Abstract: Controller Area Network (CAN) is an essential networking protocol that connects multiple electronic control units (ECUs) in a vehicle. However, CAN-based in-vehicle networks (IVNs) face security risks owing to the CAN mechanisms. An adversary can sabotage a vehicle by leveraging the security risks if they can access the CAN bus. Thus, recent actions and cybersecurity regulations (e.g., UNR 155) require carmakers to implement intrusion detection systems (IDSs) in their vehicles. An IDS should detect cyberattacks and provide a forensic capability to analyze attacks. Although many IDSs have been proposed, considerations regarding their feasibility and explainability remain lacking. This study proposes X-CANIDS, which is a novel IDS for CAN-based IVNs. X-CANIDS dissects the payloads in CAN messages into human-understandable signals using a CAN database. The signals improve the intrusion detection performance compared with the use of bit representations of raw payloads. These signals also enable an understanding of which signal or ECU is under attack. X-CANIDS can detect zero-day attacks because it does not require any labeled dataset in the training phase. We confirmed the feasibility of the proposed method through a benchmark test on an automotive-grade embedded device with a GPU. The results of this work will be valuable to carmakers and researchers considering the installation of in-vehicle IDSs for their vehicles.
Abstract: Multiplayer Online Battle Arena (MOBA) is one of the most successful game genres. MOBA games such as League of Legends have competitive environments where players race for their rank. In most MOBA games, a player's rank is determined by the match result (win or lose). This seems natural because of the nature of team play, but in some sense it is unfair, because players who put in a lot of effort lose their rank merely because of a loss, and some players even free-ride on teammates' efforts in case of a win. To reduce the side effects of the team-based ranking system and evaluate a player's performance impartially, we propose a novel embedding model that converts a player's actions into quantitative scores based on the actions' respective contribution to the team's victory. Our model is built using a sequence-based deep learning model with a novel loss function working on the team match. The sequence-based deep learning model processes the action sequence of a player in a team play, from the start of the game to its end, using a GRU unit that selectively takes a hidden state from the previous step and the current input. The loss function is designed to help the action score reflect the final score and the success of the team. We showed that our model can evaluate a player's individual performance fairly and analyze the contributions of the player's respective actions.
Abstract: In the era of intelligent transportation, driver behavior profiling has become a beneficial technology as it provides knowledge regarding the driver's aggressiveness. Previous approaches achieved promising driver behavior profiling performance by establishing statistical heuristic rules or supervised learning-based models. Still, there are limitations: the practitioner should prepare a labeled dataset, and prior approaches could not classify aggressive behaviors which are not known a priori. To address the aforementioned drawbacks, we propose a novel approach to driver behavior profiling leveraging an unsupervised learning paradigm. First, we cast the driver behavior profiling problem as anomaly detection. Second, we established recurrent neural networks that predict the next feature vector given a sequence of feature vectors. We trained the model with normal driver data only. As a result, our model yields high regression error given a sequence of aggressive driver behavior and low error given a sequence of normal driver behavior. We figured that this difference in error between normal and aggressive driver behavior can be an adequate flag for driver behavior profiling, and accomplished a precise performance in experiments. Lastly, we further analyzed the optimal level of sequence length for identifying each aggressive driver behavior. We expect the proposed approach to be a useful baseline for unsupervised driver behavior profiling and to contribute to an efficient, intelligent transportation ecosystem.
Abstract: Connected and autonomous vehicles (CAVs) are an innovative form of traditional vehicles. Automotive Ethernet replaces the controller area network and FlexRay to support the large throughput required by high-definition applications. As CAVs have numerous functions, they exhibit a large attack surface and an increased vulnerability to attacks. However, no previous studies have focused on intrusion detection in automotive Ethernet-based networks. In this paper, we present an intrusion detection method for detecting audio-video transport protocol (AVTP) stream injection attacks in automotive Ethernet-based networks. To the best of our knowledge, this is the first such method developed for automotive Ethernet. The proposed intrusion detection model is based on feature generation and a convolutional neural network (CNN). To evaluate our intrusion detection system, we built a physical BroadR-Reach-based testbed and captured real AVTP packets. The experimental results show that the model exhibits outstanding performance: the F1-score and recall are greater than 0.9704 and 0.9949, respectively. In terms of the inference time per input and the generation intervals of AVTP traffic, our CNN model can readily be employed for real-time detection.
Abstract: The game industry has long been troubled by malicious activities utilizing game bots. Game bots disturb other game players and destroy the environmental system of the games. For these reasons, the game industry has put its best efforts into detecting game bots among players' characters using learning-based detection. However, one problem with the detection methodologies is that they do not provide rational explanations for their decisions. To resolve this problem, in this work, we investigate the explainability of game bot detection. We develop the XAI model using a dataset from the Korean MMORPG, AION, which includes game logs of human players and game bots. More than one classification model has been applied to the dataset to be analyzed by applying interpretable models. This provides us with explanations about the game bots' behavior, and the truthfulness of the explanations has been evaluated. Besides, interpretability contributes to minimizing false detection, which imposes unfair restrictions on human players.
Abstract: Along with the importance of safety, an IDS has become a significant task in the real world. Prior studies proposed various intrusion detection models for the UAV. Past rule-based approaches provided a concrete baseline IDS model, and the machine learning-based method achieved a precise intrusion detection performance on the UAV with supervised learning models. However, previous methods have room for improvement before they can be implemented in the real world. Prior methods required a large labeling effort on the dataset, and the model could not identify attacks that it had not been trained on. To overcome these hurdles, we propose an IDS with unsupervised learning. As unsupervised learning does not require labeling, our model frees the practitioner from labeling every type of attack in the flight data. Moreover, the model can identify an abnormal status of the UAV regardless of the type of attack. We trained an autoencoder with the benign flight data only and checked that the model provides a different reconstruction loss for the benign flight and the flight under attack. We discovered that the model produces a much higher reconstruction loss for the flight under attack than for the benign flight; thus, this reconstruction loss can be utilized to recognize an intrusion into the UAV. With consideration of the computation overhead and the detection performance in the wild, we expect our model can be a concrete and practical baseline IDS on the UAV.
Abstract: As a car becomes more connected, a countermeasure against automobile theft has become a significant task in the real world. To respond to automobile theft, data mining, biometrics, and additional authentication methods have been proposed. Among current countermeasures, the data mining method is one of the efficient ways to capture the owner driver's unique characteristics. To distinguish the owner driver from thieves, previous works applied various algorithms to driving data. Such data mining methods utilized supervised learning and thus required a labeled dataset. However, it is unrealistic to gather and apply the thief's driving pattern. To overcome this problem, we propose a driver identification method with a GAN. A GAN has the merit of building an identification model by learning the owner driver's data only. We trained the GAN only with the owner driver's data and used the trained discriminator to identify the owner driver. Using actual driving data, we evaluated that our identification model recognizes the owner driver well. By ensembling various driver authentication methods with the proposed model, we expect that industry can develop automobile theft countermeasures available in the real world.
Abstract: As automobiles become intelligent, automobile theft methods are evolving intelligently. Therefore, automobile theft detection has become a major research challenge. Data mining, biometrics, and additional authentication methods have been proposed in previous studies to address automobile theft. Among these methods, data mining can be used to analyze driving characteristics and identify a driver comprehensively. However, it requires a labeled driving dataset to achieve high accuracy. It is impractical to use in an actual automobile theft detection system because real theft driving data cannot be collected in advance. Hence, we propose a method to detect an automobile theft attempt using only owner driving data. We cluster the key features of the owner driving data using the k-means algorithm. After reconstructing the driving data into one of these clusters, theft is detected using an error from the original driving data. To validate the proposed models, we tested on our actual driving data and obtained 99% accuracy from the best model. This result demonstrates that our proposed method can detect vehicle theft by using only the car owner's driving data.
Abstract: With the rapid growth of the MMORPG market, game bot detection has become an essential task for maintaining a stable in-game ecosystem. To classify bots from normal users, detection methods have been proposed on both the game client and the server side. Among various classification methods, the server-side data mining method captured unique characteristics of bots efficiently. For features used in data mining, behavioral and social actions of characters are analyzed with numerous algorithms. However, bot developers can evade the previous detection methods by continuously changing the bot's activities. Eventually, the overall maintenance cost increases because the selected features need to be updated along with the change in the bot's behavior. To overcome this limitation, we propose an improved bot detection method with financial analysis. As a bot's activity absolutely necessitates a change in financial status, analyzing financial fluctuation as a key feature effectively captures bots. We trained and tested the model with actual data from Aion, a leading MMORPG in Asia. Leveraging the fact that LSTM efficiently recognizes time-series movement of data, we achieved meaningful detection performance. Building on this model, we expect a sustainable bot detection system in the near future.
Abstract: With massive data growth, the need for an autonomous and generic anomaly detection system has increased. However, developing one stand-alone generic anomaly detection system that is accurate and fast is still a challenge. In this paper, we propose conventional time-series analysis approaches, the Seasonal Autoregressive Integrated Moving Average (SARIMA) model and Seasonal Trend decomposition using Loess (STL), to detect complex and various anomalies. Usually, SARIMA and STL are used only for stationary and periodic time-series, but by combining them, we show they can detect anomalies with high accuracy even for data that is noisy and non-periodic. We compared the algorithm to Long Short Term Memory (LSTM), a deep-learning-based algorithm used for anomaly detection systems. We used a total of seven real-world datasets and four artificial datasets with different time-series properties to verify the performance of the proposed algorithm.