ANOMALY DETECTION FOR VEHICULAR NETWORKS FOR INTRUSION AND MALFUNCTION DETECTION
First Claim
1. A Support Vector Machine (SVM) classifier training device comprising:
- a computer programmed to train a Support Vector Machine (SVM) one-class classifier using a Radial Basis Function (RBF) kernel to perform security monitoring of a controller area network (CAN) bus employing a message-based communication protocol by operations including;
receiving a training set comprising vectors with associated times representing CAN bus messages;
calculating a hyperplane curvature parameter γ functionally dependent on message density in time; and
training the SVM one-class classifier on the training set using the calculated γ.
Abstract
A security monitoring system for a Controller Area Network (CAN) comprises an Electronic Control Unit (ECU) operatively connected to the CAN bus. The ECU is programmed to classify a message read from the CAN bus as either normal or anomalous using an SVM-based classifier with a Radial Basis Function (RBF) kernel. The classifying includes computing a hyperplane curvature parameter γ of the RBF kernel as γ=ƒ(D) where ƒ( ) denotes a function and D denotes CAN bus message density as a function of time. In some such embodiments γ=ƒ(Var(D)) where Var(D) denotes the variance of the CAN bus message density as a function of time. The security monitoring system may be installed in a vehicle (e.g. automobile, truck, watercraft, aircraft) including a vehicle CAN bus, with the ECU operatively connected to the vehicle CAN bus to read messages communicated on the CAN bus. By not relying on any proprietary knowledge of arbitration IDs from manufacturers through their dbc files, this anomaly detector truly functions as a zero knowledge detector.
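A sketch of the abstract's γ=ƒ(Var(D)) step feeding a one-class RBF SVM, added here as an illustration and not taken from the patent. The page does not give ƒ, the window length or the message features, so `gamma0 / (1 + Var(D))`, the 100 ms window, the two-feature vectors and the small pairwise dual solver (standing in for a library SVM) are all assumptions.

```python
import math

def density(times_ms, window_ms):
    """D: number of messages in each consecutive window of window_ms."""
    t0 = times_ms[0]
    counts = [0] * ((times_ms[-1] - t0) // window_ms + 1)
    for t in times_ms:
        counts[(t - t0) // window_ms] += 1
    return counts

def gamma_from_density(d, gamma0=45.0):
    """gamma = f(Var(D)). ASSUMED f: gamma0 / (1 + Var(D)); the page gives no formula."""
    mean = sum(d) / len(d)
    return gamma0 / (1.0 + sum((c - mean) ** 2 for c in d) / len(d))

def rbf(a, b, gamma):
    return math.exp(-gamma * sum((p - q) ** 2 for p, q in zip(a, b)))

def train(X, gamma, nu=0.1, tol=1e-6, max_iter=5000):
    """One-class SVM dual: min 1/2 a'Ka with sum(a) = 1, 0 <= a_i <= 1/(nu*n)."""
    n = len(X)
    cap = 1.0 / (nu * n)
    K = [[rbf(a, b, gamma) for b in X] for a in X]
    alpha = [1.0 / n] * n                      # feasible starting point
    for _ in range(max_iter):
        g = [sum(K[i][j] * alpha[j] for j in range(n)) for i in range(n)]
        up = min((i for i in range(n) if alpha[i] < cap), key=g.__getitem__)
        dn = max((j for j in range(n) if alpha[j] > 0.0), key=g.__getitem__)
        if g[dn] - g[up] < tol:                # KKT conditions met
            break
        # Shift weight from the point with the highest kernel sum to the lowest.
        step = min((g[dn] - g[up]) / (2.0 - 2.0 * K[up][dn]), cap - alpha[up], alpha[dn])
        alpha[up] += step
        alpha[dn] -= step
    return alpha, (g[up] + g[dn]) / 2.0        # weights and offset rho

def score(x, X, alpha, rho, gamma):
    """>= 0: inside the learned region (normal); < 0: anomalous."""
    return sum(a * rbf(xi, x, gamma) for a, xi in zip(alpha, X)) - rho

# Constructed sample: (timestamp in ms, two payload bytes scaled to 0..1).
TRAIN = [(0, (.45, .45)), (20, (.55, .55)), (40, (.45, .55)), (60, (.55, .45)),
         (80, (.50, .45)), (100, (.50, .55)), (150, (.45, .50)), (200, (.55, .50)),
         (225, (.48, .48)), (250, (.52, .52)), (275, (.48, .52)), (300, (.52, .48)),
         (340, (.50, .47)), (380, (.50, .53))]
X = [v for _, v in TRAIN]
GAMMA = gamma_from_density(density([t for t, _ in TRAIN], 100))  # 100 ms windows (assumed)
ALPHA, RHO = train(X, GAMMA)
```

With this sample, `score((0.50, 0.50), X, ALPHA, RHO, GAMMA)` is positive and `score((1.00, 0.00), X, ALPHA, RHO, GAMMA)` is negative; perfectly periodic traffic has Var(D) = 0, so under the assumed ƒ it yields the largest γ.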
23 Claims
1. A Support Vector Machine (SVM) classifier training device comprising:
- a computer programmed to train a Support Vector Machine (SVM) one-class classifier using a Radial Basis Function (RBF) kernel to perform security monitoring of a controller area network (CAN) bus employing a message-based communication protocol by operations including;
receiving a training set comprising vectors with associated times representing CAN bus messages;
calculating a hyperplane curvature parameter γ functionally dependent on message density in time; and
training the SVM one-class classifier on the training set using the calculated γ.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
16. A security monitoring system for a Controller Area Network (CAN) comprising an Electronic Control Unit (ECU) operatively connected to a CAN bus to read messages communicated on the CAN bus, the ECU programmed to perform a security monitoring method comprising:
- classifying a message read from the CAN bus as either normal or anomalous using an SVM-based classifier with a Radial Basis Function (RBF) kernel;
wherein the classifying includes computing a hyperplane curvature parameter γ of the RBF kernel as γ=ƒ(D) where ƒ( ) denotes a function and D denotes CAN bus message density as a function of time.
Dependent claims: 17, 18, 19, 20, 21
22. A method comprising:
(1) receiving a first data subset of controller area network bus (CAN bus) messages;
(2) creating a hyperplane based on the first data subset;
(3) receiving an additional data subset of CAN bus messages; and
(4) creating an additional hyperplane based on the additional data subset;
wherein operations (3) and (4) are repeated at least one time.
Dependent claims: 23
Specification