In a vehicular environment, connected vehicles are exposed to more threats than traditional information systems, with the difference that, as cyber-physical systems, anomalies and intrusions can have repercussions in the physical world. In this work, we have developed an ontological anomaly-detection approach (OADA). The anomalies studied here mainly concern network scans, DNS tunnel attacks, and telemetry data anomalies. Our contribution is a study of the attributes of interest for the algorithm used during the detection phase, namely the hierarchical temporal memory (HTM) algorithm. The packets exchanged by the vehicle are grouped into instant description windows. These windows are then analyzed to extract a set of attributes linked to properties of the network traffic, such as flow or latency. These attributes are fed to the anomaly and intrusion detection process, which is carried out by the HTM algorithm. For each entry, the algorithm produces a score that allows us to decide whether a window is abnormal and to raise an alert if it is. We evaluated our system using a tool that emulates communications and anomalies, and we use the data corpus produced with Autobot. Among the best Matthews correlation coefficient (MCC) and Detection efficiency score (DES) values, we seek to determine the parameters for which HTM detects all anomalies with the greatest possible coverage. The obtained results prove that HTM can detect all anomalies for each window duration.
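The windowing, attribute extraction, per-window scoring and MCC evaluation described above, as an added worked example that is not code from the paper: packets are constructed inline, the attributes (packet and byte counts, DNS packets, distinct ports, mean latency) are my own choice, and the per-window score is a z-score stand-in for the paper's HTM score, not HTM itself.

```python
from collections import defaultdict
from math import sqrt
from statistics import mean, pstdev

# Constructed packets: (timestamp_s, proto, dst_port, size_bytes, rtt_ms). Seconds 0-5: normal
# HTTPS plus one DNS lookup; 6-7: burst of large DNS packets; 8-9: probes of many distinct ports.
PACKETS = (
    [(t + 0.1 * i, "tcp", 443, 900, 20.0) for t in range(6) for i in range(5 + t % 2)]
    + [(t + 0.05, "udp", 53, 80, 15.0) for t in range(6)]
    + [(t + 0.05 * i, "udp", 53, 400, 16.0) for t in range(6, 8) for i in range(20)]
    + [(t + 0.1 * i, "tcp", 1000 + i, 60, 25.0) for t in range(8, 10) for i in range(10)]
)
LABELS = {w: w >= 6 for w in range(10)}  # ground truth: window index -> anomalous?
BASELINE = range(6)                       # windows used as the learned "normal"

def window_attributes(packets, window_s=1.0):
    """Group packets into fixed-duration windows; return one attribute vector per window."""
    groups = defaultdict(list)
    for pkt in packets:
        groups[int(pkt[0] // window_s)].append(pkt)
    return {w: {"pkts": len(pkts),
                "bytes": sum(p[3] for p in pkts),
                "dns_pkts": sum(1 for p in pkts if p[2] == 53),
                "uniq_ports": len({p[2] for p in pkts}),
                "mean_rtt": mean(p[4] for p in pkts)}
            for w, pkts in sorted(groups.items())}

def score_windows(attrs, baseline):
    """Per-window anomaly score. Stand-in for the paper's HTM score (an assumption here):
    the largest absolute z-score of any attribute relative to the baseline windows."""
    keys = list(next(iter(attrs.values())))
    stats = {}
    for k in keys:
        vals = [attrs[w][k] for w in baseline]
        stats[k] = (mean(vals), pstdev(vals) or 1.0)  # constant attribute: avoid divide-by-zero
    return {w: max(abs(a[k] - stats[k][0]) / stats[k][1] for k in keys) for w, a in attrs.items()}

def mcc(tp, tn, fp, fn):
    """Matthews correlation coefficient; 0.0 when the denominator is undefined."""
    denom = sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return (tp * tn - fp * fn) / denom if denom else 0.0

def evaluate(scores, labels, threshold):
    """Alert on windows whose score exceeds the threshold; return the MCC against ground truth."""
    tp = sum(s > threshold and labels[w] for w, s in scores.items())
    fp = sum(s > threshold and not labels[w] for w, s in scores.items())
    fn = sum(s <= threshold and labels[w] for w, s in scores.items())
    return mcc(tp, len(scores) - tp - fp - fn, fp, fn)
```

Calling `evaluate(score_windows(window_attributes(PACKETS), BASELINE), LABELS, thr)` for several thresholds shows how the alert threshold trades false positives against missed windows in the MCC, which is the kind of parameter sweep the abstract describes.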