anomaly detection for some/ip using complex event processing · anomaly detection for some/ip using...
TRANSCRIPT
![Page 1: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/1.jpg)
Anomaly Detection for SOME/IP using ComplexEvent Processing
Chair of Network Architectures and ServicesTUM Department of InformaticsTechnical University of Munich (TUM)
Nadine Herold, Stephan-A. Posselt, Oliver Hanka, Georg CarleIstanbul, Turkey, April 29, 2016
![Page 2: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/2.jpg)
MotivationChanges in automotive and the aerospace domain
• More convenience at lower costs in the automotive and the aerospace domain lead to usage ofcommon protocols, e.g. TCP/IP suite.
• New protocols used upon IP are designed and implemented.
• They offer a large attack surface, and cars and airplanes are valuable targets.
• The rapid development of such protocols accompany various security related challenges.
• The correct behavior of all components depends on the correctness of the implementation.
We propose a system for:
• offline-testing new protocol implementations in a convenient way and
• live detection of attacks in a running system.
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 2
![Page 3: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/3.jpg)
Some-IPScalable Service-Oriented Middleware for IP
• Standardized by AUTOSAR project
• Remote procedure calls (RPC) on top of the TCP/IP protocol stack
• No built-in security measures
Possible misuse cases or attacks:
• Malformed packets
• Protocol violations
• System- or use case specific violations
• Timing issues
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 3
![Page 4: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/4.jpg)
Use-Case: Cabin Data NetworkSimplified Airbus Mock-Up
1F
1E
1D
1C
1B
1A
2F
2E
2D
2C
2B
2A
3F
3E
3D
3C
3B
3A
Lights,Flight Entertainment,Passenger Call, ...
Main Switch
...
Line Switch
Central Servers
MAC, IP and IDof Clients
MAC, IP and IDof Server
s1 s2
Available Servicesand Methods
Allowed Access
3FCompromise andImpersonate DeviceEavesdrop
IDS
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 4
![Page 5: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/5.jpg)
Use-Case: Cabin Data NetworkSimplified Airbus Mock-Up
1F
1E
1D
1C
1B
1A
2F
2E
2D
2C
2B
2A
3F
3E
3D
3C
3B
3A
Lights,Flight Entertainment,Passenger Call, ...
Main Switch
...
Line Switch
Central Servers
MAC, IP and IDof Clients
MAC, IP and IDof Server
s1 s2
Available Servicesand Methods
Allowed Access
3FCompromise andImpersonate DeviceEavesdrop
IDS
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 4
![Page 6: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/6.jpg)
Use-Case: Cabin Data NetworkSimplified Airbus Mock-Up
1F
1E
1D
1C
1B
1A
2F
2E
2D
2C
2B
2A
3F
3E
3D
3C
3B
3A
Lights,Flight Entertainment,Passenger Call, ...
Main Switch
...
Line Switch
Central Servers
MAC, IP and IDof Clients
MAC, IP and IDof Server
s1 s2
Available Servicesand Methods
Allowed Access
3FCompromise andImpersonate DeviceEavesdrop
IDS
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 4
![Page 7: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/7.jpg)
Use-Case: Cabin Data NetworkSimplified Airbus Mock-Up
1F
1E
1D
1C
1B
1A
2F
2E
2D
2C
2B
2A
3F
3E
3D
3C
3B
3A
Lights,Flight Entertainment,Passenger Call, ...
Main Switch
...
Line Switch
Central Servers
MAC, IP and IDof Clients
MAC, IP and IDof Server
s1 s2
Available Servicesand Methods
Allowed Access
3FCompromise andImpersonate DeviceEavesdrop
IDS
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 4
![Page 8: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/8.jpg)
Use-Case: Cabin Data NetworkSimplified Airbus Mock-Up
1F
1E
1D
1C
1B
1A
2F
2E
2D
2C
2B
2A
3F
3E
3D
3C
3B
3A
Lights,Flight Entertainment,Passenger Call, ...
Main Switch
...
Line Switch
Central Servers
MAC, IP and IDof Clients
MAC, IP and IDof Server
s1 s2
Available Servicesand Methods
Allowed Access
3FCompromise andImpersonate DeviceEavesdrop
IDS
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 4
![Page 9: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/9.jpg)
Use-Case: Cabin Data NetworkSimplified Airbus Mock-Up
1F
1E
1D
1C
1B
1A
2F
2E
2D
2C
2B
2A
3F
3E
3D
3C
3B
3A
Lights,Flight Entertainment,Passenger Call, ...
Main Switch
...
Line Switch
Central Servers
MAC, IP and IDof Clients
MAC, IP and IDof Server
s1 s2
Available Servicesand Methods
Allowed Access
3FCompromise andImpersonate DeviceEavesdrop
IDS
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 4
![Page 10: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/10.jpg)
Use-Case: Cabin Data NetworkSystem Information known Before-Hand
1F
1E
1D
1C
1B
1A
2F
2E
2D
2C
2B
2A
3F
3E
3D
3C
3B
3A
Lights,Flight Entertainment,Passenger Call, ...
Main Switch
...
Line Switch
Central Servers
MAC, IP and IDof Clients
MAC, IP and IDof Server
s1 s2
Available Servicesand Methods
Allowed Access
3FCompromise andImpersonate DeviceEavesdrop
IDS
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 4
![Page 11: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/11.jpg)
Use-Case: Cabin Data NetworkSystem Information known Before-Hand
1F
1E
1D
1C
1B
1A
2F
2E
2D
2C
2B
2A
3F
3E
3D
3C
3B
3A
Lights,Flight Entertainment,Passenger Call, ...
Main Switch
...
Line Switch
Central Servers
MAC, IP and IDof Clients
MAC, IP and IDof Server
s1 s2
Available Servicesand Methods
Allowed Access
3FCompromise andImpersonate DeviceEavesdrop
IDS
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 4
![Page 12: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/12.jpg)
Use-Case: Cabin Data NetworkAttacker Model p
1F
1E
1D
1C
1B
1A
2F
2E
2D
2C
2B
2A
3F
3E
3D
3C
3B
3A
Lights,Flight Entertainment,Passenger Call, ...
Main Switch
...
Line Switch
Central Servers
MAC, IP and IDof Clients
MAC, IP and IDof Server
s1 s2
Available Servicesand Methods
Allowed Access
3FCompromise andImpersonate DeviceEavesdrop
IDS
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 4
![Page 13: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/13.jpg)
Use-Case: Cabin Data NetworkProposed System Placement p
1F
1E
1D
1C
1B
1A
2F
2E
2D
2C
2B
2A
3F
3E
3D
3C
3B
3A
Lights,Flight Entertainment,Passenger Call, ...
Main Switch
...
Line Switch
Central Servers
MAC, IP and IDof Clients
MAC, IP and IDof Server
s1 s2
Available Servicesand Methods
Allowed Access
3FCompromise andImpersonate DeviceEavesdrop
IDS
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 4
![Page 14: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/14.jpg)
Esper: A Complex Event Processing EngineBasic Event Flow
e1e2e3e4
R1
e5e6e7e8
R1 and R2
Event Window (size : 5)
R1: Event is red.R2: Two events are red.
Event WindowEvent WindowEvent Window
e1e2e3
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 5
![Page 15: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/15.jpg)
Esper: A Complex Event Processing EngineBasic Event Flow
e1
e2e3e4
R1
e5e6e7e8
R1 and R2
Event Window (size : 5)
R1: Event is red.R2: Two events are red.
Event WindowEvent WindowEvent Window
e1e2e3
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 5
![Page 16: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/16.jpg)
Esper: A Complex Event Processing EngineBasic Event Flow
e1e2
e3e4
R1
e5e6e7e8
R1 and R2
Event Window (size : 5)
R1: Event is red.R2: Two events are red.
Event WindowEvent WindowEvent Window
e1e2e3
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 5
![Page 17: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/17.jpg)
Esper: A Complex Event Processing EngineBasic Event Flow
e1e2e3
e4
R1
e5e6e7e8
R1 and R2
Event Window (size : 5)
R1: Event is red.R2: Two events are red.
Event WindowEvent WindowEvent Window
e1e2e3
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 5
![Page 18: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/18.jpg)
Esper: A Complex Event Processing EngineBasic Event Flow
e1e2e3e4
R1
e5e6e7e8
R1 and R2
Event Window (size : 5)
R1: Event is red.R2: Two events are red.
Event WindowEvent WindowEvent Window
e1e2e3
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 5
![Page 19: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/19.jpg)
Esper: A Complex Event Processing EngineBasic Event Flow
e1e2e3e4
R1
e5
e6e7e8
R1 and R2
Event Window (size : 5)
R1: Event is red.R2: Two events are red.
Event WindowEvent WindowEvent Window
e1e2e3
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 5
![Page 20: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/20.jpg)
Esper: A Complex Event Processing EngineBasic Event Flow
e1
e2e3e4
R1
e5e6
e7e8
R1 and R2
Event Window (size : 5)
R1: Event is red.R2: Two events are red.
Event Window
Event WindowEvent Window
e1
e2e3
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 5
![Page 21: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/21.jpg)
Esper: A Complex Event Processing EngineBasic Event Flow
e1e2
e3e4
R1
e5e6e7
e8
R1 and R2
Event Window (size : 5)
R1: Event is red.R2: Two events are red.
Event Window
Event Window
Event Window
e1e2
e3
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 5
![Page 22: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/22.jpg)
Esper: A Complex Event Processing EngineBasic Event Flow
e1e2e3
e4
R1
e5e6e7e8
R1 and R2
Event Window (size : 5)
R1: Event is red.R2: Two events are red.
Event WindowEvent Window
Event Window
e1e2e3
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 5
![Page 23: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/23.jpg)
EPLEvent Processing Language
Check for Timing Constraints:
1 SELECT ∗ FROM SomeIPPacket ( c l i e n t I D = id , methodID = x , se rv ice ID = y ) . win : leng th
( 1 ) as s1
2 WHERE NOT EXISTS
3 (SELECT ∗ FROM SomeIPPacket ( c l i e n t I D = id , methodID = x , se rv ice ID = y ) . win :
leng th ( 2 ) as s2
4 WHERE s2 . timestamp < s1 . timestamp − δ )
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 6
![Page 24: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/24.jpg)
EPLEvent Processing Language
Check for correct error behavior (no error is sent on a previous error):
1 SELECT ∗ FROM SomeIPPacket ( type = ERROR) . win : leng th ( 1 ) s1
2 WHERE NOT EXISTS
3 (SELECT ∗ FROM SomeIPPacket ( type = REQUEST OR type = NOTIFICATION OR . type =
REQUEST_NO_RETURN) . win : leng th (100) s2
4 WHERE s1 . serv ice ID = s2 . serv ice ID
5 AND s1 . methodID = s2 . methodID
6 AND s1 . request ID = s2 . request ID
7 AND s1 . s rc IP = s2 . ds t IP
8 AND s1 . ds t IP = s2 . s rc IP
9 AND s1 . srcMAC = s2 . dstMAC
10 AND s1 . dstMAC = s2 . srcMAC
11 AND s1 . s rcPor t = s2 . ds tPor t
12 AND s1 . ds tPor t = s2 . s rcPor t
13 AND s1 . timestamp > s2 . timestamp
14 AND s2 . timestamp < s1 . timestamp + δ )
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 7
![Page 25: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/25.jpg)
ResultsImplemented and Tested Rules
• Correct Error Behavior− No error is sent on another error− No error is sent on event type NOTIFICATION• Check for missing messages− No response is missing− No request is missing
• Disturbed Timing (given times for notification intervals)
• Malformed packets (wrong interface)
• No spoofed Client ID
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 8
![Page 26: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/26.jpg)
ResultsTime Comparison in Seconds - Single Rules
For evaluation, we generated a libpcap dump file containing 12.000 attacks, with a size of 122.4MBand containing around 1.49 million packets. The pure deserialization time is 4.18 seconds.
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 9
![Page 27: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/27.jpg)
ResultsTime Comparison in Seconds - Single Rules
0 5 10 15 20 25 30 35 40 45
Error On Error
Error On Event
Missing Response
Missing Request
Disturbed Timing
Wrong Interface
Spoofed Client-ID
Time in Seconds (s)
Error On Error Error On EventMissing
ResponseMissingRequest
DisturbedTiming
WrongInterface
Spoofed Client-ID
Total 5,54 5,41 38,43 9,98 4,67 4,45 6,21
Analysis 1,36 1,23 34,25 5,8 0,49 0,27 2,03
Total Analysis
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 9
![Page 28: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/28.jpg)
ResultsTime Comparison in 1000 Packets per Second - Single Rules
0 1000 2000 3000 4000 5000 6000
Error On Error
Error On Event
Missing Response
Missing Request
Disturbed Timing
Wrong Interface
Spoofed Client-ID
1000 Packtes per Second
Error On Error Error On EventMissing
ResponseMissingRequest
DisturbedTiming
WrongInterface
SpoofedClient-ID
kp/s Total 269 275 39 149 319 335 240
kp/s Analysis 1096 1211 44 257 3041 5519 734
kp/s Total kp/s Analysis
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 10
![Page 29: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/29.jpg)
ResultsTime Comparison in Second - Multiple Rules
0 10 20 30 40 50 60
Without Missing Response and Request
Without Missing Response
Without Missing Request
All Rules (measured)
All Rules (sum)
Time in Seonds
Without MissingResponse and
Request
Without MissingResponse
Without MissingRequest
All Rules (measured) All Rules (sum)
Total 9,77 16,29 47,05 57,13 49,61
Analysis 5,59 12,11 42,87 52,95 45,43
Total Analysis
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 11
![Page 30: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/30.jpg)
ResultsTime Comparison in 1000 Packets per Second - Multiple Rules
0 50 100 150 200 250 300
Without Missing Response and Request
Without Missing Response
Without Missing Request
All Rules (measured)
All Rules (sum)
1000 Packets per Seond
Without MissingResponse and
Request
Without MissingResponse
Without MissingRequest
All Rules (measured) All Rules (sum)
kp/s Total 153 91 32 26 30
kp/s Analysis 267 123 35 28 33
kp/s Total kp/s Analysis
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 12
![Page 31: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/31.jpg)
Conclusion• Identified possible attacks on SOME/IP
• Demonstrated that the simple, SQL-like language EPL can be used to express non-trivial checkson a stream of network packets
• Showed that the system is usable for testing implementations for rapid prototyping.
• Showed that the implemented system can only run a sub-set of rules for the aircraft cabin networkat line rate
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 13
![Page 32: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/32.jpg)
Questions?
Nadine Herold <[email protected]>
Source Code Available:
https://github.com/Egomania/SOME-IP_Generator
https://github.com/Egomania/SOME-IP_Analyzer
Feedback, experiences and improvements are welcome!
Acknowledgments: This work has been supported by the German Federal Ministry of Education and Research (BMBF)under support code 16KIS0145, project SURF.
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 14
![Page 33: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/33.jpg)
Back-Up
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 15
![Page 34: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/34.jpg)
Malformed Packets1 SELECT ∗ FROM SomeIPPacket . win : leng th ( 1 )
2 WHERE i n t e r f a c eV e rs i o n != INTERFACE
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 16
![Page 35: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/35.jpg)
Check of changed Client ID/IP assignment1 ON SomeIPPacket s MERGE cl ien tMapp ingIP cm
2 WHERE ( s . s rc IP in ( select c l i e n t _ i p from c l ien tMapp ingIP )
3 AND ( s . s rc IP in ( c l i e n t I P s ) )
4 AND ( s . s rc IP = cm. c l i e n t _ i p AND s . c l i e n t I D != cm. c l i e n t _ i d ) )
5 WHEN MATCHED THEN
6 UPDATE SET cm. c l i e n t _ i d = s e t C l i e n t I D ( s )
7 WHEN NOT MATCHED
8 AND s . s rc IP not in ( select c l i e n t _ i p from c l ien tMapp ingIP )
9 AND s . s rc IP in ( c l i e n t I P s ) THEN
10 INSERT into c l ien tMapp ingIP select s . s rc IP as c l i e n t _ i p , s . c l i e n t I D as
c l i e n t _ i d
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 17
![Page 36: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/36.jpg)
Check for correct error behavior1 SELECT ∗ FROM SomeIPPacket ( type = ERROR) . win : leng th ( 1 ) s1
2 WHERE NOT EXISTS
3 (SELECT ∗ FROM SomeIPPacket ( type = REQUEST OR type = NOTIFICATION OR . type =
REQUEST_NO_RETURN) . win : leng th (100) s2
4 WHERE s1 . serv ice ID = s2 . serv ice ID
5 AND s1 . methodID = s2 . methodID
6 AND s1 . request ID = s2 . request ID
7 AND s1 . s rc IP = s2 . ds t IP
8 AND s1 . ds t IP = s2 . s rc IP
9 AND s1 . srcMAC = s2 . dstMAC
10 AND s1 . dstMAC = s2 . srcMAC
11 AND s1 . s rcPor t = s2 . ds tPor t
12 AND s1 . ds tPor t = s2 . s rcPor t
13 AND s1 . timestamp > s2 . timestamp
14 AND s2 . timestamp < s1 . timestamp + δ )
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 18
![Page 37: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/37.jpg)
Check for missing request1 SELECT ∗ FROM SomeIPPacket ( type = RESPONSE) . win : leng th ( 1 ) s1
2 WHERE NOT EXISTS (
3 SELECT ∗ FROM SomeIPPacket ( type = REQUEST) . win : leng th (100) s2
4 WHERE (s1 corresponds to s2)
5 AND s1 . timestamp > s2 . timestamp
6 AND s2 . timestamp < s1 . timestamp + δ ) )
7 OR
8 ( (SELECT count (∗ ) from SomeIPPacket ( type = REQUEST) . win : leng th (50) s2
9 WHERE (s1 corresponds to s2)
10 AND s1 . timestamp > s2 . timestamp
11 AND s2 . timestamp < s1 . timestamp + δ )
12 =
13 (SELECT count (∗ ) from SomeIPPacket ( type = ERROR or type = RESPONSE) . win : leng th
(50) s2
14 WHERE (s1 equals s2)
15 AND s1 . timestamp > s2 . timestamp
16 AND s2 . timestamp < s1 . timestamp + δ
17 AND s2 . timestamp > minValue ) ) )
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 19
![Page 38: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/38.jpg)
Check for missing request (Helper Query)1 ON SomeIPPacket ( type = RESPONSE) as s1
2 SET minValue = (
3 SELECT min ( s . timestamp ) FROM SomeIPPacket ( type = REQUEST) . win : leng th (100) s
4 WHERE (s1 equals s2)
5 AND s1 . timestamp > s . timestamp
6 AND s . timestamp < s1 . timestamp + δ
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 20
![Page 39: Anomaly Detection for SOME/IP using Complex Event Processing · Anomaly Detection for SOME/IP using Complex Event Processing Chair of Network Architectures and Services TUM Department](https://reader033.vdocuments.us/reader033/viewer/2022041517/5e2be20ddc17374dd3200207/html5/thumbnails/39.jpg)
Check for Missing Response1 SELECT ∗ FROM
2 SomeIPPacket . win : leng th ( 1 ) s1 ,
3 SomeIPPacket . win : leng th ( 1 ) s2 ,
4 SomeIPPacket ( type = REQUEST) . win : leng th (100) s3
5 WHERE s1 . timestamp > s2 . timestamp
6 AND s3 . timestamp < ( s1 . timestamp − δ )
7 AND s3 . timestamp > ( s2 . timestamp − δ )
8 AND NOT EXISTS
9 (SELECT ∗ FROM SomeIPPacket ( type = RESPONSE OR type = ERROR) . win : leng th (50) s4
10 WHERE (s3 corresponds to s4)
11 AND s3 . timestamp < s4 . timestamp )
Nadine Herold (TUM) | DISSECT 2016 | Anomaly Detection for SOME/IP using Complex Event Processing 21