Abstract: Systems, apparatuses, and methods to identify an electronic control unit transmitting a message on a communication bus, such as an in-vehicle network bus, are provided. ECUs transmit messages by manipulating voltage on conductive lines of the bus. Observation circuitry can observe voltage transitions associated with the transmission at a point on the in-vehicle network bus. A domain bitmap can be generated from the observed voltage transitions. ECUs can be identified and/or fingerprinted based on the domain bitmaps.

Abstract: Systems, apparatuses, and methods to response to distinguish a ghost target from an actual target based on radar signals is provided. In particular, the disclosure provides an intrusion detection system adapted to receive radar signals and distinguish a potential ghost target from a legitimate target based on a signal to noise ratio of the radar signals and a range to the ghost target and the legitimate target.

Abstract: Techniques and screening messages based on tags in an automotive environment, such as, messages communicated via a communication bus, like the CAN bus. Messages can be tagged with either a binary or probabilistic tag indicating whether the message is fraudulent. ECUs coupled to the CAN bus can receive the messages and the message tags and can determine whether to fully consume the message based on the tag.

Abstract: Logic may implement observation layer intrusion detection systems (IDSs) to combine observations by intrusion detectors and/or other intrusion detection systems. Logic may monitor one or more control units at one or more observation layers of an in-vehicle network, each of the one or more control units to perform a vehicle function. Logic may combine observations of the one or more control units at the one or more observation layers. Logic may determine, based on a combination of the observations, that one or more of the observations represent an intrusion. Logic may determine, based at least on the observations, characteristics of an attack, and to pass the characteristics of the attack information to a forensic logging system to log the attack or pass the characteristics of the attack to a recovery system for informed selection of recovery procedures. Logic may dynamically adjust a threshold for detection of suspicious activity.

Abstract: Techniques include receiving a message with time information from a clock leader by a clock follower in a time-synchronized network (TSN), the time information to synchronize a clock to a network time for the TSN, retrieving an actual time offset value for the message, the actual time offset value to comprise a value between an actual sending time and an actual receiving time of the message, retrieving an estimated time offset value for the message, the estimated time offset value to comprise a value between an estimated sending time and an estimated receiving time of the message, the estimated time offset value generated using a physics-aware model of the TSN and a clock adjustment value for the clock based on the time information, and determining whether the time information for the message was modified to cause the clock to desynchronize based on difference information. Other embodiments are described and claimed.

Abstract: Techniques include receiving a message with time information at an ingress queue for an ingress interface of an intrusion detection system (IDS), the IDS to monitor a network node of a time-synchronized network (TSN), generating an entrance timestamp for the message, the entrance timestamp to comprise a time value representing when the message is received at the ingress queue of the ingress interface of the IDS, inspecting the message for indications of a security attack by the IDS, generating an exit timestamp for the message, the exit timestamp to comprise a time value representing when the message is received at an egress queue of an egress interface of the IDS, and generating an inspection time interval associated with the IDS, the inspection time interval to represent a time interval between the entrance timestamp and the exit timestamp for the message while transiting the IDS. Other embodiments are described and claimed.

Abstract: A device includes a sensor, configured to detect electromagnetic radiation originating from a source external to the device and reflected from an object; and to generate an electrical signal representing the detected electromagnetic radiation; and a processor, configured to determine a distance between the device and the object based on the electrical signal.

Abstract: Systems, apparatuses, and methods to response to distinguish a ghost target from an actual target based on radar signals and ranges determined from the radar signals. In particular, the disclosure provides an intrusion detection system receiving ranges and velocities for targets detected based on radar signals, determining a potential ghost target from the received velocities and confirming the potential ghost target based on estimated ranges and perturbations of the vehicle speed.

Abstract: Various systems and methods for bus-off attack detection are described herein. An electronic device for bus-off attack detection and prevention includes bus-off prevention circuitry coupled to a protected node on a bus, the bus-off prevention circuitry to: detect a transmitted message from the protected node to the bus; detect a bit mismatch of the transmitted message on the bus; suspend further transmissions from the protected node while the bus is analyzed; determine whether the bit mismatch represents a bus fault or an active attack against the protected node; and signal the protected node indicating whether a fault has occurred.

Abstract: Systems, apparatuses, and methods to response to detected attacks in an autonomous system based on context of the autonomous system are described. In particular, the disclosure provides an intrusion detection system receiving contexts and contracts dictating particular response guide rails from a higher level components or stack on the autonomous system. The intrusion detection system is arranged to respond to attacks according to the contract without intervention by the higher level components or stack.

Abstract: Techniques include an apparatus to retrieve a first parameter for the IDS to monitor a device for a time-synchronized network. The first parameter may represent a number of messages the IDS needs to analyze in order to detect a security attack. The messages may comprise time information to synchronize a clock for a device to a network time for a time-synchronized network. The processor circuitry may retrieve a second parameter for a time sensitive application. The second parameter may represent a defined amount of time error tolerated by the time sensitive application, and determine a third parameter for the IDS based on the first and second parameters. The third parameter may represent a defined frequency to receive a number of messages with time information in order to detect the security attack on the device within a defined time interval. Other embodiments are described and claimed.

Abstract: An apparatus for clock manager redundancy comprises a clock circuitry to manage a clock for a device; a first processing circuitry coupled to the clock circuitry to execute instructions to perform operations for a clock manager, the clock manager to receive messages with time information for a network and generate clock manager control information to adjust the clock to a network time for the network; a hardened execution environment coupled to the clock circuitry and the first processing circuitry, the hardened execution environment to comprise: a detector to monitor the clock manager and generate an alert when the detector identifies abnormal behavior of the clock manager; and a second processing circuitry to execute instructions to perform operations for a redundant clock manager, the redundant clock manager to take over operations for the clock manager in response to the alert from the detector. Other embodiments are described and claimed.

Abstract: Systems, apparatuses, and methods to mitigate effects of glitch attacks on a broadcast communication bus are provided. The voltage levels of the communication bus are repeatedly sampled to identify glitch attacks. The voltage level on the communication bus can be overdriven or overwritten to either corrupt received messages or correct received messages.

Abstract: Various embodiments are generally directed to providing authentication and confidentiality mechanisms for message communication over an in-vehicle network. For example, authentication data associated with a communicating node may be transmitted over the network by encoding different predefined voltage levels on top of the message bits of the message being communicated. Different voltage levels may represent different encodings, such as a bit-pair or any bit combination of the authentication data. In a further example, messaging confidentiality between at least two communicating nodes may be achieved by pseudo-randomly flipping, or scrambling, the dominant and recessive voltages of the entire message frame at the analog level based on a pseudo-random control bit sequence.

Abstract: Systems, apparatus, methods, and techniques for reporting an attack or intrusion into an in-vehicle network are provided. The attack can be broadcast to connected vehicles over a vehicle-to-vehicle network. The broadcast can include an indication of a sub-system involved in the attack and can include a request for assistance in recovering from the attack. Connected vehicles can broadcast responses over the vehicle-to-vehicle network. The responses can include indications of data related to the compromised sub-system. The vehicle can receive the responses and can use the responses to recover from the attack, such as, estimate data.

Abstract: Systems, apparatus, methods, and techniques for an ego vehicle to respond to detecting misbehaving information from remote vehicles are provided. An ego vehicle, in addition to reporting misbehaving vehicles to a misbehavior authority via a vehicle-to-anything communication network, can, take additional actions based in part on how confident the ego vehicle is about the evidence of misbehavior. Where the confidence is high the ego vehicle can simply discard the misbehaving data and provide an alternative estimate for such data from alternative sources. Where the confidence is not high the ego vehicle can request assistance from neighboring vehicles and roadside units to provide independent estimates of the data to increase confidence in the evidence of misbehavior.

Abstract: Systems, apparatus, methods, and techniques for functional safe execution of encryption operations are provided. A fault tolerant counter and a complementary pair of encryption flows are provided. The fault tolerant counter may be based on a gray code counter and a hamming distance checker. The complementary pair of encryption flows have different implementations. The output from the complementary pair of encryption flows can be compared, and where different, errors generated.

Abstract: Systems, apparatuses, and methods to establish a mapping between message identifications for messages transmitted on a communication bus and electronic control units transmitting the messages is provided. In particular, retransmission of a low priority message onto the bus is forced such that the retransmitted low priority message overlaps with a higher priority message to determine whether the messages originated from the same ECU.

Abstract: Various embodiments are generally directed to techniques for providing improved privacy protection against vehicle tracking for connected vehicles of a vehicular network. For example, at least one road side unit may: identify a set of vehicles that require pseudonym changes and send an invitation for a pseudonym change event to each of the vehicles, determine at least a total number of the acceptances, determine whether the total number meets or exceeds a predetermined threshold number, send acknowledgement messages to the accepting vehicles if the threshold number is met, and form a vehicle group to coordinate the pseudonym change event during a privacy period. During the privacy period, the RSU and the vehicles may communicate with each other in a confidential and private manner via key-session-based unicast transmission, and coordinate transmission power and vehicle trajectory adjustments to maximize the benefits for safety and obfuscation for privacy.

Abstract: Systems, apparatuses, and methods to establish ground truth for an intrusion detection system using machine learning models to identify an electronic control unit transmitting a message on a communication bus, such as an in-vehicle network bus, are provided. Voltage signatures for overlapping message identification (MID) numbers are collapsed and trained on a single ECU label.