University of Virginia  |  Engineering and Applied Sciences  |  Department of Civil and Environmental Engineering
Center of Transportation Studies

CTS News

Improving the Survivability of ITS

Virginia’s Smart Travel Laboratory investigates application level intrusion detection

- Brian L. Smith and Robert S. Sielken, March 2000

Intelligent transportation systems are being deployed around the world to improve the safety and efficiency of surface transportation through the application of advanced information technology. Many benefits of ITS have been documented over the past several years; however, the introduction of ITS does expose the transportation system to new vulnerabilities.

One very real risk that ITS introduces is that of a cyber attack. Attacking the transportation infrastructure can now be done by attacking ITS information systems in a manner similar to how hackers attempt to break into other information systems, such as those supporting the financial industry. For example, the attacker could conceivably gain access to the signal control system of a major metropolitan area and issue commands that set all the signals to flash. In this scenario, the attacker would likely not have to leave his/her office; this reduced cost barrier to carry out an attack admits many more people to the group of possible attackers.

Currently, the major national ITS initiative is to integrate individual ITS systems on a regional basis. Unfortunately, such integration may further increase the likelihood of cascading failures, in which a failure in one domain, such as an emergency services’ computer-aided dispatch system, carries over into other domains such as freeway management systems.

In the U.S., the Presidential Commission of Critical Infrastructure Protection produced a report detailing the vulnerabilities of vital infrastructures including surface transportation. Presidential Decision Directive 63 was the President’s response to the PCCIP report, further illustrating that this issue is current and not one that should be postponed.

Information system survivability, which can be defined as the capability of a system to fulfill its mission in a timely manner in the presence of attacks, failures or accidents, is an area of great activity.

In order to ensure that ITS fulfills its potential, it is imperative that those implementing such systems design them to be survivable. While total survivability may not be achievable in a world full of infinite possibilities for disaster, survivability can be greatly increased with some conscientious effort.

The Virginia Smart Travel Laboratory, an ITS research facility of the University of Virginia and the Virginia Transportation Research Council, is a leader in conducting research at the interface between innovative information technology and transportation. Recently, researchers in the Smart Travel Laboratory completed a study examining the critical issue of ITS survivability.

State-of-the-practice in information system survivability

The most commonly used approaches to increasing the survivability of ITS include physical security, hardware redundancy and software/data backups.

An essential element of a survivable system that has not been adequately addressed to date is intrusion detection.

Intrusion detection seeks to identify individuals that have gained unauthorized access to a system as well as those with authorized access who are actually abusing the system. It involves determining that some entity, an intruder, has attempted to gain, or has gained, unauthorized access to the system.

Intruders are classified into two groups:

  • External intruders do not have any access to the system they attack; and
  • Internal intruders have some authority but seek to gain additional ability to take action without legitimate authorization.

Intrusion detection has traditionally been performed at the operating system (OS) level by comparing expected and observed system resource usage. OS intrusion detection systems (OS IDS) can only detect intruders, internal or external, who perform specific system actions in a specific sequence or those intruders whose behavior pattern statistically varies from the norm. Since internal intruders have some level of authorized access to the system, they could act within their bounds of authorization but may actually be abusing the system; detection of these abusers is extremely difficult because their actions may be legitimate under certain conditions.

This form of intrusion is significant, given that internal intruders are said to comprise at least 50% of intruders. Unfortunately, intrusion detection systems usually cannot detect such intruders’ actions because they are already legitimate users of the system. Therefore, current research has attempted to detect intrusions at the software application level.

OS intrusion detection

OS IDS that monitor the resource usage of the operating system and the network represent the state of the practice in information technology. Such approaches can only monitor the resource usage of applications and not the applications themselves. OS IDS typically obtain the values necessary to perform intrusion detection from the system’s existing audit records, and they can detect external and some internal intruders.

Currently, there are two basic approaches to intrusion detection. The first approach, known as anomaly detection, attempts to define and characterize correct static form and/or acceptable dynamic behavior of the system and then detect abnormal behavior by defining statistical relations.

The second approach, called misuse detection, involves characterizing known ways to penetrate a system, usually described as a pattern, and then monitoring for the pattern by defining rule-based relations. The pattern may be a static bit string, such as that of a virus, or a suspect sequence of events.

A number of intrusion detection systems have been built pairing both approaches. In some cases, they are combined in a complementary way in a single intrusion detector. There is a consensus in the community that both approaches continue to have value. Systems also apply these basic approaches to detect intrusions across a network of computers.

Intrusion in ETC

OS IDS have advanced since their inception; however, the rate of improvement in their effectiveness at detecting intrusions has probably decreased. Therefore, a significant change in the approach to intrusion detection is needed to further increase the effectiveness of the IDS.

Two questions were defined to guide the exploration of how the basic intrusion detection techniques, combined with additional knowledge of application semantics, can improve the effectiveness of intrusion detection in an electronic toll collection (ETC) system:

  • What types of intrusions can be detected by an ETC application intrusion detection system; and
  • How well can those intrusions be detected by an ETC application intrusion detection system?

Since the concept of intrusion detection at the application level is fairly new, there is a lack of established literature on the subject for use in answering these questions. Therefore, an example using ETC is used to illustrate the possible benefits of performing intrusion detection at the application level.

ETC system description

The goal of an ETC system is to expedite the toll collection process through the application of information technologies. The ETC system is comprised of numerous devices organized in a three-level hierarchy. At the lowest level are the individual toll booth lanes and the equipment installed in each lane. A collection of adjacent toll lanes comprises a toll plaza, the middle level in the hierarchy. The toll management center is the central control headquarters that manages all of the system’s toll plazas and performs central accounting operations. The toll management center is generally a single node and constitutes the highest level in the hierarchy.

Application intrusions

To detect intrusions at the application level, the relations based on observable entities that distinguish between normal and anomalous behaviors must be defined. Examples of observable entities in the context of the application include the value of a device reading, the value of a customer’s account, the number of accesses to a user account over some period of time and the frequency with which a system diagnostic process is activated.

One possible way to determine which relations are relevant for intrusion detection is to consider potential hazards (real-world harm) that could be caused by an intrusion of the system and find the relations that could possibly help detect those hazards. To begin determining potential hazards, generic threat categories were considered.

Below are six categories of threats that face an information system:

  • Denial of service attacks prevent the system from operating as intended by interrupting the system;
  • Disclosure involves attaining sensitive information such as ETC account or credit card numbers;
  • Manipulation attacks seek to modify the information in the system such as the information about a tractor-trailer’s contents;
  • Masqueraders attempt to pose as an authorized entity to perform activities for which the masquerader was not authorized;
  • Replay attacks involve retransmitting valid information under invalid circumstances such as taking a valid message from the correct time and sending it again at an invalid time; and
  • Repudiation occurs when a user of the system uses it, but then later denies that service was delivered.

These threats exist at many levels depending on the system. Threats may be specific to center, roadside and/or vehicle components of ITS. Attacks may focus on the hardware, operating system, network or application level of the system.

The threat categories described above were used to help derive specific hazards by providing different perspectives from which to consider penetrating the system. Within each specific hazard there are different methods by which to execute the intrusion that causes the hazard. After the specific hazards and their corresponding methods have been derived from the threat categories, the application-specific intrusion detection system designer can determine which of the possible relations could be used to detect each specific hazard.

The relations that could detect a specific hazard are considered for inclusion in the application-specific IDS, while the other relations are eliminated from consideration since they do not increase the effectiveness of the application-specific IDS.
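As an added example (not code from the Smart Travel Laboratory study), the following Python sketch shows what such application-level relations look like for an ETC system: it combines misuse-style rules (a replayed lane message, a device reading outside its physical range, an account value that does not change by exactly one toll, a transponder seen at two plazas too soon to have driven between them) with an anomaly-style threshold on accesses to one account per hour, i.e. both basic approaches described earlier. The event format, toll amount and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed thresholds (assumptions, not values from the article).
TOLL = 2.50                 # charge per passage, deducted from the account
MAX_ACCESSES_PER_HOUR = 20  # anomaly threshold on accesses to one account
MIN_PLAZA_TRAVEL_S = 600    # a vehicle cannot pass two plazas within 10 min
READING_RANGE = (0, 8)      # physical range of the lane's axle-count sensor


def detect(events):
    """Apply the relations to a chronologically ordered list of lane events.

    Each event is a dict: t (seconds), plaza, account, reading,
    balance_before, balance_after. Returns [(event_index, alert), ...]."""
    alerts = []
    last_seen = {}               # account -> (t, plaza) of its last passage
    accesses = defaultdict(list) # account -> timestamps in the sliding hour
    seen_msgs = set()            # (account, t, plaza) already processed
    for i, e in enumerate(events):
        key = (e["account"], e["t"], e["plaza"])
        # Replay: a valid lane message retransmitted a second time.
        if key in seen_msgs:
            alerts.append((i, "replay: duplicate message"))
            continue
        seen_msgs.add(key)
        # Manipulation: device reading outside what the sensor can produce.
        lo, hi = READING_RANGE
        if not lo <= e["reading"] <= hi:
            alerts.append((i, "manipulation: reading out of range"))
        # Manipulation: account value must drop by exactly one toll.
        if abs((e["balance_before"] - e["balance_after"]) - TOLL) > 1e-9:
            alerts.append((i, "manipulation: balance delta != toll"))
        # Masquerade/replay: same transponder at a different plaza too soon.
        prev = last_seen.get(e["account"])
        if prev and prev[1] != e["plaza"] and e["t"] - prev[0] < MIN_PLAZA_TRAVEL_S:
            alerts.append((i, "masquerade: impossible travel between plazas"))
        last_seen[e["account"]] = (e["t"], e["plaza"])
        # Anomaly: accesses to one account in the last hour exceed the norm.
        window = [t for t in accesses[e["account"]] if e["t"] - t < 3600]
        window.append(e["t"])
        accesses[e["account"]] = window
        if len(window) > MAX_ACCESSES_PER_HOUR:
            alerts.append((i, "anomaly: account access rate exceeded"))
    return alerts
```

Each rule corresponds to one of the observable entities listed above; an OS-level IDS sees none of them because the balance, reading and plaza are application data rather than system resource usage.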

After exploring the possibility of performing intrusion detection at the application level in ETC systems, key differences were identified between intrusion detection at the OS and application levels. It is these differences that make an application-specific IDS increase the overall effectiveness of intrusion detection as compared to a system with only an OS IDS. Based on this finding, it is clear that there is a need to commit resources to developing application-level IDS for the wide range of ITS.

The research efforts address areas of important concern regarding ITS information systems survivability. Given the importance of surface transportation to a region’s economy and the potential vulnerabilities introduced by ITS, it is imperative that further work be conducted to increase the survivability of ITS.

Brian L. Smith is assistant professor of civil engineering at the University of Virginia. Robert S. Sielken is a graduate research assistant, computer science at the University of Virginia.
