Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Machine Learning with Real-time and Small Footprint Anomaly Detection System for In-Vehicle Gateway

Yi Wang, Yuanjin Zheng, Yajun Ha

TL;DR

The paper addresses the need for real-time, low-footprint anomaly detection on in-vehicle CAN gateways to defend against challenging \'one-time\' attacks. It introduces an unsupervised ADS based on information theory that builds a conditional self-information matrix $E_{i-j} = \log_2 \frac{1}{P(V_i|V_j)}$ from consecutive CAN values, with training and testing phases using a reference LUT to detect anomalies without labeled data. Compared to HMM, SVDD, and LSTM baselines, the proposed method achieves significantly lower false positives, faster detection, and a smaller footprint, notably 8.7x lower FPR, 1.77x faster testing, and 4.88x smaller footprint, on highway and urban CAN datasets. The approach is scalable, adaptable to changing driving conditions, and applicable to related CAN threats such as replay, flooding, and cyclic messages, making it practical for gateway ECU deployment.

Abstract

Anomaly Detection System (ADS) is an essential part of a modern gateway Electronic Control Unit (ECU) to detect abnormal behaviors and attacks in vehicles. Among the existing attacks, ``one-time`` attack is the most challenging to be detected, together with the strict gateway ECU constraints of both microsecond or even nanosecond level real-time budget and limited footprint of code. To address the challenges, we propose to use the self-information theory to generate values for training and testing models, aiming to achieve real-time detection performance for the ``one-time`` attack that has not been well studied in the past. Second, the generation of self-information is based on logarithm calculation, which leads to the smallest footprint to reduce the cost in Gateway. Finally, our proposed method uses an unsupervised model without the need of training data for anomalies or attacks. We have compared different machine learning methods ranging from typical machine learning models to deep learning models, e.g., Hidden Markov Model (HMM), Support Vector Data Description (SVDD), and Long Short Term Memory (LSTM). Experimental results show that our proposed method achieves 8.7 times lower False Positive Rate (FPR), 1.77 times faster testing time, and 4.88 times smaller footprint.

Machine Learning with Real-time and Small Footprint Anomaly Detection System for In-Vehicle Gateway

TL;DR

The paper addresses the need for real-time, low-footprint anomaly detection on in-vehicle CAN gateways to defend against challenging \'one-time\' attacks. It introduces an unsupervised ADS based on information theory that builds a conditional self-information matrix from consecutive CAN values, with training and testing phases using a reference LUT to detect anomalies without labeled data. Compared to HMM, SVDD, and LSTM baselines, the proposed method achieves significantly lower false positives, faster detection, and a smaller footprint, notably 8.7x lower FPR, 1.77x faster testing, and 4.88x smaller footprint, on highway and urban CAN datasets. The approach is scalable, adaptable to changing driving conditions, and applicable to related CAN threats such as replay, flooding, and cyclic messages, making it practical for gateway ECU deployment.

Abstract

Anomaly Detection System (ADS) is an essential part of a modern gateway Electronic Control Unit (ECU) to detect abnormal behaviors and attacks in vehicles. Among the existing attacks, ``one-time`` attack is the most challenging to be detected, together with the strict gateway ECU constraints of both microsecond or even nanosecond level real-time budget and limited footprint of code. To address the challenges, we propose to use the self-information theory to generate values for training and testing models, aiming to achieve real-time detection performance for the ``one-time`` attack that has not been well studied in the past. Second, the generation of self-information is based on logarithm calculation, which leads to the smallest footprint to reduce the cost in Gateway. Finally, our proposed method uses an unsupervised model without the need of training data for anomalies or attacks. We have compared different machine learning methods ranging from typical machine learning models to deep learning models, e.g., Hidden Markov Model (HMM), Support Vector Data Description (SVDD), and Long Short Term Memory (LSTM). Experimental results show that our proposed method achieves 8.7 times lower False Positive Rate (FPR), 1.77 times faster testing time, and 4.88 times smaller footprint.
Paper Structure (6 sections, 1 equation, 5 figures, 1 table)

This paper contains 6 sections, 1 equation, 5 figures, 1 table.

Table of Contents

  1. Introduction
  2. Proposed Real-time ADS based on Machine Learning
  3. The Workflow Of Existing Anomaly Detection and Prevention Systems
  4. The Proposed Method
  5. Experimental Results
  6. Conclusion

Figures (5)

  • Figure 1: The work flow of an existing anomaly detection and prevention system
  • Figure 2: Training phase: matrix with conditional self-information
  • Figure 3: Testing phase: anomaly is detected by comparing the trained matrix with the tested matrix
  • Figure 4: (a) Injected anomalies under the highway scenario; (b) Detected anomalies by our proposed method under the highway scenario
  • Figure 5: (a) Injected anomalies under the urban scenario; (b) Detected anomalies by our proposed method under the urban scenario