STATGRAPH: Effective In-vehicle Intrusion Detection via Multi-view Statistical Graph Learning
Kai Wang, Qiguang Jiang, Bailing Wang, Yulei Wu, Hongke Zhang
TL;DR
The paper tackles IVN security by addressing masquerade attacks on CAN buses through a novel multi-view graph learning approach. STATGRAPH constructs two graphs per detection window—TCG for long-term timing correlations and CRG for short-term coupling and payload similarity—and feeds them into a lightweight GCN to classify each CAN message. A new Identification Granularity metric is proposed to quantify fine-grained detection performance, and experiments on Car Hacking and ROAD datasets demonstrate superior accuracy and granularity compared with state-of-the-art baselines. The work highlights practical viability for real-time in-vehicle intrusion detection and lays groundwork for future traceability and unsupervised defenses.
Abstract
In-vehicle networks (IVNs) face complex external cyber-attacks, especially emerging masquerade attacks, which are extremely difficult to detect and have seriously damaging effects. In this paper, we propose STATGRAPH, an effective and fine-grained intrusion detection methodology for IVN security services that applies multi-view statistical graph learning to in-vehicle controller area network (CAN) messages, with insight into their variations in periodicity, payload and signal combinations. Specifically, STATGRAPH generates two statistical graphs, a timing correlation graph (TCG) and a coupling relationship graph (CRG), in every CAN message detection window, where edge attributes in TCGs represent the temporal correlation between different message IDs, while edge attributes in CRGs denote the neighbour relationship and contextual similarity. In addition, a lightweight, shallow-layered graph convolution network is trained on the graph properties of TCGs and CRGs; it learns the universal laws of various patterns more effectively and further enhances detection performance. To address the problem of insufficient attack types in previous intrusion detection work, we select two real in-vehicle CAN datasets covering five new instances of sophisticated and stealthy masquerade attacks that have never been investigated before. Experimental results show that STATGRAPH improves both detection granularity and detection performance over state-of-the-art intrusion detection methods. Code is available at https://github.com/wangkai-tech23/StatGraph.
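The per-window graph idea described above, as an added sketch that is not the authors' code or the StatGraph repository's: it builds a timing view and a coupling view from one window of CAN frames. The edge attributes (ratio of mean periods, adjacency count, bit-level payload similarity), the function names and the sample frames are assumptions made for illustration; the paper's own TCG and CRG definitions are not given on this page.

```python
from collections import defaultdict
from itertools import combinations
from statistics import mean

def bit_similarity(p: bytes, q: bytes) -> float:
    """Fraction of equal bits; the shorter payload is zero-padded."""
    n = max(len(p), len(q))
    if n == 0:
        return 1.0
    diff = sum(bin(x ^ y).count("1")
               for x, y in zip(p.ljust(n, b"\0"), q.ljust(n, b"\0")))
    return 1 - diff / (8 * n)

def build_graphs(window):
    """window: time-ordered list of (timestamp_ms, can_id, payload)."""
    seen = defaultdict(list)
    for ts, cid, _ in window:
        seen[cid].append(ts)
    # Mean inter-arrival time per ID; IDs seen once have no period here.
    period = {c: mean(b - a for a, b in zip(t, t[1:]))
              for c, t in seen.items() if len(t) > 1}
    # Timing view (assumed attribute): ratio of the two IDs' mean periods.
    tcg = {(a, b): min(period[a], period[b]) / max(period[a], period[b])
           for a, b in combinations(sorted(period), 2)}
    # Coupling view (assumed attributes): how often ID b directly follows
    # ID a, and the mean payload similarity of those adjacent frames.
    adj = defaultdict(list)
    for (_, a, pa), (_, b, pb) in zip(window, window[1:]):
        adj[(a, b)].append(bit_similarity(pa, pb))
    crg = {e: {"count": len(s), "similarity": mean(s)} for e, s in adj.items()}
    return tcg, crg

def sample_window(times_0x200):
    """Constructed traffic: ID 0x100 every 10 ms, ID 0x200 at given times."""
    frames = [(i * 10, 0x100, bytes([i, 0, 0, 0])) for i in range(6)]
    frames += [(t, 0x200, b"\xff\xff\xff\xff") for t in times_0x200]
    return sorted(frames)

if __name__ == "__main__":
    cases = (("baseline", (5, 25, 45)),
             ("extra 0x200 frames", (5, 15, 25, 35, 45)))
    for label, times in cases:
        tcg, crg = build_graphs(sample_window(times))
        print(label, tcg, {e: a["count"] for e, a in crg.items()})
```

In the constructed second window the period ratio between the two IDs moves from 0.5 to 1.0 and the 0x100-to-0x100 adjacency edge disappears, which is the kind of window-level structural change a graph classifier can be trained on.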
