TLDR: GUARD-CAN is a new anomaly detection system for in-vehicle Controller Area Networks (CAN) that uses graph-based learning and time-series modeling. It converts CAN messages into graphs, extracts features with Graph Convolutional Networks (GCN), and then uses Gated Recurrent Units (GRU) to detect temporal anomalies. The system effectively identifies flooding, fuzzing, replay, and spoofing attacks without complex feature engineering, performing best with smaller data windows.
Modern vehicles rely heavily on in-vehicle networks, with the Controller Area Network (CAN) being a foundational protocol. While efficient, CAN lacks crucial security features like encryption and authentication, making it vulnerable to various cyber threats. This vulnerability has been highlighted by real-world hacking incidents, underscoring the urgent need for robust security solutions in automotive systems.
Addressing this critical security gap, researchers Hyeong Seon Kim and Huy Kang Kim from Korea University have introduced GUARD-CAN, an innovative anomaly detection framework. GUARD-CAN stands out by combining graph-based representation learning with time-series modeling to effectively identify unusual patterns in CAN messages.
The core idea behind GUARD-CAN involves a clever approach to analyzing CAN data. It first divides the continuous stream of CAN messages into fixed-length segments, or “windows.” Each of these windows is then transformed into a graph, where the connections between messages preserve their original temporal order. This unique graph representation allows the system to understand both the structure and the time-aware context of the messages.
To detect anomalies, GUARD-CAN employs a sophisticated deep learning architecture. It uses a combination of an overcomplete Autoencoder (AE) and a Graph Convolutional Network (GCN) to generate compact “graph embedding vectors” for each window. These vectors essentially capture the unique characteristics of the CAN message flow within that window. What’s particularly noteworthy is that GUARD-CAN doesn’t require complex, manual feature engineering, simplifying its application.
Furthermore, to account for temporal patterns across different windows, these graph embedding vectors are grouped into sequences. These sequences are then fed into a Gated Recurrent Unit (GRU), a type of neural network well-suited for processing sequential data. The GRU learns to identify temporal anomaly patterns, allowing GUARD-CAN to detect threats that unfold over time.
GUARD-CAN offers a multi-perspective evaluation of its performance, detecting anomalies at both the sequence level (considering the flow of multiple windows) and the individual window level. The research also emphasizes the importance of selecting the right window size for optimal performance, a factor analyzed using Shannon entropy.
The effectiveness of GUARD-CAN was demonstrated against four common types of CAN attacks: flooding, fuzzing, replay, and spoofing. The model proved capable of detecting these attacks efficiently. Experiments showed that GUARD-CAN achieved high detection performance, particularly excelling with smaller window sizes and shorter sequence lengths, indicating its ability to capture localized, meaningful features.
Also Read:
- KD-GAT: A Compact AI System for Detecting Cyberattacks in Car Networks
- Unmasking Silent Network Threats with WBHT
This research marks a significant step forward in securing in-vehicle networks, providing a robust and adaptable solution to protect modern vehicles from evolving cyber threats. For more in-depth information, you can read the full research paper available at arXiv.org.
