IDS-DEC: A novel intrusion detection for CAN bus traffic based on deep embedded clustering

As the automotive industry advances towards greater automation, the proliferation of electronic control units (ECUs) has led to a substantial increase in the connectivity of in-vehicle networks with the external environment. However, the widely used Controller Area Network (CAN), which serves as the standard for in-vehicle networks, lacks robust security features, such as authentication or encrypted information transmission. This poses a significant challenge to the security of these networks. Despite the availability of powerful intrusion detection methods based on machine learning and deep learning, there are notable limitations in terms of stability and accuracy in the absence of a supervised learning process with labeled data. To address this issue, this paper introduces a novel in-vehicle intrusion detection system, termed IDS-DEC. This system combines a spatiotemporal self-coder employing LSTM and CNN (LCAE) with an entropy-based deep embedding clustering. Specifically, our approach involves encoding in-vehicle network traffic into windowed messages using a stream builder, designed to adapt to high-frequency traffic. These messages are then fed into the LCAE to extract a low-dimensional nonlinear spatiotemporal mapping from the initially high-dimensional data. The resulting low-dimensional mapping is subjected to a dual constraint in conjunction with our entropy-based pure deep embedding clustering module. This creates a bidirectional learning objective, addressing the optimization problem and facilitating an end-to-end training pattern for our model to adapt to diverse attack environments. The effectiveness of IDS-DEC is validated using both the benchmark Car Hacking dataset and the Car Hacking-Attack & Defense Challenge dataset. Experimental results demonstrate the model's high detection accuracy across various attacks, stabilizing at approximately 99% accuracy with a 0.5% false alarm rate. The F1 score also stabilizes at around 99%. In comparison with unsupervised methods based on deep stream clustering, LSTM-based self-encoder, and classification-based methods, IDS-DEC exhibits significant improvements across all performance metrics.