
MKF-ADS: Multi-Knowledge Fusion Based Self-supervised Anomaly Detection System for Control Area Network

Pengzhou Cheng, Zongru Wu, Gongshen Liu

TL;DR

This paper tackles the challenge of detecting complex CAN attacks with low false alarms by introducing MKF-ADS, a self-supervised anomaly detector that fuses spatial-temporal and contextual knowledge. It deploys two lightweight modules, STcAM for spatial-temporal features and PatchST for contextual modeling, and uses cross-knowledge distillation to integrate their strengths efficiently. The approach yields strong predictive and detection performance, achieving a low error rate (ER) of about $2.62\%$ and a false alarm rate (FAR) of $2.41\%$, with a high F1-score of $97.3\%$ on six attack scenarios, while maintaining a compact model of 1,748 parameters. Its real-time capability and vehicle-level efficiency make it suitable for deployment in resource-constrained in-vehicle networks, with potential for broader CAN-ID integration and interpretability enhancements in future work.

Abstract

Control Area Network (CAN) is an essential communication protocol for interaction between Electronic Control Units (ECUs) in the vehicular network. However, CAN faces stringent security challenges due to innate security risks. Intrusion detection systems (IDSs) are a crucial safety component in remediating Vehicular Electronics and Systems vulnerabilities. However, existing IDSs fail to identify complex attacks and produce more false alarms owing to a capability bottleneck. In this paper, we propose a self-supervised multi-knowledge fused anomaly detection model, called MKF-ADS. Specifically, the method designs an integration framework that includes a spatial-temporal correlation with attention mechanism (STcAM) module and a patch sparse-transformer (PatchST) module. The STcAM with fine-pruning uses one-dimensional convolution (Conv1D) to extract spatial features and then uses Bidirectional Long Short-Term Memory (Bi-LSTM) to extract temporal features, with the attention mechanism focusing on the important time steps. Meanwhile, the PatchST captures the combined contextual features from independent univariate time series. Finally, the proposed method applies knowledge distillation, with STcAM as the student model that learns its own intrinsic knowledge and also acquires the ability to mimic PatchST. We conduct extensive experiments on six simulation attack scenarios across various CAN IDs and time steps, and on two real attack scenarios, which show competitive prediction and detection performance. Compared with the baseline in the same paradigm, the error rate and FAR are 2.62% and 2.41%, and the model achieves a promising F1-score of 97.3%.

Paper Structure (25 sections, 22 equations, 14 figures, 5 tables, 1 algorithm)

Figures (14)

  • Figure 1: The standard structure of a CAN frame. In the data field, each ID's signal is translated by the "READ" method. For instance, we extracted four effective physical signals on the '0x260' ID, including $1^{st}-7^{th}$, $8^{th}-15^{th}$, $16^{th}-23^{rd}$, and $42^{nd}-47^{th}$.
  • Figure 2: Illustration of the design intuition for knowledge modeling, of which (a) presents the frequency of CAN ID and an instance; (b) is the bit flip rate of each CAN ID; and (c) visualization of valid signals based on CAN sequences.
  • Figure 3: Overview of the proposed MKF-IDS.
  • Figure 4: Structure of STcAM component.
  • Figure 5: Structure of PatchST component.
  • ...and 9 more figures
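
As an added illustration (not code from the paper), this Python example computes the per-bit flip rate that Figure 2(b) plots and slices a data field at the four bit ranges the Figure 1 caption gives for ID 0x260, yielding one univariate time series per signal. The payloads are constructed, and the MSB-first bit numbering and all function names are assumptions; it does not implement READ's own boundary inference.

```python
# Constructed sample: 8-byte data fields of one CAN ID, in arrival order.
SAMPLE_PAYLOADS = [bytes.fromhex(h) for h in (
    "0510800000010000", "0610810000020000",
    "0711800000030000", "0811810000040000",
)]
# Inclusive bit ranges from the Figure 1 caption for ID 0x260.
# Assumption: bit 0 is the most significant bit of the first data byte.
SIGNAL_RANGES_0X260 = [(1, 7), (8, 15), (16, 23), (42, 47)]


def bit_flip_rate(payloads):
    """Per bit position, the fraction of consecutive frames in which it changed."""
    if len(payloads) < 2:
        raise ValueError("need at least two frames")
    nbits = len(payloads[0]) * 8
    if any(len(p) * 8 != nbits for p in payloads):
        raise ValueError("frames of one ID must share a data length")
    flips = [0] * nbits
    for prev, cur in zip(payloads, payloads[1:]):
        diff = int.from_bytes(prev, "big") ^ int.from_bytes(cur, "big")
        for pos in range(nbits):
            flips[pos] += (diff >> (nbits - 1 - pos)) & 1
    return [count / (len(payloads) - 1) for count in flips]


def extract_signals(payload, ranges):
    """Slice one data field into unsigned integers, one per bit range."""
    nbits = len(payload) * 8
    value = int.from_bytes(payload, "big")
    signals = []
    for first, last in ranges:
        if not 0 <= first <= last < nbits:
            raise ValueError(f"bit range {first}-{last} outside {nbits}-bit field")
        width = last - first + 1
        signals.append((value >> (nbits - 1 - last)) & ((1 << width) - 1))
    return signals


def to_series(payloads, ranges):
    """Turn a frame sequence into one univariate time series per signal."""
    rows = [extract_signals(p, ranges) for p in payloads]
    return [list(column) for column in zip(*rows)]


if __name__ == "__main__":
    print(bit_flip_rate(SAMPLE_PAYLOADS)[:24])
    print(to_series(SAMPLE_PAYLOADS, SIGNAL_RANGES_0X260))
```

Bits that never flip (rate 0.0) carry no signal, while a rate near 1.0 marks the least significant bit of a fast-changing field such as a counter.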