Due to the lack of CAN frame encryption and authentication, CAN bus is vulnerable to various attacks, which can in general be divided into message injection, suspension, and falsification. Existing CAN bus anomaly detection mechanisms either can only detect one or two of these attacks, or require numerous CAN messages during predictions, which can hardly realize real-time performance. In this paper, we propose a CAN bus anomaly detection system that can detect all these attacks simultaneously in as short as 3 milliseconds (ms) based on Graph Neural Network (GNN). This work generates directed attributed graphs based on CAN message streams in given message intervals. Node attributes denote data contents in CAN messages while each edge attribute represents the frequency of a typical CAN ID pair in the given interval. Afterwards, a GNN is trained based on generated CAN message graphs. Considering highly imbalanced training data, a two-stage classifier cascade is developed in this paper, which is composed of a one-class classifier for anomaly detection and a multi-class classifier for attack classification. An openmax layer is further introduced to the multi-class classifier to tackle new anomalies from unknown classes. To take advantage of crowdsourcing while protecting user data privacy, we adopt federated learning to train a universal model that covers different driving scenarios and vehicle states. Extensive experiment results show the effectiveness and efficiency of our methodology.

中文翻译：

---

用于控制器区域网络中快速异常检测的联合图神经网络


由于缺乏CAN帧加密和认证，CAN总线容易受到各种攻击，一般可分为报文注入、中止和篡改等。现有的CAN总线异常检测机制要么只能检测到其中的一种或两种攻击，要么需要大量的CAN报文进行预测，难以实现实时性。在本文中，我们提出了一种基于图神经网络（GNN）的 CAN 总线异常检测系统，可以在短短 3 毫秒（ms）内同时检测所有这些攻击。这项工作基于给定消息间隔内的 CAN 消息流生成有向属性图。节点属性表示 CAN 消息中的数据内容，而每个边缘属性表示给定间隔内典型 CAN ID 对的频率。然后，根据生成的 CAN 消息图训练 GNN。考虑到训练数据高度不平衡，本文开发了一种两级分类器级联，由用于异常检测的一类分类器和用于攻击分类的多类分类器组成。多类分类器中进一步引入了 openmax 层，以处理来自未知类的新异常。为了利用众包的同时保护用户数据隐私，我们采用联邦学习来训练涵盖不同驾驶场景和车辆状态的通用模型。大量的实验结果表明了我们方法的有效性和效率。