Research on CAN Bus Anomaly Detection Based on LSTM and ResNet

With the rapid development of intelligent connected vehicles, the security of in-vehicle networks is receiving increasing attention. CAN is the most widely used in-vehicle network, and its security has become one of the most important problems in the development of intelligent connected vehicles. This paper describes the communication characteristics of the CAN bus network and its existing security problems, analyzes the common means of attack, and on this basis proposes an anomaly detection model based on LSTM and ResNet. The experimental results show that this method can effectively detect spoofing (deception) attacks.


Introduction
With the rapid development of communication networks and industrial intelligence, the automobile industry has begun to become intelligent and networked. As the number of intelligent devices in automobiles grows, interaction with external networks is increasingly frequent. While this brings convenience, it also brings security risks such as privacy leakage and attacks on vehicles [1]. In recent years, connected-car security incidents have kept emerging. In 2016, China's Qihoo 360 announced that it had cracked BYD's cloud service, remote driving, and other functions, as well as Tesla's remote control function [2]. In 2017, Tencent Keen Lab successfully launched a remote attack on Tesla, achieved remote coordinated control of multiple ECUs (Electronic Control Units), and finally penetrated Tesla's in-vehicle network to achieve arbitrary remote control. In 2018, a thief in the UK managed to steal a Tesla Model S by using the owner's key frequency, intercepted with tablets and phones, to unlock the door. To make matters worse, the thieves appear to have found a way to disable remote login, making it impossible for the

Introduction to CAN Bus
Communication between ECUs relies mainly on the CAN bus. An ECU broadcasts data packets with a specified ID to the network, and the ECUs on the network can selectively receive or respond to messages according to the message ID. ECUs exchange messages using data frames. A CAN data frame consists of the following parts: a 1-bit start of frame (SOF); an 11-bit standard frame ID or 29-bit extended frame ID; a 1-bit identifier extension (IDE) flag indicating whether the extended format is used; a 6-bit control field giving the length of the data in bytes; a data field, which can carry 0 to 8 bytes; a 16-bit CRC check code following the data field; a 2-bit ACK field; and a 7-bit recessive end of frame (EOF) [6].

CAN bus communication characteristics
Broadcast transmission: By the design of the physical layer and logical link layer of the CAN bus, once a CAN message is sent it is broadcast to all nodes on the bus, so a malicious component on the network can easily observe all communications, including packets intended for any other node.
No authentication field: A CAN data message contains no authentication field, nor even a source identifier field. Any node on a CAN network can therefore send messages to any other node without restriction, and a receiving node cannot determine whether the data came from a normal node or a malicious one.
No encryption mechanism: The CAN bus provides no encryption mechanism, and data is transmitted almost entirely in plaintext, so it is easy for attackers to decode.
Arbitration mechanism: The CAN bus uses a CSMA/CA communication protocol. The physical and electrical characteristics of the bus implement bus arbitration at the logical link layer, with the identifier as the arbitration field: the dominant bit "0" has priority, so which message is sent is determined entirely by the priority of its identifier [7]. If a node keeps sending messages with high-priority IDs, other messages cannot be sent normally, which affects the normal operation of the CAN bus.
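The arbitration rule above can be checked with a small simulation, which also shows why a monitor should watch for identifiers that stop appearing on the bus. This is an added example, not code from the paper; the one-frame-per-slot timing model, the function names and the sample schedules are assumptions made for illustration.

```python
# Added example (not from the paper): bitwise arbitration on a wired-AND bus.
ID_BITS = 11  # standard-frame identifier length given in the text


def arbitrate(contending_ids):
    """Return the identifier that wins when several nodes start together.

    IDs go out MSB first; the bus level is the AND of all transmitted bits,
    so a node that sends recessive 1 but reads dominant 0 stops sending.
    """
    active = set(contending_ids)
    for bit in range(ID_BITS - 1, -1, -1):
        sent = {cid: (cid >> bit) & 1 for cid in active}
        bus_level = min(sent.values())  # wired-AND of every sender
        active = {cid for cid, b in sent.items() if b == bus_level}
    (winner,) = active  # distinct IDs leave exactly one transmitter
    return winner


def simulate(periods, slots):
    """periods maps ID -> period in frame slots (assumed: one frame per slot).

    Returns {ID: (frames_sent, worst_wait_in_slots)}.
    """
    pending = {}  # ID -> slot in which the frame became ready
    stats = {cid: [0, 0] for cid in periods}
    for t in range(slots):
        for cid, period in periods.items():
            if t % period == 0 and cid not in pending:
                pending[cid] = t
        if pending:
            winner = arbitrate(pending)
            wait = t - pending.pop(winner)
            stats[winner][0] += 1
            stats[winner][1] = max(stats[winner][1], wait)
    for cid, since in pending.items():  # frames still queued at the end
        stats[cid][1] = max(stats[cid][1], slots - since)
    return {cid: tuple(v) for cid, v in stats.items()}


def starved(stats):
    """IDs that never won the bus during the observation window."""
    return sorted(cid for cid, (sent, _) in stats.items() if sent == 0)


# Constructed schedules: three periodic IDs, then the same three plus an
# identifier of all dominant bits that is ready in every slot.
NORMAL = {0x100: 4, 0x200: 4, 0x300: 4}
SATURATED = {0x000: 1, **NORMAL}
```

Comparing `simulate(NORMAL, 12)` with `simulate(SATURATED, 12)` shows every periodic ID delivered on schedule in the first case and none delivered in the second.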

Common attack modes of the CAN bus
Given these weaknesses of the CAN bus, attackers can gain access to the bus through various means. The main means of attack are as follows:
DoS attack: Because the arbitration mechanism of the CAN bus determines message priority from the size of the ID number, the bus cannot operate normally when an attacker controls a malicious node that sends messages with a smaller ID number, that is, a higher priority.
Discard attack: The attacker controls the gateway to delete or not forward some ECU data, resulting in the failure of the ECU.
Spoofing attack: Because the CAN bus lacks an authentication mechanism, the source of a data message cannot be determined. The attacker can send erroneous messages to ECUs on the bus, causing them to respond and consuming ECU processor resources.
Replay attack: When an attacker exploits the broadcast characteristics of CAN bus to eavesdrop on messages, it is easy to implement a replay attack, because a replay attack does not require too much prior knowledge and only needs to ensure that there is no data transmission on CAN bus during replay attack.
Among these, the detection of DoS, discard, and replay attacks has already been studied in depth by researchers, so this paper focuses on spoofing attacks.

LSTM
The LSTM network is a branch of the RNN family. Owing to its design, it is well suited to predicting and processing sequential data. All messages on the CAN bus are transmitted serially and in effect form time series data [8], so better results can be obtained by using LSTM to process them.

ResNet
ResNet is a deep convolutional network proposed by Kaiming He et al. in 2015 for image recognition and classification [9]. Its main distinguishing feature is the residual mechanism: every 2-3 layers are treated as a unit, and the output of the unit is the sum of the forward output of the internal convolutional layers and the input of the unit:
= ( , ) + (7)
where x and y are the input and output, and W_i is the parameter of layer l. The residual learning module of ResNet is shown in Figure 3. Specifically, x is the input data and the expected output is ( ). If the input x is passed directly to the output as the initial result, the target that needs to be learned becomes ( ) = ( ) − . Traditional convolutional or fully connected layers suffer, to a greater or lesser degree, from information loss during transmission. ResNet solves this problem to a certain extent: it protects the integrity of the information by passing the input directly to the output, so the network only needs to learn the difference between the output and the input, which simplifies the learning objective and reduces its difficulty.
Fig. 3 The residual learning module of ResNet
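The shortcut described above can be traced on a short time series: with untrained (zero) weights the unit already returns its input, and the stacked layers only have to produce the difference between the desired output and the input. This is an added example, not code from the paper; the two-layer branch, the kernels, the function names and the sample inter-arrival times are assumptions.

```python
# Added example (not from the paper): a residual unit on a 1-D time series.
# The two-layer branch, the kernels and the sample series are assumptions.


def conv1d_same(series, kernel):
    """Slide an odd-length kernel over the series, zero-padded to keep length."""
    half = len(kernel) // 2
    padded = [0.0] * half + list(series) + [0.0] * half
    return [sum(k * padded[i + j] for j, k in enumerate(kernel))
            for i in range(len(series))]


def relu(values):
    return [v if v > 0 else 0.0 for v in values]


def branch(x, w1, w2):
    """Convolution -> ReLU -> convolution: what the stacked layers compute."""
    return conv1d_same(relu(conv1d_same(x, w1)), w2)


def residual_unit(x, w1, w2):
    """Unit output = branch output + unchanged input (the shortcut)."""
    return [f + xi for f, xi in zip(branch(x, w1, w2), x)]


def branch_target(desired, x):
    """What the branch must learn: desired output minus input."""
    return [d - xi for d, xi in zip(desired, x)]


# Constructed inter-arrival times (ms) of one CAN ID; the short gaps in the
# middle stand for extra frames appearing between the periodic ones.
INTERVALS = [10.0, 10.0, 2.5, 2.5, 10.0, 10.0]
ZERO = [0.0, 0.0, 0.0]    # untrained branch
IDENT = [0.0, 1.0, 0.0]   # passes each sample through
SCALE = [0.0, 0.5, 0.0]   # halves each sample
DESIRED = [1.5 * v for v in INTERVALS]  # constructed target output
```

With `ZERO` kernels the plain `branch` outputs all zeros while `residual_unit` still returns `INTERVALS`; with `IDENT` and `SCALE` the branch equals `branch_target(DESIRED, INTERVALS)`.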

CAN bus anomaly detection model based on LSTM and ResNet
LSTM and ResNet handle the data in slightly different ways. The convolutional ResNet can be viewed as applying a sliding filter to a time series: the filtered result is again a time series, with the same dimension as the filter used, but the process yields more discriminative features, which is crucial to the accuracy of the experimental results. LSTM can learn and remember the input data sequence and can judge whether the current information is normal based on the historical information. This correlation between data is very effective for classifying time series data. Therefore, this paper integrates LSTM and ResNet to build a new data processing model. The data is first fed into ResNet and then into the LSTM, after which it is normalized and processed through PReLU and a Dropout layer. This is followed by a Softmax layer for classification. The complete model structure is shown in Fig. 4.
Fig. 4 LSTM and ResNet combination model

Data set introduction
This paper uses the CAN bus data set released by Seo Eunbi et al. in 2018, which includes spoofing of the transmission and of the tachometer [10]. The data set records CAN bus data from a real vehicle through the OBD port while message injection is performed. Each data set contains 300 message-injection intrusions, and each intrusion is executed for 3-5 seconds. Each data set has 30-40 minutes of CAN traffic. The specific data are shown in Tab

From the experimental results, the performance of the CAN bus anomaly detection model proposed in this paper improves significantly after 30 rounds of iteration, and the high F1-Score also indicates that the fused model is more effective than other models.

This paper proposes a CAN bus anomaly detection model based on deep learning. The model fuses the LSTM and ResNet neural network models so as to learn the characteristics of CAN bus data more comprehensively and efficiently and to judge more accurately and effectively whether the data is abnormal. Experiments show that this model has a good detection effect on spoofing attacks on the CAN bus.

Conclusion
There are still some shortcomings in this paper. The detection results still have room for further improvement, and the detection efficiency still needs to be improved. It should also be considered whether multiple attacks can be detected simultaneously and whether the detection of various attacks is efficient and accurate.