IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 22, NO. 8, AUGUST 2021 5081

CAN-Bus Attack Detection With Deep Learning


Flora Amato, Luigi Coppolino, Francesco Mercaldo, Francesco Moscato, Roberto Nardone, and Antonella Santone
Manuscript received March 30, 2020; revised September 22, 2020; accepted November 23, 2020. Date of publication January 15, 2021; date of current version August 9, 2021. The Associate Editor for this article was M. Guizani. (Corresponding author: Flora Amato.)
Flora Amato is with the Department of Electrical and Information Technology Engineering (DIETI), University of Naples Federico II, 80125 Napoli, Italy (e-mail: [email protected]).
Luigi Coppolino is with the Department of Engineering, University of Naples Parthenope, 80133 Napoli, Italy (e-mail: luigi.coppolino@uniparthenope.it).
Francesco Mercaldo is with the Institute for Informatics and Telematics, National Research Council of Italy (CNR), 56124 Pisa, Italy, and also with the Department of Medicine and Health Sciences “Vincenzo Tiberio,” University of Molise, 86100 Campobasso, Italy (e-mail: [email protected]).
Francesco Moscato is with the Department of Computer Engineering, Electrical Engineering and Applied Mathematics (DIEM), University of Salerno, 84084 Fisciano (SA), Italy (e-mail: [email protected]).
Roberto Nardone is with the Department of Information Engineering, Infrastructure and Sustainable Energy (DIIES), Mediterranea University of Reggio Calabria, 89124 Reggio Calabria, Italy (e-mail: [email protected]).
Antonella Santone is with the Department of Medicine and Health Sciences “Vincenzo Tiberio,” University of Molise, 86100 Campobasso, Italy (e-mail: [email protected]).
Digital Object Identifier 10.1109/TITS.2020.3046974
1558-0016 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Tsinghua University. Downloaded on September 19,2022 at 08:15:51 UTC from IEEE Xplore. Restrictions apply.

Abstract— Modern cars include a huge number of sensors and actuators, which continuously exchange data and control commands. The most used protocol for communication between the different components of an automotive system is the Controller Area Network (CAN). According to CAN, components communicate by broadcasting messages on a bus. In addition, the standard definition of the protocol does not provide information for authentication, so exposing it to attacks. This paper proposes a method based on deep learning aiming at discovering attacks towards the CAN-bus. In particular, Neural Networks and MultiLayer Perceptrons are the class of networks employed in our approach. We also validate our approach by analysing a real-world dataset with the injection of messages from different types of attacks: denial of service, fuzzy pattern attacks, and attacks against specific components. The obtained results are encouraging and demonstrate the effectiveness of the approach.

Index Terms— Automotive, intelligent systems, deep learning, neural networks, attack detection, security.

I. INTRODUCTION

IN THE last years, the automotive domain has experienced a rapid growth of complexity, mainly due to the introduction of more and more complex components for control, supervision or driving assistance. Modern cars nowadays include many electronic components, computing units and software as well. In addition, all components are linked to each other by complex networks. These elements no longer work “stand-alone”, but they need to exchange a plethora of information, generating a large amount of data to manage [1].

Modern cars include dozens of independent processing units — the so-called Electronic Control Units (ECUs) — that are interconnected by different buses or networks [2], [3]. ECUs execute many safety controls, such as skid detection, crash prediction or anti-lock braking [1]. In general, the whole control system, which has changed considerably over the years, has soft or hard real-time requirements on network components in order to guarantee the correct operation and the sufficient quality levels (i.e., performance, reliability, safety) of the whole system.

The most used communication standard is the Controller Area Network (CAN) (also known as CAN-bus) [3]. The CAN standard defines a communication protocol; it dates back to the 80s and it was developed by the Bosch GmbH company in order to provide efficient communication among several automotive applications, also with a critical impact on safety. It became a standard within the ISO 11898-1:2011.1 The CAN standard was initially applied to automotive, but it is currently employed in many industrial applications for communication of embedded components. It mainly consists of a broadcast protocol where messages sent by a sender are analysed by all receivers connected to the same network, which in turn decide if the message has to be delivered at application layer [4].

1 https://www.iso.org/standard/63648.html

In the definition of the CAN standard, there is no built-in security mechanism. This exposes modern cars to cyber-security threats. As an example, it is very simple to sniff packets from a CAN-bus, and it is just as easy to enact an impersonation attack. In particular, as will be shown in the following, a malicious ECU can steal identities by injecting packets with identifiers of other components. However, the application of complex reverse engineering techniques is needed to analyse traffic, since every manufacturer and every car model develops a different implementation of the CAN standard (which is not publicly disclosed), which differs in the customization of IDs to represent data, in the data format, etc. [2].

With the wide adoption of CAN in modern cars, passengers are continuously exposed to threats due to attacks on the code running on their automobiles. Indeed, in these systems compromised software could lead to relevant injuries for passengers [5], [6].

This paper represents a step forward in the direction of securing CAN-buses by means of Artificial Intelligence techniques. In particular, it shows that deep learning is an effective technique that can be exploited to detect attacks on CAN-bus. In fact, the paper proposes a method for identification of attacks based on deep learning, where data from packets represent the features vector. The idea relies on the fact that the attacks targeting CAN are characterized by a common attempt to compromise well-chosen mechanisms in
the protocol [7]. A concrete experimentation is also conducted by using a real-world dataset where the goal is to prove how the proposed solution is able to discover malicious messages injected by attackers.

The rest of the paper is structured as follows. After the description of the concepts representing the background given in Section II, Section III conducts the analysis of the related works. Section IV describes the details about the proposed approach, detailing the detection technique and describing the chosen features. Then Section V describes the experimentation campaign conducted on a real-world dataset. Section VI ends the paper by drawing some final remarks and addressing possible future works.

II. BACKGROUND

A. Controller Area Network

CAN is a network standard that uses a serial protocol for message exchanges. It was officially introduced in 2011 by standard ISO 11898-1:2011.2 This standard gives all details needed to set up a connection among ECUs. CAN supports distributed real-time communication and it is widely used in communications among control and monitoring subsystems in cars. The same standard also defines two kinds of formats for frames: the Classical frame and the Flexible Data Rate Frame. In particular, the former has a payload of 8 bits with a bit rate of 1 Mbps when the distance does not exceed 40 meters; it is reduced to 125 kbps when the distance increases up to 500 metres. The payload and the bitrate can be increased with the use of the Flexible Data Rate frame format. At last, the standard also defines hierarchically the layers of the elements in the CAN architecture. It supports three possible implementations: (1) classical CAN frame format only; (2) classical CAN with tolerance of flexible format; (3) mixed frame formats. The last option is highly recommended for novel implementations. As a matter of fact, we can consider the protocol at layer 2 of the ISO/OSI stack.

2 https://www.iso.org/standard/63648.html

The use of CAN-bus solves well the problem of managing the increasing number of sensors and control devices in modern cars, which previously needed point-to-point connections. CAN ensures low design and implementation costs in concrete applications and in hostile environments (i.e., high noise and disturbances in the communications) [1].

In detail, the standard defines that CAN packets have either 11-bit or 29-bit identifiers. To the best of our knowledge, automotive applications typically use 11-bit identifiers. Data have a length up to 8 bytes. Optionally, a checksum could be added but only if it fits the maximum length of 8 bytes (indeed the standard does not specify this). As an example, Toyota cars exploit checksums with a variable length of the data frame, while many other manufacturers prefer data frames of fixed length with or without checksums [8]. Usually, CAN packets can be classified as normal or diagnostic. In the first category, we insert all the packets sent by the ECUs, either containing information and sent in broadcast to all other ECUs or containing commands for specific ECUs. Diagnostic packets can be used to monitor the state of the network and of connected elements. The former type of packets is continuously present in a car, even if the observation time is reduced to a few milliseconds; the latter is usually not used during normal operation.

The CAN packets mainly contain the following fields:
• Identifier: unique identifier of the specific CAN message, also representing message priority, expressed over 11 bits;
• Remote Transmission Request (RTR): bit specifying the type of message, choosing between data frame and remote request;
• Data Length Code (DLC): number of data bytes, varying from 0 to 8 and expressed as a 4-bit integer;
• Data Field: data to be transmitted, in a length varying from 0 to 8 bytes, according to what is expressed in the DLC field;
• Cyclic Redundancy Check (CRC): checksum of the message.

The following Listing reports an example of frame format. As said before, the CAN packet contains up to 8 bytes of data.

B. Deep Learning Techniques

We recall that deep learning techniques are characterized by non-linear processing among logical units that are connected to each other in cascade over different layers, where the outputs of one layer serve as input of the next one. These techniques support both supervised and unsupervised approaches.

In particular, we use Deep Neural Networks (DNN), i.e., neural networks with multiple layers hidden between the input and output layers. DNNs are able to implement non-linear classifiers and they create models by layered composition of primitives [9].

DNNs usually exploit feedforward connection of inputs and outputs [10].

In the following work we consider supervised deep learning techniques using two different classification algorithms:
• Neural Network: this simulates the human brain, where “neurons” are functions managing data in a complex network, which resembles statistical methods [9]. Neurons (perceptrons) are connected to each other resembling linear regressions [11].
• Multi Layer Perceptron (MLP): this is a class of feedforward artificial neural network. They allow for implementation of space separators. They present one or more hidden layers [12]. Perceptrons evaluate outputs by combining different inputs by a linear weighted transfer function [11]. The output layer reports classification results over mapped inputs.

III. RELATED WORK

The CAN standard has been widely studied in literature. With a specific focus on the attack detection, many works
are currently present in literature. In [5], on the basis of the current literature, the authors describe the set of possible attacks against a smart car and the weaknesses found, and detail the attack vector, assessing the threat, the vulnerability and the impact. Many of the reported attacks can be conducted by violating the CAN-bus. The wide range of possible attacks against the CAN-bus is also described in [13], where the authors confirm that multiple attack vectors exploit CAN vulnerabilities. In addition, wireless communications, such as positioning systems, on-board WiFi and digital radio, can also be exploited to take control of the vehicle. Wireless attacks are also at the basis of the work in [14], where the author verifies how a smartphone app can be used for long-range wireless attacks.

From the protection point of view, the work in [15] proposes an approach to develop a detector of CAN attacks based on long short-term memory, which is a Recurrent Neural Network used in deep learning. This detector is mainly oriented to the prediction of the next data packet originating from an ECU by analysing the previous messages generated by the same source. The experimental validation seems to confirm that the anomaly detection has a low false positive rate. The work in [16] proposes an algorithm aiming at detecting denial of service attacks by continuously monitoring the normal behavior of the system. Similarly, the work in [17] offers an intrusion detection system for vehicular ad-hoc networks using Artificial Neural Networks, mainly employed to detect Denial of Service (DoS) attacks. The idea behind this system is to detect an attack using the data generated during communication. The simulation has been obtained by exploiting the NS2 simulator, in order to generate the normal and malicious behavior. In the same direction, the paper in [18] proposes an approach based on an autonomous road-side infrastructure network that includes a certification authority, distributed among the different regions. The role of the road-side infrastructures is to cache and to forward certificates, transparently from other autonomous networks. The final objective is to demonstrate that intrusion detection systems using certification authorities offer a higher level of protection against malicious cars with valid certificates, with better efficiency, scalability and security.

A deep convolutional neural network is proposed in [19] for CAN bus intrusion detection. They adopt the Inception-ResNet model, which was initially developed for image classification.

CANTransfer [20] adopts transfer learning, implementing a convolutional long short-term memory. CANTransfer is aimed at detecting whether an attack is happening, without detecting the specific attacks.

The idea of adding devices in the road-side infrastructure is also exploited in the work in [21], which describes a sensor-based approach. The sensors are intelligent devices, able to detect incorrect information and also the nodes originating this information. The authors in [22] increase the amount of data to analyse by collecting external data (radars, traffic etc.) and dynamically evaluating data similarity. The authors in [23] exploit features obtained from the CAN bus for driver profiling. In detail, they show how supervised machine learning algorithms can be employed to distinguish between the car owner and impostors.

CANet [24] represents a neural network architecture for detecting intrusions targeting the CAN bus. CANet is evaluated on simulated attacks, i.e., (malicious and legitimate) CAN packets obtained by exploiting a simulated environment and not a real one. Machine learning is investigated in [25] for bus travel time prediction with the aim of providing efficient scheduling for the passengers. Basically, the authors experiment with three regression methods, i.e., linear regression, support vector regression and artificial neural network, for travel time prediction.

CANeleon [26] is aimed at detecting spoofed frame ID attacks in CAN networks. The idea behind CANeleon is to defend the CAN bus from an attacker injecting malicious packets with legitimate IDs.

An intrusion detector aimed at detecting spoofing attacks in connected electric vehicles is proposed in [27], where the authors exploit supervised machine learning by building models with the Random Forest and the k-Nearest Neighbor algorithms.

With respect to the existing approaches, the one described in this paper adopts deep learning techniques to identify human actions within the system, in order to discriminate between normal and injected messages. The model developed in this work follows the guidelines drawn in several works where the authors use deep learning to classify human actions without using any prior knowledge [28]–[30]. In this direction, this work could be seen as a first step in the application of techniques aiming at detecting human behaviour in a complex control environment, such as the automotive domain. At last, we have to say that, to the best of our knowledge, this work is the first that performs a validation with real-world data.

IV. THE METHOD

This section describes the proposed method we developed to detect attacks targeting the CAN-bus. To distinguish the messages injected by a malicious attacker from those belonging to the normal communication flow, the proposed method uses the data bytes of the CAN packet. With reference to the frame format described in Section II-A, features from number 1 to number 8 refer to the first to the eighth byte, and respectively to the values in the Listing: 19, 21, 22, 30, 08, 8E, 6D and 18.

We validate our approach by providing a real-world use case. We use four different datasets that have been provided freely.3 The datasets include four kinds of attacks: dos attack (dos), fuzzy attack (fuzzy), drive gear spoofing (gear) and RPM gauge spoofing (rpm) [1]. The datasets have been collected by OBD-II (On-Board Diagnostics) logging during attacks. More than 300 malicious messages have been logged during different attacks that lasted from 3 to 5 seconds. The datasets include from 30 to 40 minutes of bus traffic.

3 https://sites.google.com/a/hksecurity.net/ocslab/Datasets/car-hacking-dataset

The leftmost part of Fig. 1 reports an example of a Denial of Service (dos) attack, where the message with ‘0000’ CAN ID is injected every 0.3 milliseconds.

The rightmost part of Fig. 1 shows a Fuzzy attack with CAN ID and DATA changing every 0.5 ms.

Fig. 1. The dos (in the left box) and fuzzy (in the right box) attacks.

TABLE I
NUMBER OF TOTAL, NORMAL AND INJECTED MESSAGES IN THE FOUR DATASETS WE CONSIDER FOR THE ATTACKS AND IN THE FULL DATASET, CONSTRUCTED BY ADDING ALL THE MESSAGES

The gear/rpm attacks require the injection of messages related to a CAN ID related to gear/rpm data every 1 ms. Notice that rpm is really important in the automotive context, since maliciously increasing the RPMs may cause damage to the engine.

Table I reports statistics about the number of messages in the different datasets.

To validate the proposed approach, we set up an experiment in order to understand if the designed features vector contains enough information to classify different attacks.

We follow three steps in validation: (i) Descriptive Analysis: we create statistical dependencies among normal and malicious messages. (ii) Hypotheses testing: we check if different distributions exist for different kinds of messages. (iii) Classification Analysis: we evaluate classification results.

For the first point, we represent boxplots of the distribution of injected and normal messages with reference to feature vectors.

In the second step, we test the following hypothesis: H0: ‘normal and injected messages show closer values for feature vector’.

The null hypothesis was evaluated with the Mann-Whitney Test, with the Kolmogorov-Smirnov Test and with the Wald-Wolfowitz Test. For the three tests we set a p-level equal to 0.05.

The objective is to estimate the probability of wrong classification. Here, we reach a significance level of 0.05 (i.e., we consider acceptable a mistake rate of 5%).

The last step aims at checking the effectiveness of the features vector in classifying malicious and normal messages. Two different deep learning classification algorithms are considered: NN and MLP with the full set of eight features we considered.

We exploited the NN and MLP implementation provided by the Weka4 toolsuite, an artificial intelligence library widespread in scientific research.5

4 http://www.cs.waikato.ac.nz/ml/weka/
5 https://github.com/Waikato/wekaDeeplearning4j

V. THE EXPERIMENT

We evaluate the proposed deep learning based technique coherently with the three steps we previously described: (i) descriptive statistics, (ii) hypotheses testing and (iii) classification analysis.

A. Descriptive Statistics

Fig. 2 shows the distributions of the attacks, and normal distributions of messages for the F1 (i.e., Packet #1), F2 (i.e., Packet #2), F3 (i.e., Packet #3) and F5 (i.e., Packet #5) features. For sake of space, we do not discuss the boxplots related to the remaining features, where similar trends are also depicted for the features F4, F6, F7 and F8, but similar considerations can be made for the remaining features.

From the analysis of Fig. 2, we can notice that the distributions of the fuzzy attacks and the normal messages are similar for the Packets number 1, 2, 3 and 5; for this reason the features can be successfully employed to train a classifier with a good precision ability to discriminate between fuzzy attacks and normal messages. With regard to the Packet #1 boxplot, we highlight that the media of the dos, gear and normal messages are really close, while the media of the fuzzy messages is higher than the rpm one. This trend is shown also in Packet #2, 3 and 5. The gear distribution boxplot exhibits a different trend in Packet #1, 2, 3 and 5: as a matter of fact in Packet #2, Packet #3 and Packet #5 the distributions show a higher value if compared with the values shown from Packet #1. The dos and the rpm distributions are practically the same in Packet #1, Packet #2, Packet #3 and Packet #5 boxplots; the same trends are shown from the fuzzy attack distributions. With regard to the normal distributions, we note that the media is different between different boxplots: the media in the Packet #1, Packet #3 and Packet #5 boxplots is smaller than the one
reached in the Packet #2 boxplot. Clearly, the more the trends of the different categories (i.e., dos, fuzzy, gear, normal and rpm) differ, the higher the probability that the classifiers are able to generate models that discriminate between these categories with good prediction performance.

Fig. 2. The boxplots related to normal messages and the four considered attacks (i.e., dos, fuzzy, gear and rpm) distributions for the features F1 (i.e., Packet #1), F2 (i.e., Packet #2), F3 (i.e., Packet #3) and F5 (i.e., Packet #5).

B. Hypothesis Testing

The goal here is to understand if different distributions of normal and injected messages are identified as different with statistical evidence.

We consider valid results obtained when the null hypothesis is rejected by the three tests we are going to describe here.

Table II shows the results: we can reject the null hypothesis H0 for all features. This implies that the chosen features and features vector are good to use in deep learning methods for classification.

The results show that the features we selected have different values in different distributions related to the four types of messages, confirming that the features are enough and good to discriminate those classes of behaviors. As a matter of fact, considering that all features passed the Mann-Whitney, Kolmogorov-Smirnov and Wald-Wolfowitz hypothesis testing, we can state that the considered feature vector can represent a good candidate to discriminate between different malicious attacks targeting the CAN bus. The next step, i.e., the classification analysis, is aimed at building and evaluating models to assess the effectiveness of the features in discriminating between injected and normal packets.

C. Classification Analysis

Below we present the performance obtained by several classifiers trained with the considered feature vector. Two different tasks are considered: the first one, aimed at building a predictive model to discriminate between generic attacks and normal messages, and the second one, aimed at detecting the kind of malicious attack. For this reason, for the first task a binary
classification is considered while, with respect to the second one, we resort to a multi-label classification.

TABLE II
RESULTS OF THE NULL HYPOTHESIS H0 TEST

TABLE III
SINGLE-ATTACK CLASSIFICATION RESULTS WITH THE ONE HIDDEN LAYER MLP ALGORITHM. IM IS FOR IMPOSTOR MESSAGES, WHILE WITH NM WE LABEL THE NORMAL ONES

In order to analyse classification results, we consider the Precision, Recall, F-measure, MCC and RocArea metrics.

We have implemented the classifier with the features vector we described before, aiming at evaluating its accuracy.

During training, we take into account messages $(M, l)$, with $l \in \{IM, NM\}$. An element $m \in M$ creates a feature vector $F \in \mathbb{R}^{y}$, where $y$ is the number of features for the training phase ($y = 8$).

Then, we apply a k-fold cross-validation method: we divided the original set into k smaller sets and we used each of them as test set for the remaining k − 1 subsets gathered to create a training set. We iterated this process 10 times with k = 10. Finally, we evaluated the average accuracy from all results.

Then, we evaluated model effectiveness by creating a new training set $T$ and a testing set $T'$ from the dataset $D$, with $T \subset D$ and $T' = D - T$. Then we first trained the classifier with $T$ and then we tested it with $T'$.

We used 90% of the elements in $D$ as training dataset and the remaining elements as testing dataset.

We then iterated this process for all datasets of the four kinds of attacks we have considered, and then we finally mixed all elements in a whole dataset.

In Table III we show the results we collected by using this evaluation approach. We consider a binary classification for identification of single attacks with the MLP algorithm, while Table IV shows results when using the NN algorithm. In particular, we indicate with IM the impostor (i.e., attack) messages, while with the NM label the legitimate (i.e., normal) messages.

With regard to the attack identification task, a multi-label classification is considered. In this case the labels are the following: dos for the dos attack, fuzzy for the fuzzy attack, gear and rpm respectively for the gear and the rpm spoofing. Finally, Table V shows results for the multiple attacks detection.

The multilayer perceptron network we used during the identification of single attacks is a network with one hidden layer (which Fig. 3 reports within the box labelled with “b”).

The results in Table III report a weighted average precision that ranges from 1 (gear and rpm) to 0.983 (dos). The recall ranges from 1 (gear and rpm) to 0.982 (dos).

The F-Measure for the different attacks ranges from 1 to 0.982.

The NN algorithm for single attack classification uses one hidden layer too, within a network of 100 units.

Table IV contains the results obtained by NN detection. Notice that we have the best weighted precision while detecting rpm attacks. Fuzzy and gear attack detections score a precision of 0.994 and 0.991 respectively, while dos attacks have a lower precision (that anyway exceeds the value of 0.9).

As far as recall for the NN algorithm is concerned, we can see that the best recall is for rpm attacks and the worst (0.886) is for dos. Here, the best F-Measure is 1 for rpm, 0.888 for dos, 0.991 for gear and 0.888 too for fuzzy.

These results show that both MLP and NN are (very) good detectors during single attack detection, and that MLP scores better results compared with NN.

TABLE IV
SINGLE-ATTACK CLASSIFICATION RESULTS WITH THE NN ALGORITHM. WITH IM WE INDICATE THE IMPOSTOR MESSAGES, WHILE WITH NM THE NORMAL ONES

TABLE V
SECOND EXPERIMENT RESULTS

Moreover, having investigated the effectiveness of the proposed classification algorithms by building a model for each attack, we consider a multi-label classification, i.e., a model built with all the attacks: the aim is to demonstrate that the proposed solution can be generalized for different types of attacks.

Since MLP has the best performance, we investigate whether we can obtain more interesting performance by adding more layers. In detail, in this analysis we exploit six different deep learning configurations, varying the number of hidden layers from 0 to 5. Feature vectors act as input (this is highlighted in green in Figure 3, and hidden layers are in red), the labels related to the analysed
attacks and to the normal messages (i.e., dos, gear, rpm, fuzzy and the legitimate class) represent the output layer (the yellow label in Fig. 3). Figure 3 summarizes the network configurations we selected. Boxes from (a) to (f) report configurations that use from 0 to 5 hidden layers respectively.

Fig. 3. The MLP networks considered in the second experiment. In green the input features, in red the hidden layers and in yellow the labels related to the possible predictions i.e., dos, gear, rpm, fuzzy and the legitimate.

Table V reports the results of the other seven experiments. The first one (NN) considers a network with 100 units and 1 hidden layer. The other ones consider MLP approaches. The numbers on each row represent the number of hidden layers in the experiment.

From the results of the second experiment, it is worth noting that all the MLP networks, with the exception of the MLP with 5 hidden layers, perform better than the NN model. In general, the weighted precision spans from 0.587 by adopting the MLP 5 algorithm, up to 0.974 by using both the MLP 1 and the MLP 3 networks. Moreover, the average recall goes from 0.766 for the MLP 5 network to 0.966 for the MLP 1 network. At last, the results show that the performance decreases when more than 4 hidden states are added to the network. In fact, the precision and the recall are 0 for all the attacks in the MLP 5 network.

To conclude, the MLP algorithm (in a configuration with no more than 3 hidden layers) exhibits better performance if compared to the NN one. In fact, the MLP with 3 hidden layers reached a weighted precision of 0.974 and a weighted recall equal to 0.965, demonstrating an interesting average ability to discriminate between legitimate traffic and malicious traffic. With respect to the attack detection, a precision and a recall equal to 1 are obtained for the detection of the malicious traffic when a gear or an rpm attack is in progress, while a precision (resp. recall) ranging from 0.740 (resp. 1) to 0.997 (resp. 0.943) is obtained respectively for the dos and the fuzzy attacks.

VI. CONCLUSION AND FUTURE WORK

A great amount of data is currently exchanged between the several electronic units currently employed in modern vehicles. To facilitate this exchange of messages the CAN-bus was introduced, and from 1996 it is mandatory. There are several weaknesses afflicting the CAN-bus: for instance, no authentication is required to send or receive data, and attacks, as for instance the denial of service, as demonstrated in literature, are easy to perpetrate. The automotive systems require highest safety levels, which is in contrast with the well-known vulnerabilities of the CAN-bus itself. For these reasons in this paper an approach aimed to detect attacks

Authorized licensed use limited to: Tsinghua University. Downloaded on September 19,2022 at 08:15:51 UTC from IEEE Xplore. Restrictions apply.
AMATO et al.: CAN-BUS ATTACK DETECTION WITH DEEP LEARNING 5089

against the CAN-bus in modern cars is proposed. We employ deep learning and we consider the CAN packet as the feature vector. The main innovation introduced in this work is that the approach aims at detecting the malicious injected messages by detecting the human behaviour of the attacker behind them. Experimental results on a real-world dataset demonstrate the validity of the proposed approach in detecting Denial of Service attacks, fuzzy pattern attacks, and attacks against specific components (i.e., gear and rpm). The algorithm shows the best results when the MLP classification algorithm is adopted to train the network. In particular, with 1 and 3 hidden layers it is able to reach a weighted precision higher than 97% and a weighted recall higher than 96.5% in both cases.

As future work, the plan is to validate the proposed network with an extended set of attacks of a different nature. Moreover, we plan to adopt formal verification techniques with the aim of improving the obtained performance. Furthermore, we will consider ensemble learning to try to improve the classification performance, consisting of a series of classifiers aimed at obtaining better predictive performance than the single model.
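The weighted precision and recall reported for the second experiment are averages weighted by class support, so they can stay well above zero while attack detection fails completely. The following Python sketch is an added example, not code from the paper: on a constructed test set in which 76.6% of the messages are legitimate (an assumed class balance, not given in the text), a classifier that labels every message legitimate scores weighted precision 0.587 and weighted recall 0.766 with precision and recall 0 on every attack class, the same values quoted above for the MLP 5 network.

```python
# Added illustration, not the paper's code: per-class vs support-weighted metrics.
LABELS = ["legitimate", "dos", "fuzzy", "gear", "rpm"]

def per_class_metrics(y_true, y_pred, labels=LABELS):
    """Return {label: (precision, recall, support)}; undefined ratios count as 0."""
    out = {}
    for lab in labels:
        tp = sum(t == lab and p == lab for t, p in zip(y_true, y_pred))
        predicted = sum(p == lab for p in y_pred)
        support = sum(t == lab for t in y_true)
        precision = tp / predicted if predicted else 0.0
        recall = tp / support if support else 0.0
        out[lab] = (precision, recall, support)
    return out

def weighted_metrics(y_true, y_pred, labels=LABELS):
    """Support-weighted average precision and recall over all classes."""
    m = per_class_metrics(y_true, y_pred, labels)
    n = len(y_true)
    wp = sum(p * s for p, _, s in m.values()) / n
    wr = sum(r * s for _, r, s in m.values()) / n
    return wp, wr

def attack_macro_recall(y_true, y_pred, labels=LABELS):
    """Unweighted mean recall over the attack classes only."""
    m = per_class_metrics(y_true, y_pred, labels)
    attacks = [lab for lab in labels if lab != "legitimate"]
    return sum(m[a][1] for a in attacks) / len(attacks)

# Constructed test set: 1000 messages, 766 legitimate (assumed class balance).
Y_TRUE = (["legitimate"] * 766 + ["dos"] * 60 + ["fuzzy"] * 60
          + ["gear"] * 57 + ["rpm"] * 57)
# A collapsed classifier that labels every message legitimate.
Y_COLLAPSED = ["legitimate"] * len(Y_TRUE)

if __name__ == "__main__":
    wp, wr = weighted_metrics(Y_TRUE, Y_COLLAPSED)
    print(f"weighted precision={wp:.3f} recall={wr:.3f}")
    print(f"attack macro recall={attack_macro_recall(Y_TRUE, Y_COLLAPSED):.3f}")
    for lab, (p, r, s) in per_class_metrics(Y_TRUE, Y_COLLAPSED).items():
        print(f"{lab:<10} precision={p:.3f} recall={r:.3f} support={s}")
```

Reporting per-class recall for dos, gear, rpm and fuzzy next to the weighted averages makes this failure visible when comparing detector configurations.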
transportation,” Proc. SPIE, vol. 11515, Jun. 2020, Art. no. 115151S.
Flora Amato is currently a Tenure-track Assistant Professor with the Department of Electrical Engineering and Information Technology, Faculty of Engineering, University of Napoli Federico II, where she has carried out her research activity since 2006. She is also a Professor of Artificial Intelligence for the degree in Computer Science Engineering with the University of Naples Federico II. She is author of more than 150 research articles, published in international journals and conference proceedings. Her research interests include knowledge management, information integration, text mining, and formal modeling.

Luigi Coppolino is currently an Associate Professor with the University of Naples Parthenope. His research interests include dependability of computing systems, critical infrastructure protection, and information security. His research has received massive funding from the European Union, within the context of the Seventh Framework Programme (FP7) and of Horizon 2020 (H2020).


Francesco Mercaldo received the master's degree in computer engineering from the University of Sannio, Benevento, Italy, with a thesis in software testing, and the Ph.D. degree with a dissertation on malware analysis using machine learning techniques, in 2015. He is currently working as a Researcher with the University of Molise, Campobasso, Italy. His research interests include software testing, verification, and validation, with the emphasis on the application of empirical methods.

Francesco Moscato received the degree (summa cum laude) in computer science engineering from the University of Naples Federico II, and the Ph.D. degree in electronic engineering from the Second University of Naples. He is currently an Associate Professor with the University of Salerno. He is author of many articles published on international journals and books. His research interests include formal modeling and verification of reliable and critical systems.

Roberto Nardone received the master's degree in computer engineering and the Ph.D. degree in computer and automation engineering from the University of Naples Federico II, Italy, in 2009 and 2013, respectively. Since 2018, he has been an Assistant Professor with the Mediterranean University of Reggio Calabria, Italy. He has coauthored more than 60 research articles published in peer-reviewed international journals and conference proceedings. His research interest includes quantitative evaluation of non-functional properties by means of model-driven techniques. He serves as an Associate Editor for distinguished journals, such as IEEE ACCESS and Journal of Universal Computer Science.

Antonella Santone received the Laurea degree in computer science from the University of Pisa, Italy, in April 1993, and the Ph.D. degree in computer systems engineering from the Dipartimento di Ingegneria della Informazione, University of Pisa, in September 1997. She was an Assistant Professor with the University of Pisa from November 1998 to October 2001. She was an Associate Professor with the Department of Engineering, University of Sannio, from November 2001 to August 2017. She has been an Associate Professor in computer engineering with the University of Molise, since September 2017. She was involved in several research activities and projects. Her current research interest includes formal verification methods. Her research interests include formal description techniques, temporal logic, concurrent and distributed systems modeling, heuristic search, and formal methods in systems biology and in software security. She has written more than 150 articles for international journals and conferences.
