Good Enough to Learn: LLM-based Anomaly Detection in ECU Logs without Reliable Labels
Bogdan Bogdan, Arina Cazacu, Laura Vasilie

TL;DR
This paper introduces a decoder-only Large Language Model for anomaly detection in automotive ECU logs, effectively handling unreliable labels and learning from minimal data to improve detection accuracy.
Contribution
It presents a novel decoder-only LLM architecture for ECU anomaly detection, addressing label inconsistency and adaptability across use cases.
Findings
Effective anomaly detection in ECU logs using minimal labeled data
Entropy regularization increases model uncertainty in known anomalies
Scalable approach reduces manual labeling costs
Abstract
Anomaly detection often relies on supervised or clustering approaches, with limited success in specialized domains like automotive communication systems where scalable solutions are essential. We propose a novel decoder-only Large Language Model (LLM) to detect anomalies in Electronic Control Unit (ECU) communication logs. Our approach addresses two key challenges: the lack of LLMs tailored for ECU communication and the complexity of inconsistent ground truth data. By learning from UDP communication logs, we formulate anomaly detection simply as identifying deviations in time from normal behavior. We introduce an entropy regularization technique that increases the model's uncertainty in known anomalies while maintaining consistency in similar scenarios. Our solution offers three novelties: a decoder-only anomaly detection architecture, a way to handle inconsistent labeling, and an adaptable…
Taxonomy
Topics: Anomaly Detection Techniques and Applications · Software System Performance and Reliability · Smart Grid Security and Resilience
