Detection of Injection Attacks in In-Vehicle Networks

Lotfi ben Othmane, Iowa State University
Lalitha Dhulipala, Iowa State University
Moataz Abdelkhalek, Iowa State University
Manimaran Govindarasu, Iowa State University
Nicholas Multari, Pacific Northwest National Laboratories

This is a draft manuscript of the article Ben Othmane, Lotfi, Lalitha Dhulipala, Moataz Abdelkhalek, Manimaran Govindarasu, and Nicholas Multari. "Detection of Injection Attacks in In-Vehicle Networks." (2019).


There have been several public demonstrations of attacks on connected vehicles showing the ability of an attacker to take control of a targeted vehicle by injecting messages into their Controller Area Network (CAN) bus. In this paper, using injected speed reading and Revolutions Per Minute (RPM) messages, we examined the ability of the Pearson correlation, the k-means clustering, and the Hidden Markov Model (HMM) techniques to differentiate ’no-attack’ and ’under-attack’ states of the given vehicle. We found that the Pearson correlation distinguishes the two states while the k-means fails to distinguish the two states and HMM can successfully detect attacks but may have a high false positive rate. In addition, we found that the HMM-based detection method, and the k-means clustering methods exhibit different capabilities to detect attacks on the speedometer and tachometer sensors. The results suggest using other features besides the data content of the CAN messages and integrate knowledge about how the Electronic Control Units (ECUs) collaborate in building effective techniques for the detection of injection of fabricated message attacks.