Panasonic develops automotive intrusion detection and prevention system
Panasonic Corp. announced that it has developed an automotive intrusion detection and prevention system as a cyber security countermeasure for autonomous and connected cars. The company says the system makes it possible to collect information on evolving attacks on the cloud side, detect those attacks by distributing updated countermeasure rules to the vehicles, and discard and disable the attacks using the prevention system.
The system has the following features:
1. Detects intrusions from the Internet at an early stage of an attack, and intrusions into the in-vehicle network as a second step.
The in-vehicle device-type host intrusion detection technology detects intrusions from the Internet, which are the early stage of an attack, and can be installed on Internet-connected devices such as in-vehicle infotainment and telematics communication units. In addition to identifying attacks from the logs obtainable from an OS such as Linux and from various other security functions, the system can also detect attacks by combining multiple types of behavioral information.
2. In addition to CAN, the system also supports Ethernet, which is expected to spread as an in-vehicle network in the future, enabling comprehensive detection of intrusions across the entire vehicle.
The CAN intrusion detection technology detects intrusions into CAN communication, which is the second stage of an attack, and can be installed on CAN-connected devices (ECUs). CAN monitoring comes in two types: 1) a CAN filter that filters unauthorized CAN commands received by the ECU on which it is installed, and 2) CAN monitoring that detects unauthorized commands by monitoring all CAN buses to which that ECU is connected. Whether a command is unauthorized is judged by taking various vehicle conditions into account, so false positives can be reduced under specific conditions. Detection is performed for each individual command, which allows real-time prevention after detection.
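As an added illustration of the CAN filter behaviour described above (example code, not Panasonic's implementation): a per-frame filter that combines a hypothetical allowlist with vehicle-state context, here a constructed rule that a door-unlock command is only plausible while the vehicle is stationary, so the same command is accepted when stopped but discarded while moving. CAN IDs, the payload layout and the timings are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:
    ts_ms: int    # receive time in milliseconds
    can_id: int   # 11-bit CAN identifier
    data: bytes   # payload, up to 8 bytes

# Hypothetical allowlist: nominal period per ID plus an optional context rule.
SPEED_ID, UNLOCK_ID = 0x1A0, 0x2F0
RULES = {
    SPEED_ID: {"period_ms": 10},
    UNLOCK_ID: {"period_ms": 100, "needs_stationary": True},
}

@dataclass
class CanFilter:
    speed_kph: int = 0                      # vehicle state tracked from the bus
    last_seen: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)
    def check(self, f: Frame) -> bool:
        """Per-frame verdict: True = forward to the ECU, False = discard."""
        rule = RULES.get(f.can_id)
        if rule is None:
            return self._reject(f, "unknown CAN ID")
        # A frame arriving far faster than its nominal period suggests injection.
        prev = self.last_seen.get(f.can_id)
        if prev is not None and f.ts_ms - prev < rule["period_ms"] // 2:
            return self._reject(f, "period violation")
        # Context rule: an unlock command is only plausible while stationary.
        if rule.get("needs_stationary") and self.speed_kph > 0:
            return self._reject(f, f"unlock while moving ({self.speed_kph} km/h)")
        self.last_seen[f.can_id] = f.ts_ms
        if f.can_id == SPEED_ID:
            self.speed_kph = f.data[0]      # constructed layout: byte 0 = km/h
        return True

    def _reject(self, f: Frame, reason: str) -> bool:
        self.alerts.append((f.ts_ms, hex(f.can_id), reason))
        return False

def run(frames):
    # Filter a whole trace; returns (forwarded frames, alerts raised).
    flt = CanFilter()
    forwarded = [f for f in frames if flt.check(f)]
    return forwarded, flt.alerts

# Constructed bus trace: an unlock injected at 50 km/h, a flooded speed frame, and an unknown ID.
SAMPLE = [Frame(0, SPEED_ID, b"\x00"), Frame(10, SPEED_ID, b"\x32"),
          Frame(12, UNLOCK_ID, b"\x01"), Frame(20, SPEED_ID, b"\x32"),
          Frame(22, SPEED_ID, b"\x00"), Frame(30, 0x7FF, b"\x00")]
```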
The in-vehicle device-type Ethernet intrusion detection technology detects intrusions into Ethernet communication, which is also a second stage of an attack, and can be installed on Ethernet-connected devices (ECUs). An Ether filter removes unauthorized Ethernet frames received or intercepted by the ECU on which it is installed. The system combines an overlook method, a lightweight check that classifies commands by analyzing frame headers, with a detailed method, a higher-load inspection that can determine unauthorized commands accurately. Combining the two methods allows flexible detection.
3. By collecting information from multiple vehicles in the cloud, the system can detect attacks before they are identified as true security incidents.
The cloud-type vehicle intrusion detection technology uses machine learning to analyze the large volume of logs collected from the in-vehicle devices of multiple vehicles, and is deployed in the cloud. In use, a pre-trained in-vehicle network model automatically narrows down the logs that may represent potential security risks, and attack analysts then examine only the selected logs. By linking with the various in-vehicle device-type intrusion detection technologies, it is possible to identify signs of attacks before they are identified as true security incidents.
In summary, the system consists of a vehicle-installed “monitoring module” and a “monitoring cloud” linked to it. The monitoring module monitors the entire vehicle based on the monitoring rules. With the new system, once attacks that existing monitoring modules cannot detect are discovered, the system can prevent them by updating the monitoring rules from the monitoring cloud, which helps maintain safety even after the vehicle is on the market. Also, by identifying signs of attacks before they are identified as true security incidents, countermeasures can be implemented in advance to minimize the effects of attacks.