Assessing the Resilience of Automotive Intrusion Detection Systems to Adversarial Manipulation

TL;DR

This paper investigates the vulnerability of automotive intrusion detection systems to gradient-based adversarial attacks across different knowledge scenarios, highlighting factors influencing attack success and real-time feasibility.

Contribution

It extends previous work by analyzing attack effectiveness under white-box, grey-box, and black-box conditions against state-of-the-art automotive IDSs using real datasets.

Findings

Attack success varies with attacker knowledge level.

Dataset quality and IDS type influence attack effectiveness.

Real-time attack payload precomputation is feasible.

Abstract

The security of modern vehicles has become increasingly important, with the controller area network (CAN) bus serving as a critical communication backbone for various Electronic Control Units (ECUs). The absence of robust security measures in CAN, coupled with the increasing connectivity of vehicles, makes them susceptible to cyberattacks. While intrusion detection systems (IDSs) have been developed to counter such threats, they are not foolproof. Adversarial attacks, particularly evasion attacks, can manipulate inputs to bypass detection by IDSs. This paper extends our previous work by investigating the feasibility and impact of gradient-based adversarial attacks performed with different degrees of knowledge against automotive IDSs. We consider three scenarios: white-box (attacker with full system knowledge), grey-box (partial system knowledge), and the more realistic black-box (no knowledge of the IDS' internal workings or data). We evaluate the effectiveness of the proposed attacks against state-of-the-art IDSs on two publicly available datasets. Additionally, we study effect of the adversarial perturbation on the attack impact and evaluate real-time feasibility by precomputing evasive payloads for timed injection based on bus traffic. Our results demonstrate that, besides attacks being challenging due to the automotive domain constraints, their effectiveness is strongly dependent on the dataset quality, the target IDS, and the attacker's degree of knowledge.