An Unsupervised Learning Approach for In-Vehicle Network Intrusion Detection

In-vehicle networks remain largely unprotected from a myriad of vulnerabilities to failures caused by adversarial activities. Remote attacks on the SAE J1939 protocol based on controller access network (CAN) bus for heavy-duty ground vehicles can lead to detectable changes in the physical characteristics of the vehicle. In this paper, I develop an unsupervised learning approach to monitor the normal behavior within the CAN bus data and detect malicious traffic. The J1939 data packets have some text-based features that I convert to numerical values. In addition, I propose an algorithm based on hierarchical agglomerative clustering that considers multiple approaches for linkages and pairwise distances between observations. I present prediction performance results to show the effectiveness of this ensemble algorithm. In addition to in-vehicle network security, this algorithm is also transferrable to other cybersecurity datasets, including botnet attacks in traditional enterprise IP networks.