Intrusion detection systems in in-vehicle networks based on bag-of-words

Abstract

This paper investigates the application of the Bag-of-Words approach for the implementation of Intrusion Detection Systems on CAN-bus traffic in in-vehicle networks. A sliding window approach is used for dimensionality reduction where a set of CAN-bus messages (the window) is transformed to Bag-of-Words statistics. In an initial step, the Bag-of-Words approach is used to create a dictionary on the basis of legitimate CAN-bus traffic without attacks. Then, the Bag-of-Words approach is applied to detect four different types of intrusion attacks. The study presented in this paper investigates the application of Bag-of-Words to different combinations of the data present in the traffic including the arbitration field (CAN-ID) and the payload data. The results of this study confirms the results of the literature, which show that the CAN-ID information provides the optimal detection accuracy. In fact, for some attacks a perfect detection accuracy is obtained (100%). Taking in consideration that the CAN-ID information can be spoofed, the study investigates the use of the payload data as well. The use of payload data decreases the detection accuracy in comparison to the case of using the CAN-ID only, but it still provides an excellent performance (more than 98%) in intrusion detection. Overall, the results of the study show that the Bag-of-Words approach can be applied with success to the detection of various attacks in in-vehicle networks.