Anomaly detection for SOME/IP using complex event processing

Nadine Herold; Stephan A. Posselt; Oliver Hanka; Georg Carle

doi:10.1109/NOMS.2016.7502991

Anomaly detection for SOME/IP using complex event processing

Nadine Herold, Stephan A. Posselt, Oliver Hanka, Georg Carle

Informatics 8 - Chair of Network Architectures and Services

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

16 Scopus citations

Abstract

Recent developments favor the adoption of IP-based protocols in automotive and aerospace domains. The increased connectivity between components helps to cut costs and enables better re-use of standardized components. However, increased connectivity also increases the attack surface of the overall system and necessitates dedicated security solutions. This paper presents an anomaly detection system for SOME/IP, a standardized automotive middleware protocol. Within the system, Esper, a complex event processing engine, applies a domain-specific rule set to a stream of SOME/IP packets. Possible attacks and protocol violations on the SOME/IP protocol are identified, suitable rules for detection are presented, and finally, the performance of the system is evaluated.

Original language	English
Title of host publication	Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium
Editors	Sema Oktug Badonnel, Mehmet Ulema, Cicek Cavdar, Lisandro Zambenedetti Granville, Carlos Raniery P. dos Santos
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	1221-1226
Number of pages	6
ISBN (Electronic)	9781509002238
DOIs	https://doi.org/10.1109/NOMS.2016.7502991
State	Published - 30 Jun 2016
Event	2016 IEEE/IFIP Network Operations and Management Symposium, NOMS 2016 - Istanbul, Turkey Duration: 25 Apr 2016 → 29 Apr 2016

Publication series

Name	Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium

Conference

Conference	2016 IEEE/IFIP Network Operations and Management Symposium, NOMS 2016
Country/Territory	Turkey
City	Istanbul
Period	25/04/16 → 29/04/16

Access to Document

10.1109/NOMS.2016.7502991

Cite this

Herold, N., Posselt, S. A., Hanka, O., & Carle, G. (2016). Anomaly detection for SOME/IP using complex event processing. In S. O. Badonnel, M. Ulema, C. Cavdar, L. Z. Granville, & C. R. P. dos Santos (Eds.), Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium (pp. 1221-1226). Article 7502991 (Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/NOMS.2016.7502991

Herold, Nadine ; Posselt, Stephan A. ; Hanka, Oliver et al. / Anomaly detection for SOME/IP using complex event processing. Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium. editor / Sema Oktug Badonnel ; Mehmet Ulema ; Cicek Cavdar ; Lisandro Zambenedetti Granville ; Carlos Raniery P. dos Santos. Institute of Electrical and Electronics Engineers Inc., 2016. pp. 1221-1226 (Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium).

@inproceedings{27d53286a8f84f8c8cb8d0a677ccab35,

title = "Anomaly detection for SOME/IP using complex event processing",

abstract = "Recent developments favor the adoption of IP-based protocols in automotive and aerospace domains. The increased connectivity between components helps to cut costs and enables better re-use of standardized components. However, increased connectivity also increases the attack surface of the overall system and necessitates dedicated security solutions. This paper presents an anomaly detection system for SOME/IP, a standardized automotive middleware protocol. Within the system, Esper, a complex event processing engine, applies a domain-specific rule set to a stream of SOME/IP packets. Possible attacks and protocol violations on the SOME/IP protocol are identified, suitable rules for detection are presented, and finally, the performance of the system is evaluated.",

author = "Nadine Herold and Posselt, {Stephan A.} and Oliver Hanka and Georg Carle",

note = "Publisher Copyright: {\textcopyright} 2016 IEEE.; 2016 IEEE/IFIP Network Operations and Management Symposium, NOMS 2016 ; Conference date: 25-04-2016 Through 29-04-2016",

year = "2016",

month = jun,

day = "30",

doi = "10.1109/NOMS.2016.7502991",

language = "English",

series = "Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "1221--1226",

editor = "Badonnel, {Sema Oktug} and Mehmet Ulema and Cicek Cavdar and Granville, {Lisandro Zambenedetti} and {dos Santos}, {Carlos Raniery P.}",

booktitle = "Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium",

}

Herold, N, Posselt, SA, Hanka, O & Carle, G 2016, Anomaly detection for SOME/IP using complex event processing. in SO Badonnel, M Ulema, C Cavdar, LZ Granville & CRP dos Santos (eds), Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium., 7502991, Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium, Institute of Electrical and Electronics Engineers Inc., pp. 1221-1226, 2016 IEEE/IFIP Network Operations and Management Symposium, NOMS 2016, Istanbul, Turkey, 25/04/16. https://doi.org/10.1109/NOMS.2016.7502991

Anomaly detection for SOME/IP using complex event processing. / Herold, Nadine; Posselt, Stephan A.; Hanka, Oliver et al.
Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium. ed. / Sema Oktug Badonnel; Mehmet Ulema; Cicek Cavdar; Lisandro Zambenedetti Granville; Carlos Raniery P. dos Santos. Institute of Electrical and Electronics Engineers Inc., 2016. p. 1221-1226 7502991 (Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Anomaly detection for SOME/IP using complex event processing

AU - Herold, Nadine

AU - Posselt, Stephan A.

AU - Hanka, Oliver

AU - Carle, Georg

PY - 2016/6/30

Y1 - 2016/6/30

N2 - Recent developments favor the adoption of IP-based protocols in automotive and aerospace domains. The increased connectivity between components helps to cut costs and enables better re-use of standardized components. However, increased connectivity also increases the attack surface of the overall system and necessitates dedicated security solutions. This paper presents an anomaly detection system for SOME/IP, a standardized automotive middleware protocol. Within the system, Esper, a complex event processing engine, applies a domain-specific rule set to a stream of SOME/IP packets. Possible attacks and protocol violations on the SOME/IP protocol are identified, suitable rules for detection are presented, and finally, the performance of the system is evaluated.

AB - Recent developments favor the adoption of IP-based protocols in automotive and aerospace domains. The increased connectivity between components helps to cut costs and enables better re-use of standardized components. However, increased connectivity also increases the attack surface of the overall system and necessitates dedicated security solutions. This paper presents an anomaly detection system for SOME/IP, a standardized automotive middleware protocol. Within the system, Esper, a complex event processing engine, applies a domain-specific rule set to a stream of SOME/IP packets. Possible attacks and protocol violations on the SOME/IP protocol are identified, suitable rules for detection are presented, and finally, the performance of the system is evaluated.

UR - http://www.scopus.com/inward/record.url?scp=84979777182&partnerID=8YFLogxK

U2 - 10.1109/NOMS.2016.7502991

DO - 10.1109/NOMS.2016.7502991

M3 - Conference contribution

AN - SCOPUS:84979777182

T3 - Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium

SP - 1221

EP - 1226

BT - Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium

A2 - Badonnel, Sema Oktug

A2 - Ulema, Mehmet

A2 - Cavdar, Cicek

A2 - Granville, Lisandro Zambenedetti

A2 - dos Santos, Carlos Raniery P.

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2016 IEEE/IFIP Network Operations and Management Symposium, NOMS 2016

Y2 - 25 April 2016 through 29 April 2016

ER -

Herold N, Posselt SA, Hanka O, Carle G. Anomaly detection for SOME/IP using complex event processing. In Badonnel SO, Ulema M, Cavdar C, Granville LZ, dos Santos CRP, editors, Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium. Institute of Electrical and Electronics Engineers Inc. 2016. p. 1221-1226. 7502991. (Proceedings of the NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium). doi: 10.1109/NOMS.2016.7502991

Anomaly detection for SOME/IP using complex event processing

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this