IEEE Access (Jan 2021)
Intrusion Detection Method Using Bi-Directional GPT for in-Vehicle Controller Area Networks
Abstract
The controller area network (CAN) bus protocol is exposed to threats from various attacks because it is designed without consideration of security. In a normal vehicle operation situation, controllers connected to a CAN bus transmit periodic and nonperiodic signals. Thus, if a CAN identifier (ID) sequence is configured by collecting the identifiers of CAN signals in their order of occurrence, it will have a certain pattern. However, if only a very small number of attack IDs are included in a CAN ID sequence, it will be difficult to detect the corresponding pattern change. Thus, a detection method that is different from the conventional one is required to detect such attacks. Since a CAN ID sequence can be regarded as a sentence consisting of words in the form of CAN IDs, a generative pretrained transformer (GPT) model can learn the pattern of a normal CAN ID sequence. Therefore, such a model is expected to be able to detect CAN ID sequences that contain a very small number of attack IDs better than the existing long short-term memory (LSTM)-based method. In this paper, we propose an intrusion detection model that combines two GPT networks in a bi-directional manner to allow both past and future CAN IDs (relative to the time of detection) to be used. The proposed model is trained to minimize the negative log-likelihood (NLL) value of the bi-directional GPT network for a normal sequence. When the NLL value for a CAN ID sequence is larger than a prespecified threshold, it is deemed an intrusion. The proposed model outperforms a single uni-directional GPT model with the same degree of complexity as other existing LSTM-based models because the bi-directional structure of the proposed model maintains the estimation performance for most CAN IDs, regardless of their positions in the sequence.
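The detection rule in the abstract (score a CAN ID sequence by its negative log-likelihood under a forward and a backward model, and flag it when the NLL exceeds a preset threshold) can be illustrated with the added example below, which is not the paper's code. It swaps the two GPT networks for add-one-smoothed bigram counts. The CAN IDs, the window size, averaging the two directions per ID, and taking the threshold as the worst normal window are all assumptions made for the illustration.

```python
import math
from collections import Counter

def train_bigram(stream, vocab_size):
    """Add-one-smoothed next-ID model; a count-based stand-in for one GPT network."""
    pair, ctx = Counter(), Counter()
    for a, b in zip(stream, stream[1:]):
        pair[(a, b)] += 1
        ctx[a] += 1
    v = vocab_size + 1  # one extra slot for IDs never seen in training
    return lambda a, b: (pair[(a, b)] + 1) / (ctx[a] + v)

def train_bidirectional(stream):
    """Forward model predicts an ID from the previous one, backward from the next."""
    n_ids = len(set(stream))
    return train_bigram(stream, n_ids), train_bigram(stream[::-1], n_ids)

def sequence_nll(models, seq):
    """Mean per-ID NLL; each ID averages its forward and backward terms (assumed)."""
    fwd, bwd = models
    total = 0.0
    for t, cur in enumerate(seq):
        terms = []
        if t > 0:
            terms.append(-math.log(fwd(seq[t - 1], cur)))
        if t < len(seq) - 1:
            terms.append(-math.log(bwd(seq[t + 1], cur)))
        total += sum(terms) / len(terms)
    return total / len(seq)

def windows(stream, size):
    return [stream[i:i + size] for i in range(len(stream) - size + 1)]

# Constructed sample traffic: four CAN IDs repeating in a fixed schedule.
PATTERN = [0x0A0, 0x1F2, 0x0A0, 0x2C4, 0x0A0, 0x1F2, 0x3E8]
NORMAL = PATTERN * 100
WINDOW = 16

MODELS = train_bidirectional(NORMAL)
# Threshold fixed in advance from normal traffic only: the worst normal window.
THRESHOLD = max(sequence_nll(MODELS, w) for w in windows(NORMAL, WINDOW))

def is_intrusion(seq):
    return sequence_nll(MODELS, seq) > THRESHOLD

# One injected frame: a legitimate ID (0x3E8) appearing out of schedule.
ATTACK = NORMAL[:4] + [0x3E8] + NORMAL[4:15]

if __name__ == "__main__":
    print(f"threshold={THRESHOLD:.3f} attack={sequence_nll(MODELS, ATTACK):.3f}")
```

The injected ID raises both its own forward term and the backward term of the ID before it, which is why one out-of-schedule frame in a 16-ID window is enough to cross the threshold here.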
Keywords