As Intelligent Transport Systems (ITSs) require Electronic Control Units (ECUs) to be extensively connected to the outside world, safety and security have become pressing problems. Intrusion detection systems (IDSs) are a crucial safety component for remediating Controller Area Network (CAN) bus vulnerabilities. However, supervised IDSs fail to identify complex attacks, and anomaly-based IDSs produce more false alarms owing to a capability bottleneck. In this paper, we propose a novel multi-knowledge fused anomaly detection model, called MKF-IDS. Specifically, the method designs an integration framework that includes a spatial-temporal correlation with attention mechanism (STcAM) module and a patch sparse-transformer (PatchST) module. The STcAM with fine-pruning uses one-dimensional convolution (Conv1D) to extract spatial features and then uses Bidirectional Long Short-Term Memory (Bi-LSTM) to extract temporal features, with the attention mechanism focusing on the important time steps. Meanwhile, the PatchST captures the combined long-term historical features from independent univariate time series. Finally, the proposed method uses knowledge distillation, with STcAM as the student model that learns intrinsic knowledge and acquires the ability to mimic PatchST. In the detection phase, the MKF-ADS deploys only STcAM to maintain efficiency in a resource-limited in-vehicle network (IVN) environment. Moreover, redundant noisy signals are reduced with bit flip rate and boundary decision estimation. We conduct extensive experiments on six simulated attack scenarios across various CAN IDs and time steps, and on two real attack scenarios, which show competitive prediction and detection performance. Compared with the baseline in the same paradigm, the error rate and false alarm rate (FAR) are 2.62% and 2.41%, and the model achieves a promising F1-score of 97.3%.
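The bit flip rate mentioned in the abstract can be computed per payload bit for one CAN ID, as in this added example (not code from the paper). The function names, the sample frames and the boundary rule (a drop in the flip rate's order of magnitude starts a new signal, constant bits are discarded) are assumptions for illustration, not the paper's own decision procedure.

```python
from math import floor, log10

def bit_flip_rates(payloads, n_bits=64):
    """Fraction of consecutive frame pairs in which each bit changes.
    Index 0 is the most significant bit of payload byte 0."""
    if len(payloads) < 2:
        raise ValueError("need at least two frames of the same CAN ID")
    flips = [0] * n_bits
    for prev, cur in zip(payloads, payloads[1:]):
        diff = int.from_bytes(prev, "big") ^ int.from_bytes(cur, "big")
        for i in range(n_bits):
            if (diff >> (n_bits - 1 - i)) & 1:
                flips[i] += 1
    pairs = len(payloads) - 1
    return [f / pairs for f in flips]

def split_signals(rates):
    """Assumed boundary rule: inside one signal the flip rate grows from
    MSB to LSB, so a drop in its order of magnitude opens a new signal.
    Bits that never flip carry no information and are dropped."""
    signals, start, prev_mag = [], None, None
    for i, rate in enumerate(rates):
        if rate == 0:                      # constant bit: close any open signal
            if start is not None:
                signals.append((start, i - 1))
            start, prev_mag = None, None
            continue
        mag = floor(log10(rate))
        if start is None:
            start = i
        elif mag < prev_mag:               # magnitude drop: boundary
            signals.append((start, i - 1))
            start = i
        prev_mag = mag
    if start is not None:
        signals.append((start, len(rates) - 1))
    return signals

# Constructed sample for one CAN ID: bytes 0-1 hold a slowly rising 16-bit
# value, byte 2 an 8-bit rolling counter, byte 3 is constant, bytes 4-7 unused.
SAMPLE = [(3 * t).to_bytes(2, "big") + bytes([t % 256, 0xFF, 0, 0, 0, 0])
          for t in range(256)]

if __name__ == "__main__":
    for first, last in split_signals(bit_flip_rates(SAMPLE)):
        print(f"signal occupies bits {first}..{last}")
```

Only the bit ranges returned by `split_signals` would be passed on as model input in this sketch; the constant and unused bits are filtered out before any learning step.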