CAN Bus Intrusion Detection Based on Auxiliary Classifier GAN and Out-of-distribution Detection

Zhao, Qingling; Chen, Mingqiang; Gu, Zonghua; Luan, Siyu; Zeng, Haibo; Chakrabory, Samarjit

doi:10.1145/3540198

Cited by 25 publications

(7 citation statements)

References 49 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Frequency/Timing-Based: Regards the timing or sequencing of arbitration IDs [17,[19][20][21][22][23] Payload-Based: Considers the data frame (message contents) as a string of bits, without explicitly recovering the signals these bits represent [16,[24][25][26][27][28][29][30] Signal-Based: Requires first decoding raw data field bits into constituent signals, and uses time series' of signal values as inputs [5,17,[31][32][33][34][35][36][37] Physical Side-Channel: Uses physical layer attributes (e.g., voltage) [15,[38][39][40] Other: Includes works that do not fall into the above categories (e.g., using rules to guarantee specific characteristics of the CAN messages are followed [41,42]).…”

Section: The Growth and State Of Can Ids Researchmentioning

confidence: 99%

A comprehensive guide to CAN IDS data and introduction of the ROAD dataset

Verma,

Bridges,

Iannacone

et al. 2024

PLoS ONE

View full text Add to dashboard Cite

Although ubiquitous in modern vehicles, Controller Area Networks (CANs) lack basic security properties and are easily exploitable. A rapidly growing field of CAN security research has emerged that seeks to detect intrusions or anomalies on CANs. Producing vehicular CAN data with a variety of intrusions is a difficult task for most researchers as it requires expensive assets and deep expertise. To illuminate this task, we introduce the first comprehensive guide to the existing open CAN intrusion detection system (IDS) datasets. We categorize attacks on CANs including fabrication (adding frames, e.g., flooding or targeting and ID), suspension (removing an ID’s frames), and masquerade attacks (spoofed frames sent in lieu of suspended ones). We provide a quality analysis of each dataset; an enumeration of each datasets’ attacks, benefits, and drawbacks; categorization as real vs. simulated CAN data and real vs. simulated attacks; whether the data is raw CAN data or signal-translated; number of vehicles/CANs; quantity in terms of time; and finally a suggested use case of each dataset. State-of-the-art public CAN IDS datasets are limited to real fabrication (simple message injection) attacks and simulated attacks often in synthetic data, lacking fidelity. In general, the physical effects of attacks on the vehicle are not verified in the available datasets. Only one dataset provides signal-translated data but is missing a corresponding “raw” binary version. This issue pigeon-holes CAN IDS research into testing on limited and often inappropriate data (usually with attacks that are too easily detectable to truly test the method). The scarcity of appropriate data has stymied comparability and reproducibility of results for researchers. As our primary contribution, we present the Real ORNL Automotive Dynamometer (ROAD) CAN IDS dataset, consisting of over 3.5 hours of one vehicle’s CAN data. ROAD contains ambient data recorded during a diverse set of activities, and attacks of increasing stealth with multiple variants and instances of real (i.e. non-simulated) fuzzing, fabrication, unique advanced attacks, and simulated masquerade attacks. To facilitate a benchmark for CAN IDS methods that require signal-translated inputs, we also provide the signal time series format for many of the CAN captures. Our contributions aim to facilitate appropriate benchmarking and needed comparability in the CAN IDS research field.

show abstract

Section: The Growth and State Of Can Ids Researchmentioning

confidence: 99%

A comprehensive guide to CAN IDS data and introduction of the ROAD dataset

Verma,

Bridges,

Iannacone

et al. 2024

PLoS ONE

View full text Add to dashboard Cite

show abstract

“…Along with unsupervised methods, self-supervised method-based IDS are also studied [62]. A few works converted the sequences of CAN IDs into 2D images and trained generative adversarial networks (GANs) in an unsupervised fashion [63], [64]. Recently, motivated by natural language processing, some researchers considered the sequence of CAN IDs as a sentence and utilized world embedding and language models to build the CAN IDS [65], [66].…”

Section: Related Workmentioning

confidence: 99%

CANShield: Deep-Learning-Based Intrusion Detection Framework for Controller Area Networks at the Signal Level

Shahriar

Xiao²,

Moriano³

et al. 2023

IEEE Internet Things J.

View full text Add to dashboard Cite

Modern vehicles rely on a fleet of electronic control units (ECUs) connected through controller area network (CAN) buses for critical vehicular control. With the expansion of advanced connectivity features in automobiles and the elevated risks of internal system exposure, the CAN bus is increasingly prone to intrusions and injection attacks. As ordinary injection attacks disrupt the typical timing properties of the CAN data stream, rule-based intrusion detection systems (IDS) can easily detect them. However, advanced attackers can inject false data to the signal/semantic level, while looking innocuous by the pattern/frequency of the CAN messages. The rule-based IDS, as well as the anomaly-based IDS, are built merely on the sequence of CAN messages IDs or just the binary payload data and are less effective in detecting such attacks. Therefore, to detect such intelligent attacks, we propose CANShield, a deep learningbased signal-level intrusion detection framework for the CAN bus. CANShield consists of three modules: a data preprocessing module that handles the high-dimensional CAN data stream at the signal level and parses them into time series suitable for a deep learning model; a data analyzer module consisting of multiple deep autoencoder (AE) networks, each analyzing the time-series data from a different temporal scale and granularity, and finally an attack detection module that uses an ensemble method to make the final decision. Evaluation results on two highfidelity signal-based CAN attack datasets show the high accuracy and responsiveness of CANShield in detecting advanced intrusion attacks.

show abstract

“…Therefore, we can use a threshold of softmax score to determine whether the current test input is OOD. MSP is widely used as the comparison baseline method due to its simplicity [11], but it may not be very accurate, since a DNN often outputs incorrect yet overconfident predictions for OOD data, i.e., the ranges of softmax scores of ID and OOD data often overlap with each other. 2.…”

Section: Background and Related Workmentioning

confidence: 99%

Timing Performance Benchmarking of Out-of-Distribution Detection Algorithms

Luan

Saremi

et al. 2023

J Sign Process Syst

Self Cite

View full text Add to dashboard Cite

In an open world with a long-tail distribution of input samples, Deep Neural Networks (DNNs) may make unpredictable mistakes for Out-of-Distribution (OOD) inputs at test time, despite high levels of accuracy obtained during model training. OOD detection can be an effective runtime assurance mechanism for safe deployment of machine learning algorithms in safety–critical applications such as medical imaging and autonomous driving. A large number of OOD detection algorithms have been proposed in recent years, with a wide range of performance metrics in terms of accuracy and execution time. For real-time safety–critical applications, e.g., autonomous driving, timing performance is of great importance in addition to accuracy. We perform a comprehensive and systematic benchmark study of multiple OOD detection algorithms in terms of both accuracy and execution time on different hardware platforms, including a powerful workstation and a resource-constrained embedded device, equipped with both CPU and GPU. We also profile and analyze the internal details of each algorithm to identify the performance bottlenecks and potential for GPU acceleration. This paper aims to provide a useful reference for the practical deployment of OOD detection algorithms for real-time safety–critical applications.

show abstract

CAN Bus Intrusion Detection Based on Auxiliary Classifier GAN and Out-of-distribution Detection

Cited by 25 publications

References 49 publications

A comprehensive guide to CAN IDS data and introduction of the ROAD dataset

A comprehensive guide to CAN IDS data and introduction of the ROAD dataset

CANShield: Deep-Learning-Based Intrusion Detection Framework for Controller Area Networks at the Signal Level

Timing Performance Benchmarking of Out-of-Distribution Detection Algorithms

Contact Info

Product

Resources

About