Anomaly detection for vehicular networks for intrusion and malfunction detection
Abstract
A security monitoring system for a Controller Area Network (CAN) comprises an Electronic Control Unit (ECU) operatively connected to the CAN bus. The ECU is programmed to classify a message read from the CAN bus as either normal or anomalous using an SVM-based classifier with a Radial Basis Function (RBF) kernel. The classifying includes computing a hyperplane curvature parameter γ of the RBF kernel as γ=ƒ(D) where ƒ( ) denotes a function and D denotes CAN bus message density as a function of time. In some such embodiments γ=ƒ(Var(D)) where Var(D) denotes the variance of the CAN bus message density as a function of time. The security monitoring system may be installed in a vehicle (e.g. automobile, truck, watercraft, aircraft) including a vehicle CAN bus, with the ECU operatively connected to the vehicle CAN bus to read messages communicated on the CAN bus. By not relying on any proprietary knowledge of arbitration IDs from manufacturers through their dbc files, this anomaly detector truly functions as a zero knowledge detector.
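A sketch of the γ calculation the abstract describes, as an added example that is not taken from the patent: it bins message arrival times into a density series D, takes Var(D), maps it to γ, and builds the RBF kernel matrix a one-class SVM solver would train on. The form of ƒ, the 100 ms window, and all sample timestamps and feature vectors are assumptions constructed for illustration.

```python
import math
from statistics import pvariance

# Constructed arrival times in milliseconds (not captured from a real bus):
# one message every 10 ms, versus bursts of 20 messages every 200 ms.
STEADY_MS = [10 * i for i in range(100)]
BURSTY_MS = [200 * b + j for b in range(5) for j in range(20)]

def message_density(times_ms, window_ms=100):
    """D: messages per second in consecutive fixed-width windows."""
    start = min(times_ms)
    counts = [0] * ((max(times_ms) - start) // window_ms + 1)
    for t in times_ms:
        counts[(t - start) // window_ms] += 1
    return [c * 1000.0 / window_ms for c in counts]

def gamma_from_density(density, scale=1.0):
    """gamma = f(Var(D)). ASSUMPTION: f(v) = scale / (1 + v); the page does
    not define f, and this form is used only because it keeps gamma > 0."""
    return scale / (1.0 + pvariance(density))

def rbf_kernel(xi, xj, gamma):
    """K = exp(-gamma * ||xi - xj||^2), the kernel given in the claims."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(xi, xj)))

def gram_matrix(vectors, gamma):
    """Kernel matrix of a training set, the input a precomputed-kernel
    one-class SVM solver consumes (the solver itself is not shown here)."""
    return [[rbf_kernel(u, v, gamma) for v in vectors] for u in vectors]

if __name__ == "__main__":
    # Constructed feature vectors: two payload bytes scaled to [0, 1].
    vectors = [[0.10, 0.50], [0.12, 0.48], [0.90, 0.05]]
    for name, times in (("steady", STEADY_MS), ("bursty", BURSTY_MS)):
        g = gamma_from_density(message_density(times))
        row = [round(k, 6) for k in gram_matrix(vectors, g)[0]]
        print(name, "gamma=%.6g" % g, row)
```

With the assumed ƒ, bursty traffic yields a much smaller γ than steady traffic, so the same pair of feature vectors looks more similar under the kernel.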
14 Claims
1. A Support Vector Machine (SVM) classifier training device comprising:
- a computer programmed to train a Support Vector Machine (SVM) one-class classifier using a Radial Basis Function (RBF) kernel K calculated using the equation;
  $K(x_i - x_j) = e^{-\gamma \lVert (x_i - x_j) \rVert^2}$
  where x∈ and γ>0 where is the set of all real numbers, γ represents the curvature of the hyperplane, $x_i$ and $x_j$ are features of a training set comprising vectors with associated times representing CAN bus messages, and γ=ƒ(Var(D)) where ƒ( ) denotes a function and D denotes message density in time and Var(D) denotes variance of the message density in time, to perform anomaly monitoring of a controller area network (CAN) bus employing a message-based communication protocol by operations including;
  - receiving the training set comprising vectors with associated times representing CAN bus messages;
  - calculating a hyperplane curvature parameter γ functionally dependent on message density in time; and
  - training the SVM one-class classifier on the training set using the calculated γ.
- Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. An anomaly monitoring system for a Controller Area Network (CAN) comprising an Electronic Control Unit (ECU) operatively connected to a CAN bus to read messages communicated on the CAN bus, the ECU programmed to perform an anomaly monitoring method comprising:
- classifying a message read from the CAN bus as either normal or anomalous using an SVM-based classifier with a Radial Basis Function (RBF) kernel K calculated using the equation;
  $K(x_i - x_j) = e^{-\gamma \lVert (x_i - x_j) \rVert^2}$
  where x∈ and γ>0 where is the set of all real numbers, γ represents the curvature of the hyperplane, and $x_i$ and $x_j$ are features of a training set comprising vectors with associated times representing CAN bus messages;
- wherein the classifying includes computing a hyperplane curvature parameter γ of the RBF kernel as γ=ƒ(Var(D)) where ƒ( ) denotes a function and D denotes CAN bus message density as a function of time and Var(D) denotes variance of the CAN bus message density in time.
- Dependent claims: 13, 14
Specification