Protecting vehicles from cyberattacks: context aware AI-based intrusion detection for vehicle CAN bus security.

Author: Rajapaksha, Sampath

Contributors

Omar Al-Kadri (Supervisor)
Andrei Petrovski (Supervisor)
Garikayi Madzudzo (Supervisor)
Madeline Cheah (Supervisor)

Abstract

Modern automobiles are equipped with a large number of electronic control units (ECUs), which are interconnected through the controller area network (CAN) bus for real-time data exchange. However, the CAN bus lacks security measures, rendering it susceptible to cyberattacks and endangering passenger safety. Although artificial intelligence (AI)-based intrusion detection systems (IDSs) can detect these attacks, achieving higher detection rates in near real time poses challenges. This research aims to enhance in-vehicle network (IVN) attack detection by developing a deployable AI-based IDS. First, a lightweight context-aware IDS named CAN-CID is introduced, employing a combination of a gated recurrent unit (GRU)-based recurrent neural network (RNN) model and a time-based model. CAN-CID is designed to detect injection and masquerade attacks on the CAN bus. It achieved an F1 score of over 99% on three publicly available CAN attack datasets for 10 injection and three masquerade attacks, outperforming baseline models. To overcome the challenge of requiring a large dataset for effective attack detection with the GRU-based model for medium- and low-frequency IDs, CAN-ODTL, a novel on-device transfer learning technique, is introduced. CAN-ODTL outperformed the pre-trained and baseline models with an over 99% detection rate for realistic attacks. CAN-ODTL is designed to be trained with a larger dataset than the CAN-CID model so that it learns the majority of benign patterns of medium- and low-frequency IDs, thus enhancing its ability to detect attacks targeting such IDs. As streaming learning approaches such as CAN-ODTL are susceptible to data poisoning attacks, an anomaly detection method leveraging the Mahalanobis distance is employed to identify and eliminate poisoned data samples before model retraining. Evaluation on a real dataset with varying percentages of data poisoning attacks demonstrates the method's high accuracy of 100% in detecting poisoned samples.
While the CAN ID-based CAN-ODTL is effective against injection and certain masquerade attacks, it faces challenges in detecting attacks that only alter the payload field. To address this limitation, an improved autoencoder (AE)-based model, known as Latent AE, is introduced for detecting attacks aimed at the payload data. The ensemble of the GRU-based RNN model and Latent AE demonstrated its superiority over baseline models, exhibiting near-real-time detection latency. In response to the current lack of realistic attack datasets, a novel CAN bus dataset is presented. Improved versions of the proposed CAN-ODTL and Latent AE models are then deployed in a real vehicle and evaluated with real-world attacks. This demonstrated the effectiveness of the proposed IDS, which achieved an attack detection rate of over 99% for 23 attacks with a near-real-time detection latency of 25 ms. These results highlight the effectiveness of employing multiple IDSs, each utilizing distinct fields of the CAN data, in detecting attacks and achieving near-real-time detection.

Citation

RAJAPAKSHA, S. 2024. Protecting vehicles from cyberattacks: context aware AI-based intrusion detection for vehicle CAN bus security. Robert Gordon University, PhD thesis. Hosted on OpenAIR [online]. Available from: https://doi.org/10.48526/rgu-wt-2801124

Thesis Type: Thesis
Deposit Date: Apr 22, 2025
Publicly Available Date: Apr 22, 2025
DOI: https://doi.org/10.48526/rgu-wt-2801124
Keywords: Vehicle systems; Controller area networks (CANs); Cybersecurity; Systems security; Intrusion detection
Public URL: https://rgu-repository.worktribe.com/output/2801124
Award Date: Aug 31, 2024
