Two-Stage Intrusion Detection System in Intelligent Transportation Systems Using Rule Extraction Methods From Deep Neural Networks

Abstract

In recent years, intrusion detection systems (IDSs) are offering effective solutions to protect various types of cyber-attacks in different networks such as Internet of Vehicles (IoVs) network in Intelligent Transportation Systems (ITS). Deep learning models have largely been leveraged by these intrusion detection systems to achieve better effectiveness results. However, deep learning models are black boxes, which limits their acceptability in decision systems. Also, they require powerful processing capabilities such as GPU, which limit their deployments in resource-constrained devices in IoV environment. To deal with these issues, we propose a two-stage IDS in ITS to discover suspicious network activity of In-Vehicles Networks (IVN) and vehicles to everything (V2X) networks. Our proposed IDS system uses rule extraction methods from deep learning models, i.e., deep neural networks in two stages. In the first stage, we analyze network traffic to distinguish between normal and attack traffic. If the traffic is found malicious, the second stage is invoked to identify the type of attack. To this end, we propose three variants of rule extraction. The first and the second variants are homogeneous, and they apply <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$DeepRed$</tex-math> </inline-formula> and <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$HypInv$</tex-math> </inline-formula> rule extraction methods in both stages respectively. The third variant is heterogeneous, and it applies <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$HypInv$</tex-math> </inline-formula> in the first stage to perform binary classification, and <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$DeepRed$</tex-math> </inline-formula> in the second stage to perform attack classification. The key idea is to combine the advantages of rule extraction technique and two-stage IDS architecture to resource consumption and improve classification accuracy. The proposed IDS model was tested using four benchmark datasets, i.e. ISCXIDS2012, CIC-IDS2017, and CSE-CIC-IDS2018 datasets are used for external network communications and the car hacking dataset are used for in-vehicle communications. The evaluation results show that the homogeneous <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$DeepRed$</tex-math> </inline-formula> is the optimal one in all cases of IDS system with an accuracy scores ranging between 92.43%-98.32% under CIC-IDS2017 dataset, between 91.32%-99.46% under CSE-CIC-IDS2018 dataset, and between 96.05%-99.21% under Car-hacking dataset.