Anomaly Detection for In-Vehicle Network Using CNN-LSTM With Attention Mechanism

Abstract

With the increasing connectivity between the Electronic Control Units (ECUs) and the outside world, safety and security have become stringent problems. The Controller Area Network (CAN) bus is the most commonly used in-vehicle network protocol, which lacks security mechanisms by design, so it is vulnerable to various attacks. In this paper, we propose a novel intrusion detection model called CNN-LSTM with Attention model (CLAM) for the in-vehicle network, especially CAN. The CLAM model uses one-dimensional convolution (Conv1D) to extract the abstract features of the signal values at each time step and feeds it into the Bidirectional Long Short Term Memory (Bi-LSTM) to extract the time dependence. By combining the attention mechanisms, we calculate the weight of each hidden state output by Bi-LSTM and perform a weighted summation, so that the model focuses only on locally important time steps, which can improve the convergence speed of the model and prediction accuracy. The proposed model uses the bit flip rate to extract continuous signal boundaries in the 64-bit CAN data, so it does not need to parse the CAN communication matrix and is suitable for different vehicles. The extensive evaluation results demonstrate that our proposed CLAM model can effectively detect CAN attacks, with an average F1-score of 0.951 and an error rate of 2.16%. Compared with the work in related research fields, the accuracy of attack detection is improved by 2.5%.