity. A strategy to prevent attacks or at least to identify such attacks and to mitigate their effects is therefore imperative. The detection of indications for intrusive behavior in an in-vehicle network is an important aspect of a holistic security concept. The structure of the payload of in-vehicle messages with respect to the encoded sensor values is in general confidential. Therefore, most researchers consider the structure of the in-vehicle messages to be bit- or byte-fields. However, this may hide anomalies which are characterized by correlations between sensor values transferred by the in-vehicle messages. In this work, we evaluate the influence of accuracy of the model of the payload structure with respect to the actual sensor values on the results of different intrusion detection methods. In particular, we analyze if an improved alignment is helpful to detect anomalies introduced by stealthy intrusions. In order to cover conceptually different modeling and reasoning techniques, we adapted a deep learning approach as well as a characteristic functions based intrusion detection approach to utilize such message streams. An important aspect is that the explainability of the results is better compared to deep learning systems. We further developed a set of test vectors based on log files of a vehicle enriched by different intrusions. In particular, we included simulations of stealthy intrusions which mask certain sensor values within the respective messages. The effectiveness of the developed methods is demonstrated by various experiments.
BibTeX:
@article{Fenzl2020,
author = "Florian Fenzl and Roland Rieke and Yannick Chevalier and Andreas Dominik and Igor Kotenko",
title = "Continuous Fields: Enhanced In-Vehicle Anomaly Detection using Machine Learning Models",
journal = "Simulation Modelling Practice and Theory",
volume = "105",
pages = "102143",
year = "2020",
issn = "1569-190X",
doi = "https://doi.org/10.1016/j.simpat.2020.102143",
url = "http://www.sciencedirect.com/science/article/pii/S1569190X20300824",
keywords = "Controller area network security, Intrusion detection, Anomaly detection, Machine learning, Automotive security, Security monitoring",
}
Daniel Zelle, Roland Rieke, Christian Plappert, Christoph Krauß, Dmitry Levshun, and Andrey Chechulin (2020),
SEPAD - Security Evaluation Platform for Autonomous Driving,
PDP2020, Västerås, Sweden, March 11-13, 2020
Abstract: The development and evaluation of security solutions for autonomous vehicles is a challenging task. Many researchers have no access to real vehicles to implement and test their solutions. In addition, vehicle E/E architectures of different brands or even model series of one car manufacturer differ significantly. Also, vehicles may be the source of physical hazards, e.g., an exploding airbag. To enable researchers to develop, implement, and evaluate new security solutions for autonomous vehicles, we propose a new security evaluation platform called SEPAD and a dedicated development process for testing security mechanisms with it. SEPAD allows modelling realistic E/E architectures where the developed security solutions can be integrated and evaluated without causing safety risks for the researcher or other road users.
BibTeX:
@InProceedings{Zelle2020,
author={D. {Zelle} and R. {Rieke} and C. {Plappert} and C. {Krauß} and 
D. {Levshun} and A. {Chechulin}},
booktitle={2020 28th Euromicro International Conference on Parallel, 
Distributed and Network-Based Processing (PDP)},
title={SEPAD - Security Evaluation Platform for Autonomous Driving}, 
year={2020},
volume={},
number={},
pages={413-420},
abstract={The development and evaluation of security solutions for 
autonomous vehicles is a challenging task. Many researchers have no 
access to real vehicles to implement and test their solutions. In 
addition, vehicle E/E architectures of different brands or even model 
series of one car manufacturer differ significantly. Also, vehicles may 
be the source of physical hazards, e.g., an exploding airbag. To enable 
researchers to develop, implement, and evaluate new security solutions 
for autonomous vehicles, we propose a new security evaluation platform 
called SEPAD and a dedicated development process for testing security 
mechanisms with it. SEPAD allows to model realistic E/E architectures 
where the developed security solutions can be integrated and evaluated 
without causing safety risks for the researcher or other road users.},
keywords={Security;Autonomous vehicles;Protocols;Computer 
architecture;Automotive engineering;Sensors;Automobiles;automotive 
security;evaluation platform;autonomous driving;intrusion 
detection;trusted computing;secure in-vehicle protocols},
doi={10.1109/PDP50117.2020.00070},
ISSN={2377-5750},
month={March},
}
Yannick Chevalier, Roland Rieke, Florian Fenzl, Andrey Chechulin, and Igor Kotenko (2019),
ECU-Secure: Characteristic Functions for In-Vehicle Intrusion Detection,
IDC2019, St. Petersburg, Russia, October 7-9, 2019 (Springer SCI, volume 868)
Abstract: Growing connectivity of vehicles induces increasing attack surfaces and thus the demand for a sophisticated security strategy. One part of such a strategy is to accurately detect intrusive behavior in an in-vehicle network. Therefore, we built a log analyzer in C that focused on payload bytes having either a small set of different values or a small set of possible changes. While being an order of magnitude faster, the accuracy of the results obtained is at least comparable with results obtained using standard machine learning techniques. These features make this approach an interesting option for implementation within in-vehicle embedded systems. Another important aspect is that the explainability of the results is better compared to deep learning systems.
BibTeX:
@InProceedings{Chevalier2019,
  author    = {Yannick Chevalier and Roland Rieke and Florian Fenzl and Andrey Chechulin and Igor V. Kotenko},
editor    = {Igor V. Kotenko and Costin Badica and Vasily Desnitsky and Didier El Baz and Mirjana Ivanovic},
title="ECU-Secure: Characteristic Functions for In-Vehicle Intrusion Detection",
booktitle="Intelligent Distributed Computing XIII",
series    = {Studies in Computational Intelligence},
  volume    = {868},
  publisher = {Springer},
  year      = {2020},
address="Cham",
pages={495--504},
doi       = {10.1007/978-3-030-32258-8\_58},
isbn="978-3-030-32258-8"
}
Daniel Zelle, Roland Rieke, and Christoph Krauß (2019),
Security Test Platform for Autonomous Driving,
3rd ACM Computer Science in Cars Symposium (CSCS 2019)
BibTeX:
@techreport{CSCS2019,
    author       = {Daniel Zelle and Roland Rieke and Christoph Krau\ss{}},
    year         = {2019},
    month        = {October},
    title        = {Security Test Platform for Autonomous Driving},
    url          = {https://cscs19.cispa.saarland/files/cscs19_camera_ready/19_TestbedSAD.pdf},
    language     = {english},
    institution = {3. ACM COMPUTER SCIENCE IN CARS SYMPOSIUM (CSCS 2019)}
}
Ivo Berger, Roland Rieke, Maxim Kolomeets, Andrey Chechulin, and Igor Kotenko (2018),
Comparative study of machine learning methods for in-vehicle intrusion detection,
Computer Security. ESORICS 2018 International Workshops, CyberICPS 2018 and SECPRE 2018, Barcelona, Spain, September 6-7, 2018, Revised Selected Papers (Springer LNCS 11387)
Abstract: An increasing amount of cyber-physical systems within modern cars, such as sensors, actuators, and their electronic control units are connected by in-vehicle networks and these in turn are connected to the evolving Internet of vehicles in order to provide "smart" features such as automatic driving assistance. The controller area network bus is commonly used to exchange data between different components of the vehicle, including safety critical systems as well as infotainment. As every connected controller broadcasts its data on this bus it is very susceptible to intrusion attacks which are enabled by the high interconnectivity and can be executed remotely using the Internet connection. This paper aims to evaluate relatively simple machine learning methods as well as deep learning methods and develop adaptations to the automotive domain in order to determine the validity of the observed data stream and identify potential security threats.
BibTeX:
@InProceedings{Berger2019,
author="Berger, Ivo
and Rieke, Roland
and Kolomeets, Maxim
and Chechulin, Andrey
and Kotenko, Igor",
editor="Katsikas, Sokratis K.
and Cuppens, Fr{\'e}d{\'e}ric
and Cuppens, Nora
and Lambrinoudakis, Costas
and Ant{\'o}n, Annie
and Gritzalis, Stefanos
and Mylopoulos, John
and Kalloniatis, Christos",
title="Comparative Study of Machine Learning Methods for In-Vehicle Intrusion Detection",
booktitle="Computer Security. ESORICS 2018 International Workshops, CyberICPS 2018 and SECPRE 2018, Barcelona, Spain, September 6-7, 2018, Revised Selected Papers",
year="2019",
publisher="Springer",
address="Cham",
pages="85--101",
abstract="An increasing amount of cyber-physical systems within modern cars, such as sensors, actuators, and their electronic control units are connected by in-vehicle networks and these in turn are connected to the evolving Internet of vehicles in order to provide ``smart'' features such as automatic driving assistance. The controller area network bus is commonly used to exchange data between different components of the vehicle, including safety critical systems as well as infotainment. As every connected controller broadcasts its data on this bus it is very susceptible to intrusion attacks which are enabled by the high interconnectivity and can be executed remotely using the Internet connection. This paper aims to evaluate relatively simple machine learning methods as well as deep learning methods and develop adaptations to the automotive domain in order to determine the validity of the observed data stream and identify potential security threats.",
isbn="978-3-030-12786-2",
series    = {Lecture Notes in Computer Science},
  volume    = {11387},
  doi       = {10.1007/978-3-030-12786-2_6},
}
Roland Rieke, Marc Seidemann, Elise Kengni Talla, Daniel Zelle, and Bernhard Seeger (2017),
Behavior Analysis for Safety and Security in Automotive Systems,
The 25th Euromicro International Conference on Parallel, Distributed and Network-based Computing (PDP 2017)
Abstract: The connection of automotive systems with other systems such as road-side units, other vehicles, and various servers in the Internet opens up new ways for attackers to remotely access safety relevant subsystems within connected cars. The security of connected cars and the whole vehicular ecosystem is thus of utmost importance for consumer trust and acceptance of this emerging technology. This paper describes an approach for on-board detection of unanticipated sequences of events in order to identify suspicious activities. The results show that this approach is fast enough for in-vehicle application at runtime. Several behavior models and synchronization strategies are analyzed in order to narrow down suspicious sequences of events to be sent in a privacy respecting way to a global security operations center for further in-depth analysis.
BibTeX:
@INPROCEEDINGS{pdp2017,
  booktitle={Parallel, Distributed and Network-Based Processing (PDP), 2017 25th Euromicro International Conference on},
  author={Roland Rieke and Marc Seidemann and Elise Kengni Talla and Daniel Zelle and Bernhard Seeger},
  title={Behavior Analysis for Safety and Security in Automotive Systems},
  year={2017},
  month={Mar},
  pages={381-385},
  keywords={automotive security; connected car; predictive security analysis; 
            security modeling and simulation; security monitoring; 
            complex event processing; process discovery},
  doi={10.1109/PDP.2017.67},
  url={http://ieeexplore.ieee.org/document/7912675/},
  publisher = {IEEE Computer Society},
}
Andreas Fuchs and Roland Rieke (2010),
Identification of Security Requirements in Systems of Systems by Functional Security Analysis,
In Architecting Dependable Systems VII, (Springer LNCS 6420)
Abstract: Cooperating systems typically base decisions on information from their own components as well as on input from other systems. Safety critical decisions based on cooperative reasoning however raise severe concerns to security issues. Here, we address the security requirements elicitation step in the security engineering process for such systems of systems. The method comprises the tracing down of functional dependencies over system component boundaries right onto the origin of information as a functional flow graph. Based on this graph, we systematically deduce comprehensive sets of formally defined authenticity requirements for the given security and dependability objectives. The proposed method thereby avoids premature assumptions on the security architecture's structure as well as the means by which it is realised. Furthermore, a tool-assisted approach that follows the presented methodology is described.
BibTeX:
@incollection{fuchs:rieke:2010,
author = {Andreas Fuchs and Roland Rieke},
title = {{Identification of Security Requirements in Systems of Systems by Functional Security Analysis}},
booktitle = {Architecting Dependable Systems VII},
editor = {Antonio Casimiro and Rogério de Lemos and Cristina Gacek},
publisher = {Springer},
series = {Lecture Notes in Computer Science},
volume = {6420},
year = {2010},
pages = {74--96},
doi={10.1007/978-3-642-17245-8_4},
url={http://dx.doi.org/10.1007/978-3-642-17245-8_4},
isbn = {978-3-642-17244-1}
}
Andreas Fuchs and Roland Rieke (2010),
Identification of Security Requirements for Vehicular Communication Systems,
2010 CAST-Workshop on Mobile Security for Intelligent Cars (EVITA project workshop)
BibTeX:
@inproceedings{talks-CAST:2010,
  editor = {Olaf Henniger},
  booktitle = {Presentation slides from the EVITA project workshop},
  author = {Andreas Fuchs and Roland Rieke},
  title = {Identification of Security Requirements for Vehicular Communication Systems},
  institution = {EVITA European project},
  type = {Deliverable},
  number = {D1.2.5.1},
  year = {2010},
  month= {July},
  note = {CAST-Workshop on Mobile Security for Intelligent Cars, Darmstadt, Germany},
  url = {http://evita-project.org/Publications/EVITAD1.2.5.1.pdf}
}
Alastair Ruddle, David Ward, Benjamin Weyl, Sabir Idrees, Yves Roudier, Michael Friedewald, Timo Leimbach, Andreas Fuchs, Sigrid Gürgens, Olaf Henniger, Roland Rieke, Matthias Ritscher, Henrik Broberg, Ludovic Apvrille, Renaud Pacalet, and Gabriel Pedroza (2009),
Security requirements for automotive on-board networks based on dark-side scenarios,
EVITA Deliverable D2.3
Abstract: The objective of the EVITA project is to design, verify, and prototype an architecture for automotive on-board networks where security-relevant components are protected against tampering and sensitive data are protected against compromise. Thus, EVITA will provide a basis for the secure deployment of electronic safety aids based on vehicle-to-vehicle and vehicle-to-infrastructure communication. A key activity for the EVITA project is the capture of security requirements for the secure system architecture and associated software and hardware components based on a set of use cases and an investigation of security threat scenarios (dark-side scenarios). This document outlines the processes used to identify and evaluate security requirements, and details the results of their application to automotive on-board networks. It provides input to the secure on-board architecture design.
BibTeX:
@techreport{other-evita-d2.3,
  author = {Alastair Ruddle and David Ward and Benjamin Weyl and Sabir Idrees
	and Yves Roudier and Michael Friedewald and Timo Leimbach and Andreas
	Fuchs and Sigrid G\"urgens and Olaf Henniger and Roland Rieke and
	Matthias Ritscher and Henrik Broberg and Ludovic Apvrille and Renaud
	Pacalet and Gabriel Pedroza},
  title = {Security requirements for automotive on-board networks based on dark-side
	scenarios},
  institution = {EVITA project},
  year = {2009},
  type = {{EVITA Deliverable D2.3}},
  url = {http://evita-project.org/deliverables.html}
}
Christophe Jouvray, Antonio Kung, Michel Sall, Andreas Fuchs, Sigrid Gürgens, and Roland Rieke (2009),
Security and trust model,
EVITA Deliverable D3.1
Abstract: The objective of the EVITA project is to design, verify, and prototype an architecture for automotive on-board networks where security-relevant components are protected against tampering and sensitive data are protected against compromise. Thus, EVITA will provide a basis for the secure deployment of electronic safety aids based on vehicle-to-vehicle and vehicle-to-infrastructure communication. Designing a system respecting the criteria of security and trust is a complex task. Security will cover various aspects such as dependability, integrity, authenticity, or even privacy. It is thus possible to have confidence in a system where evidence is provided to the user. To do this, taking into account security issues should begin early in the product life cycle. Currently, model driven approaches are used in application design. Model oriented approaches must be adjusted to take into account the security mechanisms. This document analyzes different approaches to security architecture models and specifies a suitable security and trust model for automotive on-board networks. Two main solutions are proposed to adapt model approaches. The first one concerns directly the model driven engineering by introducing all needed concepts into a model. The second solution proposes a formal method for the refinement of security properties. High level properties specified within a platform-independent model can be refined to properties required by certain security mechanisms which in turn reflect the platform-specific architecture chosen.
BibTeX:
@techreport{other-evita-d3.1,
  author = {Christophe Jouvray and Antonio Kung and Michel Sall and Andreas
	Fuchs and Sigrid G\"urgens and Roland Rieke},
  title = {Security and trust model},
  institution = {EVITA project},
  year = {2009},
  type = {{EVITA Deliverable D3.1}},
  url = {http://evita-project.org/deliverables.html}
}
Andreas Fuchs and Roland Rieke (2009),
Identification of authenticity requirements in systems of systems by functional security analysis,
In Workshop on Architecting Dependable Systems (WADS 2009), in Proceedings of the 2009 IEEE/IFIP Conference on Dependable Systems and Networks, Supplemental Volume.
Abstract: Cooperating systems typically base decisions on information from their own components as well as on input from other systems. Safety critical decisions based on cooperative reasoning, such as automatic emergency braking of a vehicle, raise severe concerns to security issues. In this paper we address the security engineering process for such systems of systems. The presented authenticity requirements elicitation method is based on functional dependency analysis. It comprises the tracing down of functional dependencies over system boundaries right onto the origin of information. A dependency graph with a safety critical function as root and the origins of decision relevant information as leaves is used to deduce a set of authenticity requirements. This set is comprehensive and defines the maximal set of authenticity requirements from the given functional dependencies. Furthermore, the proposed method avoids premature assumptions on the architectural structure and mechanisms to implement security measures.
BibTeX:
@inproceedings{fuchs:rieke:2009,
  author = {Andreas Fuchs and Roland Rieke},
  title = {Identification of authenticity requirements in systems of systems by functional security analysis},
  booktitle = {Workshop on Architecting Dependable Systems (WADS 2009), in Proceedings of the 2009 IEEE/IFIP Conference on Dependable Systems and Networks, Supplemental Volume},
  year = {2009},
  pages={E29-E34},
}