Jin-zhong HUANG,Miao-liang ZHU,Ye GUO

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.02.014

2006-01-01

Abstract:Current anomaly detection technique cannot provide any valuable information except simple alarm. To resolve this problem, a new anomaly detection method was proposed. The system call traces are represented as a kind of hierarchy model composed of system call, operation, transition and activity, while the normal program behavior is described using a context-free grammar with semantic labels attached. Some key system calls and their parameters or return values are used to segment and learn normal traces. Experimental results show that this method can effectively detect attacks exploiting vulnerabilities, and can also analyze anomaly scenes and provide much information on anomalous events including intruders' IP addresses.

Aditya Jain,Piyush Tarey

DOI: https://doi.org/10.36001/ijphm.2023.v14i3.3123

2023-02-13

International Journal of Prognostics and Health Management

Abstract:The automotive industry is witnessing its next phase of transformation. The vehicles are getting defined by software, becoming intelligent, connected and more complex to design, develop and analyze. For these complex vehicles, prognostics and proactive maintenance has become ever more critical than before.OEMs and suppliers analyze probable failures that a vehicle component is likely to encounter, define fault codes to identify those failures, and provide procedure or guided steps to resolve them. For smarter vehicles, it is required that vehicles be capable to catch potential problems as soon as the component’s condition starts to deteriorate and becomes a failure. These failures could be known (defined) or new (undefined). Given the vehicle development timelines and increasing complexity, many problems are not analyzed at design stage and remain undetected before production. Hence, no fault code or test case exist for them. Diagnosing such problems become very difficult, postproduction.The aim of this paper is to propose a Machine Learning (ML) based framework which utilizes minimally labelled or unlabeled sensor data generated from a vehicle system at a given frequency. The framework utilizes an ML model to identify any anomalous behavior or aberration, and flag it for further review. This framework can be adopted on large amount of real time or time series data to identify known as well as undefined failures early. These models could be deployed on cloud or on edge (on vehicles) for analyzing real-time sensor data for a given system/component and flag any anomaly. It could further be utilized to create a part specific Predictive Maintenance (PM) model to provide proactive warnings and prevent downtime.

Abdollah Kavousi-Fard,Morteza Dabbaghjamanesh,Tao Jin,Wencong Su,Mahmoud Roustaei

DOI: https://doi.org/10.1109/tits.2020.3015143

IF: 8.5

2021-07-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:This article proposes a deep learning based approach for cyber attack detection in the vehicles. The proposed method is constructed based on generative adversarial network (GAN) classification to assess the message frames transferring between the electric control unit (ECU) and other hardware in the vehicle. To this end, two networks called generator (G) and discriminator (D) will run an adversarial game to fool each other. In such a process, the most optimal structure is found which distinguish between the model normal behavior and abnormalities. Due to the instabilities existing in the GAN model, a new optimization method based on firefly algorithm is proposed to create a class of generators in a feasible region, i.e. the discriminator D. A three-stage modification method is also devised to increase the algorithm population diversity and reduce the possibility of falling in local optima. The performance of the model is assessed on the experimental dataset recorded from the OBD-II port of an undefined vehicle.

engineering, electrical & electronic,transportation science & technology, civil

Ajeet Kumar Dwivedi

DOI: https://doi.org/10.48550/arXiv.2205.03537

2022-05-07

Cryptography and Security

Abstract:The progression of innovation and technology and ease of inter-connectivity among networks has allowed us to evolve towards one of the promising areas, the Internet of Vehicles. Nowadays, modern vehicles are connected to a range of networks, including intra-vehicle networks and external networks. However, a primary challenge in the automotive industry is to make the vehicle safe and reliable; particularly with the loopholes in the existing traditional protocols, cyber-attacks on the vehicle network are rising drastically. Practically every vehicle uses the universal Controller Area Network (CAN) bus protocol for the communication between electronic control units to transmit key vehicle functionality and messages related to driver safety. The CAN bus system, although its critical significance, lacks the key feature of any protocol authentication and authorization. Resulting in compromises of CAN bus security leads to serious issues to both car and driver safety. This paper discusses the security issues of the CAN bus protocol and proposes an Intrusion Detection System (IDS) that detects known attacks on in-vehicle networks. Multiple Artificial Intelligence (AI) algorithms are employed to provide recognition of known potential cyber-attacks based on messages, timestamps, and data packets traveling through the CAN. The main objective of this paper is to accurately detect cyberattacks by considering time-series features and attack frequency. The majority of the evaluated AI algorithms, when considering attack frequency, correctly identify known attacks with remarkable accuracy of more than 99%. However, these models achieve approximately 92% to 97% accuracy when timestamps are not taken into account. Long Short Term Memory (LSTM), Xgboost, and SVC have proved to the well-performing classifiers.

Philipp Meyer,Timo Häckel,Teresa Lübeck,Franz Korf,Thomas C. Schmidt

2024-05-02

Abstract:Connected cars are susceptible to cyberattacks. Security and safety of future vehicles highly depend on a holistic protection of automotive components, of which the time-sensitive backbone network takes a significant role. These onboard Time-Sensitive Networks (TSNs) require monitoring for safety and -- as versatile platforms to host Network Anomaly Detection Systems (NADSs) -- for security. Still a thorough evaluation of anomaly detection methods in the context of hard real-time operations, automotive protocol stacks, and domain specific attack vectors is missing along with appropriate input datasets. In this paper, we present an assessment framework that allows for reproducible, comparable, and rapid evaluation of detection algorithms. It is based on a simulation toolchain, which contributes configurable topologies, traffic streams, anomalies, attacks, and detectors. We demonstrate the assessment of NADSs in a comprehensive in-vehicular network with its communication flows, on which we model traffic anomalies. We evaluate exemplary detection mechanisms and reveal how the detection performance is influenced by different combinations of TSN traffic flows and anomaly types. Our approach translates to other real-time Ethernet domains, such as industrial facilities, airplanes, and UAVs.

Networking and Internet Architecture,Cryptography and Security

J Zhang,D Creighton,C P Lim,B Rolfe,M Weiss,A Neiat,A Zaslavsky,T Nguyen,J Navaei,R Gamasaee,B Barresi,M Novak

DOI: https://doi.org/10.1088/1757-899x/1307/1/012035

2024-06-02

IOP Conference Series Materials Science and Engineering

Abstract:In metal forming, such as stamping of automotive parts, unsupervised machine learning models offer a transformative approach to real-time quality control, especially when labelled data are scarce. Leveraging clustering algorithms and autoencoders, we develop a machine learning system capable of autonomously monitoring sensor data and identifying deviations suggestive of potential defects. The system offers multiple benefits including rapid intervention, reduced part defects and lower stoppages required to rectify defects. The use of unsupervised machine learning models also adds a layer of adaptability, allowing the system to continually refine its understanding of what constitutes a 'normal' operation. Empirical evaluation demonstrates the potential of the developed system in detecting anomalies in production data collected from dynamic automotive manufacturing environments.

Pierpaolo Dini,Sergio Saponara

DOI: https://doi.org/10.3390/s23229231

2023-11-16

Abstract:In recent decades, an exponential surge in technological advancements has significantly transformed various aspects of daily life. The proliferation of indispensable objects such as smartphones and computers underscores the pervasive influence of technology. This trend extends to the domains of the healthcare, automotive, and industrial sectors, with the emergence of remote-operating capabilities and self-learning models. Notably, the automotive industry has integrated numerous remote access points like Wi-Fi, USB, Bluetooth, 4G/5G, and OBD-II interfaces into vehicles, amplifying the exposure of the Controller Area Network (CAN) bus to external threats. With a recognition of the susceptibility of the CAN bus to external attacks, there is an urgent need to develop robust security systems that are capable of detecting potential intrusions and malfunctions. This study aims to leverage fingerprinting techniques and neural networks on cost-effective embedded systems to construct an anomaly detection system for identifying abnormal behavior in the CAN bus. The research is structured into three parts, encompassing the application of fingerprinting techniques for data acquisition and neural network training, the design of an anomaly detection algorithm based on neural network results, and the simulation of typical CAN attack scenarios. Additionally, a thermal test was conducted to evaluate the algorithm's resilience under varying temperatures.

Yi Wang,Yuanjin Zheng,Yajun Ha

2024-06-24

Abstract:Anomaly Detection System (ADS) is an essential part of a modern gateway Electronic Control Unit (ECU) to detect abnormal behaviors and attacks in vehicles. Among the existing attacks, ``one-time`` attack is the most challenging to be detected, together with the strict gateway ECU constraints of both microsecond or even nanosecond level real-time budget and limited footprint of code. To address the challenges, we propose to use the self-information theory to generate values for training and testing models, aiming to achieve real-time detection performance for the ``one-time`` attack that has not been well studied in the past. Second, the generation of self-information is based on logarithm calculation, which leads to the smallest footprint to reduce the cost in Gateway. Finally, our proposed method uses an unsupervised model without the need of training data for anomalies or attacks. We have compared different machine learning methods ranging from typical machine learning models to deep learning models, e.g., Hidden Markov Model (HMM), Support Vector Data Description (SVDD), and Long Short Term Memory (LSTM). Experimental results show that our proposed method achieves 8.7 times lower False Positive Rate (FPR), 1.77 times faster testing time, and 4.88 times smaller footprint.

Cryptography and Security

Chris van der Ploeg,Robin Smit,Alexis Siagkris-Lekkos,Frank Benders,Emilia Silvas

DOI: https://doi.org/10.48550/arXiv.2104.11790

2021-04-24

Abstract:Using Infrastructure-to-Vehicle (I2V) information can be of great benefit when driving autonomously in high-density traffic situations with limited visibility, since the sensing capabilities of the vehicle are enhanced by external sensors. In this research, a method is introduced to increase the vehicle's self-awareness in intersections for one of the largest foreseen challenges when using I2V communication: cyber security. The introduced anomaly detection algorithm, running on the automated vehicle, assesses the health of the I2V communication against multiple cyber security attacks. The analysis is done in a simulation environment, using cyber-attack scenarios from the Secredas Project (Cyber Security for Cross Domain Reliable Dependable Automated Systems) and provides insights into the limitations the vehicle has when facing I2V cyber attacks of different types and amplitudes and when sensor redundancy is lost. The results demonstrate that anomalies injected can be robustly detected and mitigated by the autonomous vehicle, allowing it to react more safely and comfortably and maintaining correct object tracking in intersections.

Cryptography and Security,Optimization and Control

Konstantinos Demestichas,Theodoros Alexakis,Nikolaos Peppes,Evgenia Adamopoulou

DOI: https://doi.org/10.3390/vehicles3020011

2021-04-25

Vehicles

Abstract:The rapid growth of demand for transportation, both for people and goods, as well as the massive accumulation of population in urban centers has augmented the need for the development of smart transport systems. One of the needs that have arisen is to efficiently monitor and evaluate driving behavior, so as to increase safety, provide alarms, and avoid accidents. Capitalizing on the evolution of Information and Communication Technologies (ICT), the development of intelligent vehicles and platforms in this domain is getting more feasible than ever. Nowadays, vehicles, as well as highways, are equipped with sensors that collect a variety of data, such as speed, acceleration, fuel consumption, direction, and more. The methodology presented in this paper combines both advanced machine learning algorithms and open-source based tools to correlate different data flows originating from vehicles. Particularly, the data gathered from different vehicles are processed and analyzed with the utilization of machine learning techniques in order to detect abnormalities in driving behavior. Results from different suitable techniques are presented and compared, using an extensive real-world dataset containing field measurements. The results feature the application of both supervised univariate anomaly detection and unsupervised multivariate anomaly detection methods in the same dataset.

J. R. V. Solaas,N. Tuptuk,E. Mariconti

2024-05-05

Abstract:This systematic review focuses on anomaly detection for connected and autonomous vehicles. The initial database search identified 2160 articles, of which 203 were included in this review after rigorous screening and assessment. This study revealed that the most commonly used Artificial Intelligence (AI) algorithms employed in anomaly detection are neural networks like LSTM, CNN, and autoencoders, alongside one-class SVM. Most anomaly-based models were trained using real-world operational vehicle data, although anomalies, such as attacks and faults, were often injected artificially into the datasets. These models were evaluated mostly using five key evaluation metrics: recall, accuracy, precision, F1-score, and false positive rate. The most frequently used selection of evaluation metrics used for anomaly detection models were accuracy, precision, recall, and F1-score. This systematic review presents several recommendations. First, there is a need to incorporate multiple evaluation metrics to provide a comprehensive assessment of the anomaly detection models. Second, only a small proportion of the studies have made their models open source, indicating a need to share models publicly to facilitate collaboration within the research community, and to validate and compare findings effectively. Third, there is a need for benchmarking datasets with predefined anomalies or cyberattacks to test and improve the effectiveness of the proposed anomaly-based detection models. Furthermore, there is a need for future research to investigate the deployment of anomaly detection to a vehicle to assess its performance on the road. There is a notable lack of research done on intrusion detection systems using different protocols to CAN, such as Ethernet and FlexRay.

Machine Learning

Dacian Goina,Eduard Hogea,George Maties

2024-06-11

Abstract:This paper presents a novel anomaly detection methodology termed Statistical Aggregated Anomaly Detection (SAAD). The SAAD approach integrates advanced statistical techniques with machine learning, and its efficacy is demonstrated through validation on real sensor data from a Hardware-in-the-Loop (HIL) environment within the automotive domain. The key innovation of SAAD lies in its ability to significantly enhance the accuracy and robustness of anomaly detection when combined with Fully Connected Networks (FCNs) augmented by dropout layers. Comprehensive experimental evaluations indicate that the standalone statistical method achieves an accuracy of 72.1%, whereas the deep learning model alone attains an accuracy of 71.5%. In contrast, the aggregated method achieves a superior accuracy of 88.3% and an F1 score of 0.921, thereby outperforming the individual models. These results underscore the effectiveness of SAAD, demonstrating its potential for broad application in various domains, including automotive systems.

Machine Learning

A. Jaekel,Pegah Mansourian,N. Zhang,Marc Kneppers

DOI: https://doi.org/10.1109/TITS.2023.3286611

2023-12-01

Abstract:Although connected mymargin autonomous vehicles (CAVs) hold great potential to improve driving safety and experience significantly, cybersecurity remains a critical concern. As the de-facto standard for in-vehicle networks, the Controller Area Network (CAN) carries messages and commands vital to the operation of the vehicle. However, due to a lack of security mechanisms, intruders are able to conduct devastating attacks on drivers and passengers over CAN. In order to safeguard CAVs, an Intrusion Detection System (IDS) can be deployed to monitor CAN network activities and detect suspicious behavior resulting from an attack. This paper proposes a prediction-based IDS framework for detecting anomalies and attacks on a CAN bus using temporal correlation of message contents. Two candidates are introduced as the prediction module. The first network is an LSTM that predicts time series data separately for each CAN ID, and the second is a ConvLSTM that predicts messages using correlated data of several CAN IDs. An attack is classified according to prediction errors by a Gaussian Naïve Bayes classifier. The proposed IDS is evaluated against other state-of-the-art one-class classifiers, including OCSVM, Isolation Forest, and Autoencoder, and three existing works, including ReducedInception-ResNet, NeuroCAN, and CANLite, using a real-world dataset, the Car Hacking Dataset. A comparison between the two suggested architectures and their use cases is given. Compared to baseline methods and related studies, the proposed method is shown to be more accurate and can achieve F-scores and detection accuracy of almost 100%.

Computer Science,Engineering

Justus Zipfel,Felix Verworner,Marco Fischer,Uwe Wieland,Mathias Kraus,Patrick Zschech

DOI: https://doi.org/10.1016/j.cie.2023.109045

2023-02-04

Abstract:Across many industries, visual quality assurance has transitioned from a manual, labor-intensive, and error-prone task to a fully automated and precise assessment of industrial quality. This transition has been made possible due to advances in machine learning in general, and supervised learning in particular. However, the majority of supervised learning approaches only allow to identify pre-defined categories, such as certain error types on manufactured objects. New, unseen error types are unlikely to be detected by supervised models. As a remedy, this work studies unsupervised models based on deep neural networks which are not limited to a fixed set of categories but can generally assess the overall quality of objects. More specifically, we use a quality inspection case from a European car manufacturer and assess the detection performance of three unsupervised models (i.e., Skip-GANomaly, PaDiM, PatchCore). Based on an in-depth evaluation study, we demonstrate that reliable results can be achieved with fully unsupervised approaches that are even competitive with those of a supervised counterpart.

computer science, interdisciplinary applications,engineering, industrial

Asma Alfardus,Danda B. Rawat

DOI: https://doi.org/10.3390/electronics13101962

IF: 2.9

2024-05-17

Electronics

Abstract:In-vehicle networks (IVNs) are networks that allow communication between different electronic components in a vehicle, such as infotainment systems, sensors, and control units. As these networks become more complex and interconnected, they become more vulnerable to cyber-attacks that can compromise safety and privacy. Anomaly detection is an important tool for detecting potential threats and preventing cyber-attacks in IVNs. The proposed machine learning-based anomaly detection technique uses deep learning and feature engineering to identify anomalous behavior in real-time. Feature engineering involves selecting and extracting relevant features from the data that are useful for detecting anomalies. Deep learning involves using neural networks to learn complex patterns and relationships in the data. Our experiments show that the proposed technique have achieved high accuracy in detecting anomalies and outperforms existing state-of-the-art methods. This technique can be used to enhance the security of IVNs and prevent cyber-attacks that can have serious consequences for drivers and passengers.

engineering, electrical & electronic,computer science, information systems,physics, applied

Nadun Wijesinghe,Hadi Hemmati

2023-10-31

Abstract:Most enterprise applications use logging as a mechanism to diagnose anomalies, which could help with reducing system downtime. Anomaly detection using software execution logs has been explored in several prior studies, using both classical and deep neural network-based machine learning models. In recent years, the research has largely focused in using variations of sequence-based deep neural networks (e.g., Long-Short Term Memory and Transformer-based models) for log-based anomaly detection on open-source data. However, they have not been applied in industrial datasets, as often. In addition, the studied open-source datasets are typically very large in size with logging statements that do not change much over time, which may not be the case with a dataset from an industrial service that is relatively new. In this paper, we evaluate several state-of-the-art anomaly detection models on an industrial dataset from our research partner, which is much smaller and loosely structured than most large scale open-source benchmark datasets. Results show that while all models are capable of detecting anomalies, certain models are better suited for less-structured datasets. We also see that model effectiveness changes when a common data leak associated with a random train-test split in some prior work is removed. A qualitative study of the defects' characteristics identified by the developers on the industrial dataset further shows strengths and weaknesses of the models in detecting different types of anomalies. Finally, we explore the effect of limited training data by gradually increasing the training set size, to evaluate if the model effectiveness does depend on the training set size.

Machine Learning,Software Engineering

Yukun Fang,Haigen Min,Xia Wu,Wuqi Wang,Xiangmo Zhao,Beatriz Martinez-Pastor,Rui Teixeira

DOI: https://doi.org/10.1016/j.inffus.2024.102223

IF: 18.6

2024-01-05

Information Fusion

Abstract:Connected autonomous vehicles (CAVs) are revolutionizing the development of transportation due to their potential to improve transportation performance in many ways, such as enhanced traffic mobility, road compacity, operation safety, and environmental sustainability. Nevertheless, the issue of road vehicle safety in CAVs remains to be fully solved. Data collected from multiple sources provide information about the internal status of the system and the situation of its surroundings, and the occurrence of data anomalies indicates the existence of potential safety risks. Thus, anomaly diagnosis is of major importance to analyze the nature or cause of underlying safety risks and provide insightful information for the subsequent decision-making that ensures safety. Anomaly diagnosis consists of two basic tasks: anomaly detection and anomaly interpretation. In this paper, both of these two tasks are comprehensively surveyed. For anomaly detection, the following four aspects are covered: 1) formalized definition of an anomaly, 2) classification of anomalies, 3) taxonomies of anomaly detection techniques, and 4) review of recent advances for anomaly detection in CAV applications. For anomaly interpretation, related works are investigated in the context of 1) the anomaly detection process, and 2) the tested/monitored system/process, respectively. The novelty particularly lies in the latter, where the interpretation of anomalies combining the analysis of road vehicle safety risks is presented, and related works for anomaly interpretation in CAV applications are reviewed by analyzing 1) functional safety risks, 2) safety of the intended functionality (SOTIF) risks, and 3) cyber security risks, respectively. Finally, open issues, challenges, future directions, and emerging technologies for anomaly diagnosis in CAVs are discussed.

computer science, artificial intelligence, theory & methods

Bechir ALAYA,Lamaa SELLAMI,Pascal Lorenz

DOI: https://doi.org/10.1016/j.adhoc.2024.103417

IF: 4.816

2024-01-25

Ad Hoc Networks

Abstract:In a vehicular environment, by becoming connected, vehicles are subject to more threats in comparison to traditional information systems, with the difference that, as a cyber-physical system, anomalies and intrusions could have repercussions in the physical world. In this work, we have developed an ontological anomaly-detection approach (OADA). The anomalies studied in this work mainly concern: network scans, DNS tunnel attacks, and telemetry data anomalies. Our contribution relates to a study of the attributes of interest for the algorithm used during the detection phase, namely the hierarchical temporal memory algorithm (HTM). The packets exchanged by the vehicle are grouped in instant description windows. These windows are then analyzed to extract a set of attributes. These are linked to the properties of network traffic, such as flow or latency. They are subject to the process of detecting anomalies and intrusions, carried out thanks to the algorithm with HTM. For each entry, the algorithm produces a score that allows us to decide if a window is abnormal and to lift an alert if that is the case. We evaluated our system using a communications and anomalies emulation tool. We use the corpus of data produced thanks to Autobot. We seek to determine from among the best scores of Matthews correlation coefficient (MCC) and Detection efficiency score (DES) which were the parameters for which HTM detects all anomalies with the greatest possible coverage. The obtained results prove that HTM can detect all anomalies for each window duration.

computer science, information systems,telecommunications

Yuning Qiu,Teruhisa Misu,Carlos Busso

DOI: https://doi.org/10.48550/arXiv.2203.08289

2022-03-16

Abstract:Anomaly driving detection is an important problem in advanced driver assistance systems (ADAS). It is important to identify potential hazard scenarios as early as possible to avoid potential accidents. This study proposes an unsupervised method to quantify driving anomalies using a conditional generative adversarial network (GAN). The approach predicts upcoming driving scenarios by conditioning the models on the previously observed signals. The system uses the difference of the output from the discriminator between the predicted and actual signals as a metric to quantify the anomaly degree of a driving segment. We take a driver-centric approach, considering physiological signals from the driver and controller area network-Bus (CAN-Bus) signals from the vehicle. The approach is implemented with convolutional neural networks (CNNs) to extract discriminative feature representations, and with long short-term memory (LSTM) cells to capture temporal information. The study is implemented and evaluated with the driving anomaly dataset (DAD), which includes 250 hours of naturalistic recordings manually annotated with driving events. The experimental results reveal that recordings annotated with events that are likely to be anomalous, such as avoiding on-road pedestrians and traffic rule violations, have higher anomaly scores than recordings without any event annotation. The results are validated with perceptual evaluations, where annotators are asked to assess the risk and familiarity of the videos detected with high anomaly scores. The results indicate that the driving segments with higher anomaly scores are more risky and less regularly seen on the road than other driving segments, validating the proposed unsupervised approach.

Computer Vision and Pattern Recognition