RIDAS: Real-time identification of attack sources on controller area networks

Authors: 

Jiwoo Shin and Hyunghoon Kim, Soongsil University; Seyoung Lee, Wonsuk Choi, and Dong Hoon Lee, Korea University; Hyo Jin Jo, Soongsil University

Abstract: 

Researchers have responded to various cyber attacks on the controller area network (CAN) by studying technologies for identifying the source of an attack. However, existing attack source identification technologies lose significant accuracy when the vehicle environment changes (temperature, humidity, battery level, etc.), have been shown to be circumvented by identification-aware attackers, or do not provide real-time identification. A real-time attack node identification technology that cannot be bypassed by an attacker and is not affected by changes in the vehicle environment is essential for developing cyber attack response technologies such as node isolation, security patching, digital forensics, etc. To meet this need, we propose a novel real-time attack node identification method, called RIDAS, which identifies the attack source by using the error handling rules of CAN. RIDAS injects bit errors into the abnormal messages that have been detected by an existing intrusion detection system (IDS). The source that sent the abnormal messages enters the error-passive state defined in the CAN standard, in which it cannot send consecutive messages. RIDAS then sequentially inspects all electronic control units (ECUs) in the vehicle and identifies the node in the error-passive state by checking for the priority reduction phenomenon that occurs in that state. Moreover, RIDAS deals with two issues: identification robustness and identification errors. Our experimental results on both a CAN bus prototype and one real vehicle demonstrate that RIDAS can accurately identify an attack source without being affected by changes in the vehicle's environment and can deal with both false positives of intrusion detection systems and RIDAS-aware attackers.
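The error-passive transition and the priority reduction that the abstract relies on can be reproduced with a small model of CAN fault confinement. This is an added example, not code from the paper: it assumes the standard CAN rules (transmit error counter +8 per transmit error, error-passive at 128, an 8-bit suspend-transmission wait for an error-passive node that sent the previous frame), and the node names and identifiers are hypothetical.

```python
# Added illustration of CAN fault confinement; not RIDAS code.
from dataclasses import dataclass

ERROR_PASSIVE_LIMIT = 128  # TEC >= 128: node is error-passive
BUS_OFF_LIMIT = 256        # TEC >= 256: node is bus-off
INTERMISSION_BITS = 3      # inter-frame gap every node must respect
SUSPEND_BITS = 8           # extra wait for an error-passive previous transmitter

@dataclass
class Node:
    name: str       # hypothetical label
    can_id: int     # lower identifier = higher arbitration priority
    tec: int = 0    # transmit error counter

    @property
    def state(self):
        if self.tec >= BUS_OFF_LIMIT:
            return "bus-off"
        if self.tec >= ERROR_PASSIVE_LIMIT:
            return "error-passive"
        return "error-active"

    def tx_error(self):
        # A frame destroyed while this node is transmitting costs 8 points.
        self.tec += 8

    def tx_ok(self):
        # A successful transmission earns back 1 point.
        self.tec = max(0, self.tec - 1)

    def ready_delay(self, was_last_transmitter):
        """Bit times after end of frame before this node may start a frame."""
        suspended = self.state == "error-passive" and was_last_transmitter
        return INTERMISSION_BITS + (SUSPEND_BITS if suspended else 0)

def errors_until_passive(node):
    """Count consecutive transmit errors needed to leave error-active."""
    count = 0
    while node.state == "error-active":
        node.tx_error()
        count += 1
    return count

def next_winner(pending, last_tx):
    """Earliest starter takes the bus; simultaneous starters arbitrate by ID."""
    return min(pending, key=lambda n: (n.ready_delay(n is last_tx), n.can_id))
```

With both nodes holding a pending frame, a high-priority node that has just transmitted wins again while error-active but loses to a lower-priority peer once error-passive, which is the observable behavior an inspection step can check for.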


BibTeX
@inproceedings {291074,
author = {Jiwoo Shin and Hyunghoon Kim and Seyoung Lee and Wonsuk Choi and Dong Hoon Lee and Hyo Jin Jo},
title = {{RIDAS}: Real-time identification of attack sources on controller area networks},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {6911--6928},
url = {https://www.usenix.org/conference/usenixsecurity23/presentation/shin},
publisher = {USENIX Association},
month = aug
}
