Cosine similarity based anomaly detection methodology for the CAN bus

Abstract

In recent years, vehicular technology has rapidly evolved in terms of the driver’s convenience and safety, along with the convergence of vehicle communication and the expansion of external interfaces. However, the connectivity of the vehicle to the external environment poses a considerable driving risk because of the pre-existing vulnerabilities in the vehicle. Furthermore, most of the in-vehicle networks, such as controller area network (CAN), local interconnect network (LIN), and FlexRay network, are not ready to cope with malicious attacks from the outside. For that reason, various studies have addressed the security issues of the automobiles, as protecting the life and safety of the drivers and passengers is one of the core values of the in-vehicle technology. In the present study, in order to address these critical security issues, we propose an anomaly detection method based on cosine similarity for in-vehicle network through the analysis of self-similarity of the CAN bus. Our main goal is to detect three types of injection attacks without having additional information about the attacks. To this end, we evaluated the performance of the proposed method by measuring the accuracy and detection time using a dataset extracted from two real vehicles in driving and stationary conditions. More specifically, we designed a light-weight feature vector that can accomplish real-time detection and then analyzed the performance in terms of accuracy, recall, and detection time by the time window. In the performance evaluation, we achieved high detection accuracy–namely, 98.93% and 99.18% for KIA Soul in the driving condition and in the stationary condition, respectively, 99.43% and 99.49% for the HYUNDAI YF Sonata in the driving condition and in the stationary condition, respectively. Finally, we also showed that the cosine similarity in the CAN bus is a meaningful feature to identify and classify the types of attacks on target CAN IDs.