WO2021107822A1

WO2021107822A1 - Method for protecting vehicle control systems from intrusions

Info

Publication number: WO2021107822A1
Application number: PCT/RU2020/050348
Authority: WO
Inventors: Дмитрий Михайлович МИХАЙЛОВ; Артем Дмитриевич ДОЛГИХ; Алексей Сергеевич ПРОНИЧКИН; Сергей Валерьевич БАГРОВ; Владимир Александрович ПЕДАНОВ
Original assignee: Дмитрий Михайлович МИХАЙЛОВ
Priority date: 2019-11-25
Filing date: 2020-11-24
Publication date: 2021-06-03
Also published as: RU2737229C1

Abstract

The present invention relates to the field of information technology, more specifically to information security, and can be used to analyse and detect anomalies in traffic behaviour within information networks for transmitting data of vehicle control systems. During the implementation of the method, all the nodes/devices in the control information systems are identified, the traffic in the information networks for transmitting data within a vehicle control system is collected and analysed, and, following this, a machine learning method is used to determine a normal traffic state for the system and detect anomalous changes in the traffic state in comparison to the normal state, wherein the system used is able to merely inform a user of the traffic state and to block anomalous traffic, and the system used is also able to be implemented as an independent system or as a subsystem.

Description

METHOD FOR PROTECTING TRANSPORT CONTROL SYSTEMS

INTRUSION FUNDS

The present invention relates to the field of information technology, in particular to information security, and can be used to analyze and identify anomalies in the behavior of traffic within information networks for data transmission of vehicle control systems.

Hereinafter, a vehicle should be understood as any type of vehicle (shipping, surface, underground, underwater, etc.) in which there is a control system.

The developed method can be used both in conjunction with IPS / IDS systems (i.e., be an integral part), and separately. It is based on Extreme Learning Machines models.

In the modern world, the number of cyberattacks on control systems, including vehicles, is increasing every year. The number of attacks, as well as various malicious programs, is increasing exponentially. For this reason, it is important to develop and use better systems for detecting intrusions into vehicle management systems. This circumstance contributes to an increase in the speed of reaction and the efficiency of incident handling. That, in turn, directly affects the increase in the fault tolerance of such systems.

It is known (RU, patent 2583703, publ. 05/10/2016) a method for characterizing the malicious activity of an attacker in an intelligent network of engineering services, executed by a computer having at least one processor and at least one memory device, comprising the steps of: intelligent network system, using the specified at least one processor, information technology (IT) data, including IT-related activity; receive, using the at least one processor, non-IT data including location event data from a plurality of electronic sources, network analog measurement data containing phase vector measurement data, and a list targets with their corresponding geographic locations; performing preprocessing using the at least one non-IT data processor, including a sub-step of: ignoring non-IT data that does not meet a predetermined compliance level with one of a plurality of risk events; applying, using said at least one processor, a plurality of rules to preprocessed non-IT data, said application step comprising sub-steps in which: associating an undesirable event with IT-related activity; determine the likelihood that an undesirable event indicates malicious activity, while the determination sub-stage involves comparing a given criterion with non-IT data to generate one of a plurality of probability levels as the sum of the product of the probability of an intentional malicious attack and the probability of a vulnerability the specified deliberate malicious attack; and the product of the probability of occurrence of an unexpected failure and the probability of existence of a vulnerability associated with the specified unforeseen failure, while the specified intentional malicious attack and the specified unexpected failure contain mutually independent events; and applying to the undesirable event, by means of said at least one processor, a risk characterization based on the specified level of likelihood and IT-related activity. The disadvantages of the known method can be recognized that, on the one hand, it characterizes the structure of the system, which is designed to ensure information security (cybersecurity), with a deep degree of detail; on the other hand, a specific use case for ICS power generation and distribution is characterized. There are calculations of probabilistic characteristics to determine the weight of the internal components of the system when solving cybersecurity problems.

Also known (US, patent 9881165, publ. 01/30/2018) a system and method for ensuring the protection of electronic systems of vehicles. This system includes a device. This device is installed between the data bus and the electronic control unit (ECU). The device includes the following functional blocks: message receiving unit (monitoring messages between the bus and the ECU electronic control unit), message analysis unit (determining the fact of unauthorized commands, based on the established rules), message transmission unit (sending legitimate commands to the ECU electronic control unit ).

This system is a device that is designed to implement some of the functions of the hardware Firewall. This technical solution has the following disadvantages:

- the fact of unauthorized influence can be determined only at the moment of placing commands;

- requires the manufacturer to constantly improve algorithms and embedded software; one device of the system is used to ensure the cybersecurity of only one electronic control unit of the ECU; - does not allow to determine the facts of substitution of standard electronic devices on the information bus, including the installation of new ones.

The method described in US patent 9881165 does not provide for the use of machineleaming technologies to detect the presence of unauthorized interference. The claimed method is based only on the filtering method, which is not an intelligent method for detecting the facts of unauthorized interference in the operation of the system.

It is also known (RU, patent 2704720, publ. 10/30/2019) a system for detecting unauthorized connected devices in a vehicle, containing at least one electronic device of a vehicle connected via an electric bus to a module for detecting unauthorized devices, consisting of a measurement unit, an analog-to-digital converter, a digital signal processing unit, a buffer unit, a comparator unit, a control unit and a communication interface driver unit, while the measurement unit and the analog-to-digital converter are configured to obtain the parameters of the electrical signal of the busbar in the first and second time intervals, in the digital signal processing unit, processing and construction of the signal spectrum is carried out, the buffer unit is designed to store the received signal data, the control unit, through commands, executes all transfer and arbitration algorithms, the communication interface driver unit provides interpretation of the field learned data in the corresponding standard or data protocol and their delivery to the communication channel, and in the comparator block, the comparison of the signal spectra obtained in the first and in the second time intervals is performed by analyzing the spectral components of electrical signals, and the identification of unauthorized devices installed on the electric bus of the vehicle by the results of comparison of the spectra of the signals obtained in the first and in the second time intervals. The disadvantages of the known technical solution can be recognized that the described method is aimed at identifying the facts of unauthorized connection to the information bus (electric bus) of the vehicle by means of physical methods of fixing parameters without analyzing the directly transmitted data on it. In the considered information systems, the main element for an attack is data. The method described in RU 2704720 analyzes the physical transmission medium of such data, and not the data itself. Thus, the conclusion about unauthorized connection / intrusion is made on the basis of secondary signs.

During the search for scientific, technical and patent literature, no source of information was found that could be used as the closest analogue.

The technical problem solved by the implementation of the developed technical solution consists in the development of a method for detecting unauthorized intrusion into the information bus of data transmission on a vehicle, and the developed method will allow the most reliable determination of the presence of an intrusion.

The technical result achieved by the implementation of the developed method consists in leveling the facts of unauthorized access to the information bus of vehicle control systems, which in turn prevents possible losses (material, image), death of people, etc., ensuring the possibility of creating on the basis of developed method of ips / ids (Intrusion detection, prevention system) level systems and their components.

To achieve the specified technical result, it is proposed to use the developed method of protecting information buses of vehicle control systems from intrusions. When implementing the developed method, all nodes / devices in the control network are identified, the traffic of information networks for data transmission inside the vehicle management system is collected and analyzed using the machine learning method, the normal state of the system traffic is determined, the change in the traffic state from normal to abnormal is detected, when In this case, the system used is made with the possibility, after detecting a change in traffic, only to inform the user about the traffic state and with the possibility of blocking abnormal traffic.

In some implementations of the developed method for detecting abnormal traffic behavior, network traffic analysis is carried out according to static characteristics and dynamic characteristics.

Preferably, the traffic in the network is collected in a passive mode, after which the traffic is forwarded to a data preprocessing module from the network, in which features are extracted for further processing to compose a general structure, which is a structured dataset, for processing by the neural network.

In some variants of the developed method, the collection and analysis of traffic is carried out using a system of modules made on the basis of industrial computers.

The developed method has a more detailed description of the technology itself, which allows you to record the facts of unauthorized connection / intrusion into various vehicle control networks. The developed method, in contrast to the known ones, shows the use of machineleaming technologies to identify these threats. The developed method is more versatile from the point of view of its application, since it can be used as an independent system, as well as as separate components of an integrated system, in contrast from that described in RU, 2583703, where a description of the general architecture of the system for ensuring its application is presented.

A study of the ways and methods of unauthorized intrusions or attacks by intruders shows that basically it all comes down to using the same vulnerability, but in different ways of interpreting it. This circumstance gives grounds to assert that most cyberattacks are homogeneous, polymorphic. And, therefore, it is not possible to describe with one set of signatures. In this regard, the main task of the described method is behavioral network analysis. The main criteria for such an analysis is the identification of the system or the assignment of one of the status indicators at the current moment:

• normal behavior;

• abnormal behavior.

It is proposed to solve this problem, namely, to determine the state of the system using machine learning algorithms, namely, by means of a machine learning algorithm, specifically OS-ELM One-Class Classification with Extreme Learning Machine.

The developed method of protecting vehicle control systems from intrusions allows collecting and analyzing the traffic of information networks for data transmission within the system in real time in order to determine the current state. After detecting a change in state from normal to abnormal, the system can only inform the user, and the functionality of blocking abnormal traffic (for example, blocking abnormal data packets) can also be implemented.

One of the main tasks solved by the developed method is to ensure the security of data exchange between nodes in information networks of vehicle control systems. The rules by which the process takes place exchange of data (packets) within information networks depend on the protocols and standards used.

The most vulnerable parts of such systems can be identified, as shown in Fig. 1, where sensors, data acquisition modules, and actuators are represented as nodes 101. The number of such units in a vehicle is not limited. Data from such nodes enter the data collection and processing devices (node 102) (for example, for cars, ECUs can act as such nodes). The transmission of processed data from nodes 102 occurs to information collection centers (node 103). The main vulnerable elements in these control systems are data transmission buses (nodes 201). These nodes can represent various options for interfaces or standards (CAN, Ethernet, NMEA, Seatalk, RS485, etc.). The interface type is irrelevant to the implementation of the developed method.

It is worth noting that any threat that remains unnoticed due to the impossibility of fully monitoring the network can lead to economic, physical, reputational and other types of damage. Therefore, providing protection, and in particular the detection and blocking of anomalous behaviors within protocols or standards describing the rules for transferring data between nodes / devices, is an important task.

This is mainly due to the following two aspects:

• Implementation of communications using protocols within the vehicle control system itself carries security risks;

• lack of effective detection methods to address these risks.

Based on the above problems, the use of the described method in vehicle control systems is highly desirable. In a preferred embodiment of the invention, the OS-ELM machine learning method is used, which can be effectively used to detecting abnormal behavior that could be caused by an external attack or malfunction.

The learning process is to get an idea of the normal state of the system. For this purpose, the traffic that takes place during the normal operation of the vehicle control system is recorded. Network traffic is analyzed for static characteristics and dynamic characteristics to identify its abnormal behavior. So, in the event of a malicious effect on the network, it will be detected due to a deviation from normal behavior. So, for example, in the standard case, an exploit involves several attack options. Attackers send packets containing overloaded data, which is a clear deviation from the normal behavior of devices, as a result of which this can lead to a denial of service (DDoS) implementation on the receiving device. Implementation of such attacks was evaluated experimentally on a test bench and proved to be effective. When implementing the developed method, the network detection of such anomalies is realized due to the knowledge of the initial normal state of the network. The test results show that the false positive rate and the false negative rate are 0.19% and 0.42%, respectively, when anomalies are detected. The result shows that the developed behavioral solution can effectively identify the change in the normal state in a given experiment. By analyzing the captured industrial protocol packet, you can classify it according to specific fields. For each protocol, the fields are selected depending on its specification, since not all fields are significant in this case, however, in the general case, the processing of packets and their transformation to the general data stream remains at the low-level API modules.

The state detection process is shown in FIG. 2. The figure graphically displays the difference between the predicted data at ideal signal (solid line), and tamper / attack (dashed line). These differences in signals are due to the introduced unpredictable deviations from the ideal signal in the presence of an attack.

The traffic processing algorithm is shown in FIG. 3.

All traffic in the network was recorded in a passive mode, after which the registered information goes to the module for preprocessing data from the network, then after the preprocessing module extracts features for further processing, after which they form a general structure, which is a structured a dataset to be processed by a neural network. The next intrusion detection module receives as input the intrusion detection input structure prepared at the preliminary stage. The basis of this module is an improved trained neural network model, which, based on the data obtained, determines the state of the network at a given time. For the subsequent processing of the incident, if the state of the network deviates from normal, we use the intrusion processing module.

The data collection module performs the task of sniffing and filtering data across the entire network segment.

Incoming network traffic is a sequence of Ethemet frames. Ethemet packet consists of MAC header, data and CRC sum. The MAC header, in turn, consists of three components: the MAC address of the data source, the MAC address of the data receiver, EtherType, which is used to identify the type of protocol used in payload. CRC - the sum is used to check the integrity of the data when receiving data. FIG. 4 shows the Ethernet protocol frame format.

To capture network traffic and further analyze it, use the open source library - libpcap. Libpcap provides a wide range of analysis of incoming traffic, in particular, determination of data integrity, data type, MAC - addresses of the source and destination of data, as well as receive data.

If necessary, at the stage of processing incoming traffic by the libpcap library, packets are filtered by data type, source and destination MAC addresses, and data format.

The data collection module is implemented using libpcap. Libpcap is a powerful library for capturing network packets. Libpcap can monitor and collect data packets across an entire network segment. After receiving the headers of network packets, this step determines the correctness of the packet, as well as its type. Depending on the type of packets, the data of protocols differing in semantic analysis will be sent to the data processing module.

The data processing module performs the task of preparing input data for the OS - ELM.

At the stage of data collection, a sequence of Ethernet frames was obtained, which corresponds to the time interval from t_i to t_ (i + l), and t_ (i + l) - t_i = window size, where window size is the size of the considered time interval.

At the stage of data preprocessing, data is extracted from packets with the subsequent vectorization of a sequence of Ethernet packets into a multidimensional time series of size (n, t), where n is the number of features, m is the number of points within the considered time interval window size. After the vectorization operation, data normalization is applied so that at the stages of OS training - ELM and inference, each separate time series makes the same contribution to the processing of the OS - ELM model. The resulting normalized multidimensional time series is used as a featuremap of the intrusion detection module. FIG. 5 shows the dependences of network traffic on time.

FIG. 6 shows a block diagram of the work of the Data Processing Module. The data processing module is implemented primarily for converting raw packets into data that can be recognized by the intrusion detection module. This module implements the functions of fast data extraction from the package. After the applied normalization algorithms, as well as the search for dimensional features, they can be used as input to the intrusion detection module.

One of the prerequisites for the intrusion detection engine is a high processing speed for detecting attacks in real time. One of the main problems solved by this module, in addition to intrusion detection itself, is the solution of scalability problems, including in the absence of malicious traffic (for the training process). An improved OS-ELM is used to solve these problems. The advantage of this system is the high learning rate for classifying one class. Unlike existing neural networks, ELM randomly generates weights between input layers and hidden layers. In addition, ELM trains these weights by solving a least squares optimization problem instead of backpropagating the operation error. Because of the aforementioned advantages, ELM can usually achieve high learning rates and good generalizability.

In this case, a training set Ch ^c d is given containing n data points with d dimensions and L hidden nodes.

B = H ^L T (1 / C + H * H ^l T) ^l -1 * T where C and T are the regularization coefficient and the target result. The prediction of the input data point x is defined as: f (x) = g (x) B = g (x) H ^A T = h (x) * H ^A T (1 / C + H * H ^L T) ^L -1 * T where g (x) is a random mapping x; С and Т regularization coefficients and target result.

OS-ELM directly maps all hidden layer outputs to one target output value. Considering the output data of the OS-ELM of the given training set y = [yl, ..., yn], the error of mapping the training set xi to the target value yi is | di - yi |. The dT threshold can be selected, to exclude a small fraction (p) of the farthest learning points (di> dT).

The intrusion handling module is designed to:

• Informing about intrusion (display on human-machine interface devices);

• Providing information about incidents that have occurred;

• Additionally, the module can block the transmitted data according to preset conditions.

FIG. 7 shows a diagram of the operation of the Intrusion Handling Module. The scheme describes the basic principle of the construction of the algorithm; a set of parameters is fed to the input (input Node), on the basis of which the detection and classification of incidents occurs.

During the training process, weights are distributed between the Nods of the hidden layers. The Output Node value indicates the presence or absence of an intrusion

The end-user interaction module provides an interface for displaying current information as well as managing the system. Of the control functions, it is worth highlighting the ability to enter tuning parameters, make configurations for the operation of the system, etc.

In the future, the essence of the developed method will be disclosed by example.

For example, there is some local area network of the object. Depending on the time of day, day of the week, various standard situations, traffic in the network can behave in different ways, and all these will be correct situations.

There is also a great variety of attacks, which also affects the behavior of the network in completely different ways.

The tasks of the system are reduced to studying all possible situations of the system's behavior and identifying hidden dependencies of the mutual influence of network parameters and predicting the behavior of the system in normal mode. The first stage is training the system, for this on the basis of the module data collection is performed by sniffing and filtering data across the entire network segment. The received data should cover as much as possible all possible situations of network behavior in normal mode.

Further, this data is processed using a data processing module and a featuremap is extracted, which in a specialized way describes the state of the system and allows you to predict how the system would behave during normal operation.

At the second stage, the system is integrated into the object and, on the basis of regularly received data on the current state of the system (from the data collection module), predicts the parameters of the system's behavior during normal operation.

The intrusion detection module analyzes the real data received from the data collection module and compares it with the expected traffic parameters for normal operation. If there is a discrepancy between the parameters of the expected and actual network traffic, alerts are generated to the user.

The received warning can be interpreted in different ways by the user, depending on the type of applied system to which it is sent.

If the described method is implemented in the IPS (Intrusion Detection System), generated alerts are sent to the user in the SIEM / SOC module. Messages of this kind are filtered, and the user takes appropriate action as appropriate. The measures should be of an organizational nature: stopping the vehicle, disconnecting individual modules from the general information management of the vehicle, physical examination of individual modules for defect or operability, etc.

If the described method is implemented in the IPS (Intrusion Prevention System), then the warnings transmitted to higher hierarchical levels can be markers for making a decision on blocking separate data packages. Each individual scenario is configured depending on the purpose of the system, equipment used, structure, etc. In this case, the system can automatically respond to unauthorized intrusions into vehicle management information systems and eliminate them.

The described methods ensure information security of information control systems in vehicles.

Claims

CLAIM

1. A method of protecting vehicle control systems from intrusions, characterized by the fact that they identify all nodes / devices in information control systems, collect and analyze the traffic of information networks for data transmission within the vehicle control system, and then, using the machine learning method, determine the normal state of the traffic of the system, as well as the detection of abnormal changes in the state of the traffic in comparison with the normal one, while the used system is made with the ability to only inform the user about the state of the traffic and with the ability to block abnormal traffic as a subsystem.

2. The method according to claim 1, characterized in that in order to detect abnormal traffic behavior, network traffic is analyzed according to static characteristics and dynamic characteristics.

3. The method according to claim 1, characterized in that the traffic in the information network is collected in a passive mode, after which the traffic is transmitted to the module for preprocessing data from the network, in which features are extracted for further processing to compose a general structure, which is a structured set data for processing by a neural network.

4. The method according to claim 1, characterized in that the collection and analysis of traffic is carried out using a system of modules based on industrial computers.