GIDS: GAN based Intrusion Detection System for In-Vehicle Network GAN based... · 2019-09-17 ·...


GIDS: GAN based Intrusion Detection System for In-Vehicle Network

Abstract—A Controller Area Network (CAN) bus in vehicles is an efficient standard bus enabling communication between all Electronic Control Units (ECU). However, the CAN bus cannot protect itself because it lacks security features. Thus, vehicle networks are exposed to external threats such as attacks from outside networks. To detect suspicious network connections effectively, an intrusion detection system (IDS) for the vehicle network is strongly required. Unlike traditional IDS for the Internet, there are only a small number of known attack signatures for vehicle networks. Also, an IDS for vehicles requires high accuracy because any false-positive error can seriously affect the safety of the driver. To solve this problem, we propose a novel IDS model for in-vehicle networks, GIDS (GAN based Intrusion Detection System), using a deep-learning model, Generative Adversarial Nets. GIDS can learn to detect unknown attacks using only normal data. The generator in GIDS repeatedly generates random fake data similar to normal data, and the discriminator in GIDS uses the fake data for training instead of specific attack data. In our experiments, GIDS shows high detection accuracy for four unknown attacks.

Index Terms—Generative Adversarial Nets, deep-learning, Intrusion Detection System, Controller Area Network, in-vehicle security

I. INTRODUCTION

The advances in automotive technology have brought great convenience to drivers' lives. Modern vehicles can comprise up to 150 Electronic Control Units (ECU), which communicate with other automotive bus systems. As V2X technology enables interactions between vehicles and everything outside (e.g., vehicles, pedestrians and infrastructure), security threats to the ECUs of vehicles become higher. Risks to vehicles could cause more severe damage to cars, drivers and pedestrians, while traditional security threats mainly affect the confidentiality of data, operating systems and networks. Therefore, we need to develop a security system to mitigate the various risks of the vehicle. In particular, an intrusion detection system (IDS) for the in-vehicle network is required to protect all of the ECUs and related equipment in the vehicle from emerging threats.

A. In-vehicle Network

In-vehicle networks have various protocols. Among them, there are three well-known protocols: Controller Area Network (CAN), Local Interconnect Network (LIN) and FlexRay. CAN is a standard bus system for in-vehicle networks and provides efficient communication between ECUs. The LIN bus enables the inexpensive integration of sensors and actuators in in-vehicle networks. FlexRay is designed to be more redundant than CAN. FlexRay is able to implement an appropriate bus system for security-critical applications and enables deterministic time responses. The CAN bus is a reliable and economical serial bus for the in-vehicle network. However, because it uses broadcast communication without authentication, attackers can access the CAN bus easily, which causes severe risk. For example, an adversary could inject a malicious packet into the CAN bus via a vulnerability at one of the numerous external interfaces, which interferes with the normal operation of the vehicle. Koscher et al. proved that it is possible to control the ECUs, which enabled brake failure, wheel control, and engine shutdown [1]. Also, many modern cars that have a communication module for infotainment service can be exposed to attacks via the Over-The-Air (OTA) update module. For instance, Checkoway et al. showed successful remote attacks using wireless networks such as Bluetooth and cellular radio at a long distance [2]. These attacks could result in not only serious malfunctions of the vehicle but also threats to the safety of drivers.

B. IDS for In-vehicle Network

There are several security measures for in-vehicle networks, such as an in-vehicle firewall for access control between network segments. However, the attack surfaces of vehicle networks become larger and larger (e.g., Bluetooth communication, LTE communication, Over-the-Air update protocol, etc.), and new attack patterns are continuously developing, too. Thus, IDS is the best way to detect and respond to the known and unknown attacks of today. An IDS can continuously monitor the in-vehicle system and detect suspicious network events generated by ECUs in real time. Recently, there has been some research on IDS to detect attacks targeted at vehicles. For example, Song et al. proposed a detection model based on time interval analysis of CAN data [3], and Lee et al. presented a method to detect intrusion by monitoring the time interval of the request and response of CAN data [4]. Although these models are lightweight and efficient, they have some limitations. When in-vehicle environments are changed, they can require a lot of updates. Also, the targets to be detected may be limited, since specific attacks are reflected when constructing the detection system. If the IDS is leaked to the attacker, the attacker can manipulate and avoid detection. To solve these problems, we propose GIDS (Generative Adversarial Nets based Intrusion Detection System), which has the following characteristics: expandability, effectiveness, and security.

1) Expandability: GIDS maintains a consistent detection methodology even if in-vehicle environments are changed. It requires only one training process.

2) Effectiveness: GIDS can detect intrusions without being limited to specific types of attacks. GIDS can be trained using only normal data. The generator in GIDS repeatedly generates random fake data instead of specific attack data. Thus, GIDS is likely to detect unknown attacks not used in the implementation process of the IDS. Also, it is suitable for real-time intrusion detection for the in-vehicle network because GIDS is a pre-trained model. In practice, the number of messages that the CAN bus system generates per second is about 1,954. GIDS takes only 0.18 seconds to detect about 1,954 CAN messages.

3) Security: GIDS ensures high security against adaptive attacks, in which the attacker knows about the detection method. Because a deep-learning model has the characteristics of a black box, it is difficult for an attacker to manipulate the internal structure of the detection system.

C. Organization of This Paper

We introduced in-vehicle networks and IDS for in-vehicle networks in §I. The rest of the paper is organized as follows. §II presents the recent research. We introduce our IDS, GIDS, in §III. In §IV, we describe and discuss the results of the experiment. Finally, we conclude the paper in §V.

II. RELATED WORKS

A. Recent Researches for In-vehicle Network Security

The early research on anomaly detection for the in-vehicle system was introduced by Hoppe et al. [5]. They presented three selected characteristics as patterns available for anomaly detection: the recognition of an increased frequency of cyclic CAN messages, the observation of low-level communication characteristics, and the identification of obvious misuse of message IDs. Abbott et al. presented a design for a real-time Intrusion Prevention System (IPS) that actively monitors the CAN bus to offset attacks by removing malicious messages [6]. Song et al. proposed a detection model based on time interval analysis of CAN data that is suitable for in-vehicle use because it is lightweight [3]. Lee et al. proposed a method to detect intrusion by monitoring the time interval of the request and response of CAN data, showing high accuracy [4]. Matsumoto et al. introduced an anomaly detection method to perform prevention and detection of vehicle attacks simultaneously by minimizing the ECU’s current architecture. The proposed method is also capable of operating on CAN because the CAN protocol is interconnected to multiple gateways [7]. Muter et al. proposed an anomaly detection based on entropy [8]. Marchetti et al. analyzed and identified anomalies in the sequence of CAN [9]. The proposed model features low memory and computational footprints. Markovitz et al. used a classification system to characterize the CAN data field type and proposed a method of anomaly detection based on Ternary Content-Addressable Memory (TCAM) [10]. The proposed method can be implemented efficiently in both software and hardware. SALMAN et al. proposed a software-based light-weight IDS and two anomaly-based algorithms based on message cycle time analysis and plausibility analysis of messages [11]. It contributed to more advanced research in the field of IDS for in-vehicle networks.

B. IDS using Deep-learning

Much security research in various fields has adopted deep-learning methods for IDS. For example, Zhang et al. presented a deep-learning method to detect Web attacks by using a specially designed CNN [12]. The method is based on analyzing HTTP request packets, for which only some preprocessing is needed, whereas the tedious feature extraction is done by the CNN itself. Gorokhov et al. developed a specific CNN architecture for anomaly detection in text data [13]. The proposed CNN was tested on discovering anomalies in a stream of text documents, and it demonstrated better results in comparison with traditional outlier detection methods based on one-class Support Vector Machines (SVM) and Non-negative Matrix Factorization (NMF). Recently, Generative Adversarial Nets (GAN) have been adopted not only for image generation but also for other research such as anomaly detection. Schlegl et al. proposed AnoGAN, a deep convolutional generative adversarial network to learn a manifold of normal anatomical variability. The model demonstrated that the approach correctly identifies anomalous images, such as images containing retinal fluid [14]. Deecke et al. proposed a novel approach to anomaly detection using generative adversarial networks. The proposed method achieved state-of-the-art performance on standard image benchmark datasets [15]. Zenati et al. leveraged recently developed GAN models for anomaly detection and achieved high performance on image intrusion datasets, while being several hundred-fold faster at test time than the only published GAN based method [16].

Although various studies using GAN have been published, most of them are focused only on discrimination of image data. GAN could be useful for security applications such as IDS. However, few works have explored the use of GAN for security in other fields. We developed a GAN based IDS for in-vehicle security and showed high performance on CAN data, which is one of the in-vehicle network datasets. We proved the expandability, effectiveness, and security of the proposed model for in-vehicle networks.

III. GIDS: GAN BASED IDS

A. Converting CAN Data to Image

The CAN bus supports ECU-to-ECU communication. On the CAN bus, there are frequent transmissions composed of periodically used CAN messages. ECUs in the vehicle generate about 2,000 CAN data per second on the CAN bus. The large amount of real-time CAN data generated by ECUs must be processed. If all the bits of CAN data are used directly for image conversion, the converted image can be very complex. In that case, GIDS may require a long time that is not suitable for real-time detection. CAN IDs in CAN data show repetitive patterns, and we extracted only the patterns of CAN IDs from CAN data for training, as in Fig. 2. Also, we converted the extracted CAN IDs into a simple image by encoding with one-hot-vector. This method can reduce the detection time required for real-time operation and improve the performance of the IDS.

[Figure: two panels. "Training for Known Attack": the 1st D receives a normal CAN data image and an abnormal CAN data image (e.g. FUZZY attack data); output, back propagation. "Training for Unknown Attack": G turns random data into a fake CAN data image; the 2nd D receives the normal CAN data image and the fake CAN data image; output, back propagation.]

Fig. 1: The training process of GIDS

Fig. 2: Structure of CAN frame

Fig. 3 shows the process of encoding CAN IDs with one-hot-vector. Firstly, because the CAN ID is hexadecimal, each element of the CAN ID, such as ‘2’ in ‘0x2a0’, is expressed in a binary form with 16 digits. After that, the binary forms of each element of the CAN ID are encoded as one-hot-vectors. Encoding with one-hot-vector sets one of the bits to 1 and all the remaining bits to 0. For example, if the element of the CAN ID is ‘2’ in ‘0x2a0’, the one-hot-vector has only the bit of the second digit set to 1 and all the remaining bits set to 0. Finally, a 3-digit CAN ID such as ‘0x2a0’ is expressed in 16*3 matrix form. For example, if the CAN ID is ‘0x2a0’, it consists of 3 one-hot-vectors: [0100 ... 000], [0..0100000], and [0..1000000]. We name this matrix a CAN image.

[Figure: raw CAN data (4b1, 2a0, 18f) is converted to one-hot vector shape and then to a normal CAN data image; the one-hot positions are ordered 1 2 3 4 5 6 7 8 9 0 a b c d e f.]

Fig. 3: The process of one-hot-vector encoding
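The encoding described above can be written down directly. The following is an added example, not code from the paper: the function names are hypothetical, the position order 1-9, 0, a-f is read off the paper's three vectors for ‘0x2a0’, and since the text does not say how the per-ID matrices are laid out inside a larger image, each image is kept here as a list of per-ID matrices.

```python
# Added example (not the authors' code): CAN ID -> one-hot "CAN image".

# Position order inferred from the worked example for 0x2a0 in the text:
# '2' sets the 2nd bit, 'a' the 11th and '0' the 10th, i.e. 1..9, 0, a..f.
DIGIT_ORDER = "1234567890abcdef"
MAX_STANDARD_ID = 0x7FF  # 11-bit CAN identifier fits in three hex digits


def normalise_can_id(can_id):
    """Return a standard CAN ID as three lowercase hex digits.

    Accepts an int or a string such as '0x2a0' / '2A0'. Anything outside
    the 11-bit range (e.g. a 29-bit extended ID) is rejected rather than
    silently truncated, because truncation would alias two different IDs.
    """
    if isinstance(can_id, int):
        value = can_id
    else:
        text = str(can_id).strip().lower()
        if text.startswith("0x"):
            text = text[2:]
        value = int(text, 16)  # raises ValueError on non-hex input
    if not 0 <= value <= MAX_STANDARD_ID:
        raise ValueError(f"not a standard 11-bit CAN ID: {can_id!r}")
    return format(value, "03x")


def encode_can_id(can_id):
    """Encode one CAN ID as three one-hot vectors of 16 bits each."""
    rows = []
    for digit in normalise_can_id(can_id):
        row = [0] * 16
        row[DIGIT_ORDER.index(digit)] = 1
        rows.append(row)
    return rows


def can_images(can_ids, input_size=64):
    """Group consecutive CAN IDs into images of `input_size` IDs each.

    A trailing partial group is dropped (assumption: the text only
    describes full groups).
    """
    encoded = [encode_can_id(c) for c in can_ids]
    usable = len(encoded) - len(encoded) % input_size
    return [encoded[i:i + input_size] for i in range(0, usable, input_size)]


if __name__ == "__main__":
    # Constructed sample using CAN IDs that appear in the paper's figures.
    for row in encode_can_id("0x2a0"):
        print("".join(map(str, row)))
    sample = ["4b1", "2a0", "18f", "316", "43f"] * 30  # 150 IDs
    print(len(can_images(sample)), "images of 64 CAN IDs")
```
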

B. Proposed Intrusion Detection Model

In this study, we propose a GAN based IDS model for the in-vehicle network. We named this model GIDS. GAN is one of the deep-learning models. GAN is a new framework for estimating generative models via an adversarial process, in which we simultaneously train two models: a generative model G that captures the data distribution, and a discriminative model D that estimates the probability that a sample came from the training data rather than G [17]. GAN is often used to generate fake images that are similar to real ones. We designed our IDS around this fact. GIDS has two discriminative models, the first discriminator and the second discriminator, which are trained with the following procedure, as shown in Fig. 1.

1) Training for known attack: The first discriminator receives normal CAN images and abnormal CAN images which are extracted from the actual vehicle. Because the first discriminator uses attack data in the training process, the type of attacks that can be detected is likely to be limited to the attacks used for training.

2) Training for unknown attack: The generator G and the second discriminator are trained simultaneously by an adversarial process. The generator generates fake images by using random noise. The second discriminator receives normal CAN images and the fake images generated by the generator, and estimates the probability that the received images are real CAN images. That is, the second discriminator discriminates whether input images are real CAN images or fake images generated by the generator. The generator and the second discriminator compete with each other and increase their performance. In the GIDS model, the second discriminator ultimately wins against the generator, so that the second discriminator can detect even fake images similar to real CAN images.

GIDS detects attacks on the in-vehicle network with the following procedure, as shown in Fig. 4.

1) The real-time CAN data is encoded with one-hot-vector, and it is converted into CAN images.

2) The first discriminator receives CAN images and outputs one value which is between 0 and 1.

3) If the output is lower than the threshold, the current status is classified as abnormal. (Because the first discriminator is trained for known attacks, unknown attacks are unlikely to be detected in this process.)

4) If the output is higher than the threshold, the corresponding CAN images are received by the second discriminator. As in step 2 and step 3, the second discriminator receives CAN images and outputs one value which is between 0 and 1.

5) If the output is lower than the threshold, the current status is classified as abnormal. (Because the second discriminator is trained with only normal data, the attack data to be detected are not limited. That is, it may even be possible to detect unknown attacks.)

[Figure: TEST data goes to the 1st D (discriminator for known attack); if output < threshold, abnormal status; else the 2nd D (discriminator for unknown attack); if output < threshold, abnormal status.]

Fig. 4: The detection process of the GIDS

Our goal is to ensure high accuracy for detecting even unpredictable attacks with only normal data. However, if we use only the second discriminator, trained with only normal data, the detection accuracy can be lower than when using the first discriminator trained with attack data. Therefore, we combine the first discriminator and the second discriminator, so that the model is able to detect both known attacks and unknown attacks.

C. Design of Neural Networks

In this section, we describe the two model structures of the discriminator and the generator in the GIDS model. We measured the detection performance for four combinations of discriminator and generator composed of the convolutional neural network (CNN) and deep neural network (DNN). The combination which showed the best detection performance was selected for the neural networks of GIDS.

1) Design the discriminator: The discriminator consists of a deep neural network composed of three layers, as shown in Fig. 5 (b). The discriminator reduces the dimension of the input data (CAN IDs converted into an image) to one output between 0 and 1. Fig. 5 (b) shows the dimension reduction process of the discriminator when the number of CAN IDs is 64. The activation function of each layer is ReLU, and the activation function of the last layer is sigmoid. Finally, the output of the discriminator is used to distinguish between normal status and abnormal status in the in-vehicle network.

2) Design the generator: The generator consists of a deconvolutional neural network composed of five layers, as shown in Fig. 5 (a). The generator expands the dimension of random noise data to one image of the same size as the input data of the discriminator. That is, the generator generates a fake image similar to the real CAN image converted from the CAN IDs. As in the discriminator, ReLU is used as the activation function of each layer, and Tanh is used as the activation function of the last layer. The generator and the discriminator calculate the cost through back-propagation, reducing the errors between actual answers and outputs of the model.

IV. EXPERIMENT AND RESULT

A. Evaluation

To evaluate the effectiveness of the GIDS model, we use two criteria: detection rate and accuracy. We use TP, FP, TN, and FN to represent the number of true positives, false positives, true negatives and false negatives respectively. The detection rate is defined as the proportion of detected abnormal data among all abnormal data, as shown in (1). The accuracy is defined as the proportion of data, including normal and abnormal, that are correctly classified, as shown in (2).

$$\text{Detection rate} = \frac{TP}{TP + FN} \qquad (1)$$

$$\text{Accuracy} = \frac{TP + TN}{TP + FP + TN + FN} \qquad (2)$$

B. Experiment Environment

We tested the GIDS model in the following experiment environment.

1) CPU: Intel(R) Xeon(R) CPU E5-1650 v4 @ 3.60GHz

2) RAM: 32.0GB

3) GPU: NVIDIA GeForce GTX 1080

(a) Architecture of generator in GIDS (b) Architecture of discriminator in GIDS

Fig. 5: Architecture of GIDS

[Figure: three panels, each showing Node A, Node B and Node C on the CAN bus with CAN IDs 0x2a0 and 0x4b1. (a) DoS Attack: 0x000 messages on the bus, other messages delayed. (b) FUZZY Attack. (c) RPM/GEAR Attack: 0x316 (about RPM) or 0x43f (about GEAR).]

Fig. 6: Illustration of DoS, FUZZY and RPM/GEAR attacks

C. Attack Design and Dataset

Hyundai’s YF Sonata is used as the testing vehicle. To capture CAN bus traffic, we plug a Y-cable into the OBD-II port; the OBD-II port of the YF Sonata is located under the steering wheel. Then, a Raspberry Pi3 is used to connect to the CAN bus. Also, a laptop computer is connected to the Raspberry Pi3 through WiFi, as shown in Fig. 7.

Fig. 7: Data acquisition setup via OBD-II port of YF Sonata with Raspberry Pi3

We launched four types of attacks on the CAN bus, as illustrated in Fig. 6. Each attack is defined as follows.

1) DoS attack: A DoS attack injects high-priority CAN messages (e.g. ‘0x000’ CAN ID packets) in a short cycle. We injected messages of ‘0x000’ CAN ID every 0.3 milliseconds.

2) FUZZY attack: A FUZZY attack injects messages of spoofed random CAN ID and DATA values. We injected messages of CAN ID and CAN data every 0.5 milliseconds.

3) RPM/GEAR attack: An RPM/GEAR attack injects messages of certain CAN IDs related to RPM/GEAR information. We injected messages related to RPM/GEAR every 1 millisecond.

After data acquisition, we labeled the captured attack-free state traffic and attack traffic data. We released the dataset used in our experiments to foster further research. We make our dataset available at http://anonymized-url-for-submission.

Table I shows the dataset which was used to test our model. The dataset consists of the training dataset and the test dataset. The dataset was extracted from the running vehicle for about 10 minutes and contains both normal and abnormal packets with labeling. In Table I, ‘#CAN message’ means the total number of CAN packets, including abnormal and normal ones, during the attacks. ‘#Attack image’ means the total number of only those CAN images containing at least one abnormal CAN packet. Each dataset in Table I is independent of the others and is not multi-class.

TABLE I: Data type and size

| Data | Attack type | #CAN message | #Attack image |
|---|---|---|---|
| Training set | Normal data | 1,171,637 | N/A |
| Test set | DoS attack data | 3,665,771 | 17,128 |
| Test set | FUZZY attack data | 3,838,860 | 20,317 |
| Test set | RPM attack data | 4,621,702 | 32,501 |
| Test set | GEAR attack data | 4,443,142 | 29,751 |

D. Evaluating One-hot-vector Encoding

We converted the CAN data extracted from the vehicle into simple-form images by encoding them with one-hot-vector. Fig. 9 shows the images generated in this way, and Fig. 10 shows the images not encoded with one-hot-vector, where all 11 bits of the CAN IDs are converted into an image. In both Fig. 9 and Fig. 10, the left image is a real CAN image and the right image is a fake CAN image generated by the generator. Fig. 9 shows a simpler form, whereas Fig. 10 shows a complex form.

(a) binary image density (b) GIDS image density

Fig. 8: Distribution of the output before and after one-hot-vector encoding

Fig. 9: Image samples encoded with one-hot-vector

Fig. 10: Image samples not encoded with one-hot-vector

Encoding with one-hot-vector can reduce the required time and shows better performance than when the binary CAN data are converted as they are. Fig. 8 shows the distribution of the output of GIDS before and after one-hot-vector encoding. In the left model, which uses binary images as they are, the output is widely distributed from 0 to 1. On the other hand, as shown in the right model, the GIDS model using images converted with one-hot-vector has a certain threshold to classify normal data and abnormal data. That is, one-hot-vector encoding allows the intrusion detection model to separate normal data and attack data explicitly.

E. Evaluating the Design of Neural Networks

We designed the neural networks of the discriminator and generator in the GIDS model. We evaluated the performance of different discriminators and generators implemented with CNN and DNN, and selected the best combination of them as the neural network structure of GIDS. Fig. 11 shows the output distribution for each combination of discriminators and generators having different neural network structures. In Fig. 11, DNN-G means a generator with a DNN structure and Deconv-G means a generator with a CNN structure. Likewise, DNN-D means a discriminator with a DNN structure and Conv-D means a discriminator with a CNN structure. When the generator was implemented as a DNN, it tended to judge most of the attack data as normal data. On the other hand, when both the generator and the discriminator were implemented as CNNs, most of the attack data were distributed widely, and only normal data tended to be distributed over a certain threshold. That is, there was no specific threshold which could separate attack data and normal data. Finally, when the generator was implemented as a CNN and the discriminator was implemented as a DNN, there was a specific threshold which could classify normal data and attack data. Based on the experimental results, we selected the DNN-D/Deconv-G combination, the best of the four combinations, as the neural network structure of GIDS. We focused on the discriminator in the GAN model, and the ultimate goal of the training process is to improve the performance of the discriminator so that fake data similar to the real CAN data can be detected by the discriminator.

F. Hyperparameters

Based on the experiment, we set some hyperparameters of the GIDS model, which can improve the detection performance of the GIDS model. GIDS shows different performance according to the values of these parameters. If the environment of the vehicle is changed, these parameters may need to be adjusted so that the model can be properly mounted on the vehicle. The parameters consist of the detection threshold, the attack threshold, and the input size. We found the most suitable values of the parameters through experiments and applied them to the final GIDS model. We present experimental results for each parameter as follows.

1) Detection threshold: The outputs of the GIDS model range from 0 to 1. Among these outputs, GIDS classifies attack data and normal data by a specific detection threshold. We define the detection threshold as 0.1. That is, if the output of the GIDS model is less than 0.1, it is judged to be an anomaly. As in Fig. 8(b), the outputs of the GIDS model are divided into normal data and attack data based on the detection threshold of 0.1. For attack data, the output is distributed below 0.1, while for normal data, the output is distributed over 0.1. Although some outputs in the normal data were distributed below 0.1, it may be regarded as an error that can appear in the sampling process.

Fig. 11: Distribution of outputs of GIDS according to neural network designs

2) Input size: Input size means a unit to convert CAN IDs into images. CAN IDs extracted from the vehicle are grouped by input size and they are converted into images. We measured the accuracy of the GIDS model, increasing the input size from a minimum of 32 to a maximum of 128. Experimental results showed that the accuracy increased until 64 input size, but it tended to decrease after that as shown in Fig. 12 and Table II. Therefore, we define an input size as 64, and it can be changed flexibly depending on the vehicle environment.

Fig. 12: Accuracy of GIDS according to input size

3) Attack threshold: The attack threshold is a criterion for judging attack CAN images. For example, if there are abnormal packets above the attack threshold in a CAN image, the CAN image is defined as the attack image. We define attack threshold as 1. That is, if at least one attack packet is included in the CAN image, it is judged to be an abnormal image. We improve the security of the GIDS model by detecting even occasionally injected abnormal packets.

TABLE II: Accuracy of the GIDS according to input size

| Data type | 32 size | 48 size | 64 size | 80 size |
|---|---|---|---|---|
| DoS attack | 93.8% | 97.3% | 97.9% | 66.7% |
| FUZZY attack | 95.6% | 98.0% | 98.0% | 74.3% |
| RPM attack | 94.4% | 97.5% | 98.0% | 74.8% |
| GEAR attack | 94.2% | 97.7% | 96.2% | 74.0% |
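The input size and attack threshold described above can be made concrete with a short windowing routine. This is an added example, not the GIDS authors' code: the function names, the per-hex-digit one-hot layout (three 16-wide one-hot groups per 11-bit ID) and the sample capture are assumptions.

```python
# Added example, not the GIDS authors' code: frame windowing and image labelling.
INPUT_SIZE = 64        # CAN IDs per image (value chosen on the page)
ATTACK_THRESHOLD = 1   # injected frames needed to label an image as attack (page value)
ID_WIDTH = 3 * 16      # assumption: 3 hex digits per 11-bit ID, 16-wide one-hot each


def encode_id(can_id):
    """One-hot encode one 11-bit CAN ID as a flat 48-element row (assumed layout)."""
    if not 0 <= can_id <= 0x7FF:
        raise ValueError(f"not an 11-bit CAN ID: {can_id!r}")
    row = [0] * ID_WIDTH
    for pos, digit in enumerate(f"{can_id:03x}"):
        row[pos * 16 + int(digit, 16)] = 1
    return row


def build_images(frames, input_size=INPUT_SIZE, attack_threshold=ATTACK_THRESHOLD):
    """Group (can_id, injected) frames into images and label each one.

    Returns a list of (image, is_attack); a trailing partial window is dropped.
    """
    images = []
    for start in range(0, len(frames) - input_size + 1, input_size):
        window = frames[start:start + input_size]
        image = [encode_id(can_id) for can_id, _ in window]
        injected = sum(1 for _, flag in window if flag)
        images.append((image, injected >= attack_threshold))
    return images


def constructed_capture():
    """Constructed sample: 3 full windows plus 10 leftover frames."""
    normal_ids = [0x130, 0x2A0, 0x316, 0x43F]        # made-up periodic IDs
    frames = [(normal_ids[i % 4], False) for i in range(3 * INPUT_SIZE + 10)]
    frames[INPUT_SIZE + 5] = (0x555, True)           # one injected frame in window 1
    return frames


if __name__ == "__main__":
    for n, (image, is_attack) in enumerate(build_images(constructed_capture())):
        print(n, f"{len(image)}x{len(image[0])}", "attack" if is_attack else "normal")
```

With an attack threshold of 1, a single injected frame among 64 is enough to label the whole image as an attack image; raising the threshold to 2 would leave the same window labelled normal.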

G. Experiment Result

As mentioned in §IV, the GIDS model consists of a dual discriminator structure. The first discriminator is trained using known attack data, and the second discriminator based on GAN is trained using only normal data. The GIDS model detects known attacks at the first discriminator. After that, the second discriminator in the GIDS model detects unknown attacks which are not detected at the first discriminator. Firstly, we tested the accuracy of the first discriminator. Table III shows the detection rates of first discriminator for each attack data. As results of the experiment, attack data used in the training process were detected well but attack data not used for training were hardly detected. Fig. 13 shows the distribution of outputs of the GIDS model for each attack data. Likewise, each attack data used in the training process showed a different output distribution from the normal data explicitly, while in the attack data not used in the training process, there was no particular distribution which could be distinguished from the normal data. It requires a new detection model that can detect attacks even if only normal data are used in the training process.


Fig. 13: Density of outputs of the first discriminator for each attack data

TABLE III: Detection rate of the first discriminator in GIDS according to attack data of training set

| training set | DoS detection rate | FUZZY detection rate | RPM detection rate | GEAR detection rate | Normality detection rate |
|---|---|---|---|---|---|
| DoS | 99.9% | 0.0% | 0.0% | 0.0% | 99.9% |
| FUZZY | 2.0% | 98.7% | 33.0% | 1.9% | 100.0% |
| RPM | 0.0% | 0.0% | 99.6% | 0.0% | 100.0% |
| GEAR | 0.0% | 97.7% | 0.0% | 99.8% | 99.6% |

Secondly, we tested the detection accuracy of the second discriminator which uses random fake data in the training process instead of the real attack data. Table IV shows the detection performance for each of the four attack data and Fig. 14 shows the ROC curve of GIDS. Any attacks in the Table IV were not used in the training process of the second discriminator. As results of the experiment, each of the four attacks was detected with an average of 98% accuracy. Although the accuracy is less than 100%, we can improve the accuracy of the GIDS model by combining it with first discriminator which uses attack data for the training process.

TABLE IV: Performance of the second discriminator in GIDS

| Data type | Detection rate | Precision | Accuracy | AUC |
|---|---|---|---|---|
| DoS attack | 99.6% | 96.8% | 97.9% | 0.999 |
| FUZZY attack | 99.5% | 97.3% | 98.0% | 0.999 |
| RPM attack | 99.0% | 98.3% | 98.0% | 0.999 |
| GEAR attack | 96.5% | 98.1% | 96.2% | 0.996 |
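The two-stage decision described in this section, together with the per-image metrics reported in Table IV, can be sketched as follows. This is an added example, not the GIDS authors' code: the function names and sample scores are constructed, both discriminators are assumed to output values in [0, 1] with low values meaning anomalous, and the metric formulas are the standard definitions.

```python
# Added example, not the GIDS authors' code: cascaded verdicts and Table IV style metrics.
DETECTION_THRESHOLD = 0.1  # page value: an output below 0.1 is judged an anomaly


def verdict(d1_score, d2_score, threshold=DETECTION_THRESHOLD):
    """First discriminator (known attacks) decides first, then the second (unknown).

    Assumption: both outputs lie in [0, 1] and a low value means anomalous.
    """
    for name, score in (("d1", d1_score), ("d2", d2_score)):
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"{name} output outside [0, 1]: {score!r}")
    if d1_score < threshold:
        return "known-attack"
    if d2_score < threshold:
        return "unknown-attack"
    return "normal"


def _ratio(num, den):
    return num / den if den else 0.0


def metrics(samples, threshold=DETECTION_THRESHOLD):
    """samples: (d1_score, d2_score, is_attack) per CAN image; returns fractions."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for d1_score, d2_score, is_attack in samples:
        flagged = verdict(d1_score, d2_score, threshold) != "normal"
        key = ("tp" if is_attack else "fp") if flagged else ("fn" if is_attack else "tn")
        counts[key] += 1
    tp, fp, tn, fn = (counts[k] for k in ("tp", "fp", "tn", "fn"))
    return {
        "detection_rate": _ratio(tp, tp + fn),          # attacks flagged / all attacks
        "precision": _ratio(tp, tp + fp),               # real attacks / flagged images
        "accuracy": _ratio(tp + tn, tp + fp + tn + fn),
    }


# Constructed scores, one tuple per CAN image: (d1, d2, ground-truth is_attack).
SAMPLES = [
    (0.02, 0.01, True),    # attack type seen in training: caught by d1
    (0.03, 0.02, True),
    (0.95, 0.03, True),    # unseen attack type: d1 misses it, d2 catches it
    (0.97, 0.40, True),    # missed by both stages (false negative)
    (0.98, 0.08, False),   # normal image scored below 0.1 (false positive)
    (0.99, 0.85, False), (0.99, 0.90, False), (0.96, 0.75, False),
    (0.97, 0.66, False), (0.98, 0.91, False),
]
```

The third sample shows why the cascade matters: a first discriminator trained on other attack types scores the image as normal, and only the second stage flags it.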

V. CONCLUSION

In this study, we presented the GIDS, GAN based IDS for the in-vehicle network. Firstly, we proposed encoding a large number of CAN IDs with simple one-hot-vector, which can increase the performance and speed of the GIDS. Also, the proposed GIDS uses random fake data in the training process instead of the real attack data. It allows the GIDS model to detect unknown attacks with only normal data.

Fig. 14: ROC curve of GIDS

Finally, we proposed a detection system that combines the first discriminator for detecting known attack data and the second discriminator for detecting unknown attack data. It can improve the detection accuracy of the proposed GIDS model. As a result of the experiment, the GIDS showed the average accuracy of 100% for the first discriminator and the average accuracy of 98% for the second discriminator.

GIDS can be applied to the various types of the vehicle through the new training process and adjustment of the hyperparameters. Because the GIDS is a pre-trained system and uses the deep-learning method, it is difficult to be manipulated by the attacker. Also, it can provide real-time intrusion detection for the in-vehicle network. Fig. 15 shows the elapsed time of the GIDS model according to the size of the CAN images. The GIDS model has a constant ratio of elapsed time for intrusion detection even if the amount of CAN data to be detected increases.

Fig. 15: Elapsed time of GIDS

The proposed GIDS model has the strengths of expandability, effectiveness, and security, so it can be a suitable IDS for the in-vehicle network.

A. Discussion and future works

We used the GAN model to train the proposed IDS with only normal data. The generator of the GAN allows the discriminator to learn the normal data better. Although this model describes the CAN network traffic well, it is still challenging to distinguish anomalous traffic caused by ‘normal malfunctioning of electronic components’ from anomalous traffic caused by ‘intentional attacks by hacker’. Nonetheless, GAN based IDS is still effective under the current circumstance of a lack of ‘known attack patterns for vehicles’. GAN based IDS and its evaluation become more precise as more attack patterns for vehicles are revealed. In future work, we will implement the prototypes of the GIDS model in the GPU dashboard so that it can be mounted on an actual vehicle. We will also measure the accuracy of the GIDS for other vehicle types or unknown attack types. This can ensure higher performance of the proposed IDS.

REFERENCES

[1] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway,D. McCoy, B. Kantor, D. Anderson, H. Shacham et al., “Experimentalsecurity analysis of a modern automobile,” in Security and Privacy (SP),2010 IEEE Symposium on. IEEE, 2010, pp. 447–462.

[2] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham,S. Savage, K. Koscher, A. Czeskis, F. Roesner, T. Kohno et al.,“Comprehensive experimental analyses of automotive attack surfaces.”in USENIX Security Symposium. San Francisco, 2011.

[3] H. M. Song, H. R. Kim, and H. K. Kim, “Intrusion detection systembased on the analysis of time intervals of can messages for in-vehiclenetwork,” in Information Networking (ICOIN), 2016 International Con-ference on. IEEE, 2016, pp. 63–68.

[4] H. Lee, S. H. Jeong, and H. K. Kim, “Otids: A novel intrusion detectionsystem for in-vehicle network by using remote frame.”

[5] T. Hoppe, S. Kiltz, and J. Dittmann, “Security threats to automotive cannetworks–practical examples and selected short-term countermeasures,”Computer Safety, Reliability, and Security, pp. 235–248, 2008.

[6] S. Abbott-McCune and L. A. Shay, “Intrusion prevention system ofautomotive network can bus,” in Security Technology (ICCST), 2016IEEE International Carnahan Conference on. IEEE, 2016, pp. 1–8.

[7] T. Matsumoto, M. Hata, M. Tanabe, K. Yoshioka, and K. Oishi, “Amethod of preventing unauthorized data transmission in controller areanetwork,” in Vehicular Technology Conference (VTC Spring), 2012 IEEE75th. IEEE, 2012, pp. 1–5.

[8] M. Muter and N. Asaj, “Entropy-based anomaly detection for in-vehiclenetworks,” in Intelligent Vehicles Symposium (IV), 2011 IEEE. IEEE,2011, pp. 1110–1115.

[9] M. Marchetti and D. Stabili, “Anomaly detection of can bus messagesthrough analysis of id sequences,” in Intelligent Vehicles Symposium(IV), 2017 IEEE. IEEE, 2017, pp. 1577–1583.

[10] M. Markovitz and A. Wool, “Field classification, modeling and anomalydetection in unknown can bus networks,” Vehicular Communications,vol. 9, pp. 43–52, 2017.

[11] N. SALMAN and M. BRESCH, “Design and implementation of anintrusion detection system (ids) for in-vehicle networks.”

[12] M. Zhang, B. Xu, S. Bai, S. Lu, and Z. Lin, “A deep learning methodto detect web attacks using a specially designed cnn,” in InternationalConference on Neural Information Processing. Springer, 2017, pp.828–836.

[13] O. Gorokhov, M. Petrovskiy, and I. Mashechkin, “Convolutional neuralnetworks for unsupervised anomaly detection in text data,” in Inter-national Conference on Intelligent Data Engineering and AutomatedLearning. Springer, 2017, pp. 500–507.

[14] T. Schlegl, P. Seebock, S. M. Waldstein, U. Schmidt-Erfurth, andG. Langs, “Unsupervised anomaly detection with generative adversarialnetworks to guide marker discovery,” in International Conference onInformation Processing in Medical Imaging. Springer, 2017, pp. 146–157.

[15] L. Deecke, R. Vandermeulen, L. Ruff, S. Mandt, and M. Kloft, “Anomalydetection with generative adversarial networks,” 2018.

[16] H. Zenati, C. S. Foo, B. Lecouat, G. Manek, and V. R. Chan-drasekhar, “Efficient gan-based anomaly detection,” arXiv preprintarXiv:1802.06222, 2018.

[17] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley,S. Ozair, A. Courville, and Y. Bengio, “Generative adversarial nets,” inAdvances in neural information processing systems, 2014, pp. 2672–2680.