An Evaluation Framework for Intrusion Prevention Systems on Serial Data Bus Networks
Matthew Rogers and Kasper Rasmussen
Serial data bus networks are a crucial and vulnerable part of modern vehicles and weapons systems. Growing concern over these networks is increasing demand for intrusion prevention systems (IPSes) that stop attacks rather than merely detecting them with an intrusion detection system (IDS). Care must be taken to avoid the IPS itself becoming a de facto attacker. A defender needs to understand which attacks their IPS can safely prevent and how an attacker might circumvent their system. To enable this understanding, we propose a protocol-agnostic evaluation framework which: determines the viability of an IPS for different attack vectors, scores the suitability of an IDS for powering an IPS against certain attacks, and scores the efficacy of the IDS itself against those same attacks. With our framework we analyze IDS and IPS technologies for the CAN and MIL-STD-1553 serial data bus networks. These case studies demonstrate how a defender can use our framework to identify limitations in their IDS, while directing the aspects of the IDS that work best towards safely powering an IPS. Our framework allows a defender to approach any potential security system fully aware of its limitations and of how well it serves their own threat model.