Netinfo Security, 2025, Vol. 25, Issue (3): 478-493. doi: 10.3969/j.issn.1671-1122.2025.03.010

• Technical Research •

CAN Bus Intrusion Detection Method Based on Spatio-Temporal Graph Neural Networks

LIU Chenfei1,2, WAN Liang1,2

  1. State Key Laboratory of Public Big Data, Guiyang 550025, China
  2. College of Computer Science and Technology, Guizhou University, Guiyang 550025, China
  • Received: 2025-01-14 Online: 2025-03-10 Published: 2025-03-26
  • Contact: WAN Liang E-mail: lwan@gzu.edu.cn
  • About the authors: LIU Chenfei (born 2000), male, Guizhou, master's student; main research interest: network security | WAN Liang (born 1974), male, Guizhou, professor, Ph.D.; main research interest: cyberspace security
  • Funding:
    National Natural Science Foundation of China (62262004)

Abstract:

The Controller Area Network (CAN) in modern intelligent vehicles serves as the primary communication medium connecting the Electronic Control Units (ECUs). However, it faces numerous security threats because it lacks encryption and authentication mechanisms. Traditional deep learning-based intrusion detection methods, when extracting CAN message features, fail to fully consider the contextual relationships and temporal dynamics of CAN messages, leading to insufficient accuracy in detecting complex attack types. This paper proposes GNLNet, an intrusion detection method based on a spatio-temporal graph neural network. The method constructs CAN message graphs within predefined time windows using message IDs and captures the temporal associations of CAN messages to enhance the modeling of spatio-temporal information. The model first extracts local spatial features using GraphSage, then strengthens information exchange between nodes with a bidirectional graph attention network, and finally analyzes the time series of the data stream with a Long Short-Term Memory network to capture its dynamic changes over time. Experiments on two public datasets, Car_hacking and Survival_Analysis, show that GNLNet achieves a detection accuracy and F1 score of 99% in detecting and classifying complex attack types such as denial-of-service (DoS) and fuzzy attacks, outperforming existing methods.

Key words: CAN bus, intrusion detection, spatio-temporal graph neural network, bidirectional graph attention network, spatio-temporal analysis

CLC number:
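The graph-construction step the abstract describes (CAN message graphs built per time window from message IDs), as an added example that is not the authors' code. It assumes a 20 ms window and that a directed edge links each ID to the ID of the next frame; the abstract specifies neither, the frames are constructed, and the summary statistics stand in for the GraphSage, attention and LSTM stages, which are not implemented here.

```python
from collections import Counter, defaultdict

WINDOW_US = 20_000  # assumed window length (20 ms); the abstract gives no value

# Constructed frames (timestamp in microseconds, CAN ID); not taken from any dataset.
FRAMES = [
    # window 0: periodic traffic from three IDs
    (0, 0x316), (2_000, 0x18F), (4_000, 0x260),
    (6_000, 0x316), (8_000, 0x18F), (10_000, 0x260),
    # window 1: the same bus while ID 0x000 is flooded (DoS-style pattern)
    (20_000, 0x000), (20_300, 0x000), (20_600, 0x316), (20_900, 0x000),
    (21_200, 0x000), (21_500, 0x18F), (21_800, 0x000), (22_100, 0x000),
]

def split_windows(frames, window_us):
    """Group CAN IDs into consecutive fixed-length time windows, in arrival order."""
    buckets = defaultdict(list)
    for ts, can_id in sorted(frames):
        buckets[ts // window_us].append(can_id)
    return [buckets[k] for k in sorted(buckets)]

def build_graph(ids):
    """Nodes are CAN IDs; edge (u, v) counts how often v directly follows u (assumed rule)."""
    return Counter(ids), Counter(zip(ids, ids[1:]))

def graph_features(nodes, edges):
    """Per-window summary of the graph that a detector could consume."""
    total = sum(nodes.values())
    top_id, top_count = nodes.most_common(1)[0]
    return {
        "frames": total,
        "nodes": len(nodes),
        "edges": len(edges),
        "self_loops": sum(c for (u, v), c in edges.items() if u == v),
        "top_id": top_id,
        "top_share": top_count / total,
    }

def summarize(frames, window_us=WINDOW_US):
    """Return one feature dict per non-empty time window."""
    return [graph_features(*build_graph(ids)) for ids in split_windows(frames, window_us)]

if __name__ == "__main__":
    for i, feats in enumerate(summarize(FRAMES)):
        print(i, feats)
```

In the flooded window a single ID dominates the node counts and self-loop edges appear, which is the structural change a graph-based detector can pick up between windows.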