Date of Award
3-26-2020
Document Type
Thesis
Degree Name
Master of Science in Computer Science
Department
Department of Electrical and Computer Engineering
First Advisor
Scott R. Graham, PhD
Abstract
Today's vehicle manufacturers do not tend to publish proprietary packet formats for the controller area network (CAN), a network protocol regularly used in automobiles and manufacturing. This is a form of security through obscurity (it makes reverse engineering efforts more difficult for would-be intruders), but obfuscating the CAN data in this way does not adequately hide the vehicle's unique signature, even if these data are unprocessed or limited in scope. To prove this, we train two distinct deep learning models on data from 11 different vehicles. Our results clearly indicate that one can determine which vehicle generated a given sample of CAN data. This erodes consumer safety: a sophisticated attacker who establishes a presence on an unknown vehicle can use similar techniques to identify the vehicle and better format attacks. To protect critical cyber-physical systems (CPSs) against attacks like those enabled by this CAN vulnerability, system administrators often develop and employ intrusion detection systems (IDSs). Before developing an IDS, one requires an understanding of the behavior of the CPS and of the causality of its constituent parts. Such an understanding allows one to characterize normal behavior and, in turn, identify and report anomalous behavior. This research explores two different time series analysis techniques, Granger causality and empirical dynamic modeling (EDM), which may contribute to this understanding of a system. Our findings indicate that Granger causality is not a suitable approach to IDS development but that EDM may enable the understanding of a system required of an IDS architect. We thus encourage further research into EDM applications to IDSs for CPSs.
AFIT Designator
AFIT-ENG-MS-20-M-012
DTIC Accession Number
AD1102913
Recommended Citation
Crow, David R., "Cyber-Physical System Intrusion: A Case Study of Automobile Identification Vulnerabilities and Automated Approaches for Intrusion Detection" (2020). Theses and Dissertations. 3170.
https://scholar.afit.edu/etd/3170