Abstract
Handcrafted rule-based intrusion detection systems tend to overlook sophisticated intrusions due to unexpected cyberattacker behaviors or human error in analyzing complex control flows. Current machine learning systems, mostly based on artificial neural networks, have the inherent problem that models cannot be verified since the decisions depend on probabilities. To bridge the gap between handcrafted rule systems and probability-based systems, our approach uses genetic programming to generate rules that are verifiable, in the sense that one can confirm that the extracted pattern matches a known attack. The RulEth rules language is designed to be predictive of a packet window, which allows the system to detect anomalies in message flow. Alerts are enriched to include the root cause about the characterization as an anomalous event, which in turn supports decisions to trigger countermeasures. Although the attacks examined in this work are far more complex than those considered in most other works in the automotive domain, our results show that most of the attacks examined can be well identified. By being able to evaluate each rule generated separately, the rules that are not working effectively can be sorted out, which improves the robustness of the system. Furthermore, using design flaws found in a public dataset, we demonstrate the importance of verifiable models for reliable systems.
R. Rieke—Independent researcher.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Upstream: 2023 global automotive cybersecurity report (2023). https://upstream.auto/reports/global-automotive-cybersecurity-report/. Accessed 19 June 2023
Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: IEEE Symposium on Security and Privacy 2010, pp. 305–316 (2010)
Lundberg, H.: Increasing the trustworthiness of AI-based in-vehicle ids using explainable AI. Master’s thesis, Mid Sweden University (2022)
Rastogi, N., Rampazzi, S., Clifford, M., Heller, M., Bishop, M., Levitt, K.: Explaining radar features for detecting spoofing attacks in connected autonomous vehicles (2022). https://arxiv.org/abs/2203.00150
European Commission: Directorate-General for Communications Networks, Content and Technology, Ethics guidelines for trustworthy AI. Publications Office (2019)
Matheus, K., Königseder, T.: Automotive Ethernet. Cambridge University Press, Cambridge (2021)
AUTOSAR: Some/IP protocol specification (2016). https://www.autosar.org/fileadmin/standards/foundation/1-4/AUTOSAR_PRS_SOMEIPProtocol.pdf. Accessed 31 Mar 2023
AUTOSAR: Autosar partnership (2022). https://www.autosar.org/. Accessed 31 Mar 2023
Iorio, M., Buttiglieri, A., Reineri, M., Risso, F., Sisto, R., Valenza, F.: Protecting in-vehicle services: security-enabled some/IP middleware. IEEE Veh. Technol. Mag. 15(3), 77–85 (2020)
Kreissl, J.: Absicherung der some/IP kommunikation bei adaptive autosar. Master’s thesis, University of Stuttgart (2017)
Perrig, A., Canetti, R., Tygar, J.D., Song, D.: The tesla broadcast authentication protocol. RSA Cryptobytes 5(2), 2–13 (2002)
Zelle, D., Kern, D., Lauser, T., Kraus, C.: Analyzing and securing some/IP automotive services with formal and practical methods. In: 4th International Conference on Availability, Reliability and Security (ARES). ACM (2021)
Yu, J., Wagner, S., Wang, B., Luo, F.: A systematic mapping study on security countermeasures of in-vehicle communication systems, arXiv preprint arXiv:2105.00183 (2021)
Herold, N.: Incident handling systems with automated intrusion response. Ph.D. dissertation, Technische Universität München (2017)
Gehrmann, T., Duplys, P.: Intrusion detection for some/IP: challenges and opportunities. In: 2020 23rd Euromicro Conference on Digital System Design (DSD), pp. 583–587. IEEE (2020)
Li, W.: Using genetic algorithm for network intrusion detection. In: Proceedings of the United States Department of Energy Cyber Security Group, vol. 1, pp. 1–8 (2004)
Gong, R.H., Zulkernine, M., Abolmaesumi, P.: A software implementation of a genetic algorithm based approach to network intrusion detection. In: Sixth International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing and First ACIS International Workshop on Self-Assembling Wireless Network, pp. 246–253 (2005)
Song, D., Heywood, M.I., Zincir-Heywood, A.N.: A linear genetic programming approach to intrusion detection. In: Cantú-Paz, E., et al. (eds.) GECCO 2003. LNCS, vol. 2724, pp. 2325–2336. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-45110-2_125
Gómez, J., Gil, C., Baños, R., Márquez, A.L., Montoya, F.G., Montoya, M.G.: A pareto-based multi-objective evolutionary algorithm for automatic rule generation in network intrusion detection systems. Soft Comput. 17(2), 255–263 (2013)
Rastegari, S., Hingston, P., Lam, C.-P.: Evolving statistical rulesets for network intrusion detection. Appl. Soft Comput. 33, 348–359 (2015)
Buschlinger, L., Rieke, R., Sarda, S., Krauß, C.: Decision tree-based rule derivation for intrusion detection in safety-critical automotive systems. In: 2022 30th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP), pp. 246–254 (2022)
Roesch, M., et al.: Snort: lightweight intrusion detection for networks. Lisa 99(1), 229–238 (1999)
Alkhatib, N., Ghauch, H., Danger, J.-L.: Some, IP intrusion detection using deep learning-based sequential models in automotive ethernet networks. In: IEEE 12th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON) 2021, pp. 0954–0962 (2021)
Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)
Hussain, A., Heidemann, J., Papadopoulos, C.: A framework for classifying denial of service attacks. In: Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 99–110 (2003)
Zdun, U., Strembeck, M.: Reusable architectural decisions for DSL design: foundational decisions in DSL development. In: 14th European Conference on Pattern Languages of Programs (EuroPLoP) (2009)
Anonimized: Additional paper resources (2023). https://anonymous.4open.science/r/ruleth-paper-resources-8D62. Accessed 30 Mar 2023
UN Regulation No. 156: Uniform provisions concerning the approval of vehicles with regards to software update and software updates management system. United Nations (2021). https://unece.org/sites/default/files/2021-03/R156e.pdf. Accessed 31 Mar 2023
Koza, J.R.: Non-linear genetic algorithms for solving problems. United States Patent 4935877, 19 June 1990, filed may 20, 1988, issued June 19, 1990, 4,935,877. Australian patent 611,350 issued 21 September 1991. Canadian patent 1,311,561 issued 15 December 1992
Python Software Foundation: Python3 (2022). https://www.python.org/. Accessed 31 Mar 2023
De Rainville, F.-M., Fortin, F.-A., Gardner, M.-A., Parizeau, M., Gagné, C.: Deap: a python framework for evolutionary algorithms. In: Proceedings of the 14th Annual Conference Companion on Genetic and Evolutionary Computation, pp. 85–92 (2012)
Koza, J.R.: Genetic Programming: On the Programming of Computers by Means of Natural Selection, vol. 1. MIT Press, Cambridge (1992)
Fenzl, F., Rieke, R., Dominik, A.: In-vehicle detection of targeted can bus attacks. In: The 16th International Conference on Availability, Reliability and Security, pp. 1–7 (2021)
Eclipse: Xtend (2022). https://www.eclipse.org/xtend. Accessed 31 Mar 2023
seladb. Pcapplusplus (2022). https://pcapplusplus.github.io/. Accessed 31 Mar 2023
Granberg, N.: Evaluating the effectiveness of free rule sets for snort. Master’s thesis, Linköping University, Department of Computer and Information Science, Database and Information Techniques (2022)
Independent High-Level Expert Group on Artificial Intelligence: Ethics guidelines for trustworthy AI. European Commission (2019). https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=60419. Accessed 31 Mar 2023
Acknowledgements
This work has been partly funded by the German Federal Ministry of Education and Research and the Hessen State Ministry for Higher Education, Research and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE and by the BMBF project FINESSE (ID 16KIS1586) and has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 883135 (E-CORRIDOR).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Ethics declarations
Ethical Discussion
In this paper we present RulEth, a Genetic Programming based solution to generate security rules with the ability to detect attacks based on the packet flow. During the design process, we followed the seven key requirements derived by the European ethics guidelines for trustworthy AI [37], namely (1) human agency and oversight, (2) technical robustness and safety, (3) privacy and data governance, (4) transparency, (5) diversity, non-discrimination and fairness, (6) environmental and societal well-being and (7) accountability. In fact, one major research goal was to improve the current state of human agency, transparency, and accountability in intrusion detection systems.
Human Agency and Oversight. Human Agency is coupled tightly with the developed architecture, as a human-in-the-loop can interact with each step of the rule generation process, and hold back, improve or generate self-written rules as measures of quality control for the generated model.
Technical Robustness and Safety. In order to maintain the confidentiality and safety of the system, adherence to UN regulation R156 [28] is required for uploading logs to the backend and provisioning new rules. The traffic logging module within the vehicle must be secured using trusted computing and authenticated with the backend. Furthermore, the backend must operate within a secure environment.
Privacy and Data Governance. In order to ensure data governance, we envision the sharing of logs from a users vehicle to be optional, verifying informed consent. Additionally, the privacy of shared data is reached during the aggregation phase. Attacks should not depend on personal information like GPS coordinates, therefore the data can be anonymized.
Transparency. The design focuses around transparency, as rules are explainable and easy to understand through the use of a Domain Specific Language. Alerts generated by the system contain the rule and packets responsible for the decision, ensuring traceability.
Diversity, Non-Discrimination and Fairness. We try to mitigate unfair bias by using a blacklist approach, denying only communications that exactly match an anomaly pattern.
Environmental and Societal Well-Being. The goal of the system is to detect anomalies in the packet flow, we do not see the risk of a negative impact on the society. The detection of anomalies using rules is lightweight, minimizing a negative environmental impact.
Accountability. The proposed rule-generation mechanism together with the human approval of the rules facilitate the system’s auditability and traceability, as well as logging and documentation of the AI system’s processes and outcomes.
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Gail, F.C., Rieke, R., Fenzl, F. (2023). RulEth: Genetic Programming-Driven Derivation of Security Rules for Automotive Ethernet. In: De Francisci Morales, G., Perlich, C., Ruchansky, N., Kourtellis, N., Baralis, E., Bonchi, F. (eds) Machine Learning and Knowledge Discovery in Databases: Applied Data Science and Demo Track. ECML PKDD 2023. Lecture Notes in Computer Science(), vol 14175. Springer, Cham. https://doi.org/10.1007/978-3-031-43430-3_12
Download citation
DOI: https://doi.org/10.1007/978-3-031-43430-3_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-43429-7
Online ISBN: 978-3-031-43430-3
eBook Packages: Computer ScienceComputer Science (R0)
