Anomaly Detection in Automobile Control Network Data with Long Short-Term Memory Networks


  1. Taylor, A.
  2. Leblanc, S.
  3. Japkowicz, N.
Corporate Authors
Defence Research and Development Canada, Ottawa Research Centre, Ottawa ON (CAN);Royal Military Coll of Canada, Kingston ON (CAN) Depart of Electrical and Computer Engineering;American Univ, Washington DC (US)
Modern automobiles have been proven vulnerable to hacking by security researchers. By exploiting vulnerabilities in the car’s external interfaces, such as wifi, bluetooth, and physical connections, they can access a car’s controller area network (CAN) bus. On the CAN bus, commands can be sent to control the car, for example cutting the brakes or stopping the engine. While securing the car’s interfaces to the outside world is an important part of mitigating this threat, the last line of defence is detecting malicious behaviour on the CAN bus. We propose an anomaly detector based on a Long Short- Term Memory neural network to detect CAN bus attacks. The detector works by learning to predict the next data word originating from each sender on the bus. Highly surprising bits in the actual next word are flagged as anomalies. We evaluate the detector by synthesizing anomalies with modified CAN bus data. The synthesized anomalies are designed to mimic attacks reported in the literature. We show that the detector can detect anomalies we synthesized with low false alarm rates. Additionally, the granularity of the bit predictions can provide forensic investigators clues as to the nature of flagged anomalies.
automobiles;computer security;anomaly detection;neural network;long short term memory
Report Number
DRDC-RDDC-2016-P097 — External Literature
Date of publication
24 Oct 2016
Number of Pages
Electronic Document(PDF)

Permanent link

Document 1 of 1

Date modified: