AutoSec: Multidimensional Timing-Based Anomaly Detection for Automotive Cybersecurity
Source: Vector Informatik GmbH (https://www.vector.com/int/en/know-how/technologies/automotive-connectivity/)


In this joint work between the University of Stuttgart and Vector Informatik GmbH, we address the anomaly detection problem in the automotive industry. Modern vehicles are envisioned to be interconnected with one another and with their environment. The main motive for such interconnections, referred to as Car2X, is to broadly enhance the safety of passengers and other traffic participants. By sharing information about traffic status, road conditions, and the behavior of traffic ahead in real time, individual vehicles can communicate with one another, and reaction times to sudden events can be greatly reduced, thus avoiding accidents. There is therefore an immense need for sharing knowledge between neighboring vehicles and the roadside infrastructure, so that safety systems can make optimal decisions in a timely manner.

Despite bringing several advantages, the interconnectivity between modern vehicles and their surroundings may expose the vehicles to external threats. In this regard, several attacks through Bluetooth, OBD, and MP3 have been reported. However, the turning point in automotive cyber-security occurred in 2015, when Miller and Valasek (2015) carried out an experiment to remotely attack a modern vehicle. They were able to take complete control of the vehicle by breaching the vehicle's network and interfering with the CAN messages. The primary security concern is their ability to remotely override the driver's actions via the wireless network despite being many kilometers away from the vehicle. In addition to such external threats, the legitimate software components (defined by the car manufacturers at design time) may exhibit abnormal behavior due to software or hardware malfunction. Accordingly, the challenge of detecting abnormal behavior of the software components at run time emerges.


To overcome this challenge, we propose AutoSec, a novel two-step method for detecting malicious behavior of the software components. AutoSec mainly relies on monitoring the real-time timing parameters of the software components, including the start-to-start (S2S) time, the worst-case execution time (WCET), the preemption time, and the number of preemptions. In this manner, AutoSec draws a complete picture of the circumstances of each execution, thus making optimal decisions about the abnormal executions. In fact, the main advantage of AutoSec is that it avoids the need for prior knowledge of the function performed by each software component.

After estimating the most important dimensions, AutoSec generates a timing model, a set of clusters defining the healthy executions. This timing model is then employed at run time to detect possible anomalies caused by external attacks or malfunctioning. To make the detection decision, AutoSec determines the distance between the clusters in the timing model and the new executions. Using a distance threshold, AutoSec classifies each new execution as a strong anomaly (SA), a weak anomaly (WA), or no anomaly (NA).



To generate the timing model, we first defined six requirements, including:

  • Supporting unsupervised learning, where abnormal behavior may occur even during the normal execution of the legitimate tasks
  • Requiring no prior knowledge about the number of clusters
  • Dealing with unbalanced datasets, in which the points are not evenly distributed between the different clusters
  • Supporting non-linearly separable datasets
  • Dealing with noisy datasets
  • Reducing the training time necessary to generate the timing model

To find the optimal clustering method, we examined five clustering methods: K-Means, Spectral Clustering, Affinity Propagation, Gaussian Mixture, and DBSCAN. The results showed that DBSCAN outperforms the other methods by satisfying all of our defined requirements. To further improve the performance of our method, AutoSec leverages the K-Means and Silhouette methods to discover possible sub-clusters when the set of data points is large.

To test the performance of AutoSec, we designed a testbed consisting of a real ECU test board (three cores running at 200 MHz) communicating with two virtual ECUs simulated by the CANoe software tool. Moreover, a set of different anomalous components was injected (cf. the red points in the below figure) into the simulated legitimate code. The injected code mainly tampers with the S2S time and the computation time by performing random computations whose length increases over time. The results showed that AutoSec achieves higher recall than the baseline methods. Accordingly, AutoSec generates far fewer false positives, and thus has a higher ability to reduce the false alarms sent to the system/driver.
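The timing-model and distance-threshold steps described above, as an added example (not code from the AutoSec paper or from Vector): a minimal DBSCAN clusters constructed healthy executions, and new executions with growing computation time are labelled NA, WA or SA by their distance to the nearest clustered point. The threshold rule (`eps`, `wa_factor`), the feature values and all function names are assumptions made for illustration.

```python
import math
import random

def dbscan(points, eps, min_pts):
    """Minimal DBSCAN: one label per point, -1 marks noise."""
    labels = [None] * len(points)
    near = lambda i: [j for j, q in enumerate(points) if math.dist(points[i], q) <= eps]
    cluster = -1
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        seeds = near(i)
        if len(seeds) < min_pts:
            labels[i] = -1
            continue
        cluster += 1
        labels[i] = cluster
        while seeds:
            j = seeds.pop()
            if labels[j] == -1:
                labels[j] = cluster        # former noise becomes a border point
            if labels[j] is None:
                labels[j] = cluster
                reach = near(j)
                if len(reach) >= min_pts:  # only core points expand the cluster
                    seeds.extend(reach)
    return labels

def build_timing_model(executions, eps, min_pts):
    """Timing model: clusters of healthy executions; DBSCAN noise is left out."""
    model = {}
    for point, label in zip(executions, dbscan(executions, eps, min_pts)):
        if label != -1:
            model.setdefault(label, []).append(point)
    return model

def classify(model, execution, eps, wa_factor=3.0):
    """Assumed rule: nearest clustered point compared against two thresholds."""
    d = min(math.dist(execution, p) for pts in model.values() for p in pts)
    return "NA" if d <= eps else "WA" if d <= wa_factor * eps else "SA"

# Constructed, pre-scaled data: (S2S ms, execution ms, preemption ms, preemption count)
rng = random.Random(7)
TRAIN = [(10 + rng.uniform(-.1, .1), 2.0 + rng.uniform(-.1, .1), 0.0, 0) for _ in range(40)]
TRAIN += [(10 + rng.uniform(-.1, .1), 3.5 + rng.uniform(-.1, .1), 0.5, 1) for _ in range(40)]
TRAIN.append((14.0, 7.0, 3.0, 4))  # stray execution inside the training data
EPS, MIN_PTS = 0.5, 5
MODEL = build_timing_model(TRAIN, EPS, MIN_PTS)
DRIFT = [(10.0, 2.05, 0.0, 0), (10.0, 2.9, 0.0, 0), (11.5, 6.0, 2.0, 3)]  # constructed
VERDICTS = [classify(MODEL, x, EPS) for x in DRIFT]
```

The stray training sample ends up as DBSCAN noise and stays out of the model, which is why unlabeled training data that already contains a few abnormal executions does not widen the healthy clusters.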


For interested readers, the architecture of AutoSec and our evaluations are described in more detail in our paper published in the 26th IEEE International Conference on Embedded and Real-time Computing Systems and Applications (RTCSA'20). The paper can be downloaded from the link (https://bit.ly/2S57PpF).


