DL-based Anomaly Detection on In-Vehicle Networks

Modern vehicles are equipped with Electronic Control Units (ECU) which enable the vehicle to control critical systems such as ABS, airbag or entertainment system. ECUs communicate through Controller Area Network (CAN) bus, which is a serial communication bus developed by Bosch in the mid-1980s, and has become a standard for in-vehicle communication. CAN bus broadcasts CAN messages which may contain information such as acceleration, rpm, wheel speed or angle, to the entire network, and allows only one message to be transmitted at a time. The transmitted message reaches all nodes and each node accepts either receiving the message or ignoring it. Each CAN message can carry different signals and has a unique identifier (ID), which specifies the priority of the message in the CAN traffic.

Anomalies can occur in the CAN bus traffic, which are often caused by malicious attacks or by corruptions in the components of the vehicle. There exist several studies focusing on anomaly detection on in-vehicle networks, particularly on CAN bus. Statistical, rule-based, machine learning or deep learning-based approaches are the most used techniques in the anomaly detection literature. Recent studies indicate that deep learning-based techniques can better handle the multidimensional and complex structure of the CAN bus traffic data and detect anomalies. In the following paragraphs, we will summarize three studies using deep learning-based approaches for anomaly detection on in-vehicle networks.

One of the most used algorithms in anomaly detection is Long Short Term Memory (LSTM) as it has the capability to extract temporal features. Taylor et al. [1] proposed an LSTM-based approach to detect CAN bus attacks in the traffic. They added linear embedding layers to convert binary inputs to real-valued state space. The output of the linear layers are given to the LSTM hidden layers. The proposed structure can be seen in Figure 1.?

Figure 1 - The structure proposed by Taylor et al. [1]

Song et al. [2] proposed a classifier using deep convolutional neural networks (DCNN) to detect cyber-attacks in the CAN traffic. They proposed a frame building module to transform CAN messages into 2D data frames, so that they can be processed with DCNN. For this purpose, the frame builder takes 29-bit identifiers from the most recent 29 CAN messages and concatenates them to build 29x29 size frames. They used Inception-Resnet architecture to construct the model and train a model in a supervised manner using labeled data. The authors reported that the model achieved 99.9% F-score on a private dataset.

Kukkala et al. [3] integrates LSTM-based encoder-decoder architecture with a self-attention mechanism to detect cyber-attacks in the CAN traffic. The proposed structure can be seen in Figure 2. They feed time-series CAN messages to a linear layer and input it to the LSTM encoder. The encoder outputs a latent representation of the input time-series signals. Self-attention block takes the last hidden states of the LSTM encoder and generates the? context vector taking the weighted sum of the hidden states. Attention weights indicate the contribution of previous hidden states to the current states. They trained the model in a semi-supervised manner, using only normal data. Thus, the model learns to predict normal data, and anomalies are detected calculating the error between predicted data and the input data.

Figure 2 -? LSTM encoder-decoder with self-attention [3]

With the rapid increase in autonomous features in modern cars, vehicles become equipped with a large number of ECUs, which increases the software-intensity of the vehicles. Large amounts of software leads vehicles to be more complex systems and increases the data density in in-vehicle networks. This raises the possibility of occurrence of anomalies in vehicle systems and leads to difficulty in detecting possible anomalies. In Proven, we continue R&D studies to develop innovative solutions for anomaly detection on in-vehicle networks.

In addition to CNN and LSTM-based approaches, novel methods using Transformers, GANs and Graph Neural Networks for anomaly detection problems have been proposed in recent years. We are planning to summarize the studies using these methods for CAN bus anomaly detection in our next posts.

?vgü ?ZDEM?R - R&D Software Engineer

REFERENCES

[1]? Adrian Taylor, Sylvain Leblanc, and Nathalie Japkowicz. Anomaly detection in automobile control network data with long short-term memory networks. In 2016 IEEE International Conference on Data Science and Advanced Analytics (DSAA), pages 130–139. IEEE, 2016

[2] Hyun Min Song, Jiyoung Woo, and Huy Kang Kim. In-vehicle network intrusion detection using deep convolutional neural network. Vehicular Communications, 21: 100198, 2020

[3] Vipin Kumar Kukkala, Sooryaa Vignesh Thiruloga, and Sudeep Pasricha. Latte: Lstm self-attention based anomaly detection in embedded automotive platforms. ACM Transactions on Embedded Computing Systems (TECS), 20(5s):1–23, 2021.