TY - JOUR
T1 - CANShield
T2 - Deep-Learning-Based Intrusion Detection Framework for Controller Area Networks at the Signal Level
AU - Shahriar, Md Hasan
AU - Xiao, Yang
AU - Moriano, Pablo
AU - Lou, Wenjing
AU - Hou, Y. Thomas
N1 - Publisher Copyright:
© 2014 IEEE.
PY - 2023/12/15
Y1 - 2023/12/15
N2 - Modern vehicles rely on a fleet of electronic control units (ECUs) connected through controller area network (CAN) buses for critical vehicular control. With the expansion of advanced connectivity features in automobiles and the elevated risks of internal system exposure, the CAN bus is increasingly prone to intrusions and injection attacks. As ordinary injection attacks disrupt the typical timing properties of the CAN data stream, rule-based intrusion detection systems (IDS) can easily detect them. However, advanced attackers can inject false data to the signal/semantic level, while looking innocuous by the pattern/frequency of the CAN messages. The rule-based IDS, as well as the anomaly-based IDS, are built merely on the sequence of CAN messages IDs or just the binary payload data and are less effective in detecting such attacks. Therefore, to detect such intelligent attacks, we propose CANShield, a deep learning-based signal level intrusion detection framework for the CAN bus. CANShield consists of three modules: 1) a data preprocessing module that handles the high-dimensional CAN data stream at the signal level and parses them into time series suitable for a deep learning model; 2) a data analyzer module consisting of multiple deep autoencoder (AE) networks, each analyzing the time-series data from a different temporal scale and granularity; and 3) finally an attack detection module that uses an ensemble method to make the final decision. Evaluation results on two high-fidelity signal-based CAN attack data sets show the high accuracy and responsiveness of CANShield in detecting advanced intrusion attacks.
AB - Modern vehicles rely on a fleet of electronic control units (ECUs) connected through controller area network (CAN) buses for critical vehicular control. With the expansion of advanced connectivity features in automobiles and the elevated risks of internal system exposure, the CAN bus is increasingly prone to intrusions and injection attacks. As ordinary injection attacks disrupt the typical timing properties of the CAN data stream, rule-based intrusion detection systems (IDS) can easily detect them. However, advanced attackers can inject false data to the signal/semantic level, while looking innocuous by the pattern/frequency of the CAN messages. The rule-based IDS, as well as the anomaly-based IDS, are built merely on the sequence of CAN messages IDs or just the binary payload data and are less effective in detecting such attacks. Therefore, to detect such intelligent attacks, we propose CANShield, a deep learning-based signal level intrusion detection framework for the CAN bus. CANShield consists of three modules: 1) a data preprocessing module that handles the high-dimensional CAN data stream at the signal level and parses them into time series suitable for a deep learning model; 2) a data analyzer module consisting of multiple deep autoencoder (AE) networks, each analyzing the time-series data from a different temporal scale and granularity; and 3) finally an attack detection module that uses an ensemble method to make the final decision. Evaluation results on two high-fidelity signal-based CAN attack data sets show the high accuracy and responsiveness of CANShield in detecting advanced intrusion attacks.
KW - Controller area networks (CANs)
KW - deep learning
KW - ensemble method
KW - intrusion detection systems (IDS)
UR - http://www.scopus.com/inward/record.url?scp=85167786627&partnerID=8YFLogxK
U2 - 10.1109/JIOT.2023.3303271
DO - 10.1109/JIOT.2023.3303271
M3 - Article
AN - SCOPUS:85167786627
SN - 2327-4662
VL - 10
SP - 22111
EP - 22127
JO - IEEE Internet of Things Journal
JF - IEEE Internet of Things Journal
IS - 24
ER -