Controller Area Network (CAN) bus systems in vehicular networks lack the tools needed to protect themselves against modern cyber-security threats. Machine learning methods have been used to detect and report these attacks, but common methods are not robust to unknown attacks. They usually rely on a sufficient representation of attack data, which may not be available, either because there is too little data to adequately represent its distribution or because the distribution itself is too diverse to be represented sufficiently. One-class classification methods mitigate this issue, since only normal data is required to train a model that detects anomalous instances. Research has been done on the efficacy of these methods, most notably One-Class Support Vector Machine and Support Vector Data Description, but many new extensions of these works have been proposed and have yet to be tested for injection attacks in vehicular networks. In this paper, we investigate the performance of various state-of-the-art one-class classification methods for detecting injection attacks on Controller Area Network bus traffic. We investigate the effectiveness of these techniques on attacks launched on Controller Area Network buses from two different vehicles, both during normal operation and while under attack. We observe that the Subspace Support Vector Data Description method outperformed all other tested methods with a Gmean of about 85%.
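The one-class idea described above, as an added sketch that is not code from the paper: a detector is fitted on normal CAN traffic only and then scored with Gmean on traffic containing injected frames. The timing features, the 10 ms message cycle, the constructed traffic and the mean-centred sphere (a simplification of SVDD, which solves an optimisation problem for the enclosing sphere) are all assumptions made for illustration.

```python
import math, random

def window_features(inject_period_ms=None, rng=random):
    """Constructed 1 s window of one periodic CAN ID (10 ms cycle, small jitter).
    An injection adds same-ID frames every inject_period_ms.
    Returns (mean inter-arrival gap, gap standard deviation) in ms."""
    ts = [k * 10.0 + rng.gauss(0, 0.3) for k in range(100)]
    if inject_period_ms:
        ts += [k * inject_period_ms for k in range(int(1000 / inject_period_ms))]
    ts.sort()
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return (mean, math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps)))

def distance(model, x):
    """Distance from the sphere centre in standardised feature space."""
    return math.sqrt(sum(((v - m) / s) ** 2
                         for v, m, s in zip(x, model["mu"], model["sd"])))

def fit(normal, quantile=0.95):
    """Describe normal data by a sphere: centre = mean, radius = distance quantile.
    No attack samples are used at any point during training."""
    dims = range(len(normal[0]))
    mu = [sum(x[j] for x in normal) / len(normal) for j in dims]
    sd = [math.sqrt(sum((x[j] - mu[j]) ** 2 for x in normal) / len(normal)) or 1.0
          for j in dims]
    model = {"mu": mu, "sd": sd, "r": 0.0}
    d = sorted(distance(model, x) for x in normal)
    model["r"] = d[int(quantile * (len(d) - 1))]
    return model

def is_anomaly(model, x):
    return distance(model, x) > model["r"]

def gmean(tp, fn, tn, fp):
    """Geometric mean of true-positive rate and true-negative rate."""
    return math.sqrt((tp / (tp + fn)) * (tn / (tn + fp)))

def evaluate(seed=0):
    rng = random.Random(seed)
    model = fit([window_features(rng=rng) for _ in range(300)])  # normal only
    normal = [window_features(rng=rng) for _ in range(200)]
    attack = [window_features(rng.uniform(2, 20), rng) for _ in range(200)]
    tp = sum(is_anomaly(model, x) for x in attack)
    fp = sum(is_anomaly(model, x) for x in normal)
    return gmean(tp, len(attack) - tp, len(normal) - fp, fp)

if __name__ == "__main__":
    print(f"Gmean on constructed traffic: {evaluate():.3f}")
```

The constructed injection is easy to separate, so the score here says nothing about the paper's results; the point is that the radius is set from normal data alone and that Gmean penalises both missed attacks and false alarms.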