本講演は発表者が2017年から2020年に行った研究活動のうち、制御システムの末端装置に対する攻撃の検知およびその検知の結果を含む異常動作を監視する仕組みについて解説します。末端装置に対する攻撃の検知については、自動車内部や工場で利用されるController Area Network (CAN)に接続される装置への攻撃の検知を扱います。CANは攻撃を検知するのが非常に難しいネットワークですが、この攻撃検知をする手法について、発表者が開発手法を含むいくつかの方法について解説します。もう一つの異常動作を監視する仕組みについては、発表者がITU-T SG17(セキュリティ)にて提案し勧告化されたX.1367(X.elf-iot)について解説します。インターネットリーチャビリティを持たない末端装置で発生した問題をセキュリティオペレーションセンター(SOC)までどうやって伝えるのかを解説します。最後にこれらの検知と監視によって作り出されるセキュリティマネジメントのイメージを提示し、課題を説明します。
Smart CAN Cable -- Another proposal of intrusion prevention system (IPS) for ...Mocke Tech
Many ideas of IDS for vehicles were already proposed so far. Most of them can only detect anomaly CAN message. Still, they cannot detect which ECU is compromised because any ECUs cannot identify the ECU that sends illegal messages for the specification of CAN protocol. Now we propose the Smart CAN cable that identifies the ECU that sends malicious messages. The Smart CAN cable has two kinds of functions. One is a CAN-IDS. The CAN-IDS identifies an illegal message, and it broadcasts the hash value of the illegal message to CAN-BUS. Another is an identifying module. The identifying module is to memorize hash values of the messages and its sender ECU. When the identifying module receives the hash value from the CAN-IDS, it broadcasts the sender ECU information to CAN-BUS if it finds the hash value in its own memory. We can cut the sender ECU from CAN BUS, control the stream, or handle other workarounds after identifying the sender ECU that sends illegal messages. This paper shows how the Smart CAN cable works, and its advantages and disadvantages.
The document proposes a "Smart CAN Cable" as a new in-vehicle security measure for connected vehicles. The Smart CAN Cable would identify compromised ECUs on the CAN bus network. Each connector on the cable would record frames from the connected ECU and check for illegal frames. When an IDS detects an illegal frame, it asks the connectors if they have a matching frame. The connector receiving from the ECU that sent the illegal frame is then identified as compromised. The Smart CAN Cable could then cut off communication from that ECU to isolate the threat. This allows compromised ECUs to be identified and addressed, which current security measures cannot do.
The document discusses USBProxy, an open source tool for intercepting USB communication. It describes how USBProxy works by relaying data between a connected host computer and USB device, allowing the traffic to be inspected or modified. The author notes some limitations with USBProxy, including its inability to simulate complex USB devices and reduced transfer speeds. Alternative tools for USB analysis like commercial USB protocol analyzers are also mentioned.
本講演は発表者が2017年から2020年に行った研究活動のうち、制御システムの末端装置に対する攻撃の検知およびその検知の結果を含む異常動作を監視する仕組みについて解説します。末端装置に対する攻撃の検知については、自動車内部や工場で利用されるController Area Network (CAN)に接続される装置への攻撃の検知を扱います。CANは攻撃を検知するのが非常に難しいネットワークですが、この攻撃検知をする手法について、発表者が開発手法を含むいくつかの方法について解説します。もう一つの異常動作を監視する仕組みについては、発表者がITU-T SG17(セキュリティ)にて提案し勧告化されたX.1367(X.elf-iot)について解説します。インターネットリーチャビリティを持たない末端装置で発生した問題をセキュリティオペレーションセンター(SOC)までどうやって伝えるのかを解説します。最後にこれらの検知と監視によって作り出されるセキュリティマネジメントのイメージを提示し、課題を説明します。
Smart CAN Cable -- Another proposal of intrusion prevention system (IPS) for ...Mocke Tech
Many ideas of IDS for vehicles were already proposed so far. Most of them can only detect anomaly CAN message. Still, they cannot detect which ECU is compromised because any ECUs cannot identify the ECU that sends illegal messages for the specification of CAN protocol. Now we propose the Smart CAN cable that identifies the ECU that sends malicious messages. The Smart CAN cable has two kinds of functions. One is a CAN-IDS. The CAN-IDS identifies an illegal message, and it broadcasts the hash value of the illegal message to CAN-BUS. Another is an identifying module. The identifying module is to memorize hash values of the messages and its sender ECU. When the identifying module receives the hash value from the CAN-IDS, it broadcasts the sender ECU information to CAN-BUS if it finds the hash value in its own memory. We can cut the sender ECU from CAN BUS, control the stream, or handle other workarounds after identifying the sender ECU that sends illegal messages. This paper shows how the Smart CAN cable works, and its advantages and disadvantages.
The document proposes a "Smart CAN Cable" as a new in-vehicle security measure for connected vehicles. The Smart CAN Cable would identify compromised ECUs on the CAN bus network. Each connector on the cable would record frames from the connected ECU and check for illegal frames. When an IDS detects an illegal frame, it asks the connectors if they have a matching frame. The connector receiving from the ECU that sent the illegal frame is then identified as compromised. The Smart CAN Cable could then cut off communication from that ECU to isolate the threat. This allows compromised ECUs to be identified and addressed, which current security measures cannot do.
The document discusses USBProxy, an open source tool for intercepting USB communication. It describes how USBProxy works by relaying data between a connected host computer and USB device, allowing the traffic to be inspected or modified. The author notes some limitations with USBProxy, including its inability to simulate complex USB devices and reduced transfer speeds. Alternative tools for USB analysis like commercial USB protocol analyzers are also mentioned.
A trial investigation system for vulnerability on M2M networkMocke Tech
The document proposes a trial investigation system to analyze vulnerabilities in machine-to-machine (M2M) networks. It describes existing approaches that use vulnerability scanners or USB proxies, but notes limitations like inability to dynamically adapt or slow speeds. The proposed system uses a tool called "ka-mitm" that acts as a transparent proxy between targets, intercepting and modifying network traffic based on predefined "meta-scripts". Sample meta-scripts and their results analyzing a VNC handshake protocol are provided as a proof of concept.
A trial investigation system for vulnerability on M2M networkMocke Tech
The document proposes a trial investigation system to analyze vulnerabilities in machine-to-machine (M2M) networks. It describes existing approaches that use vulnerability scanners or USB proxies, but notes limitations like inability to dynamically adapt or slow speeds. The proposed system uses a tool called "ka-mitm" that acts as a transparent proxy between targets, intercepting and modifying network traffic based on predefined "meta-scripts". Sample meta-scripts and their results analyzing a VNC handshake protocol are provided as a proof of concept.