There have been several public demonstrations of attacks on connected vehicles showing the ability of an attacker to take control of a targeted vehicle by injecting messages into their Controller Area Network (CAN) bus. In this paper, using injected speed reading and Revolutions Per Minute (RPM) messages, we examined the ability of the Pearson correlation, the k-means clustering, and the Hidden Markov Model (HMM) techniques to differentiate ’no-attack’ and ’under-attack’ states of the given vehicle. We found that the Pearson correlation distinguishes the two states while the k-means fails to distinguish the two states and HMM can successfully detect attacks but may have a high false positive rate. In addition, we found that the HMM-based detection method, and the k-means clustering methods exhibit different capabilities to detect attacks on the speedometer and tachometer sensors. The results suggest using other features besides the data content of the CAN messages and integrate knowledge about how the Electronic Control Units (ECUs) collaborate in building effective techniques for the detection of injection of fabricated message attacks.
Available at: http://works.bepress.com/lotfi-benothmane/5/