In-Vehicle Network Intrusion Detection and Explanation Using Density Ratio Estimation

Most modern vehicles are equipped with Electronic Control Units (ECUs) and they are interconnected by Controller Area Network (CAN), a widely used communication protocol for in-vehicle networks. Recent studies have demonstrated that injecting malicious packets into in-vehicle networks can cause unintended behaviors of vehicles, and such a security threat is considered as an urgent issue to address in the industry. In this paper, we tackle with the task of detecting injected malicious packets as well as the task of explaining these injected packets, that is, to find which parts of the injected packets are essential in the attack. In contrast with the previous approaches using statistical anomaly detection techniques to find anomalous contents, our approach employs change detection which can detect small changes of frequencies of non-anomalous contents. Especially, our change detection approach is based on a density ratio estimation method using a neural network classifier; therefore, we can interpret the detection results using recent techniques to interpret decisions by deep neural networks. Our experimental results using real CAN packet datasets collected from an actual vehicle facing several kinds of attacks show the advantage of the proposed approach over anomaly detection based methods.