8 research outputs found

    Detection of Anomalies in Telecommunication Traffic by Statistical Methods

    Anomaly detection is an important task in many areas of human life, and many statistical methods are used for it. In this paper, the following statistical data-analysis methods were chosen to detect anomalies: survival analysis, time series analysis (fractal), a classification method (decision trees), cluster analysis and the entropy method. A description of the selected methods is given. To analyze anomalies, traffic and attack captures from an open dataset were taken; more than 3 million packets from the dataset were used to evaluate the described methods. The dataset contained legitimate traffic (75%) and attacks (25%). Simulation of the selected statistical methods was performed on network traffic captures from telecommunication networks using different protocols. To implement the simulation, programs were written in the Python programming language. DDoS attacks, UDP flood, TCP SYN flood, ARP attacks and HTTP flood were chosen as anomalies. A comparative analysis of the performance of these methods in detecting anomalies (attacks) was carried out on the following parameters: the probability of anomaly detection, the probability of false positive detection, and the running time of each method to detect the anomaly. Experimental results showed the performance of each method. The decision tree method is the best in terms of anomaly identification probability, fewer false positives, and anomaly detection time. The entropy analysis method is slightly slower and gives slightly more false positives. Next is the cluster analysis method, which is slightly worse at detecting anomalies. The fractal analysis method showed a lower probability of detecting anomalies, a higher probability of false positives and a longer running time. The worst was the survival analysis method.

    Keep the moving vehicle secure: context-aware intrusion detection system for in-vehicle CAN bus security.

    The growth of information technologies has driven the development of the transportation sector, including connected and autonomous vehicles. Due to its communication capabilities, the controller area network (CAN) is the most widely used in-vehicle communication protocol. However, CAN lacks suitable security mechanisms such as message authentication and encryption. This makes the CAN bus vulnerable to numerous cyberattacks. Not only are these attacks a threat to information security and privacy, but they can also directly affect the safety of drivers, passengers and the surrounding environment of the moving vehicles. This paper presents CAN-CID, a context-aware intrusion detection system (IDS) to detect cyberattacks on the CAN bus, which would be suitable for deployment in automobiles, including military vehicles, passenger cars and commercial vehicles, and other CAN-based applications such as aerospace, industrial automation and medical equipment. CAN-CID is an ensemble model of a gated recurrent unit (GRU) network and a time-based model. The GRU algorithm works by learning to predict the centre ID of a CAN ID sequence, and ID-based probabilistic thresholds are used to identify anomalous IDs, whereas the time-based model identifies anomalous IDs using time-based thresholds. The number of anomalies compared to the total number of IDs over an observation window is used to classify the window status as anomalous or benign. The proposed model uses only benign data for training and threshold estimation, avoiding the need to collect realistic attack data to train the algorithm. The performance of the CAN-CID model was tested against three datasets over a range of 16 attacks, including fabrication and more sophisticated masquerade attacks. The CAN-CID model achieved an F1-Score of over 99% for 13 of those attacks and outperformed benchmark models from the literature for all attacks, with near real-time detection latency.

    Congestion Intrusion Detection-Based Method for Controller Area Network Bus: A Case for KIA SOUL Vehicle

    In the vehicle industry, connectivity and autonomy are becoming increasingly important features. One of the most used protocols for in-vehicle communication is the Controller Area Network (CAN) bus, which manages the communication between networked components. However, the CAN bus, despite its critical importance, lacks sufficient security features to protect its network as well as the overall car system. Thus, vehicle network security is becoming increasingly crucial. Methods of intrusion detection help to improve the security of the in-vehicle network. This work aims to provide a model that enables effective detection of attacks such as fuzzy, DoS, and impersonation using the Deep Feedforward Neural Network (DeepFNN) model as well as the Long Short-Term Memory (LSTM) model. Moreover, the LSTM model presents the most satisfying outcome in terms of precision and recall metrics.

    Generative Neural Network-Based Defense Methods Against Cyberattacks for Connected and Autonomous Vehicles

    The rapid advancement of communication and artificial intelligence technologies is propelling the development of connected and autonomous vehicles (CAVs), revolutionizing the transportation landscape. However, increased connectivity and automation also present heightened potential for cyber threats. Recently, the emergence of generative neural networks (NNs) has unveiled a myriad of opportunities for complementing CAV applications, including generative NN-based cybersecurity measures to protect the CAVs in a transportation cyber-physical system (TCPS) from known and unknown cyberattacks. The goal of this dissertation is to explore the utility of the generative NNs for devising cyberattack detection and mitigation strategies for CAVs. To this end, the author developed (i) a hybrid quantum-classical restricted Boltzmann machine (RBM)-based framework for in-vehicle network intrusion detection for connected vehicles and (ii) a generative adversarial network (GAN)-based defense method for the traffic sign classification system within the perception module of autonomous vehicles. The author evaluated the hybrid quantum-classical RBM-based intrusion detection framework on three separate real-world Fuzzy attack datasets and compared its performance with a similar but classical-only approach (i.e., a classical computer-based data preprocessing and RBM training). The results showed that the hybrid quantum-classical RBM-based intrusion detection framework achieved an average intrusion detection accuracy of 98%, whereas the classical-only approach achieved an average accuracy of 90%. For the second study, the author evaluated the GAN-based adversarial defense method for traffic sign classification against different white-box adversarial attacks, such as the fast gradient sign method, the DeepFool, the Carlini and Wagner, and the projected gradient descent attacks. 
The author compared the performance of the GAN-based defense method with several traditional benchmark defense methods, such as Gaussian augmentation, JPEG compression, feature squeezing, and spatial smoothing. The findings indicated that the GAN-based adversarial defense method for traffic sign classification outperformed all the benchmark defense methods under all the white-box adversarial attacks the author considered for evaluation. Thus, the contribution of this dissertation lies in utilizing the generative ability of existing generative NNs to develop novel high-performing cyberattack detection and mitigation strategies that are feasible to deploy in CAVs in a TCPS environment.

    A wavelet-based intrusion detection system for Controller Area Network (CAN).

    Associate Supervisor: Mohammad Samie
    Controller Area Network (CAN), designed in the early 1980s, is the most widely used in-vehicle communication protocol. The CAN protocol has various features to provide highly reliable communication between the nodes. Some of these features are the arbitration process to provide fixed-priority scheduling, an error confinement mechanism to eliminate faulty nodes, and a message form check along with a cyclic redundancy checksum to identify transmission faults. It also has a differential voltage architecture on a twisted two-wire pair, eliminating electrical and magnetic noise. Although these features make CAN a perfect solution for the real-time cyber-physical structure of vehicles, the protocol lacks basic security measures like encryption and authentication; therefore, vehicles are vulnerable to cyber-attacks. Due to increased automation and connectivity, the attack surface grows over time. This research aims to detect CAN bus attacks by proposing WINDS, a wavelet-based intrusion detection system. WINDS analyses the network traffic behaviour by binary classification in the time-scale domain to identify potential attack instances (anomalies). As there is no standard testing methodology, a part of this research constitutes a comprehensive testing framework and the generation of a benchmarking dataset. Finally, WINDS is tested according to the framework and its competitiveness with state-of-the-art solutions is presented.
    PhD in Transport Systems