Abstract:Anomaly Detection System (ADS) is an essential part of a modern gateway Electronic Control Unit (ECU) to detect abnormal behaviors and attacks in vehicles. Among the existing attacks, ``one-time`` attack is the most challenging to be detected, together with the strict gateway ECU constraints of both microsecond or even nanosecond level real-time budget and limited footprint of code. To address the challenges, we propose to use the self-information theory to generate values for training and testing models, aiming to achieve real-time detection performance for the ``one-time`` attack that has not been well studied in the past. Second, the generation of self-information is based on logarithm calculation, which leads to the smallest footprint to reduce the cost in Gateway. Finally, our proposed method uses an unsupervised model without the need of training data for anomalies or attacks. We have compared different machine learning methods ranging from typical machine learning models to deep learning models, e.g., Hidden Markov Model (HMM), Support Vector Data Description (SVDD), and Long Short Term Memory (LSTM). Experimental results show that our proposed method achieves 8.7 times lower False Positive Rate (FPR), 1.77 times faster testing time, and 4.88 times smaller footprint.
What problem does this paper attempt to address?
The problem that this paper attempts to solve is the detection difficulty of "one - time attack" in the vehicle - mounted gateway electronic control unit (ECU). Specifically, the paper aims to design a real - time and resource - sparing anomaly detection system (ADS) to meet the following challenges:
1. **Real - time requirement**: Detect abnormal behaviors and attacks within microseconds or even nanoseconds, especially in critical automotive applications.
2. **Resource limitation**: Ensure that the ADS occupies as little code space as possible, so as to leave more resources for other applications.
3. **No need for labeled data**: Reduce the extra work required to process data sets, especially without the need for abnormal or attack data for training.
### Problem Background
Existing in - vehicle networks (such as CAN buses) face a variety of security threats, including spoofing attacks, manipulation attacks, man - in - the - middle attacks, etc. Among them, the "one - time attack" is one of the most challenging types of attacks because it manipulates the data payload or content through only one malicious CAN message, and this data is still within the valid range. Such an attack may cause serious consequences to critical ECUs (such as brake control, airbag control, and engine control) involving sensitive information.
### Limitations of Existing Methods
Most of the current machine - learning - based ADSs are supervised models, which require a large amount of labeled data for training, and it is difficult to support the real - time detection of multiple driving behaviors while occupying a large amount of resources. In addition, the existing non - machine - learning methods can detect certain types of anomalies, but they do not focus on "one - time attack".
### Solutions Proposed in the Paper
To solve the above problems, the paper proposes a real - time ADS based on unsupervised machine learning, with the following main contributions:
1. **Application of self - information theory**: Use self - information to generate the values of training and test matrices, thereby achieving "one - time attack" detection at the millisecond level.
2. **Minimizing resource occupation**: Generate self - information based on logarithmic calculations, making the model have the minimum code footprint and reducing the cost of the gateway ECU.
3. **Reducing data processing workload**: Compared with the existing supervised models, it reduces the extra work required to process data sets. This method can be trained using normal data sets without the need for data containing anomalies or attacks.
### Experimental Results
The experimental results show that, compared with existing models such as HMM, SVDD, and LSTM, this method achieves a 8.7 - fold lower false positive rate (FPR), a 1.77 - fold faster test time, and a 4.88 - fold smaller code footprint.
In summary, the main goal of this paper is to develop an efficient real - time ADS that can accurately detect "one - time attack" in a resource - constrained environment and provide a fast response and a low false alarm rate.