Online clustering-based unsupervised intrusion detection system for in-vehicle networks
摘要
Modern vehicles are becoming more intelligent, enabled by the extensive use of various electronic control units (ECUs). This increases the interaction between external systems and the controller area network (CAN), which was originally designed as a stable and flexible closed network without considering authentication or authorization mechanisms. However, the potential threats posed by external systems make the security of the CAN bus a serious problem. Most of the existing practical machine learning (ML) models either rely on rare labeled data or have difficulty updating the hyperparameters to adapt to the changing environment. In this paper, we propose a novel online-updated unsupervised method for CAN bus intrusion detection. The method consists of a new feature engineering strategy and an improved online autonomous anomaly detection for streaming CAN data (AADSC) algorithm. Feature engineering focuses on the similar characteristics of CAN data frames in defined time windows, transforming the raw CAN data frames into feature samples composed of eight feature elements. The online AADSC algorithm assigns similar samples to the same clusters and selects the samples from clusters with sizes below or equal to the mean as anomalies. We conduct extensive experiments using the Car-Hacking dataset collected from real cars. Evaluation results demonstrate that the proposed intrusion detection system has excellent performance and competitiveness in CAN security protection, with a maximum recall rate of 100% and a minimum detection time of less than 1 ms.