As the automotive industry advances towards greater automation, the proliferation of electronic control units (ECUs) has led to a substantial increase in the connectivity of in-vehicle networks with the external environment. However, the widely used Controller Area Network (CAN), which serves as the standard for in-vehicle networks, lacks robust security features, such as authentication or encrypted information transmission. This poses a significant challenge to the security of these networks. Despite the availability of powerful intrusion detection methods based on machine learning and deep learning, there are notable limitations in terms of stability and accuracy in the absence of a supervised learning process with labeled data. To address this issue, this paper introduces a novel in-vehicle intrusion detection system, termed IDS-DEC. This system combines a spatiotemporal self-coder employing LSTM and CNN (LCAE) with an entropy-based deep embedding clustering. Specifically, our approach involves encoding in-vehicle network traffic into windowed messages using a stream builder, designed to adapt to high-frequency traffic. These messages are then fed into the LCAE to extract a low-dimensional nonlinear spatiotemporal mapping from the initially high-dimensional data. The resulting low-dimensional mapping is subjected to a dual constraint in conjunction with our entropy-based pure deep embedding clustering module. This creates a bidirectional learning objective, addressing the optimization problem and facilitating an end-to-end training pattern for our model to adapt to diverse attack environments. The effectiveness of IDS-DEC is validated using both the benchmark Car Hacking dataset and the Car Hacking-Attack & Defense Challenge dataset. Experimental results demonstrate the model's high detection accuracy across various attacks, stabilizing at approximately 99% accuracy with a 0.5% false alarm rate. The F1 score also stabilizes at around 99%. In comparison with unsupervised methods based on deep stream clustering, LSTM-based self-encoder, and classification-based methods, IDS-DEC exhibits significant improvements across all performance metrics.

中文翻译：

---

IDS-DEC：一种基于深度嵌入式集群的新型 CAN 总线流量入侵检测


随着汽车行业朝着更高程度的自动化方向发展，电子控制单元 (ECU) 的激增导致车内网络与外部环境的连接性大幅增加。然而，作为车载网络标准的广泛使用的控制器局域网（CAN）缺乏强大的安全功能，例如身份验证或加密信息传输。这对这些网络的安全提出了重大挑战。尽管存在基于机器学习和深度学习的强大入侵检测方法，但在缺乏标记数据的监督学习过程的情况下，在稳定性和准确性方面存在明显的局限性。为了解决这个问题，本文介绍了一种新型的车载入侵检测系统，称为 IDS-DEC。该系统将采用 LSTM 和 CNN (LCAE) 的时空自编码器与基于熵的深度嵌入聚类相结合。具体来说，我们的方法涉及使用流构建器将车载网络流量编码为窗口消息，旨在适应高频流量。然后，这些消息被输入 LCAE，从最初的高维数据中提取低维非线性时空映射。由此产生的低维映射与我们基于熵的纯深度嵌入聚类模块一起受到双重约束。这创建了一个双向学习目标，解决了优化问题并促进了模型的端到端训练模式，以适应不同的攻击环境。使用基准汽车黑客数据集和汽车黑客攻击与防御挑战数据集验证了 IDS-DEC 的有效性。 实验结果表明，该模型对各种攻击具有较高的检测精度，准确率稳定在 99% 左右，误报率为 0.5%。 F1分数也稳定在99%左右。与基于深度流聚类、基于 LSTM 的自编码器和基于分类的方法的无监督方法相比，IDS-DEC 在所有性能指标上都表现出显着的改进。