Machine Learning with Real-time and Small Footprint Anomaly Detection System for In-Vehicle Gateway

TL;DR

This paper introduces a real-time, low-footprint anomaly detection system for in-vehicle gateways using self-information theory and unsupervised learning, effectively detecting one-time attacks with minimal resource use.

Contribution

It proposes a novel self-information based method for real-time anomaly detection in vehicle ECUs, reducing computational footprint and eliminating the need for labeled attack data.

Findings

Achieves 8.7x lower false positive rate

Runs 1.77x faster in testing

Uses 4.88x less memory footprint

Abstract

Anomaly Detection System (ADS) is an essential part of a modern gateway Electronic Control Unit (ECU) to detect abnormal behaviors and attacks in vehicles. Among the existing attacks, ``one-time`` attack is the most challenging to be detected, together with the strict gateway ECU constraints of both microsecond or even nanosecond level real-time budget and limited footprint of code. To address the challenges, we propose to use the self-information theory to generate values for training and testing models, aiming to achieve real-time detection performance for the ``one-time`` attack that has not been well studied in the past. Second, the generation of self-information is based on logarithm calculation, which leads to the smallest footprint to reduce the cost in Gateway. Finally, our proposed method uses an unsupervised model without the need of training data for anomalies or attacks. We have compared different machine learning methods ranging from typical machine learning models to deep learning models, e.g., Hidden Markov Model (HMM), Support Vector Data Description (SVDD), and Long Short Term Memory (LSTM). Experimental results show that our proposed method achieves 8.7 times lower False Positive Rate (FPR), 1.77 times faster testing time, and 4.88 times smaller footprint.