CANTransfer–TransferLearningbasedIntrusionDetectionon资源-CSDN文库

共31个文件

pyc：10个

py：8个

xml：6个

版权申诉

人工智能

5星 · 超过95%的资源 172 浏览量 2023-04-01 22:50:10 上传评论收藏 163MB ZIP 举报

资源推荐

资源详情

资源评论

收起资源包目录

迁移学习.zip （31个子文件）

progress

DoS_Attack_dataset.csv 181.25MB

data1.csv 186.09MB

samptrain.py 2KB

model.h5 221.62MB

.idea

webServers.xml 651B

workspace.xml 13KB

misc.xml 294B

inspectionProfiles

profiles_settings.xml 174B

modules.xml 275B

deployment.xml 726B

.gitignore 184B

progress.iml 324B

data.csv 105KB

dataPreprocessing.py 2KB

init

evaluation.py 451B

init.py 2KB

sampinit.py 2KB

__pycache__

modelsave.cpython-37.pyc 655B

last_init.cpython-37.pyc 6KB

sampinit.cpython-37.pyc 2KB

multiOut_init.cpython-37.pyc 5KB

init.cpython-36.pyc 2KB

init.cpython-38.pyc 2KB

evaluation.cpython-38.pyc 611B

evaluation.cpython-37.pyc 456B

init.cpython-37.pyc 2KB

convlstm.py 3KB

train.py 2KB

__pycache__

convlstm.cpython-37.pyc 2KB

test.py 497B

4-2020-CANTransfer transfer learning based intrusion detection on a controller area network using convolutional LSTM network(1).pdf 1.36MB

CANTransfer – Transfer Learning based Intrusion Detection on

a Controller Area Network using Convolutional LSTM Network

Shahroz Tariq

∗

Dept. of Computer Science

and Engineering

Sungkyunkwan University

Suwon, South Korea

shahroz@g.skku.edu

Sangyup Lee

∗

Dept. of Computer Science

and Engineering

Sungkyunkwan University

Suwon, South Korea

sangyup.lee@g.skku.edu

Simon S. Woo

†

Dept. of Computer Science

and Engineeing

Dept. of Applied Data Science

Sungkyunkwan University

Suwon, South Korea

swoo@g.skku.edu

ABSTRACT

In-vehicle communications, due to simplicity and reliability, a Con-

troller Area Network (CAN) bus is widely used as the de facto stan-

dard to provide serial communications between Electronic Control

Units (ECUs). However, prior research exhibits several network-

level attacks can be easily performed and exploited in the CAN bus.

Additionally, new types of intrusion attacks are discovered very

frequently. However, unless we have a large amount of data about

an intrusion, developing an ecient deep neural network-based

detection mechanism is not easy. To address this challenge, we pro-

pose CANTransfer, an intrusion detection method using Transfer

Learning for CAN bus, where a Convolutional LSTM based model

is trained using known intrusion to detect new attacks. By apply-

ing one-shot learning, the model can be adaptable to detect new

intrusions with a limited amount of new datasets. We performed

extensive experimentation and achieved a performance gain of

26.60% over the best baseline model for detecting new intrusions.

CCS CONCEPTS

• Security and privacy → Intrusion detection systems

;

• Com-

puting methodologies → Neural networks;

KEYWORDS

Controller Area Network, Intrusion Detection, Transfer Learning,

Convolutional LSTM, In-Vehicle Network

ACM Reference Format:

Shahroz Tariq, Sangyup Lee, and Simon S. Woo. 2020. CANTransfer – Trans-

fer Learning based Intrusion Detection on a Controller Area Network using

Convolutional LSTM Network. In The 35th ACM/SIGAPP Symposium on

Applied Computing (SAC ’20), March 30-April 3, 2020, Brno, Czech Republic.

ACM, New York, NY, USA, 8 pages. https://doi.org/10.1145/3341105.3373868

∗

Equal Contribution

†

Corresponding Author

Permission to make digital or hard copies of all or part of this work for personal or

classroom use is granted without fee provided that copies are not made or distributed

for prot or commercial advantage and that copies bear this notice and the full citation

on the rst page. Copyrights for components of this work owned by others than ACM

must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,

to post on servers or to redistribute to lists, requires prior specic permission and/or a

fee. Request permissions from permissions@acm.org.

SAC ’20, March 30-April 3, 2020, Brno, Czech Republic

ACM ISBN 978-1-4503-6866-7/20/03.. . $15.00

https://doi.org/10.1145/3341105.3373868

1 INTRODUCTION

As demonstrated by the Consumer Electronics Show (CES 2018) [

self-driving cars and related vehicle technologies are one of the

fastest-growing areas of interest to many companies. At CES 2018,

a total of 556 companies were active in the automotive and vehicle

technology sector, including not only major automotive companies

such as Ford, Mercedes-Benz, Toyota, and Hyundai, but also other

Internet companies such as Amazon, Intel, NVIDIA and Cisco [

This area has become an explicit meeting point and a point of a

partnership between traditional car manufacturers and the most

prominent Internet companies [

]. Also, with considerable inter-

ests and developments in the Internet of Things (IoT), we can easily

envisage this automotive technology being seamlessly connected to

many other IoT devices, clouds, and other cyber-physical systems

(CPS) via wireless and cellular networks. Nevertheless, when vehi-

cles link to other networks, there may be periodic network attacks

such as Denial-of-Service (DoS), packet injection, and spoong

attacks to target vehicle subsystems. Security researchers have

discovered that cyberattacks are used to manipulate data inside

the vehicle’s internal control bus [

]. This vulnerability could

allow the intruder to inuence physical subsystems such as the

steering wheel, engine, and brakes that could potentially endanger

passengers or pedestrians. Additionally, new attack approaches

will emerge that exploit particular protocol weaknesses in automo-

tive technology. It is, therefore, necessary to plant and strengthen

various parametric defense mechanisms throughout the vehicle to

extenuate and mitigate cyberattacks.

The Controller Area Network (CAN) bus [

], which is a de-facto

standard for serial communication, has been widely used for in-

vehicle communication to provide an eective, stable and economic

link between electronic control units (ECUs). The CAN bus is a

broadcast-based networking protocol that allows a peak baud rate

of up to 1 Mbps on a single bus built by Bosch in 1985. Due to its

low prices, size, and functionality, most car manufacturers have

embraced the CAN bus. However, due to its simplicity, there are

several vulnerabilities in the CAN bus. As demonstrated by Lee et

al. [

] and Song et al. [

], the receiving node does not verify the

source of a CAN message; hence, many network trac injection

attacks are possible. As a result, numerous network attacks can be

easily carried out and practically deployed on the CAN bus. Types

of such attacks involve ooding the bus with messages meant to

circumvent legitimate ones or using spoofed bus identiers with

1048

invalid information. Additionally, there are far more sophisticated

and stealthy attacks. These attacks seem to be legitimate-looking

trac sequences, and it is hard to distinguish them from regular

trac.

To address these challenges, we need to develop potent detectors

and defense mechanisms and evaluate them against various types

of intrusions. We propose CANTransfer, an intrusion detection

method on Controller Area Network using Transfer Learning [

]

based on Convolutional LSTM model [

]. The intuition is rst

to train the Convolution LSTM (ConvLSTM) based model with

normal data as well as previously known intrusion dataset as a two-

class classication problem. After that, we use one-shot Transfer

Learning [

] to re-train the model to detect new intrusion attacks.

The reason for explicitly using Convolutional LSTM is that they

have previously shown to capture better spatial-temporal details

of the data as compared to LSTM based models, achieving high

performance [30, 35, 36].

We evaluate our approach with CAN datasets collected from two

dierent cars, KIA Soul and Hyundai Sonata, after driving more

than 24 hours with ten dierent drivers [15, 29].

Our contributions are summarized below:

• Novel attack detection architecture:

We developed CAN-

Transfer, a novel intrusion detection architecture based on

ConvLSTM based model, which can detect attacks in multi-

variate time series data. CANTransfer can detect not only

known attacks in a CAN bus but also is capable to detect

unseen attacks via transfer learning.

• Evaluation with real datasets

: We evaluated the accuracy

of our approach with the CAN dataset collected from two

real vehicles, KIA Soul [

] and Hyundai Sonata [

]. We

also compare our model with four other baseline models, and

demonstrate that we achieve higher detection performance

for both known (95.25% vs. 83.3%) and new attacks (88.47%

vs. 58.78%) from the best baseline method.

• Eectiveness of one-shot learning:

In particular, we de-

monstrate a high accuracy using one-shot learning in de-

tecting dierent variant of attacks, where our model only

requires one sample amount of new intrusion samples to

detect a new type of intrusion through various experiments.

Our research shows highly promising results in detecting diverse

types of severe vehicle attacks, and it can be integrated into a vehicle

as an eective defense mechanism. Also, our approach will help

reduce needs for collecting a massive amount of data for detecting

each new type of network intrusion.

The remainder of this paper is organized as follows: In Section 2,

we discuss the background and recent automotive security research

directly relevant to our work. Details of our detection approach

and algorithm are explained in Section 3. Then, we show our exper-

iments and results in Section 4. We oer discussion and describe

limitations in Section 5 and conclude in Section 6.

2 BACKGROUND AND RELATED WORK

Controller Area Network Bus.

The version 2.0 of the Controller

Area Network (CAN) specication is a broadcast-based communica-

tion protocol [

]. With embedded Electronic Control Units (ECUs)

in modern cars, it is the primary means of communication.ECUs

handle all aspects of car behavior, while cars typically have two

CAN buses: the rst type is a high-speed one (about 500Kbps), and

the second type is a slower one (about 125Kbps) dedicated to passen-

ger compartment functionality. Data is transmitted on the CAN bus

in frames containing an arbitration ID, data payload (0-64 bits), and

extra low-level bus control elds, as shown in Fig. 1. There are four

types of the standard CAN frame in this protocol.

(1) data frame

for data transmission,

(2) remote frame

for asking a data frame

for a destination node,

(3) error frame

for notifying an error in the

currently transmitted frame, and

(4) overload frame

for delaying

the next message until the current message is processed. The ID

and the payload of data in a frame are used as main components

to generate attacks in most circumstances. The ID is used for both

identication and bus arbitration, where lower IDs are given higher

priority when two ECUs simultaneously attempt to transmit. For

example, ‘

0000

’ is going to have top priority among all. The data

frames, typically in a proprietary format, contain control commands

and status information about the automobile state.

Intrusion Detection on CAN bus.

Cho and Shin [

] suggested

a recursive least square algorithm to spot abnormalities within the

in-vehicle network. Boudguiga et al. [

] explored the CAN proto-

col’s lack of security mechanisms, making it susceptible to DoS,

impersonation, and isolation attacks. They also suggested a simple

method for CAN intrusion detection by making every microcon-

troller monitor in the CAN bus to detect malicious frames. Muter

and Asaj [

] introduced the concept of entropy in the CAN bus and

used it to detect anomalies through associating entropy with the

reference set. The method is also more systematic and involves sen-

sors to monitor the trac status for the detection of anomalies. Our

work is dierent from the above study, as we provide the algorithm

for intrusion detection, which employs more ne-grained CAN

frame features with better generalizability using transfer learning.

Choi et al. [

] have suggested VoltageIDS that can secure CAN

network in the vehicle. They mainly use the unique features of an

electrical CAN signal in their work as an ECU ngerprint. Hoppe

et al. [

] and Miller and Valasek [

] address the detection

of intrusion in the vehicle using the number of messages sent

over a CAN bus interval. Hoppe et al. [

] introduced simple

attacks from the black box attack on an ECU gateway, enabling an

attacker to sni arbitrary internal communications and suggest an

IT-Forensic intrusion detection system. Miller and Valasek [

]

demonstrated they showed that they were able to take complete

control over the automobile from a remote site by using the wireless

network, provided the IP address of the vehicle is known. Also the

degree of control needed for injecting messages onto the CAN bus

and also suggested countermeasures.

Song et al. [

] found that the interval of time between messages

is changed during the attack, and they can detect anomalies using

this information. Recently, Lee et al. [

] have shown that they

can detect intrusions by using the oset response ratio and time

interval of remote frames. We compared and demonstrated higher

accuracy of our method compared to OTIDS [

]. Recently, Taylor

et al.[

] have introduced an attack framework for automobiles

that describes the characteristics of cyberattacks in the automotive.

We analyzed attacks like a replay attack and found that more ex-

tended events can be identied more eectively than shorter ones.

This paper combines Taylor and others’ work for the replay attack

1049

Figure 1: CAN Bus Frame Format

generation. [

]. This paper incorporates the work by Taylor et

al. [31] for the replay attack generation.

Convolutional LSTM.

Recently, considerable research studies

have shown that deep learning for intrusion and anomaly detection

on time series data is eective [

]. Detecting network

intrusions in the CAN bus by utilizing both the rule-based and RNN

approach showed the eectiveness of RNN in this domain [

Ensembling, the result from the rule-based method and RNN out-

put result, was able to complement each other and detect dierent

attacks that occurred on the bus with high accuracy. For general-

purpose sequence modeling, LSTM is used frequently as a special

RNN structure. As an extension of LSTM, Shi et al. [

] introduced

Convolutional LSTM (ConvLSTM) for nowcasting precipitation and

other forecasting problems. ConvLSTM outperformed fully con-

nected LSTM by having new convolutional structures in both input-

to-state and state-to-state transitions. Another work by Zhang et

al. [

] used ConvLSTM to detect anomalies in multivariate time

series data. They proposed Multi-Scale Convolutional Recurrent

Encoder-Decoder (MSCRED) which applies the attention-based

ConvLSTM network to capture the temporal patterns. Even for

practical operating applications such as Spacecraft multivariate sen-

sor system anomaly detection, ConvLSTM has proved its eciency

and high performance [

]. In this paper, we utilize ConvLSTM to

detect in-vehicle communication intrusion attacks by performing

prediction on the multivariate stream.

Transfer Learning.

Training a neural network for classica-

tion tasks is usually done by training with the source dataset from

scratch. Also, in many machine learning-based classication models,

they assume that the training and testing data must be in the same

domain space [

]. Transfer Learning enables the model to trans-

fer knowledge to another unseen domain by reusing the weights

from the source model of related tasks or domains [

]. Pratt [

]

proposed Discriminability-Based Transfer (DBT) which utilizes pre-

dened weights from the source and rescales the transferred weight

with the target. This work demonstrates that DBT-initialized target

networks learn signicantly faster as compared to networks initial-

ized randomly. Fei-Fei et al. [

] determined the eectiveness of

transfer learning by proposing a framework that learns a represen-

tation across dierent domains in a label ecient way. They utilized

a metric learning-based approach to simultaneously optimize with

labeled source data and unlabeled or sparsely labeled data in the

target domain. Another work from Fei-Fei et al. [

], ‘One Shot

Learning of Object Categories’, coined the term one-shot learning

and opened the new transfer learning research. Instead of training

a classier from scratch, this paper demonstrates that knowledge

from previously learned categories can be used to train a novel

category with one or a handful of images. This paper presented a

variation on a Bayesian framework for representation learning for

object categorization, which produces informative models when the

Table 1: Sample CAN packets, showing dierent ID and DLC

elds

Timestamp ID DLC Data

1479246664.162438 0153 8 00 21 10  00  00 00

1479246664.164967 02b0 5 bd  00 07 dc

1479246664.165822 043f 8 00 40 60  58 28 08 00

1479246664.171065 05f0 2 f4 00

1479246664.171695 0002 8 00 00 00 00 00 06 01 a2

number of new training examples is extremely small. Cozzolino et

al. [

] also used a similar concept of transfer learning to detect fake

or forged images from multiple manipulation approaches. When

training with data from one specic forgery method, they show

that Convolutional Neural Networks detect examples extremely

well. Their work uses the auto encoder-structured model, Forensic-

Transfer, which enforces activations in dierent parts of a latent

vector from the encoder for the real and fake classes. The learned

latent vector acts as a form of anomaly detector. ForensicTrans-

fer shows signicant improvements in transferability by training

from source and transfer learn the same model to a minimal target

dataset. Similarly, our CANTransfer trains the model with known

intrusion, and then transfer learns to new intrusion. However, our

approach uses ConvLSTM to detect attacks in time series.

3 OUR PROPOSED MODEL - CANTransfer

We develop the ConvLSTM-based CANTransfer to address the fol-

lowing research questions (RQs):

(RQ1) Intrusion detection per-

formance.

Can ConvLSTM outperform over other state-of-the-art

intrusion detection methods for CAN bus?

(RQ2) Importance of

preprocessing.

Does the preprocessing and data transformation

matter for intrusion detection performance? Which preprocessing

method works the best for ConvLSTM?

(RQ3) Transfer Learn-

ing.

Does one-shot transfer learning increase the detection rate

and more importantly, does it help in reducing the false-positives

(FP)?

(RQ4) Improvement from zero-shot.

How does one-shot

compare against zero-shot?

(RQ5) False-positive.

How does the

FP-rate aect the performance?

(RQ6) Processing Time.

How

much processing time does CANTransfer take to detect the intru-

sion in the worst-case scenario?

(RQ7) Loss and Accuracy.

Is the

loss for the CANTransfer model converging with time, and how

does the accuracy look like for transfer learning? In order to ad-

dress these questions, we describe the details of CANTransfer in

this section.

CAN Trac Analysis.

In order to better understand normal

CAN bus trac during a standard car operation, we rst studied

high-speed CAN bus trac. Such data helps us to recognize the

regular and frequent CAN bus trac. In order to understand their

dierent behavior, we use two dierent cars, KIA Soul (car 1) and

Hyundai Sonata (car2). We discovered that each car uses dierent

frame IDs for the same operations; however, this comportment is

anticipated as these cars are manufactured by dierent companies.

There is, however, a high correlation between the occurrences and

sequences of priority bits between Car 1 and 2. For example, in

both vehicles, the sensor IDs used for the vehicle braking system

vary, but they have a higher priority on the bus than other sensors.

1050

评论收藏

内容反馈

版权申诉

2301_77216775

2023-10-15

资源和描述一致，质量不错，解决了我的问题，感谢资源主。

AI信仰者

粉丝: 1w+
资源: 143

CANTransfer – Transfer Learning based Intrusion Detection on

Synchronous Adversarial Feature Learning for LiDAR based Loop Closure Detection

论文研究-Nearest Neighbors based Density Peaks Approach to Intrusion Detection.pdf

Decomposition based Transfer Distance Metric Learning for Image Classification

A Survey of Deep Learning-based Object Detection.pdf

A Deep Learning Approach to Network Intrusion Detection

Anomaly-based network intrusion detection

基于模糊逻辑的异常入侵检测系统_Anomaly-based Intrusion Detection System Using F

The Tao of Network Security Monitoring Beyond Intrusion Detection

A Survey of Modern Deep Learning based Object Detection Model

远域迁移学习Distant Domain Transfer Learning=1This slide is based on A

A Survey of Modern Deep Learning based Object Detection Mode

Multidimensional Intrusion Detection System for IEC 61850 based SCADA Networks

M.tech.zip_host_intrusion detection

Intrusion Detection: Network Security beyond the Firewall

Intrusion Detection in Wireless__ Ad-Hoc Networks

Intrusion Detection with SNORT advanced IDS techniques

Shallow and Deep Networks Intrusion Detection System A Taxonomy and Survey.pdf

论文研究-Quantum Particle swarm optimization based network Intrusion feature selection and Detection.pdf

Learning based Symmetric Features Selection for Vehicle Detection

A norvel Intrusion Detection Approach based on Chaos theory in wireless sensor networks

Network Intrusion Detection using Deep Learning_A Feature Learning Approach

referred-paper.rar_On Paper_intrusion detection

bilinear.zip_Intrusion ant_The Show_ant SVM_intrusion detection_

A Virtual Machine Introspection Based Architecture for Intrusion Detection

Snort 2.1 Intrusion Detection.pdf

Snort Intrusion Detection and Prevention Toolkit

最新资源