基于时空图神经网络的CAN总线入侵检测方法

doi:10.3969/j.issn.1671-1122.2025.03.010

摘要/Abstract

摘要：

现代智能车辆中的控制器局域网（CAN）作为连接各电子控制单元（ECU）的主要通信媒介，因缺乏加密和认证机制而面临多种安全威胁。传统基于深度学习的入侵检测方法在提取CAN消息特征时，未能充分考虑其上下文关系及CAN消息的时序动态变化，导致在复杂攻击类型的检测中存在精度不足的问题。因此，文章提出一种基于时空图神经网络的入侵检测方法GNLNet。该方法通过在预定义的时间窗口内利用消息ID构建CAN消息图，并捕捉CAN消息的时序关联，以增强时空信息的建模能力。模型首先利用GraphSage提取局部空间特征，再通过双向图注意力网络加强节点间信息的交互，最后使用长短期记忆网络对数据流的时间序列进行分析，捕捉数据流随时间的动态变化。在Car_hacking和Survival_Analysis两个公开数据集上进行实验。结果表明，GNLNet在检测和分类拒绝服务攻击及模糊攻击等复杂攻击类型时，检测准确率和F1分数均达到99%，优于现有方法。

关键词: CAN总线, 入侵检测, 时空图神经网络, 双向图注意力网络, 时空分析

Abstract:

The Controller Area Network in modern intelligent vehicles serves as the primary communication medium connecting various Electronic Control Units. However, it faces numerous security threats due to the lack of encryption and authentication mechanisms. Traditional deep learning-based intrusion detection methods fail to fully consider the contextual relationships and temporal dynamics of CAN messages, leading to insufficient accuracy in detecting complex attacks. This paper proposed a spatio-temporal graph neural network-based intrusion detection method, GNLNet. The method constructed CAN message graphs within predefined time windows using message IDs, captured temporal associations of CAN messages to enhance the modeling of spatio-temporal information. The model first extracted local spatial features using GraphSage, then enhanced node interactions with a bidirectional graph attention network, and finally analyzed time series data with Long Short-Term Memory networks to capture dynamic changes over time. Experimental results on the Car_hacking and Survival_Analysis datasets demonstrate that GNLNet achieve detection accuracy and F1 score to 99% in identifying and classifying complex attacks such as DoS and Fuzzy, surpasses existing methods.

Key words: CAN bus, intrusion detection, spatio-temporal graph neural network, bidirectional graph attention network, spatio-temporal analysis

中图分类号:

TP309

刘晨飞, 万良. 基于时空图神经网络的CAN总线入侵检测方法[J]. 信息网络安全, 2025, 25(3): 478-493.

LIU Chenfei, WAN Liang. CAN Bus Intrusion Detection Method Based on Spatio-Temporal Graph Neural Networks[J]. Netinfo Security, 2025, 25(3): 478-493.

图/表 14

图1

图2

图3

表1

图4

表2

表3

表4

图5

图6

图7

表5

表6

模型在不同时间窗口下对CHD数据集的性能评估

时间窗口 $U$ /ms	准确率	精确率	召回率	F1分数
20	98.52%	95.33%	97.70%	96.48%
40	99.87%	99.58%	99.81%	99.69%
60	99.99%	99.68%	99.92%	99.80%
80	99.99%	99.60%	99.93%	99.75%
100	99.98%	99.72%	99.89%	99.80%

表6

表7

参考文献 32

[1]	LUO Qian, LIU Jiajia. Wireless Telematics Systems in Emerging Intelligent and Connected Vehicles: Threats and Solutions[J]. IEEE Wireless Communications, 2018, 25(6): 113-119.
[2]	ZHOU Haibo, LIU Bo, LUAN T H, et al. ChainCluster: Engineering a Cooperative Content Distribution Framework for Highway Vehicular Communications[J]. IEEE Transactions on Intelligent Transportation Systems, 2014, 15(6): 2644-2657.
[3]	SHARMA K, BUTLER B, JENNINGS B. Graph-Based Heuristic Solution for Placing Distributed Video Processing Applications on Moving Vehicle Clusters[J]. IEEE Transactions on Network and Service Management, 2022, 19(3): 3076-3089.
[4]	MARTINELLI F, MERCALDO F, NARDONE V, et al. Who’s Driving My Car?A Machine Learning Based Approach to Driver Identification[C]// IEEE. Proceedings of the 4th International Conference on Information Systems Security and Privacy. New York: IEEE, 2018: 367-372.
[5]	CAO Yue, LI Sifan, LYU Chenchen, et al. Towards Cyber Security for Low-Carbon Transportation: Overview, Challenges and Future Directions[EB/OL]. (2023-06-19)[2024-12-30]. https://doi.org/10.1016/j.rser.2023.113401.
[6]	WARD D, IBARRA I, RUDDLE A. Threat Analysis and Risk Assessment in Automotive Cyber Security[J]. SAE International Journal of Passenger Cars-Electronic and Electrical Systems, 2013, 6(2): 507-513.
[7]	MILLER C. Remote Exploitation of an Unaltered Passenger Vehicle[EB/OL]. (2015-08-10)[2024-12-30]. https://cis.temple.edu/-qzeng/cis4360-spring17/papers/Remote-Car-Hacking.pdf.
[8]	WANG Kai, ZHANG Aiheng, SUN Haoran, et al. Analysis of Recent Deep-Learning-Based Intrusion Detection Methods for in-Vehicle Network[J]. IEEE Transactions on Intelligent Transportation Systems, 2023, 24(2): 1843-1854.
[9]	CORRIGAN S. Introduction to the Controller Area Network (CAN)[EB/OL]. (2016-05-10)[2024-12-30]. https://www.ti.com/cn/lit/an/sloa101b/sloa101b.pdf?ts=1740374594584.
[10]	DAI Yinfei, ZHOU Xiuzhen, LIU Yubao, et al. In-Vehicle Network Intrusion Detection System Based on Can Bus Data[EB/OL]. (2024-04-09)[2024-12-30]. https://doi.org/10.13229/j.cnki.jdxbgxb.20240044.
	戴银飞, 周秀贞, 刘玉宝, 等. 基于CAN总线数据的车载网络入侵检测系统[EB/OL]. (2024-04-09)[2024-12-30]. https://doi.org/10.13229/j.cnki.jdxbgxb.20240044.
[11]	LIU Jiajia, ZHANG Shubin, SUN Wen, et al. In-Vehicle Network Attacks and Countermeasures: Challenges and Future Directions[J]. IEEE Network, 2017, 31(5): 50-58.
[12]	DELWAR H M, INOUE H, OCHIAI H, et al. An Effective in-Vehicle CAN Bus Intrusion Detection System Using CNN Deep Learning Approach[C]// IEEE. 2020 IEEE Global Communications Conference. New York: IEEE, 2020: 1-6.
[13]	SONG H M, WOO J, KIM H K. In-Vehicle Network Intrusion Detection Using Deep Convolutional Neural Network[EB/OL]. (2019-10-03)[2024-12-30]. https://doi.org/10.1016/j.vehcom.2019.100198.
[14]	AHMED I, JEON G, AHMAD A. Deep Learning-Based Intrusion Detection System for Internet of Vehicles[J]. IEEE Consumer Electronics Magazine, 2023, 12(1): 117-123.
[15]	HANSELMANN M, STRAUSS T, DORMANN K, et al. CANet: An Unsupervised Intrusion Detection System for High Dimensional CAN Bus Data[J]. IEEE Access, 2020, 8: 58194-58205.
[16]	JEDH M, BEN O L, AHMED N, et al. Detection of Message Injection Attacks Onto the CAN Bus Using Similarities of Successive Messages-Sequence Graphs[J]. IEEE Transactions on Information Forensics and Security, 2021, 16: 4133-4146.
[17]	LONGARI S, NOVA V D H, ZAGO M, et al. CANnolo: An Anomaly Detection System Based on LSTM Autoencoders for Controller Area Network[J]. IEEE Transactions on Network and Service Management, 2021, 18(2): 1913-1924.
[18]	AGRAWAL K, ALLADI T, AGRAWAL A, et al. NovelADS: A Novel Anomaly Detection System for Intra-Vehicular Networks[J]. IEEE Transactions on Intelligent Transportation Systems, 2022, 23(11): 22596-22606.
[19]	ZEKRY A, SAYED A, MOUSSA M, et al. Anomaly Detection Using IoT Sensor-Assisted ConvLSTM Models for Connected Vehicles[C]// IEEE. 2021 IEEE 93rd Vehicular Technology Conference (VTC2021-Spring). New York: IEEE, 2021: 1-6.
[20]	ZHANG Hengrun, ZENG Kai, LIN Shuai. Federated Graph Neural Network for Fast Anomaly Detection in Controller Area Networks[J]. IEEE Transactions on Information Forensics and Security, 2023, 18: 1566-1579.
[21]	XIAO Junchao, YANG Lin, ZHONG Fuli, et al. Robust Anomaly-Based Intrusion Detection System for in-Vehicle Network by Graph Neural Network Framework[J]. Applied Intelligence, 2023, 53(3): 3183-3206.
[22]	XIAO Junchao, CHEN Hongbo, ZHONG Fuli. A Novel Feature Extraction Framework Using Graph Node Attention Network for in-Vehicle Networks Intrusion Detection[J]. IEEE Systems Journal, 2024, 18(1): 150-161.
[23]	HAMILTON W L, YING R, LESKOVEC J, et al. Inductive Representation Learning on Large Graphs[C]// ACM. Proceedings of the 31st International Conference on Neural Information Processing Systems. New York: ACM, 2017: 1025-1035.
[24]	VELICKOVIC P, CUCURULL G, CASANOVA A, et al. Graph Attention Networks[EB/OL]. (2018-02-04)[2024-12-30]. https://arxiv.org/abs/1710.10903.
[25]	YIN Ying, ZHOU Zhihong, YAO Lihong. Research on LSTM-Based CAN Intrusion Detection Model[J]. Netinfo Security, 2022, 22(12): 57-66.
	银鹰, 周志洪, 姚立红. 基于LSTM的CAN入侵检测模型研究[J]. 信息网络安全, 2022, 22(12): 57-66.
[26]	HAN M L, KWAK B I, KIM H K. Anomaly Intrusion Detection Method for Vehicular Networks Based on Survival Analysis[J]. Vehicular Communications, 2018, 14: 52-63.
[27]	GUPTA K D, SHARMA D K, DWIVEDI R, et al. AHDNN: Attention-Enabled Hierarchical Deep Neural Network Framework for Enhancing Security of Connected and Autonomous Vehicles[EB/OL]. [2024-12-30]. https://doi.org/10.1142/S0218126623500585.
[28]	LO W, ALQAHTANI H, THAKUR K, et al. A Hybrid Deep Learning Based Intrusion Detection System Using Spatial-Temporal Representation of in-Vehicle Network Traffic[EB/OL]. (2022-03-30)[2024-12-30]. https://doi.org/10.1016/j.vehcom.2022.100471.
[29]	KARPAGAVALLI C, KALIAPPAN M. Edge Implicit Weighting with Graph Transformers for Robust Intrusion Detection in Internet of Things Network[EB/OL]. (2024-12-21)[2024-12-30]. https://doi.org/10.1016/j.cose.2024.104299.
[30]	LIN Lieqing, ZHONG Qi, QIU Jiasheng, et al. E-GRACL: An IoT Intrusion Detection System Based on Graph Neural Networks[EB/OL]. (2024-10-21)[2024-12-30]. https://doi.org/10.1007/s11227-024-06471-5.
[31]	LO W W, LAYEGHY S, SARHAN M, et al. E-GraphSAGE: A Graph Neural Network Based Intrusion Detection System for IoT[C]// IEEE. NOMS 2022 IEEE/IFIP Network Operations and Management Symposium. New York: IEEE, 2022: 1-9.
[32]	ABUALHOUL M Y, SHAGDAR O, NASHASHIBI F. Visible Light Inter-Vehicle Communication for Platooning of Autonomous Vehicles[C]// IEEE. 2016 IEEE Intelligent Vehicles Symposium (IV). New York: IEEE, 2016: 508-513.

编辑推荐 0

Metrics

阅读次数

全文

HTML			PDF

最新录用	在线预览	正式出版	最新录用	在线预览	正式出版
0	0	6	0	0	18

来源	本网站	其他网站

次数	24	0
比例	100%	0%

摘要

最新录用	在线预览	正式出版

0	0	39

	来源	本网站

	次数	39
	比例	100%

属性	描述
时间戳	记录时间（s）
CAN ID	CAN消息的十六进制标识符（如02C0）
DLC	数据字段包含的字节数（0~8字节）
DATA[0]~DATA[7]	数据字段的字节值
标签	消息类型（“T”表示攻击，“R”表示正常）

类别	模型	准确率	精确率	召回率	F1分数
正常	AHDNN^[27]	98.20%	96.94%	97.57%	96.94%
	DCNN^[13]	98.30%	98.82%	98.55%	99.39%
	VGG-16^[14]	97.17%	97.66%	97.42%	97.66%
	HyDL^[28]	98.90%	99.28%	98.90%	99.53%
	CANnolo^[17]	97.93%	96.37%	97.14%	96.37%
	NovelADS^[18]	99.34%	99.19%	99.26%	99.19%
	GNLNet	99.99%	100%	99.99%	99.99%
DoS攻击	AHDNN^[27]	94.16%	97.02%	94.16%	95.57%
	DCNN^[13]	95.98%	90.80%	95.98%	93.32%
	VGG-16^[14]	95.58%	95.54%	94.12%	95.81%
	HyDL^[28]	97.96%	98.30%	96.34%	97.32%
	CANnolo^[17]	97.47%	96.66%	95.82%	96.24%
	NovelADS^[18]	98.01%	97.34%	97.31%	97.19%
	GNLNet	99.65%	98.24%	99.65%	98.94%
Fuzzy攻击	AHDNN^[27]	95.12%	96.52%	93.16%	94.79%
	DCNN^[13]	94.13%	95.51%	92.14%	93.78%
	VGG-16^[14]	92.13%	93.61%	91.12%	92.35%
	HyDL^[28]	97.11%	97.64%	96.68%	97.11%
	CANnolo^[17]	96.17%	97.14%	95.16%	96.17%
	NovelADS^[18]	98.09%	98.31%	98.12%	96.16%
	GNLNet	99.87%	99.89%	99.87%	99.88%
Gear欺骗攻击	AHDNN^[27]	98.35%	98.42%	99.04%	98.35%
	DCNN^[13]	98.14%	98.41%	98.01%	98.22%
	VGG-16^[14]	98.93%	99.05%	98.65%	98.96%
	HyDL^[28]	99.31%	99.27%	99.03%	99.35%
	CANnolo^[17]	98.46%	98.65%	98.32%	98.72%
	NovelADS^[18]	99.85%	99.89%	99.80%	99.84%
	GNLNet	99.99%	100%	99.99%	100%
RPM欺骗攻击	AHDNN^[27]	98.85%	98.26%	99.05%	98.93%
	DCNN^[13]	98.13%	98.59%	98.02%	98.30%
	VGG-16^[14]	98.26%	99.02%	98.78%	98.64%
	HyDL^[28]	99.06%	99.15%	99.25%	99.06%
	CANnolo^[17]	98.94%	99.05%	98.96%	99.14%
	NovelADS^[18]	99.35%	99.36%	99.16%	99.26%
	GNLNet	100%	100%	100%	100%

类别	模型	准确率	精确率	召回率	F1分数
正常	GNAT^[22]	99.76%	99.86%	99.76%	99.81%
	CAN-GAT-2^[21]	99.81%	99.92%	99.81%	99.86%
	EIW-AGT^[29]	98.92%	98.74%	99.91%	97.83%
	E-GRACL^[30]	97.84%	96.47%	97.82%	96.64%
	GNLNet	99.99%	100%	99.99%	99.99%
DoS攻击	GNAT^[22]	99.05%	96.51%	99.05%	97.76%
	CAN-GAT-2^[21]	99.13%	97.09%	99.13%	98.10%
	EIW-AGT^[29]	97.36%	98.23%	98.12%	97.24%
	E-GRACL^[30]	96.56%	96.84%	96.18%	95.84%
	GNLNet	99.65%	98.24%	99.65%	98.94%
Fuzzy攻击	GNAT^[22]	98.47%	99.46%	98.47%	98.96%
	CAN-GAT-2^[21]	99.36%	99.68%	99.36%	99.52%
	EIW-AGT^[29]	96.45%	95.74%	96.53%	95.68%
	E-GRACL^[30]	97.03%	97.64%	96.89%	96.96%
	GNLNet	99.87%	99.89%	99.87%	99.88%
Gear欺骗攻击	GNAT^[22]	99.94%	99.95%	99.94%	99.94%
	CAN-GAT-2^[21]	99.98%	99.98%	99.98%	99.98%
	EIW-AGT^[29]	98.69%	96.90%	96.68%	96.77%
	E-GRACL^[30]	98.04%	95.02%	95.39%	95.18%
	GNLNet	99.99%	100%	99.99%	100%
RPM欺骗攻击	GNAT^[22]	99.95%	99.96%	99.95%	99.96%
	CAN-GAT-2^[21]	99.99%	99.99%	99.99%	99.99%
	EIW-AGT^[29]	97.82%	98.17%	98.27%	97.57%
	E-GRACL^[30]	96.38%	97.63%	97.51%	96.22%
	GNLNet	100%	100%	100%	100%

测试车型	类别	准确率	精确率	召回率	F1分数
起亚Soul	正常	92.68%	94.75%	96.38%	95.96%
	泛洪攻击	97.01%	87.20%	82.29%	84.67%
	Fuzzy攻击	95.95%	72.30%	64.18%	68.00%
	故障攻击	99.42%	84.34%	79.77%	81.99%
雪佛兰Spark	正常	91.60%	94.56%	95.29%	94.92%
	泛洪攻击	96.42%	81.49%	80.39%	80.94%
	Fuzzy攻击	95.56%	66.98%	61.98%	64.38%
	故障攻击	99.16%	74.63%	73.74%	74.18%

类别	图构建方法	准确率	精确率	召回率	F1分数
正常	文献[22]	78.28%	72.54%	73.46%	70.31%
正常	加入回溯链接机制	88.26%	82.93%	84.39%	82.74%
DoS攻击	文献[22]	72.32%	68.02%	69.54%	68.75%
DoS攻击	加入回溯链接机制	85.01%	79.71%	81.23%	80.46%
Fuzzy攻击	文献[22]	71.03%	66.81%	68.32%	67.56%
Fuzzy攻击	加入回溯链接机制	82.94%	78.92%	81.31%	79.11%
Gear欺骗攻击	文献[22]	74.12%	69.25%	70.41%	69.33%
Gear欺骗攻击	加入回溯链接机制	87.67%	87.53%	87.75%	87.64%
RPM欺骗攻击	文献[22]	75.24%	70.46%	71.47%	70.73%
RPM欺骗攻击	加入回溯链接机制	88.34%	89.65%	89.78%	89.71%