There have been several public demonstrations of attacks on connected vehicles showing the ability of an attacker to take control of a targeted vehicle by injecting messages into their CAN bus. In this paper, using injected speed reading and RPM reading messages in in-motion vehicle, we examine the ability of the Pearson correlation and the unsupervised learning methods k-means clustering and HMM to differentiate 'no-attack' and 'under-attack' states of the given vehicle. We found that the Pearson correlation distinguishes the two states, the k-means clustering method has an acceptable accuracy but high false positive rate and HMM detects attacks with acceptable detection rate but has a high false positive in detecting attacks from speed readings when there is no attack. The accuracy of these unsupervised learning methods are comparable to the ones of the supervised learning methods used by CAN bus IDS suppliers. In addition, the paper shows that studying CAN anomaly detection techniques using off-vehicle test facilities may not properly evaluate the performance of the detection techniques. The results suggest using other features besides the data content of the CAN messages and integrate knowledge about how the ECU collaborate in building effective techniques for the detection of injection of fabricated message attacks.
Available at: http://works.bepress.com/lotfi-benothmane/10/
This is a manuscript of an article published as ben Othmane, Lotfi, Lalitha Dhulipala, Nicholas Multari, and Manimaran Govindarasu. "On the Performance of Detecting Injection of Fabricated Messages into the CAN Bus." IEEE Transactions on Dependable and Secure Computing (2020). DOI: 10.1109/TDSC.2020.2990192. Posted with permission.