ID Sequence Analysis for Intrusion Detection in the CAN bus using Long Short Term Memory Networks

The number of computer controlled vehicles throughout the world is rising at a staggering speed. Even though this enhances the driving experience, it opens a new security hole in the automotive industry. To alleviate this issue, we are proposing an intrusion detection system (IDS) to the controller area network (CAN), which is the de facto communication standard of present-day vehicles. We implemented an IDS based on the analysis of ID sequences. The IDS uses a trained Long-Short Term Memory (LSTM) to predict an arbitration ID that will appear in the future by looking back to the last 20 packet arbitration IDs. The output from the LSTM network is a softmax probability of all the 42 arbitration IDs in our test car. The softmax probability is used in two approaches for IDS. In the first approach, a single arbitration ID is predicted by taking the class which has the highest softmax probability. This method only gave us an accuracy of 0.6. Applying this result in a real vehicle would give us a lot of false negatives, hence we devised a second approach that uses log loss as an anomaly signal. The evaluated log loss is compared with a predefined threshold to see if the result is in the anomaly boundary. Furthermore, We have tested our approach using insertion, drop and illegal ID attacks which greatly outperform the conventional method with practical F1 scores of 0.9, 0.84, and 1.0 respectively.

[1]  Alex Graves,et al.  Supervised Sequence Labelling with Recurrent Neural Networks , 2012, Studies in Computational Intelligence.

[2]  Manuel Barbosa,et al.  An overview of controller area network , 1999 .

[3]  Hisashi Kashima,et al.  Supervised and Unsupervised Intrusion Detection Based on CAN Message Frequencies for In-vehicle Network , 2018, J. Inf. Process..

[4]  Nathalie Japkowicz,et al.  Frequency-based anomaly detection for the automotive CAN bus , 2015, 2015 World Congress on Industrial Control Systems Security (WCICSS).

[5]  Nathalie Japkowicz,et al.  Anomaly Detection in Automobile Control Network Data with Long Short-Term Memory Networks , 2016, 2016 IEEE International Conference on Data Science and Advanced Analytics (DSAA).

[6]  Lance Sherry,et al.  Anomaly detection in aircraft data using Recurrent Neural Networks (RNN) , 2016, 2016 Integrated Communications Navigation and Surveillance (ICNS).

[7]  Huy Kang Kim,et al.  Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network , 2016, 2016 International Conference on Information Networking (ICOIN).

[8]  Kang G. Shin,et al.  Viden: Attacker Identification on In-Vehicle Networks , 2017, CCS.

[9]  Mirco Marchetti,et al.  Anomaly detection of CAN bus messages through analysis of ID sequences , 2017, 2017 IEEE Intelligent Vehicles Symposium (IV).

[10]  Jia Zhou,et al.  A Survey of Intrusion Detection for In-Vehicle Networks , 2020, IEEE Transactions on Intelligent Transportation Systems.

[11]  Kang G. Shin,et al.  Fingerprinting Electronic Control Units for Vehicle Intrusion Detection , 2016, USENIX Security Symposium.

[12]  Keqin Li,et al.  Sliding Window Optimized Information Entropy Analysis Method for Intrusion Detection on In-Vehicle Networks , 2018, IEEE Access.

[13]  Mauro Conti,et al.  Secure OTA Software Updates in Connected Vehicles: A survey , 2019, ArXiv.

[14]  Christopher Huth,et al.  Scission: Signal Characteristic-Based Sender Identification and Intrusion Detection in Automotive Networks , 2018, CCS.