CAN-BiGRUBERT: unveiling automotive vehicle intruders by profiling and characterizing anomalies in controller area network

Abstract

In-vehicle Controller Area Networks (CAN) are vulnerable to various injection attacks that can compromise the safety of vehicle occupants and result in financial losses. While a substantial body of work on CAN intrusion detection exists, it lacks multiclass attack classification models. Current multiclass models do not encompass all attack types or account for the vehicle’s state, i.e., whether the car is stationary or in motion. This work addresses these limitations by proposing CAN-BiGRUBERT, a multiclass CAN intrusion detection model that jointly predicts the vehicle state and attack class from CAN traffic windows. CAN-BiGRUBERT employs Bidirectional Encoder Representations from Transformers (BERT) to capture spatial dependencies within individual CAN frames, and a Bidirectional Gated Recurrent Unit (BiGRU) network to capture temporal dependencies across multiple frames in a window. For training and evaluating CAN BiGRUBERT, we comprehensively reviewed current CAN intrusion datasets to select the HCRL Attack & Defense dataset, which contains all injection attacks executed in both vehicle states. We implemented CAN-BiGRUBERT and compared its performance with other variants and state-of-the-art CAN attack classification models, based on individual CAN frames, arbitration identifier (AID) sequences, and windows of complete frames. Compared to the baseline models, the proposed model achieved higher accuracy and F1-score, indicating its superior ability to predict the vehicle state and attack class simultaneously. Specifically excelling in detecting replay attacks and discriminating between driving and stationary states, CAN-BiGRUBERT represents a promising enhanced, informative intrusion detection method for in-vehicle CAN