Modern vehicles house many advanced components; sensors and Electronic Control Units (ECUs) — now numbering in the 100s. These components provide various advanced safety, comfort and infotainment features, but they also introduce additional attack vectors for malicious entities. Attackers can compromise one or more of these sensors and flood the vehicle’s internal network with fake sensor values. Falsified sensor values can confuse the driver, and even cause the vehicle to misbehave. Redundancy can be used to address compromised sensors, but adding redundant sensors will increase the cost per vehicle and is therefore less attractive.
To balance the need for security and cost-efficiency, we exploit the natural redundancy found in vehicles. Natural redundancy occurs when the same physical phenomenon causes symptoms in multiple sensors. For instance, pressing the accelerator pedal will cause the engine to pump faster and increase the speed of the vehicle. Engine RPM and vehicle speed are multiple sensors which respond in a related fashion to the same cause of the accelerator pedal. The challenge is identifying the relationship between similar but different sensors under normal operation and detecting anomalous be-havior accurately.
In this paper, we develop the tools to capture the relationship between sensors. Specifically, we use the pairwise correlation between key variables, and use cluster-analysis to identify distinct behavior of drivers. Moreover, we show preliminary results of using these tools to detect attacks within a vehicular communication bus.