Research on LSTM-Based CAN Intrusion Detection Model

doi:10.3969/j.issn.1671-1122.2022.12.007

Abstract

Abstract:

The controller area network (CAN) is connected to the core electronic control units of the intelligent networked automobile system, which is crucial to ensure the safety of the vehicle system. But it is vulnerable to denial of service(DoS) attack, replay attack and fuzzy attack due to its lack of adequate information security measures and thus causes serious security threat for automobiles and drivers. In order to effectively detect whether the CAN bus was attacked, the security threats and communication features were analyzed, and a model of CAN intrusion detection based on long short term memory (LSTM) was proposed, which could preserve the timing characteristics of CAN messages and effectively perform intrusion detection and attack classification. The experimental results show that the detection accuracy of the model is 99.99%.

Key words: intelligent networked automobile, CAN, intrusion detection, LSTM

CLC Number:

TP309

YIN Ying, ZHOU Zhihong, YAO Lihong. Research on LSTM-Based CAN Intrusion Detection Model[J]. Netinfo Security, 2022, 22(12): 57-66.

Figures/Tables 12

References 25

[1]	Upstream. Upstream’s 2022 Global Automotive Cybersecurity Report[EB/OL]. (2022-01-26) [2022-09-08]. https://upstream.auto/2022report/.
[2]	XIA Ziyan, ZHOU Zhitong, LI Xiang, et al. Feasibility Study on Automobile Electronic Control System of ECU Intrusion and Virus[J]. Netinfo Security, 2014, 14(9): 193-195.
	夏子焱, 周之童, 李响, 等. 汽车ECU电控系统入侵与汽车病毒编写的可行性研究[J]. 信息网络安全, 2014, 14(9):193-195.
[3]	FENG Cong. Research on the Governance and Law Enforcement of Network Security of Intelligent Connected Vehicles[J]. Netinfo Security, 2020(S1):44-47.
	冯聪. 智能网联汽车网络安全问题的治理与执法探索[J]. 信息网络安全, 2020(S1):44-47.
[4]	Security Guest. 360 Network Attack and Defense Lab Has Revealed a Second High Risk Vulnerability in a Tesla Vehicle-The Ability to Open the Vehicle Without a Key[EB/OL]. (2015-01-21) [2022-09-08]. https://anyun.org/a/yejiezixun/2015/0129/4460.html.
	安全客. 360网络攻防实验室公布第二例特斯拉高危漏洞—无需钥匙开启车辆[EB/OL].(2015-01-21) [2022-09-08]. https://anyun.org/a/yejiezixun/2015/0129/4460.html.
[5]	Tencent Technology. Tencent Cohen Lab Successfully Invaded Tesla Remotely for the First Time in the World[EB/OL]. (2016-09-20) [2022-09-08]. https://news.mydrivers.com/1/500/500287.htm.
	腾讯科技. 腾讯科恩实验室成功远程入侵特斯拉为全球首次[EB/OL].(2016-09-20) [2022-09-08]. https://news.mydrivers.com/1/500/500287.htm.
[6]	LI Yilin, YAN Zheng, XIE Haomeng. Survey of Privacy Preservation in VANET[J]. Netinfo Security, 2019, 19(4): 63-72.
	李怡霖, 闫峥, 谢皓萌. 车载自组织网络的隐私保护综述[J]. 信息网络安全, 2019, 19(4):63-72.
[7]	CHOI W, JO H J, WOO S, et al. Identifying ECUs Using Inimitable Characteristics of Signals in Controller Area Networks[J]. IEEE Transactions on Vehicular Technology, 2018, 67(6): 4757-4770. doi: 10.1109/TVT.2018.2810232 URL
[8]	NILSSON D K, LARSON U E, JONSSON E. Efficient in-Vehicle Delayed Data Authentication Based on Compound Message Authentication Codes[C]// IEEE. 2008 IEEE 68th Vehicular Technology Conference. New York: IEEE, 2008: 1-5.
[9]	HAZEM A, FAHMY H A. LCAP-a Lightweight Can Authentication Protocol for Securing in-Vehicle Networks[EB/OL]. (2012-06-20) [2022-09-08]. http://www.eece.cu.edu.eg/-hfahmy/publish/escar2012.pdf.
[10]	GMIDEN M, GMIDEN M H, TRABELSI H. An Intrusion Detection Method for Securing in-Vehicle CAN Bus[C]// IEEE. 2016 17th International Conference on Sciences and Techniques of Automatic Control and Computer Engineering (STA). New York: IEEE, 2016: 176-180.
[11]	MARCHETTI M, STABILI D. Anomaly Detection of CAN Bus Messages through Analysis of ID Sequences[C]// IEEE. 2017 IEEE Intelligent Vehicles Symposium (IV). New York: IEEE, 2017: 1577-1583.
[12]	MÜTER M, ASAJ N. Entropy-Based Anomaly Detection for in-Vehicle Networks[C]// IEEE. 2011 IEEE Intelligent Vehicles Symposium (IV). New York: IEEE, 2011: 1110-1115.
[13]	STABILI D, MARCHETTI M, COLAJANNI M. Detecting Attacks to Internal Vehicle Networks through Hamming Distance[C]// IEEE. 2017 AEIT International Annual Conference. New York: IEEE, 2017: 1-6.
[14]	CHO K T, SHIN K G. Fingerprinting Electronic Control Units for Vehicle Intrusion Detection[C]// USENIX. 25th USENIX Security Symposium (USENIX Security 16). Berkeley:USENIX, 2016: 911-927.
[15]	SEO E, SONG H M, KIM H K. Gids: GAN Based Intrusion Detection System for in-Vehicle Network[C]// IEEE. 2018 16th Annual Conference on Privacy, Security and Trust (PST). New York: IEEE, 2018: 1-6.
[16]	ZHU Konglin, CHEN Zhicheng, PENG Yuyang, et al. Mobile Edge Assisted Literal Multi-Dimensional Anomaly Detection of in-Vehicle Network Using LSTM[J]. IEEE Transactions on Vehicular Technology, 2019, 68(5): 4275-4284. doi: 10.1109/TVT.2019.2907269 URL
[17]	GAZDAG A, NEUBRANDT D, BUTTYÁN L, et al. Detection of Injection Attacks in Compressed CAN Traffic Logs[C]// Springer. 2018 Security and Safety Interplay of Intelligent Software Systems. New York: Springer, 2018: 111-124.
[18]	KANG M J, KANG J W. Intrusion Detection System Using Deep Neural Network for in-Vehicle Network Security[EB/OL]. (2016-06-07) [2022-09-08]. https://pubmed.ncbi.nlm.nih.gov/27271802/.
[19]	MO Xiuliang, CHEN Pengyuan, WANG Jianing, et al. Anomaly Detection of Vehicle CAN Network Based on Message Content[C]// Springer. International Conference on Security and Privacy in New Computing Environments. New York: Springer, 2019: 96-104.
[20]	SONG H M, WOO J, KIM H K. In-Vehicle Network Intrusion Detection Using Deep Convolutional Neural Network[EB/OL]. (2019-10-03) [2022-09-08]. https://www.sciencedirect.com/science/article/abs/pii/S2214209619302451.
[21]	HOCHREITER S, SCHMIDHUBER J. Long Short-Term Memory[J]. Neural Computation, 1997, 9(8): 1735-1780. pmid: 9377276
[22]	MALHOTRA P, VIG L, SHROFF G, et al. Long Short Term Memory Networks for Anomaly Detection in Time Series[EB/OL]. (2015-04-22) [2022-09-08]. https://www.researchgate.net/publication/304782562_Long_Short_Term_Memory_Networks_for_Anomaly_Detection_in_Time_Series.
[23]	MARKOVITZ M, WOOL A. Field Classification, Modeling and Anomaly Detection in Unknown CAN Bus Networks[J]. Vehicular Communications, 2017(9): 43-52.
[24]	LIU Xin, WANG Jiayin, YANG Haorui, et al. An Internet of Vehicles Authentication Protocol Based on Blockchain and SecGear Framework[J]. Netinfo Security, 2022, 22(1): 27-36.
	刘忻, 王家寅, 杨浩睿, 等. 一种基于区块链和SecGear框架的车联网认证协议[J]. 信息网络安全, 2022, 22(1):27-36.
[25]	HCRL. Car Hacking for Intrusion Detection[EB/OL]. (2018-08-01) [2022-09-08]. https://ocslab.hksecurity.net/Dataset/CAN-intrusion-dataset.

特征分类	具体表述	维数
CAN ID相关	报文的ID字段F_n_,_ID₁，十进制整数	1
CAN ID相关	下一条报文的ID字段F_n_,_ID₂，十进制整数	1
CAN数据字段相关	报文的数据字段DATA_n[0], DATA_n[1],…, DATA_n[7]，十进制整数	8
	与上一报文数据字段的差异D₁（data_n_-1, data_n），十进制整数	1
	与相同ID的上一报文数据字段的差异D₂（data_n_-1, data_n），十进制整数	1
时间间隔相关	报文频率f，实数	1
	相邻报文的时间间隔T_A，实数	1
	相同ID报文的时间间隔T_B，实数	1

攻击类型	总报文数量/条	正常报文		注入报文
攻击类型	总报文数量/条	数量/条	百分比	数量/条	百分比
DoS攻击	3665771	3078250	84%	587521	16%
Fuzzy攻击	3838860	3347013	87%	491847	13%
Spoofing攻击	6308856	5056707	80%	1252149	20%

训练集+验证集	正常报文数	DoS报文数	Fuzzy报文数	Spoofing 报文数
训练集+验证集	8037379	410165	349211	876504
测试集	正常报文数	DoS报文数	Fuzzy报文数	Spoofing 报文数
测试集	3444591	177356	142636	375645

	FNR	ER	Precision	Recall	F1
针对DoS攻击的检测模型	0.10%	0.03%	1.0	0.9989	0.9995
针对Fuzzy攻击的检测模型	0.35%	0.18%	0.9995	0.9965	0.9980
针对Spoofing攻击的检测模型	0.11%	0.05%	0.9999	0.9989	0.9994

	FNR	ER	Precision	Recall	F1
DoS攻击检测	0.016%	0.002%	0.9999	0.9999	0.9999
Fuzzy攻击检测	0.085%	0.006%	0.9995	0.9997	0.9996
Spoofing攻击检测	0.012%	0.001%	1.0000	0.9999	1.0000