Using streaming data algorithm for intrusion detection on the vehicular controller area network
Main Authors: | , , , |
---|---|
Format: | Conference or Workshop Item |
Language: | English |
Published: | Springer 2022 |
Subjects: | |
Online Access: | http://irep.iium.edu.my/96963/3/96963_Using%20Streaming%20Data%20Algorithm%20for%20Intrusion.pdf http://irep.iium.edu.my/96963/4/96963_Using%20Streaming%20Data%20Algorithm%20for%20Intrusion_SCOPUS.png http://irep.iium.edu.my/96963/1/978-981-19-0468-4_10 http://irep.iium.edu.my/96963/ http://doi.org/10.1007/978-981-19-0468-4_10 |
Summary: | The Controller Area Network (CAN), which is a protocol for the in-vehicle network, is lacking in security features, making the CAN bus vulnerable to a range of cyberattacks such as message injections, replay attacks, and denial of service attacks. This has prompted researchers to develop statistical and machine learning based intrusion detection systems for the CAN bus that use various features such as message timing and frequency to detect attacks. In this paper, the adapted streaming data Isolation Forest (iForestASD) algorithm has been applied to CAN intrusion detection. While the Isolation Forest (iForest) anomaly detection algorithm has a linear time complexity and low memory requirement, iForestASD adapts iForest by employing a sliding window that introduces the ability to handle concept drift, which is often characteristic of streaming data such as CAN bus traffic. The detection model is trained with only message timing information, making it applicable to all vehicles regardless of make and model. Results of experiments that compare the attack detection performance of iForestASD and iForest show that CAN traffic stream demonstrates insignificant concept drift and the detection model does not benefit from being retrained with a sliding window of latest CAN traffic, as in iForestASD. The size of the training sample is, however, found to be an important consideration - a model trained with only 30 s of CAN traffic always yields better detection performance than a model trained with a larger window of CAN traffic. |
---|