@inproceedings { , title = {Keep the moving vehicle secure: context-aware intrusion detection system for in-vehicle CAN bus security.}, abstract = {The growth of information technologies has driven the development of the transportation sector, including connected and autonomous vehicles. Due to its communication capabilities, the controller area network (CAN) is the most widely used in-vehicle communication protocol. However, CAN lacks suitable security mechanisms such as message authentication and encryption. This makes the CAN bus vulnerable to numerous cyberattacks. Not only are these attacks a threat to information security and privacy, but they can also directly affect the safety of drivers, passengers and the surrounding environment of the moving vehicles. This paper presents CAN-CID, a context-aware intrusion detection system (IDS) to detect cyberattacks on the CAN bus, which would be suitable for deployment in automobiles, including military vehicles, passenger cars and commercial vehicles, and other CAN-based applications such as aerospace, industrial automation and medical equipment. CAN-CID is an ensemble model of a gated recurrent unit (GRU) network and a time-based model. A GRU algorithm works by learning to predict the centre ID of a CAN ID sequence, and ID-based probabilistic thresholds are used to identify anomalous IDs, whereas the time-based model identifies anomalous IDs using time-based thresholds. The number of anomalies compared to the total number of IDs over an observation window is used to classify the window status as anomalous or benign. The proposed model uses only benign data for training and threshold estimation, avoiding the need to collect realistic attack data to train the algorithm. The performance of the CAN-CID model was tested against three datasets over a range of 16 attacks, including fabrication and more sophisticated masquerade attacks. The CAN-CID model achieved an F1-Score of over 99\% for 13 of those attacks and outperformed benchmark models from the literature for all attacks, with near real-time detection latency.}, conference = {14th International conference on Cyber conflict 2022 (CyCon 2022): keep moving}, doi = {10.23919/CyCon55549.2022.9811048}, isbn = {9789916978900}, note = {INFO COMPLETE (Info via IEEExplore alert 7/7/2022 LM) PERMISSION GRANTED (version = AAM; embargo = none; licence = Pub's own; POLICY = https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=\&arnumber=9811004 ) PENDING DOCUMENT (AAM requested 7/7/2022 LM) ADDITIONAL INFO - Contact: Sampath Rajapaksha; Harsha Kalutarage; Andrei Petrovski Set Statement - (No part of this publication may be reprinted, reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the NATO Cooperative Cyber Defence Centre of Excellence (publications@ccdcoe.org). This restriction does not apply to making digital or hard copies of this publication for internal use within NATO, or for personal or educational use when for non-profit or non-commercial purposes, provided that copies bear this notice and a full citation on the first page as follows: RAJAPAKSHA, S., KALUTARAGE, H., AL-KADRI, M.O., MADZUDZO, G. and PETROVSKI, A.V., Keep the moving vehicle secure: context-aware intrusion detection system for in-vehicle CAN bus security. 2022 14th International Conference on Cyber Conflict: Keep Moving. T. Jančárková, G. Visky, I. Winther (Eds.) 2022 © CCDCOE Publication.)}, pages = {309-330}, publicationstatus = {Published}, publisher = {CCDCOE Nato Cooperative Cyber Defence Centre of Excellence}, url = {https://rgu-repository.worktribe.com/output/1706298}, keyword = {Controller area network, Anomaly detection, Vehicle networks, CAN bus}, year = {2022}, author = {Rajapaksha, Sampath and Kalutarage, Harsha and Al-Kadri, M. Omar and Madzudzo, Garikayi and Petrovski, Andrei V.} editor = {Jan?rkov, T. and Visky, G. and Winther, I.} }