GIDS: GAN based Intrusion Detection System for In-Vehicle Network
GGIDS: GAN
BASED I NTRUSION D ETECTION S YSTEM FOR I N -V EHICLE N ETWORK
A P
REPRINT
Eunbi Seo
Graduate School of Information SecurityKorea UniversitySeoul, Republic of Korea [email protected]
Hyun Min Song
Graduate School of Information SecurityKorea UniversitySeoul, Republic of Korea [email protected]
Huy Kang Kim
Graduate School of Information SecurityKorea UniversitySeoul, Republic of Korea [email protected]
July 18, 2019 A BSTRACT
A Controller Area Network (CAN) bus in the vehicles is an efficient standard bus enabling commu-nication between all Electronic Control Units (ECU). However, CAN bus is not enough to protectitself because of lack of security features. To detect suspicious network connections effectively, theintrusion detection system (IDS) is strongly required. Unlike the traditional IDS for Internet, thereare small number of known attack signatures for vehicle networks. Also, IDS for vehicle requireshigh accuracy because any false-positive error can seriously affect the safety of the driver. To solvethis problem, we propose a novel IDS model for in-vehicle networks,
GIDS (GAN based IntrusionDetection System) using deep-learning model, Generative Adversarial Nets.
GIDS can learn to detectunknown attacks using only normal data. As experiment result,
GIDS shows high detection accuracyfor four unknown attacks. K eywords Generative Adversarial Nets · Intrusion detection System · Controller Area Network · In-Vehicle Security
The advances in the automotive technology have brought great convenience to driver’s life. However, as V2X technologyenables interactions with vehicles and everything from outside (e.g., vehicles, infrastructure), security threats on ECUof vehicles become higher. Therefore, we need to develop a security system to mitigate the various risks of the vehicle.In particular, intrusion detection system (IDS) for in-vehicle network is required to protect all of the ECUs and relatedequipment in the vehicle from emerging threats.Controller Area Network (CAN) is a standard of the bus system for in-vehicle network and provides efficient com-munication between ECUs. CAN bus is a reliable and economical serial bus for the in-vehicle network. However,because it uses a broadcast communication without authentication, attackers can access CAN bus easily, and it causessevere risk. For example, an adversary could inject a malicious packet in CAN bus via a vulnerability at one of thenumerous external interfaces Also, many modern cars which have a communication module for infotainment servicecan be exposed to the attacks via Over-The-Air (OTA) update module. These attacks could result in not only seriousmalfunctions of the vehicle but also threats to the safety of drivers. a r X i v : . [ c s . CR ] J u l PREPRINT - J
ULY
18, 2019IDS is the best way to detect and respond known and unknown attacks of today because it can continuously monitor thein-vehicle system and detect suspicious network events generated by ECUs in real time. Recently, there has been someresearch for IDS to detect attacks targeted on the vehicles. For example, Song et al. proposed a detection model basedon time interval analysis of CAN data [1], and Lee et al. presented a method to detect intrusion by monitoring the timeinterval of the request and response of CAN data [2].Although these models are lightweight and efficient, they have some limitations. When in-vehicle environments arechanged, it can require a lot of updates. Also, targets to be detected may be limited since specific attacks are reflectedwhen constructing detection system. If IDS be leaked to the attacker, the attacker can manipulate and avoid detection.To solve these problems, we propose
GIDS (Generative Adversarial Nets based Intrusion Detection System) which hasthe following characteristics: expandability, effectiveness, and security.1.
Expandability : GIDS maintains consistent detection methodology even if in-vehicle environments are changed.It requires only one training process.2.
Effectiveness : Because
GIDS can be trained using only normal data, it
GIDS can detect intrusions withoutbeing limited to specific types of attacks. Thus,
GIDS is likely to detect unknown attacks not used in theimplementation process of the IDS.3.
Security : GIDS is one of the deep-learning model which has the characteristic of black-box. Thus,it is difficultfor an attacker to manipulate internal structure of detection system.
We introduced in-vehicle networks and IDS for in-vehicle network in §1. The rest of the paper is organized as follows.§2 presents the recent researches. We introduce our IDS,
GIDS in §3. In §4, we describe the result of the experimentand discuss the experiment result. Finally we conclude the paper in §5.
The early research for anomaly detection of the in-vehicle system was introduced by Hoppe et al. [3]. He presented threeselected characteristics as patterns available for anomaly detection that include the recognition of an increased frequencyof cyclic CAN messages, the observation of low-level communication characteristics, and the identification of obviousmisuse of message IDs. Müter et al. proposed an anomaly detection based entropy [4]. Marchetti et al. analyzedand identified anomalies in the sequence of CAN [5]. The proposed model features low memory and computationalfootprints. SALMAN et al. proposed a software-based light-weight IDS and two anomaly-based algorithms based onmessage cycle time analysis and plausibility analysis of messages [6]. It contributed to more advanced research in thefield of IDS for in-vehicle networks.Many security research in various fields has adopted deep-learning methods for IDS. For example, Zhang et al. presenteda deep-learning method to detect Web attacks by using the specially designed CNN [7]. The method is based onanalyzing the HTTP request packets, to which only some preprocessing is needed whereas the tedious feature extractionis done by the CNN itself. Recently, Generative Adversarial Nets (GAN) was adopted to not only image generationbut also other research like anomaly detection. Schlegl et al. proposed AnoGAN, a deep convolutional generativeadversarial network to learn a manifold of normal anatomical variability. The model demonstrated that the approachcorrectly identifies anomalous images, such as images containing retinal fluid [8].Although various studies using GAN have been published, most of them are focused only on discrimination of imagedata. GAN could be useful for security such as IDS. However, few works have explored the use of GAN for security ofother fields. We developed a GAN based IDS for in-vehicle security and showed high performance on CAN data that isone of the in-vehicle network datasets. We proved expandability, effectiveness, and security of the proposed model forin-vehicle networks. GIDS : GAN based IDS
CAN bus supports the ECU to ECU communication. In CAN bus, there are frequent transmissions composed ofperiodically used CAN messages. ECUs in the vehicle generate about 2,000 CAN data per second to CAN bus. A largeamount of real-time CAN data generated by ECUs are must be able to be processed. If all the bits of CAN data are useddirectly for image conversion, the converted image can be very complex. In the case,
GIDS may require a long time not2
PREPRINT - J
ULY
18, 2019suitable for real-time detection. CAN IDs in CAN data show repetitive patterns and we extracted only patterns of CANIDs from CAN data for training as in Fig. 1. Also, we converted extracted CAN IDs into a simple image by encodingwith one-hot-vector. This method can reduce detection time required for real-time, and improve the performance ofIDS. Figure 1: Structure of CAN frameFig. 2 shows the process of encoding CAN IDs with one-hot-vector. Firstly, because the CAN ID is hexadecimal, eachelement of the CAN ID such as ‘2’ in ‘0x2a0’ is expressed in a binary form with 16 digits. After that, binary forms ofeach element of the CAN IDs are encoded to one-hot-vector. Encoding with one-hot-vector makes one of the bits to be1, and the remaining bits to be all 0. For example, if the element of the CAN ID is ‘2’ in ‘0x2a0’, A one-hot-vectorconsists of only one bit of the second digit as 1 and the remaining all bits as 0. Finally, a CAN ID of 3-digit such as‘0x2a0’ is expressed in 16*3 matrix form. For example, if the CAN ID is ‘0x2a0’, it consists of 3 one-hot-vectors suchas [0100 ... 000], [0..0100000], and [0..1000000]. We name this matrix as a ‘CAN image’.
18f 2 …0 a [ one-hot vector shape ]1 2 3 4 5 6 7 8 9 0 a b c d e f convert to one-hot vector shape [ raw CAN data ] [ normal CAN data image ]2a0 convert to can data to images
1 2 3 4 5 6 7 8 9 0 a b c d e f
Figure 2: The process of one-hot-vector encoding output … [ normal CAN data image ] nd D G [ random data ] … [ fake CAN data image ] … back propagationback propagation Training for Unknown Attack … [ abnormal CAN data image ] … [ normal CAN data image ] st D outputback propagationEx. FUZZY attack data
Training for Known Attack
Figure 3: The training process of GIDSIn this study, we propose GAN based IDS model for the in-vehicle network. We named this model as
GIDS . GANis one of the deep-learning models. GAN is the new framework for estimating generative models via an adversarialprocess, in which we simultaneously train two models: a generative model G that captures the data distribution, and adiscriminative model D that estimates the probability that a sample came from the training data rather than G [9]. GAN3
PREPRINT - J
ULY
18, 2019
TEST st D … output output Threshold Threshold >else nd D Abnormal status Discriminator for Known Attack Discriminator for Unknown Attack Figure 4: The process of one-hot-vector encodingis often used to generate fake images that are similar to real ones. We focused on the fact and designed our IDS usingthis fact. GIDS has two discriminative model, the first discriminator and the second discriminator which are trained withthe following procedure as shown in Fig. 3.1. Training for known attack : the First discriminator receives normal CAN images and abnormal CAN imageswhich are extracted from the actual vehicle. Because the first discriminator uses attack data in the trainingprocess, the type of attacks that can be detected is likely to be limited to the attacks used for training.2. Training for unknown attack : The generator G and the second discriminator are trained simultaneously byan adversarial process. The generator generates fake images by using random noise. The second discriminatorreceives normal CAN images and the fake images generated by the generator and estimates the probability thatreceived images are real CAN images. That is, the second discriminator discriminates whether input imagesare real CAN images or fake images generated by the generator. The generator and the second discriminatorcompete with each other and increase their performance. In the GIDS model, the second discriminatorultimately win the generator so that the second discriminator can detect even fake images similar to real CANimages. GIDS detects attacks of the in-vehicle networks with the following procedure as shown in Fig. 4.1. The real-time CAN data is encoded with one-hot-vector, and it is converted into CAN images.2. The first discriminator receives CAN images and outputs one value which is between 0 and 1.3. If output is lower than the threshold, current status is classified as abnormal. (Because the first discriminatoris trained for known attacks, unknown attacks are unlikely to be detected in this process.)4. If output is higher than the threshold, the corresponding CAN images are received by the second discriminator.As in step 2 and step 3, the second discriminator receives CAN images and outputs one value which is between0 and 1.5. If output is lower than the threshold, current status is classified as abnormal. (Because the second discriminatoris trained with only normal data, attack data to be detected are not limited. That is, it may even be possible todetect unknown attacks.)Our goal is to ensure high accuracy for detecting even unpredictable attacks with only normal data. However, if we useonly the second discriminator trained with only normal data, the detection accuracy can be lower than when using thefirst discriminator trained with attack data. Therefore, we combine the first discriminator and the second discriminator,which is able to detect both known attacks and unknown attacks. In the chapter, we describe two model structures of the discriminator and the generator in the GIDS model. We measuredthe detection performance for four combinations of discriminator and generator composed of the convolutional neuralnetwork (CNN) and deep neural network (DNN). The neural networks of GIDS was selected as the combination whichare shown the best detection performance.1. Design the discriminator The discriminator consists of a deep neural network composed of three layers as shown in Fig. 5 (b). Thediscriminator reduces the dimension of the input data to one output between 0 and 1. Fig. 5 (b) shows the4 PREPRINT - J ULY 18, 2019 (a) Architecture of generator in GIDS (b) Architecture of discriminator in GIDS Figure 5: Architecture of GIDS Node A Node CNode B0X2a0 0X4b10X0000X000CAN bus Delayed Delayed (a) DoS Attack Node A Node CNode B0X2a0 0X4b10X2a00X4b1CAN bus (b) FUZZY Attack Node A Node CNode B0X2a0 0X4b10X316CAN bus about RPM 0X43 f about GEAR or (c) RPM/GEAR Attack Figure 6: Illustration of DoS, FUZZY and RPM/GEAR attacksprocess of reduction dimension of the discriminator when the number of CAN IDs is 64. The activationfunction of each layer is ReLU, and the activation function of the last layer is sigmoid. Finally, the output ofthe discriminator is used to distinguish between normal status and abnormal status in the in-vehicle network.2. Design the generator The generator consists of a deconvolutional neural network composed of five layersas shown in 5 (a). The generator expands the dimension of random noise data to the one image of the samesize as the input data of the discriminator. That is, the generator generates a fake image similar to the realCAN image converted from the CAN IDs. ReLU is used by the activation function of each layer, and Tanh isused as activation function of the last layer. The generator and the discriminator calculate the cost throughback-propagation reducing the errors between actual answers and outputs of the model. In the Experiment, we use two criteria: Detection rate and accuracy. The detection rate is defined as the proportionof the detected abnormal data accounting for the total abnormal ones. The accuracy is defined as the proportion ofdata including normal and abnormal to be correctly classified. We tested the GIDS model in the following experimentenvironment.1. CPU: Intel(R) Xeon(R) CPU E5-1650 v4 @ 3.60GHz2. RAM: 32.0GB3. GPU: NVIDIA GeForce GTX 1080 Hyundai’s YF Sonata is used as a testing vehicle. To capture CAN bus traffic, we plug Y-cable into OBD-II port;OBD-II port of YF Sonata is located under the steering wheel. Then, Raspberry Pi3 is used to connect to CAN bus.Also, a laptop computer is connected to Raspberry Pi3 through WiFi as shown in Fig. 7.We launched four types of attacks on CAN bus as illustrated in Fig. 6. Each attack is defined as follows.1. DoS attack: Dos attack is to inject high priority of CAN messages (e.g. ‘0x000’ CAN ID packet) in a shortcycle. We injected ‘messages of ‘0x000’ CAN ID every 0.3 milliseconds.5 PREPRINT - J ULY 18, 2019Figure 7: Data acquisition setup via OBD-II port of YF sonata with Raspberry Pi32. FUZZY attack: Fuzzy attack is to inject messages of spoofed random CAN ID and DATA values. We injectedmessages of CAN ID and CAN data every 0.5 milliseconds.3. RPM/GEAR attack: RPM/GEAR attack is to inject messages of certain CAN ID related to RPM/GEARinformation. We injected messages related to RPM/GEAR every 1 millisecond.After data acquisition, we did labeling for the captured attack-free state traffic and attack traffic data. Wereleased the dataset used in our experiments to foster further research. We make our dataset available athttp://ocslab.hksecurity.net/Datasets/CAN-intrusion-dataset.Table 1 shows dataset which was used to test our model. The dataset consists of the training dataset and test dataset.The dataset was extracted from the running vehicle for about 10 minutes and contains both normal and abnormal packetwith labeling. In Table 1, ‘ Data Attack type Training set Normal data 1,171,637 N/ATest set DoS attack data 3,665,771 17,128FUZZY attack data 3,838,860 20,317RPM attack data 4,621,702 32,501GEAR attack data 4,443,142 29,751 (a) binary image density (b) GIDS image density Figure 8: Distribution of the output before and after one-hot-vector encoding We converted the CAN data extracted from the vehicle into simple form images by encoding them with one-hot-vector.Fig. 9 shows the images generated by this way, and Fig. 10 shows the images not encoded with the one-hot-vector; AllCAN IDs of 11 bits are converted into an image. In both Fig. 9 and Fig. 10, the left image is real CAN image and theright image is fake CAN image generated by the generator. Fig. 9 shows more simple form whereas Fig. 10 showscomplex form. 6 PREPRINT - J ULY 18, 2019Encoding with one-hot-vector can reduce the required time and show better performance than when the binary CANdata are converted as it is. Fig. 8 shows the distribution of the output of GIDS before and after one-hot-vector encoding.In the left model which uses binary images as it is, the output is widely distributed from 0 to 1. On the other hand, asshown in the right model, GIDS model using images converted with one-hot-vector has a certain threshold to classifynormal data and abnormal data. That is, one-hot-vector encoding allows the intrusion detection model to separatenormal data and attack data explicitly.Figure 9: Imagesamples encoded withone-hot-vector Figure 10: Image sam-ples not encoded withone-hot-vector Based on the experiment, we set some hyperparameters of the GIDS model, which can improve the detection performanceof the GIDS model. GIDS shows different performance according to values of these parameters. Parameters consistof detection threshold, attack threshold, and input size. We found the most suitable values of parameters throughexperiments and applied it to the final GIDS model. We present experimental results for each parameter as follows.1. Detection threshold : The outputs of GIDS model are 0 to 1. Among these outputs, GIDS classify attack dataand normal data by a specific detection threshold. We define detection threshold as 0.1. If the output of the GIDS model is less than 0.1, it is judged to an anomaly. Although some outputs in the normal data weredistributed below 0.1 as in Fig. 8(b), it may be regarded as an error that can appear in the sampling process.2. Input size : Input size means a unit to convert CAN IDs into images. CAN IDs extracted from the vehicleare grouped by input size and they are converted into images. We measured the accuracy of the GIDS model,increasing the input size from a minimum of 32 to a maximum of 128. Experimental results showed that theaccuracy increased until 64 input size, but it tended to decrease after that as shown in Fig. 11. Therefore, wedefine an input size as 64, and it can be changed flexibly depending on the vehicle environment.Figure 11: Accuracy of GIDS according to input size3. Attack threshold : The attack threshold is a criterion for judging attack CAN images. We define attackthreshold as 1. That is, if at least one attack packet is included in the CAN image, it is judged to be an abnormalimage. We improve the security of the GIDS model by detecting even occasionally injected abnormal packets.7 PREPRINT - J ULY 18, 2019Table 2: Detection rate of the first discriminator in GIDS according to attack data of training set training set DoS detection rate FUZZY detection rate RPM detection rate GEAR detection rate Normality detection rate DoS % 0.0% 100.0%GEAR 0.0% 0.9% 0.0% Firstly, we tested the accuracy of the first discriminator which is trained using known attack data. Table 2 shows thedetection rates of first discriminator for each attack data. As results of the experiment, attack data used in the trainingprocess were detected well but attack data not used for training were hardly detected. It requires a new detection modelthat can detect attacks even if only normal data are used in the training process.Secondly, we tested the detection accuracy of the second discriminator which uses random fake data in the trainingprocess instead of the real attack data. Table 3 shows the detection performance for each of the four attack data. Anyattacks in the Table 3 were not used in the training process of the second discriminator. As results of the experiment,each of the four attacks was detected with an average of 98% accuracy. Although the accuracy is less than 100%, wecan improve the accuracy of the GIDS model by combining it with first discriminator which uses attack data for thetraining process. Table 3: Performance of the second discriminator in GIDS Data type Detection rate Precision Accuracy AUC DoS attack 99.6% 96.8% 97.9% 0.999FUZZY attack 99.5% 97.3% 98.0% 0.999RPM attack 99.0% 98.3% 98.0% 0.999GEAR attack 96.5% 98.1% 96.2% 0.996 In this study, we presented the GIDS , GAN based IDS for the in-vehicle network. Firstly, we proposed encoding a largenumber of CAN IDs with simple one-hot-vector, which can increase the performance and speed of the GIDS. Also,the proposed GIDS uses random fake data in the training process instead of the real attack data. It allows the GIDS model to detect unknown attacks with only normal data. Finally, we proposed a detection system that combines thefirst discriminator for detecting known attack data and the second discriminator for detecting unknown attack data. Itcan improve the detection accuracy of the proposed GIDS model. As a result of the experiment, The GIDS showed theaverage accuracy of 100% for the first discriminator and the average accuracy of 98% for the second discriminator. GIDS can be applied to the various types of the vehicle through the new training process and adjustment of thehyperparameters. Because the GIDS is pre-trained system and uses the deep-learning method, it is difficult to bemanipulated by the attacker. Also, it can be real-time intrusion detection for the in-vehicle network. In practically, thenumber of messages that CAN bus system generates per second is about 1,954. GIDS takes only 0.18 seconds to detectabout 1,954 CAN messages and it has a constant ratio of elapsed time for intrusion detection even if the amount ofCAN data to be detected increases.The proposed GIDS model has the strengths of expandability, effectiveness, and security so it can be suitable IDS forthe in-vehicle network. Although GAN based IDS describes the CAN network traffic well, it is still challenging point to distinguish anomaloustraffic caused from ‘normal malfunctioning of electronic components’ from anomalous traffic caused from ‘intentionalattacks by hacker’. Nonetheless, GAN based IDS is still effective under the circumstance of lack of ‘known attackpatterns for vehicles’ such as nowadays. GAN based IDS and its evaluation becomes more precise as many attackpatterns for vehicles become revealed. 8 PREPRINT - J ULY 18, 2019 Acknowledgment This work was supported by Institute for Information & communications Technology Promotion(IITP) grant funded bythe Korea government(MSIT) (No. R7117-16-0161, Anomaly Detection Framework for Autonomous Vehicles) References [1] H. M. Song, H. R. Kim, and H. K. Kim, “Intrusion detection system based on the analysis of time intervals of canmessages for in-vehicle network,” in Information Networking (ICOIN), 2016 International Conference on . IEEE,2016, pp. 63–68.[2] H. Lee, S. H. Jeong, and H. K. Kim, “Otids: A novel intrusion detection system for in-vehicle network by usingremote frame.”[3] T. Hoppe, S. Kiltz, and J. Dittmann, “Security threats to automotive can networks–practical examples and selectedshort-term countermeasures,” Computer Safety, Reliability, and Security , pp. 235–248, 2008.[4] M. Müter and N. Asaj, “Entropy-based anomaly detection for in-vehicle networks,” in Intelligent Vehicles Sympo-sium (IV), 2011 IEEE . IEEE, 2011, pp. 1110–1115.[5] M. Marchetti and D. Stabili, “Anomaly detection of can bus messages through analysis of id sequences,” in Intelligent Vehicles Symposium (IV), 2017 IEEE . IEEE, 2017, pp. 1577–1583.[6] N. SALMAN and M. BRESCH, “Design and implementation of an intrusion detection system (ids) for in-vehiclenetworks.”[7] M. Zhang, B. Xu, S. Bai, S. Lu, and Z. Lin, “A deep learning method to detect web attacks using a speciallydesigned cnn,” in International Conference on Neural Information Processing . Springer, 2017, pp. 828–836.[8] T. Schlegl, P. Seeböck, S. M. Waldstein, U. Schmidt-Erfurth, and G. Langs, “Unsupervised anomaly detection withgenerative adversarial networks to guide marker discovery,” in International Conference on Information Processingin Medical Imaging . Springer, 2017, pp. 146–157.[9] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio,“Generative adversarial nets,” in