CANTransfer – Transfer Learning based Intrusion Detection on
a Controller Area Network using Convolutional LSTM Network
Shahroz Tariq
∗
Dept. of Computer Science
and Engineering
Sungkyunkwan University
Suwon, South Korea
shahroz@g.skku.edu
Sangyup Lee
∗
Dept. of Computer Science
and Engineering
Sungkyunkwan University
Suwon, South Korea
sangyup.lee@g.skku.edu
Simon S. Woo
†
Dept. of Computer Science
and Engineeing
Dept. of Applied Data Science
Sungkyunkwan University
Suwon, South Korea
swoo@g.skku.edu
ABSTRACT
In-vehicle communications, due to simplicity and reliability, a Con-
troller Area Network (CAN) bus is widely used as the de facto stan-
dard to provide serial communications between Electronic Control
Units (ECUs). However, prior research exhibits several network-
level attacks can be easily performed and exploited in the CAN bus.
Additionally, new types of intrusion attacks are discovered very
frequently. However, unless we have a large amount of data about
an intrusion, developing an ecient deep neural network-based
detection mechanism is not easy. To address this challenge, we pro-
pose CANTransfer, an intrusion detection method using Transfer
Learning for CAN bus, where a Convolutional LSTM based model
is trained using known intrusion to detect new attacks. By apply-
ing one-shot learning, the model can be adaptable to detect new
intrusions with a limited amount of new datasets. We performed
extensive experimentation and achieved a performance gain of
26.60% over the best baseline model for detecting new intrusions.
CCS CONCEPTS
• Security and privacy → Intrusion detection systems
;
• Com-
puting methodologies → Neural networks;
KEYWORDS
Controller Area Network, Intrusion Detection, Transfer Learning,
Convolutional LSTM, In-Vehicle Network
ACM Reference Format:
Shahroz Tariq, Sangyup Lee, and Simon S. Woo. 2020. CANTransfer – Trans-
fer Learning based Intrusion Detection on a Controller Area Network using
Convolutional LSTM Network. In The 35th ACM/SIGAPP Symposium on
Applied Computing (SAC ’20), March 30-April 3, 2020, Brno, Czech Republic.
ACM, New York, NY, USA, 8 pages. https://doi.org/10.1145/3341105.3373868
∗
Equal Contribution
†
Corresponding Author
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for prot or commercial advantage and that copies bear this notice and the full citation
on the rst page. Copyrights for components of this work owned by others than ACM
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,
to post on servers or to redistribute to lists, requires prior specic permission and/or a
fee. Request permissions from permissions@acm.org.
SAC ’20, March 30-April 3, 2020, Brno, Czech Republic
© 2020 Association for Computing Machinery.
ACM ISBN 978-1-4503-6866-7/20/03.. . $15.00
https://doi.org/10.1145/3341105.3373868
1 INTRODUCTION
As demonstrated by the Consumer Electronics Show (CES 2018) [
5
],
self-driving cars and related vehicle technologies are one of the
fastest-growing areas of interest to many companies. At CES 2018,
a total of 556 companies were active in the automotive and vehicle
technology sector, including not only major automotive companies
such as Ford, Mercedes-Benz, Toyota, and Hyundai, but also other
Internet companies such as Amazon, Intel, NVIDIA and Cisco [
16
].
This area has become an explicit meeting point and a point of a
partnership between traditional car manufacturers and the most
prominent Internet companies [
16
]. Also, with considerable inter-
ests and developments in the Internet of Things (IoT), we can easily
envisage this automotive technology being seamlessly connected to
many other IoT devices, clouds, and other cyber-physical systems
(CPS) via wireless and cellular networks. Nevertheless, when vehi-
cles link to other networks, there may be periodic network attacks
such as Denial-of-Service (DoS), packet injection, and spoong
attacks to target vehicle subsystems. Security researchers have
discovered that cyberattacks are used to manipulate data inside
the vehicle’s internal control bus [
15
,
28
]. This vulnerability could
allow the intruder to inuence physical subsystems such as the
steering wheel, engine, and brakes that could potentially endanger
passengers or pedestrians. Additionally, new attack approaches
will emerge that exploit particular protocol weaknesses in automo-
tive technology. It is, therefore, necessary to plant and strengthen
various parametric defense mechanisms throughout the vehicle to
extenuate and mitigate cyberattacks.
The Controller Area Network (CAN) bus [
32
], which is a de-facto
standard for serial communication, has been widely used for in-
vehicle communication to provide an eective, stable and economic
link between electronic control units (ECUs). The CAN bus is a
broadcast-based networking protocol that allows a peak baud rate
of up to 1 Mbps on a single bus built by Bosch in 1985. Due to its
low prices, size, and functionality, most car manufacturers have
embraced the CAN bus. However, due to its simplicity, there are
several vulnerabilities in the CAN bus. As demonstrated by Lee et
al. [
15
] and Song et al. [
28
], the receiving node does not verify the
source of a CAN message; hence, many network trac injection
attacks are possible. As a result, numerous network attacks can be
easily carried out and practically deployed on the CAN bus. Types
of such attacks involve ooding the bus with messages meant to
circumvent legitimate ones or using spoofed bus identiers with
1048