One-Class Classification for Intrusion Detection on Vehicular Networks
Jake Guidry, Fahad Sohrab, Raju Gottumukkala, Satya Katragadda, Moncef Gabbouj

TL;DR
This paper evaluates various one-class classification techniques for detecting injection cyber-attacks on vehicular Controller Area Network systems, highlighting the superior performance of the Subspace Support Vector Data Description method.
Contribution
It provides a comparative analysis of state-of-the-art one-class classifiers for vehicular network security, focusing on injection attack detection.
Findings
Subspace Support Vector Data Description outperformed others with ~85% Gmean.
One-class classifiers effectively detect unknown injection attacks.
Evaluation on real vehicle CAN bus data demonstrates practical applicability.
Abstract
Controller Area Network bus systems within vehicular networks are not equipped with the tools necessary to ward off and protect themselves from modern cyber-security threats. Work has been done on using machine learning methods to detect and report these attacks, but common methods are not robust towards unknown attacks. These methods usually rely on there being a sufficient representation of attack data, which may not be available, either because there is not enough data present to adequately represent its distribution or because the distribution itself is too diverse in nature for there to be a sufficient representation of it. With the use of one-class classification methods, this issue can be mitigated as only normal data is required to train a model for the detection of anomalous instances. Research has been done on the efficacy of these methods, most notably One-Class Support Vector…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Internet Traffic Analysis and Secure E-voting
