Correlation Scaling Attack and Its Covariance-Based Mitigation in Controller Area Network

Modern vehicles rely on in-vehicle network protocols such as Controller Area Network (CAN) protocol, but these protocols were designed without encryption or authentication. Therefore, the vehicles are exposed to cyber attacks. Motion-based Intrusion Detection Systems (MIDSs) exploit correlation between physically related signals to detect attacks. However, we show that MIDSs are vulnerable, because correlation coefficient is invariant to positive linear scaling. Hence, an adversary may manipulate a signal while keeping its correlation high. In this paper, we propose a Correlation Scaling Attack (CSA) that forges wheel speed signals by scaling their original value while keeping the temporal trend consistent with the other signal. We analyze that correlation coefficient remains unchanged when the signal is forged. Consequently, the CSA evades conventional MIDSs. To mitigate this limitation of MIDS, we exploit covariance between two signals as a complementary indicator, since covariance provides magnitude information. We evaluate the proposed attack and defense mechanism using CAN log data collected from a real vehicle. Experimental results verify the effectiveness of CSA, and we demonstrate that CSA can be detected by observing covariance between two signals. Our research not only indicates that the CSA is a significant threat to cars, but provides a feasible mitigation exploiting the covariance.