Qingling Zhao,Mingqiang Chen,Zonghua Gu,Siyu Luan,Haibo Zeng,Samarjit Chakrabory

DOI: https://doi.org/10.1145/3540198

2022-09-05

ACM Transactions on Embedded Computing Systems

Abstract:The Controller Area Network (CAN) is a ubiquitous bus protocol present in the Electrical/Electronic (E/E) systems of almost all vehicles. It is vulnerable to a range of attacks once the attacker gains access to the bus through the vehicle’s attack surface. We address the problem of Intrusion Detection on the CAN bus and present a series of methods based on two classifiers trained with Auxiliary Classifier Generative Adversarial Network (ACGAN) to detect and assign fine-grained labels to Known Attacks and also detect the Unknown Attack class in a dataset containing a mixture of (Normal + Known Attacks + Unknown Attack) messages. The most effective method is a cascaded two-stage classification architecture, with the multi-class Auxiliary Classifier in the first stage for classification of Normal and Known Attacks, passing Out-of-Distribution (OOD) samples to the binary Real-Fake Classifier in the second stage for detection of the Unknown Attack class. Performance evaluation demonstrates that our method achieves both high classification accuracy and low runtime overhead, making it suitable for deployment in the resource-constrained in-vehicle environment.

computer science, software engineering, hardware & architecture

Tianqi Yu,Jianling Hu,Jianfeng Yang

DOI: https://doi.org/10.3390/electronics12112510

IF: 2.9

2023-06-02

Electronics

Abstract:The Internet of Vehicles (IoV) empowers intelligent and tailored services for intelligent connected vehicles (ICVs). However, with the increasing number of onboard external communication interfaces, ICVs face the challenges of malicious network intrusions. The closure of traditional vehicles had led to in-vehicle communication protocols, including the most commonly applied controller area network (CAN), and a lack of security and privacy protection mechanisms. Therefore, to protect the connected vehicles and IoV systems from being attacked, an intrusion-detection method is proposed based on the features extracted from the arbitration identifier (ID) field of CAN messages. Specifically, a sliding window is used to continuously extract a frame of streaming CAN messages first. Afterward, the weighted self-information of the CAN message ID is defined, and both the weighted self-information and the normalized value of an ID are extracted as features. Based on the extracted features, a lightweight one-class classifier, the local outlier factor (LOF), is used to identify the outliers and detect malicious network intrusion attacks. Simulation experiments were conducted based on the public CAN dataset provided by the HCR Lab. The proposed method, using four different one-class classifiers, was analyzed, and it is also benchmarked with three information entropy-based intrusion-detection methods in the literature. The experimental results indicate that, compared to the benchmarks, the proposed method dramatically improves the detection accuracy for injection attacks, namely denial-of-service (DoS) and spoofing, especially when the number of injected messages is low.

engineering, electrical & electronic,computer science, information systems,physics, applied

Chen Dong,Hao Wu,Qingyuan Li

DOI: https://doi.org/10.1109/access.2023.3265018

IF: 3.9

2023-04-14

IEEE Access

Abstract:As modern vehicles become more intelligent and connected, the number of ECUs and communication interfaces with external networks (such as 3G/4G and Bluetooth) has increased significantly, which raises potential network security risks. Due to the absence of effective security measures, there is a frequent occurrence of cybersecurity incidents targeting vehicles, particularly the in-vehicle CAN bus network. As the main bus in the vehicle, the CAN bus faces important challenges in its safety due to the lack of security mechanisms. Therefore, we propose a CAN bus intrusion detection system based on multiple observation HMM for in-vehicle networks to enhance the security of the vehicle. Specifically, the proposed algorithm builds a multiple observation HMM-based on the ID and data fields of normal CAN bus traffic. According to the established HMMs, we calculate the existence probability of the frame under the defined time window as the detection threshold. When the existence probability of the frame to be detected exceeds the normal threshold range, it is considered abnormal. Furthermore, we establish four common attack models based on the collected real vehicle data and evaluate the performance of the proposed algorithm in these attack scenarios. The experimental results show that the proposed method has better detection performance than other frame-by-frame anomaly detection methods in four attack scenarios.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jake Guidry,Fahad Sohrab,Raju Gottumukkala,Satya Katragadda,Moncef Gabbouj

2023-09-25

Abstract:Controller Area Network bus systems within vehicular networks are not equipped with the tools necessary to ward off and protect themselves from modern cyber-security threats. Work has been done on using machine learning methods to detect and report these attacks, but common methods are not robust towards unknown attacks. These methods usually rely on there being a sufficient representation of attack data, which may not be available due to there either not being enough data present to adequately represent its distribution or the distribution itself is too diverse in nature for there to be a sufficient representation of it. With the use of one-class classification methods, this issue can be mitigated as only normal data is required to train a model for the detection of anomalous instances. Research has been done on the efficacy of these methods, most notably One-Class Support Vector Machine and Support Vector Data Description, but many new extensions of these works have been proposed and have yet to be tested for injection attacks in vehicular networks. In this paper, we investigate the performance of various state-of-the-art one-class classification methods for detecting injection attacks on Controller Area Network bus traffic. We investigate the effectiveness of these techniques on attacks launched on Controller Area Network buses from two different vehicles during normal operation and while being attacked. We observe that the Subspace Support Vector Data Description method outperformed all other tested methods with a Gmean of about 85%.

Machine Learning,Cryptography and Security

Zhixia Zhang,Yang Cao,Zhihua Cui,Wensheng Zhang,Jinjun Chen

DOI: https://doi.org/10.1109/tvt.2021.3057074

IF: 6.8

2021-01-01

IEEE Transactions on Vehicular Technology

Abstract:With accelerated ensemble of the Internet of Things technology and automotive industry, vehicular network has been established as powerful tools. However, it is a significant challenge for dynamic and heterogeneous vehicular network to meet high requirements of the sixth-generation (6G) network such as high reliability and high security. To address this challenge, we design a novel weight-based ensemble machine learning algorithm (WBELA) to identify abnormal messages of vehicular Controller Area Network (CAN) bus network. Then, we establish a model based on many-objective optimization for intrusion detection of CAN bus network. To support this model, a many-objective optimization algorithm based on balance convergence and diversity (MaOEA-BCD) is designed. Open-source CAN bus message data sets and tamper attack scenarios are used to evaluate the effectiveness of proposed algorithm for different ID data frames. Experimental results revealed that proposed methods significantly enhance precision, reduce the false positive rate and have better performance than other methods so as to enhance security of vehicular networks in 6G.

Zhangwei Yu,Yan Liu,Guoqi Xie,Renfa Li,Siming Liu,Laurence T. Yang

DOI: https://doi.org/10.1109/tii.2022.3202539

IF: 12.3

2022-12-17

IEEE Transactions on Industrial Informatics

Abstract:Intelligent connected vehicle is rapidly growing with the 5-G technology; the diversity of functional interfaces has significantly expanded the avenues of attack, making automotive controller area network (CAN) more vulnerable to cyberthreats. Automotive CAN network attacks are a direct threat to traffic safety, and in this study, we explore the use of intrusion detection techniques for mitigating cyberattacks. However, most automotive CAN network intrusion detection technologies are not capable of defending against sophisticated attacks, making it extremely challenging for detecting intrusions in practice. In this article, we propose a novel time interval conditional entropy method for detecting intrusions in automotive CAN networks. The time interval conditional entropy intrusion detection method is not susceptible to interference and is capable of detecting a variety of attacks. In our experiments, the conditional entropy values of regular communication messages are collected and utilized to distinguish and detect the attacks. The time interval conditional entropy detection method is implemented and evaluated in our controller area net-work bus (CAN-BUS) network platform. The experiments show that our method has higher detection accuracy and is easier to deploy compared to existing automotive CAN network intrusion detection methods.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Zixiang Bi,Guoai Xu,Guosheng Xu,Miaoqing Tian,Ruobing Jiang,Sutao Zhang

DOI: https://doi.org/10.1155/2022/2554280

IF: 1.968

2022-03-07

Security and Communication Networks

Abstract:As the number and computational power of electronic computing units installed in standard automobiles continue to increase, contemporary motor vehicles face more cybersecurity threats than previous designs, while providing greater convenience and various useful features. Although vehicles are attacked at various entry points, eventually, attacks are injected into the in-vehicle controller area network (CAN) to cause vehicle anomalies. Currently, OEMs and research fields have implemented protection for the CAN bus in terms of external interfaces, internal protocols, and intrusion detection. Although the deployment of intrusion detection solutions is the most effective approach, the main challenges currently faced by automobile intrusion detection algorithms in practice involve limited computing resources, insufficient real-time responsiveness, and low recognition accuracy. In this study, we propose a novel intrusion detection method based on the message and time transfer matrix to address these difficulties, which can be applied to the vehicle Electronic Control Unit (ECU) to achieve real-time attack signal identification with high accuracy. Experiments on actual vehicles show that the proposed algorithm identified various attacks with high accuracy while consuming less computational and storage resources than previous methods. Moreover, the efficiency of the proposed algorithm is not affected by the attack injection frequency. Compared with other methods, the proposed method achieved better attack identification performance. Additionally, the message and time transfer matrix used by the algorithm can be used as a message transfer fingerprint of the CAN bus to discover anomalies.

computer science, information systems,telecommunications

Asma Alfardus,Danda B. Rawat

DOI: https://doi.org/10.1109/uemcon53757.2021.9666745

2021-12-01

Abstract:The advent of automotive industry has an increasing market demand pertaining to installation of intelligent transportation facilities in modern vehicles. Now more comfortable and safer travelling experience is one best trait of these vehicles. Moreover, it has opened new gates to advancement in automotive sector. Modern vehicles are connected to advance systems and technologies using various communication protocols. Amongst numerous communication protocols, one widely used protocol is the controller area network (CAN) bus which serves as a central medium for in-vehicle communications. However, the communication in these vehicles may impose greater threats and may ultimately compromise the security by breaching the system. Various attacks on CAN bus may compromise the confidentiality, integrity and availability of vehicular data through intrusions which may endanger the physical safety of vehicle and passengers. In this paper, a novel machine learning based approach is used to devise an Intrusion Detection System for the CAN bus network. The proposed system is scalable and adaptable to a diverse set of emerging attacks on autonomous vehicles. Results witnessed the accuracy of 100% of our proposed system in detecting and safeguarding threats against multiple impersonation and denial of service attacks as well as 99% accuracy of fuzzy attacks.

Junchao Xiao,Hao Wu,Xiangxue Li,Yuan Linghu

DOI: https://doi.org/10.1007/978-3-030-38961-1_40

2020-01-01

Abstract:A vehicle bus is a specialized internal communication network that interconnects components inside a vehicle. The Controller Area Network (CAN bus), a robust vehicle bus standard, allows microcontrollers and devices to communicate with each other. The community has seen many security breach examples that exploit CAN functionalities and other in-vehicle flaws. Intrusion detection systems (IDSs) on in-vehicle network are advantageous in monitoring CAN traffic and suspicious activities. Whereas, existing IDSs on in-vehicle network only support one or two attack models, and identifying abnormal in-vehicle CAN traffic against diversified attack models with better performance is more expected as can be then implemented practically. In this paper, we propose an intrusion detection system that can detect many different attacks. The method analyzes the CAN traffic generated by the in-vehicle network in real time and identifies the abnormal state of the vehicle practically. Our proposal fuses the autoencoder trick to the SVM model. More precisely, we introduce to the system an autoencoder that learns to compress CAN traffic data into extracted features (which can be uncompressed to closely match the original data). Then, the support vector machine is trained on the features to detect abnormal traffic. We show detailed model parameter configuration by adopting several concrete attacks. Experimental results demonstrate better detection performance (than existing proposals).

Qiang Dong,Zenglu Song,Haoshu Shao

DOI: https://doi.org/10.1049/ell2.13112

2024-01-30

Electronics Letters

Abstract:This research presents a novel method for detecting and defending against intrusions in the Controller Area Network (CAN) bus used in automotive systems. By analysing frequency anomalies in message transmission and utilizing the arbitration mechanism of the CAN bus, this approach effectively identifies and disrupts illegal messages in real‐time, ensuring the security of the network. As automobile intelligence continues to develop, the electronic control units connected to the Controller Area Network (CAN) bus within vehicles face an increasing number of threats from potential attacks originating from the internet. To address this issue, an intrusion detection and defence method is proposed that is capable of detecting illegal messages through the use of frequency anomaly detection, and subsequently disrupting them through utilization of the CAN bus arbitration mechanism. This proposed method offers a simple implementation compared to traditional approaches, while being able to identify suspicious units and neutralize threats in real‐time. Experimental results demonstrate the effectiveness of this approach.

engineering, electrical & electronic

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Jingwen Wei,Ye Chen,Yingxu Lai,Yuhang Wang,Zhaoyi Zhang

DOI: https://doi.org/10.1109/lcomm.2022.3195486

IF: 3.5529

2022-11-12

IEEE Communications Letters

Abstract:A controller area network (CAN) bus that controls real-time communication and data transmission of electronic control units in vehicles lacks security mechanisms and is highly vulnerable to attacks. The detection effectiveness of existing In-Vehicle network intrusion detection systems (IDSs) is usually reliant on training samples of known attacks. Owing to the simple structure of the CAN bus protocol, attackers can easily create variants based on known attacks. In this study, we propose a CAN bus IDS based on a domain adversarial neural network, which can achieve high detection performance on unlearned variant attack data. In addition, we used feature fusion techniques to synthetically extract the features of the attack data to improve detection capability. The experimental results demonstrate that our proposed model has high performance and generalization ability in attack detection.

telecommunications

Easa Alalwany,Imad Mahgoub

DOI: https://doi.org/10.3390/s22239195

2022-11-26

Abstract:Connectivity and automation have expanded with the development of autonomous vehicle technology. One of several automotive serial protocols that can be used in a wide range of vehicles is the controller area network (CAN). The growing functionality and connectivity of modern vehicles make them more vulnerable to cyberattacks aimed at vehicular networks. The CAN bus protocol is vulnerable to numerous attacks, as it is lacking security mechanisms by design. It is crucial to design intrusion detection systems (IDS) with high accuracy to detect attacks on the CAN bus. In this paper, we design an effective machine learning-based IDS scheme for binary classification that utilizes eight supervised ML algorithms, along with ensemble classifiers. The scheme achieved a higher effectiveness score in detecting normal and abnormal activities when trained with normal and malicious CAN traffic datasets. Random Forest, Decision Tree, and Xtreme Gradient Boosting classifiers provided the most accurate results. Then we evaluated three ensemble methods, voting, stacking, and bagging, for this classification task. The ensemble classifiers achieved better accuracy than the individual models, since ensemble learning strategies have superior performance through a combination of multiple learning mechanisms. These mechanisms have a varied range of capabilities that improve the prediction reliability while lowering the possibility of classification errors. Our model outperformed the most recent study that used the same dataset, with an accuracy of 0.984.

Ajeet Kumar Dwivedi

DOI: https://doi.org/10.48550/arXiv.2205.03537

2022-05-07

Cryptography and Security

Abstract:The progression of innovation and technology and ease of inter-connectivity among networks has allowed us to evolve towards one of the promising areas, the Internet of Vehicles. Nowadays, modern vehicles are connected to a range of networks, including intra-vehicle networks and external networks. However, a primary challenge in the automotive industry is to make the vehicle safe and reliable; particularly with the loopholes in the existing traditional protocols, cyber-attacks on the vehicle network are rising drastically. Practically every vehicle uses the universal Controller Area Network (CAN) bus protocol for the communication between electronic control units to transmit key vehicle functionality and messages related to driver safety. The CAN bus system, although its critical significance, lacks the key feature of any protocol authentication and authorization. Resulting in compromises of CAN bus security leads to serious issues to both car and driver safety. This paper discusses the security issues of the CAN bus protocol and proposes an Intrusion Detection System (IDS) that detects known attacks on in-vehicle networks. Multiple Artificial Intelligence (AI) algorithms are employed to provide recognition of known potential cyber-attacks based on messages, timestamps, and data packets traveling through the CAN. The main objective of this paper is to accurately detect cyberattacks by considering time-series features and attack frequency. The majority of the evaluated AI algorithms, when considering attack frequency, correctly identify known attacks with remarkable accuracy of more than 99%. However, these models achieve approximately 92% to 97% accuracy when timestamps are not taken into account. Long Short Term Memory (LSTM), Xgboost, and SVC have proved to the well-performing classifiers.

Fei Gao,Jinshuo Liu,Yingqi Liu,Zhenhai Gao,Rui Zhao

DOI: https://doi.org/10.3390/s24113461

IF: 3.9

2024-05-28

Sensors

Abstract:As an enhanced version of standard CAN, the Controller Area Network with Flexible Data (CAN-FD) rate is vulnerable to attacks due to its lack of information security measures. However, although anomaly detection is an effective method to prevent attacks, the accuracy of detection needs further improvement. In this paper, we propose a novel intrusion detection model for the CAN-FD bus, comprising two sub-models: Anomaly Data Detection Model (ADDM) for spotting anomalies and Anomaly Classification Detection Model (ACDM) for identifying and classifying anomaly types. ADDM employs Long Short-Term Memory (LSTM) layers to capture the long-range dependencies and temporal patterns within CAN-FD frame data, thus identifying frames that deviate from established norms. ACDM is enhanced with the attention mechanism that weights LSTM outputs, further improving the identification of sequence-based relationships and facilitating multi-attack classification. The method is evaluated on two datasets: a real-vehicle dataset including frames designed by us based on known attack patterns, and the CAN-FD Intrusion Dataset, developed by the Hacking and Countermeasure Research Lab. Our method offers broader applicability and more refined classification in anomaly detection. Compared with existing advanced LSTM-based and CNN-LSTM-based methods, our method exhibits superior performance in detection, achieving an improvement in accuracy of 1.44% and 1.01%, respectively.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yijie Xun,Zhouyan Deng,Jiajia Liu,Yilin Zhao

DOI: https://doi.org/10.1109/tvt.2023.3236820

IF: 6.8

2023-01-01

IEEE Transactions on Vehicular Technology

Abstract:Intelligent connected vehicles (ICVs) integrate advanced equipment and communication network technologies to realize information exchange and sharing between vehicles and people, roads, clouds, etc., bringing great convenience to people's lives. However, the interconnection of intelligent equipment and vehicles also brings many vulnerable interfaces, threatening the security of in-vehicle networks, e.g., controller area network (CAN) bus. For protecting the security of CAN bus, some researchers propose a data encryption and decryption protocol-based method. Note that due to the resource constraints of computing and bandwidth and the requirements for low-delay data transmission, the research on protocol-based data encryption and decryption method is progressing slowly. For this reason, more researchers study vehicle intrusion detection systems (IDSs) based on side channel analysis. It does not occupy the bandwidth of CAN bus, and detects intrusion by analyzing the physical characteristics of CAN bus. Nevertheless, most of the existing work either cannot locate the source electronic control unit (ECU) of the malicious data frames, or cannot detect malicious data frames from ECUs and external nodes simultaneously, which greatly limits their practical application value. Therefore, we propose a novel IDS based on vehicle voltage signals. Specifically, we map multiple identifiers (IDs) sent for each ECU without developer documentation. In addition, we creatively design FeatureBagging-CNN combined model to detect malicious intrusion. When the external nodes or compromised ECUs send malicious data frames, the system can accurately detect them and locate their sender.

telecommunications,engineering, electrical & electronic,transportation science & technology

Qian Wang,Zhaojun Lu,Gang Qu

DOI: https://doi.org/10.48550/arXiv.1808.04046

2018-08-13

Abstract:Dozens of Electronic Control Units (ECUs) can be found on modern vehicles for safety and driving assistance. These ECUs also introduce new security vulnerabilities as recent attacks have been reported by plugging the in-vehicle system or through wireless access. In this paper, we focus on the security of the Controller Area Network (CAN), which is a standard for communication among ECUs. CAN bus by design does not have sufficient security features to protect it from insider or outsider attacks. Intrusion detection system (IDS) is one of the most effective ways to enhance vehicle security on the insecure CAN bus protocol. We propose a new IDS based on the entropy of the identifier bits in CAN messages. The key observation is that all the known CAN message injection attacks need to alter the CAN ID bits and analyzing the entropy of such bits can be an effective way to detect those attacks. We collected real CAN messages from a vehicle (2016 Ford Fusion) and performed simulated message injection attacks. The experimental results showed that our entropy based IDS can successfully detect all the injection attacks without disrupting the communication on CAN.

Cryptography and Security

Yuhang Wang,Yingxu Lai,Ye Chen,Jingwen Wei,Zhaoyi Zhang

DOI: https://doi.org/10.1007/s00521-023-08233-5

2023-04-25

Neural Computing and Applications

Abstract:Controller area networks (CANs) are the de-facto standard for in-vehicle networks and enable real-time data communication between the electronic control units in a vehicle. However, owing to inadequate security mechanisms, CANs are vulnerable to cyberattacks. The sophistication of these attacks evolves constantly and new types of attacks emerge over time. Most existing intrusion detection systems (IDSs) can handle known attacks, but their ability to detect unknown attacks requires urgent improvements. Although IDSs can be updated via the Internet of Vehicles cloud to improve their detection performance, an unacceptable amount of time is required to collect enough labeled data and the updates are slow. Considering these problems, we propose a transfer learning-based self-learning IDS (TLSIDS) for CANs. The proposed TLSIDS uses a cascade detection approach that is capable of detecting both known and unknown attacks with high performance, and the self-learning function can solve the problem of slow updates, thus improving the speed and performance of the TLSIDS in detecting unknown attacks. The TLSIDS consists of four modules, namely the basic detection module (BDM), the advanced detection module (ADM), the unknown attacks classification module (UACM), and the self-learning module (SLM). The efficacy of the TLSIDS was evaluated using a public dataset provided by the Hacking and Countermeasure Research Lab (HCRL). The results revealed that our proposed TLSIDS has effectiveness and robustness in distinct scenarios.

computer science, artificial intelligence

Maloy Kumar Devnath

2023-09-24

Abstract:The Controller Area Network (CAN) bus serves as a standard protocol for facilitating communication among various electronic control units (ECUs) within contemporary vehicles. However, it has been demonstrated that the CAN bus is susceptible to remote attacks, which pose risks to the vehicle's safety and functionality. To tackle this concern, researchers have introduced intrusion detection systems (IDSs) to identify and thwart such attacks. In this paper, we present an innovative approach to intruder detection within the CAN bus, leveraging Graph Convolutional Network (GCN) techniques as introduced by Zhang, Tong, Xu, and Maciejewski in 2019. By harnessing the capabilities of deep learning, we aim to enhance attack detection accuracy while minimizing the requirement for manual feature engineering. Our experimental findings substantiate that the proposed GCN-based method surpasses existing IDSs in terms of accuracy, precision, and recall. Additionally, our approach demonstrates efficacy in detecting mixed attacks, which are more challenging to identify than single attacks. Furthermore, it reduces the necessity for extensive feature engineering and is particularly well-suited for real-time detection systems. To the best of our knowledge, this represents the pioneering application of GCN to CAN data for intrusion detection. Our proposed approach holds significant potential in fortifying the security and safety of modern vehicles, safeguarding against attacks and preventing them from undermining vehicle functionality.

Cryptography and Security

Md Hasan Shahriar,Yang Xiao,Pablo Moriano,Wenjing Lou,Y. Thomas Hou

DOI: https://doi.org/10.1109/JIOT.2023.3303271

2023-10-08

Abstract:Modern vehicles rely on a fleet of electronic control units (ECUs) connected through controller area network (CAN) buses for critical vehicular control. With the expansion of advanced connectivity features in automobiles and the elevated risks of internal system exposure, the CAN bus is increasingly prone to intrusions and injection attacks. As ordinary injection attacks disrupt the typical timing properties of the CAN data stream, rule-based intrusion detection systems (IDS) can easily detect them. However, advanced attackers can inject false data to the signal/semantic level, while looking innocuous by the pattern/frequency of the CAN messages. The rule-based IDS, as well as the anomaly-based IDS, are built merely on the sequence of CAN messages IDs or just the binary payload data and are less effective in detecting such attacks. Therefore, to detect such intelligent attacks, we propose CANShield, a deep learning-based signal-level intrusion detection framework for the CAN bus. CANShield consists of three modules: a data preprocessing module that handles the high-dimensional CAN data stream at the signal level and parses them into time series suitable for a deep learning model; a data analyzer module consisting of multiple deep autoencoder (AE) networks, each analyzing the time-series data from a different temporal scale and granularity, and finally an attack detection module that uses an ensemble method to make the final decision. Evaluation results on two high-fidelity signal-based CAN attack datasets show the high accuracy and responsiveness of CANShield in detecting advanced intrusion attacks.

Cryptography and Security,Machine Learning