GAN model using field fuzz mutation for in-vehicle CAN bus intrusion detection

1.   Introduction

Artificial intelligence, cloud computing, and other advanced technologies are widely used in various fields, and intelligent connected vehicle technology has become the key development direction of the automotive industry ^[1]. An intelligent connected vehicle can analyze and make decisions to realize powerful functions through an onboard sensing system and information interaction in a car network ^[2]. However, the development of intelligent networked vehicles causes serious cyber security threats, and the increase in interfaces outside of the car leads to a significant increase in the attackable path ^[3,4]. The basic electric facilities connected to intelligent connected vehicles, such as charging piles and smart grids, have a higher probability of attacks starting from intelligent connected vehicles and faults, and the prognosis of the above facilities has also become a popular research content ^[5].

Taking electronic control units (ECUs) as an example, most of the ECUs communicate with each other through the CAN bus, and the CAN bus is not designed considering cyber security protection mechanisms. The security vulnerability of in-vehicle CAN buses leads to greater challenges for automotive cybersecurity ^[6]. Intrusion detection algorithms for in-vehicle CAN buses have gradually become a research focus in the field of cyber security ^[7,8,9]. Currently, most common intrusion detection algorithms use message datasets for training, and the message datasets collected from real vehicles cannot meet the coverage requirements of an algorithm for detecting anomalous messages. The effectiveness of the detection algorithms cannot be verified effectively ^[10,11].

Therefore, an in-vehicle CAN fuzz-testing message generation model, namely, the field-associated mutation generation adversarial network (FAMGAN), was designed in this study. This model can generate messages conforming to the in-vehicle CAN protocol specification, which can be applied to the training set or test set of the intrusion detection algorithm to solve the problems of low coverage and poor specificity of traditional intrusion detection algorithms. To generate test messages that conform to the real message protocol specification, FAMGAN uses an in-vehicle CAN message bit transition rate to divide the data field and select conditional random fields (CRFs) to validate the field division result. FAMGAN uses the Apriori algorithm to perform association mining on in-vehicle CAN message fields to extract the relationship between message fields; this improves the similarity between the generated and tested messages. The generators and discriminators in FAMGAN are trained to generate a large number of in-vehicle CAN bus messages that can be used to test the intrusion detection algorithm.

The main contributions of this study are as follows.

1) The Wasserstein generative adversarial network gradient penalty (WGAN-GP)-based fuzz-testing method for in-vehicle CAN messages was employed. The WGAN-GP model was used to learn the protocol format of the CAN bus messages and induce mutations to generate test cases similar to the original messages.

2) To improve the specificity of the WGAN-GP model for in-vehicle CAN messages, an in-vehicle CAN protocol was analyzed, and a field association variant model was developed to optimize the WGAN-GP model by analyzing the in-vehicle CAN message field association.

3) A comparison of experimental results obtained using a real car and a code-built intrusion detection algorithm revealed that the proposed FAMGAN has good in-vehicle CAN anomaly message generation efficiency.

The remainder of this paper is organized as follows. Section 2 describes the current research status of in-vehicle CAN bus intrusion detection and CAN message fuzz-testing techniques, as well as the principles, advantages, and disadvantages of the relevant models. Section 3 introduces FAMGAN, including the mathematical model and implementation process. Section 4 analyzes the performance metrics of the proposed model based on its implementation in a real car, using intrusion detection algorithms. Finally, Section 5 concludes the paper and discusses future research directions.

2.   Related research

Numerous security studies on in-vehicle CAN bus communication networks have been conducted in recent years. In 2013, Valasek and Miller controlled the Ford Impala and Toyota Prius to achieve steering and braking actions through the OBD-II interface ^[12]. In 2015, they used a laptop to control a Jeep Cherokee remotely ^[13]. In 2016, they launched an attack experiment on a Jeep Cherokee, used a laptop to connect to the onboard diagnostics (OBD) interface of the vehicle, and successfully controlled the steering and braking mechanisms ^[14]. In 2018, three security researchers designed an in-vehicle CAN bus security test for an attack traffic generation tool that enables the automatic generation of attack loads for multiple attack modes ^[15]. It is clear that automotive cyber security issues are continuously being exposed, and researchers have proposed a large number of in-vehicle CAN bus message intrusion detection algorithms and testing tools. In this section, the principles of in-vehicle CAN bus message intrusion detection and related studies on in-vehicle CAN message fuzz testing are reviewed.

2.1.   In-vehicle CAN bus intrusion detection algorithm

Intrusion detection for an in-vehicle CAN bus can be divided into rule-based, feature-based, and machine learning-based intrusion detection. The rule-based intrusion detection algorithm judges anomalous messages by establishing a rule database. This class of methods can detect simple signal injection attacks, and alarms occur when messages that do not conform to the protocol rules are detected. Olufowobi et al. used message timing and worst-case response time to develop specifications and extract CAN bus real-time model parameters, and they designed a rule-based intrusion detection system, SAIDUcANT, which has a high detection capability for data injection attacks ^[16].

A feature-based intrusion detection algorithm detects whether anomalies occur in messages by collecting sensitive features, such as the message sending frequency and ECU fingerprint, and comparing them with the subsequent in-vehicle CAN bus transmission features based on the formation of feature fingerprints. Zhou et al. proposed an in-vehicle CAN bus intrusion detection algorithm based on temperature fingerprints and observed that the quartz crystal used in the ECU is more sensitive to temperature. They proposed the concept of an ECU temperature-sensitive fingerprint based on the characteristics of ECU clock deviation with temperature change ^[17]. Li et al. conducted their research on this basis to demonstrate a temperature-varying voltage fingerprinting scheme that can be used to construct a fingerprint database for each ECU based on the voltage signals emitted at different temperatures and the current driving status of the car to perform intrusion detection ^[18]. In other research, a message-periodicity-based adaptive intrusion detection algorithm for an in-vehicle CAN bus was developed. The communication load of the vehicle CAN bus was analyzed, and the period fluctuation and intrusion detection accuracy were mined based on CAN message priority and a message transmission waiting mechanism ^[19]. Intrusion detection algorithm based on attack features has also received attention recently ^[20,21].

A machine learning-based intrusion detection algorithm continuously improves the ability to identify anomalous messages from normal messages by learning the message characteristics. Because the data features of messages sent by spoofing attacks do not conform to the normal variation pattern, the machine learning-based intrusion detection algorithm can detect spoofing attacks. In a previous study, we designed a linear-chain conditional random stochastic-based intrusion detection algorithm for an in-vehicle CAN bus that can identify the relevance of CAN message context content by constructing a dual-profile model of a linear CRF normal model and intrusion model ^[22]. He et al. proposed the hybrid similar neighborhood robust factorization machine (HSNRFM) intrusion detection model for detecting anomalies in CAN bus messages. This model outperforms several classical machine learning models in several evaluation metrics ^[23]. Xie et al. proposed an enhanced deep learning generative adversarial network (GAN) model with well-designed CAN message blocks and enhanced GAN discriminators for intrusion detection in various attacks and threats ^[24].

2.2.   In-vehicle CAN bus fuzz-testing algorithm

Fuzz testing of in-vehicle CAN bus messages can be divided into protocol-based and machine learning-based fuzz testing. Protocol-based fuzz testing generates fuzz-testing cases using mutations. Such algorithms require knowledge of CAN message application layer protocol specification. Lee et al. performed fuzz testing using an open-source tool. They used a mutation-based fuzz-testing method by sending test messages to the vehicle CAN bus after blinking the indicator lights of the vehicle dynamic control system and the OBD indicator light alarm ^[25]. Fowler et al. developed a fuzz-testing tool for a CAN bus communication network. It was applied to the ECU of an experimental vehicle and could effectively investigate errors in the vehicle ECU software and defects in the design of the vehicle communication network. To solve the problem of exploding test case combinations, fuzz testing was performed on each of the 64 bits of the message data field. However, a fuzz-testing algorithm that focused on the CAN bus application layer protocol was not considered ^[26]. Protocol-based fuzz testing has two main drawbacks. First, if the CAN bus data field contains a checksum field, such algorithms can generate invalid message test cases that are ignored by the ECU receiving the message, thereby affecting the fuzz-testing results. Second, the generated data often cannot cover all possible inputs. Because the message data field has, at most, 8 bytes of data, 2⁶⁴ test cases are required to generate all the message data, which can lead to a combinatorial explosion.

Machine learning-based fuzz testing does not require reverse analysis of the CAN bus message protocol. It enables the machine learning model to generate data in the same format as the original data, but with different content after the messages collected from the CAN bus are preprocessed and input to the machine learning model for training. An intrusion detection algorithm that uses a deep learning model to generate an adversarial network can detect unknown attacks using only normal data. An anomalous message dataset was constructed using fuzz testing for model training and evaluation experiments. This intrusion detection algorithm has high detection accuracy for unknown types of malicious attack ^[27]. Owing to the lack of knowledge of the KWP2000 protocol of the body network, Zhang et al. proposed a deep learning-based generative adversarial neural network for the body network KWP2000 protocol vulnerability mining algorithm. The forward feedback network was chosen as the generator and the support vector machine as the discriminator. The output data obtained were used as semi-valid data for fuzz testing ^[28].

Protocol-based fuzz testing requires access to the content of the protocol specification. In the absence of a protocol specification, a protocol inversion is required. Therefore, protocol-based fuzz-testing algorithms are more demanding for security testers. In addition, it is difficult to guarantee that the protocol field format will be correctly parsed when performing a protocol reversal analysis. It is necessary to ensure that the test case data are in the correct format and to ensure that there is some variability in the data content. Therefore, an appropriate machine learning model can be designed to learn the CAN bus protocol format and generate a large number of test cases for in-vehicle CAN bus fuzz testing. When researchers use such methods to construct test cases, they improve testing efficiency ^[29,30]. The generalizability of the CAN bus fuzz-testing algorithm is also improved because CAN private protocols vary from vehicle to vehicle.

3.   FAMGAN model construction

The proposed FAMGAN model takes advantage of protocol-based fuzz testing and machine learning-based fuzz testing. FAMGAN mainly uses WGAN-GP to generate the original in-vehicle CAN bus fuzz-testing messages, adjusts parameters by creating a competing environment between the generator and discriminator, and generates in-vehicle CAN fuzz-testing messages that match a real in-vehicle environment. In addition, FAMGAN selects linear CRF to parse and divide in-vehicle CAN bus messages. The Apriori algorithm is used to realize in-vehicle CAN bus message field association mining, and the extracted field information is mapped onto the GAN generator and discriminator. Compared with the original WGAN-GP and related improved models, FAMGAN improves the specificity of the fuzz-testing message generation.

The basic functional flow of FAMGAN model is as follows: 1) Obtain SAE J1939 message dataset and protocol specification, generate field verification model of vehicle CAN messages by Linear-CRF, and derive real vehicle field division results by combining with vehicle CAN message field division algorithm. 2) Analyze field correlation after field division by Apriori algorithm, and generate test messages with test message constraints. 3) Input real vehicle CAN messages, test message constraints and random noise into the generative adversarial network to realize test message generation for fuzz testing.

Section 3.1 describes how WGAN-GP generates CAN fuzz-testing messages, as well as its implementation process. Section 3.2 analyzes the CAN bus message division characteristics and presents the linear-CRF-based CAN message division method. Finally, Section 3.3 explores the application of association information to the fuzz-testing message generation process of FAMGAN by mining the information of in-vehicle CAN message division using the Apriori algorithm. Furthermore, the overall implementation process of the FAMGAN model is described.

3.1.   Generating testing message using WGAN-GP model

In-vehicle CAN bus fuzz testing is an algorithm for discovering CAN bus network security vulnerabilities by sending a large number of unintended messages to the in-vehicle CAN bus network and monitoring abnormal car operation status. Because the attack behavior characteristics of the in-vehicle CAN bus network differ greatly from those of the Internet, the fuzz-testing algorithms applied to the Internet protocol cannot be directly applied to the in-vehicle CAN bus network. The generated in-vehicle CAN bus test messages should ensure a high similarity to real messages generated by actual vehicles, and the overall in-vehicle CAN bus test messages should have a high coverage rate.

The FAMGAN model is based on the GAN model, which is a deep learning algorithm consisting of a generator and discriminator. Generators and discriminators generally adopt a neural network structure. The data generated by the generator gradually approach the real data by gaming.

The learning process of GAN must consider the dynamic optimization of the two neural networks at the same time, continuously adjusting the parameters of the two models so that they can be optimized simultaneously. The objective function optimized by the GAN is given by

where D represents the discriminator, D(x) represents the probability that x is the true data, G represents the generator, G(z) is the probability distribution of the sample data z, P_data is the real data distribution, and P_z is the generated data distribution. The overall goal is to optimize V (D, G) gradually using adversarial training. For a further understanding of Equation (1), when training the discriminator, the optimization goal is to maximize the probability of correctly classifying the real and generated data:

The optimization goal of training the generator is to minimize the probability that the generated data will be correctly identified by the discriminator:

However, the GAN itself also suffers from problems, such as model nonconvergence, pattern collapse, gradient disappearance, and gradient explosion. To address these problems, Arjovsky et al. proposed the Wasserstein generative adversarial network (WGAN) model ^[31]. In 2017, Gulrajani et al. proposed an improved WGAN ^[32], the WGAN-GP. It was pointed out that using weight clipping in the WGAN leads to the aforementioned adverse effects on training. The WGAN-GP removes the weight clipping term. To ensure that the discriminator still satisfies Lipschitz continuity, the WGAN-GP adds a gradient penalty term for random samples to the objective function of the discriminator, given as

Figure 1 shows the process of the WGAN-GP-based in-vehicle CAN bus message fuzz-testing method. The specific implementation steps are as follows.

1) Dataset construction: Collected CAN messages are usually displayed in hexadecimal format, and preprocessing of the message data is required to construct the dataset for training the GAN. In this approach, redundant and repetitive data are removed from the message dataset, and then the hexadecimal data are converted to decimal data. The processed data constitute the dataset used for training the model.

2) Model construction: There are two requirements. It is necessary to generate test cases of CAN bus messages in the correct format and ensure the differentiation of the message data content to cause abnormal states of the car. Meanwhile, the model must be constructed and test messages generated in a manner that minimizes the time overhead.

3) Input test: Test messages are generated using the GAN model and injected into the automotive CAN bus network. Then, the operating state of the car is observed.

3.2.   Field division of in-vehicle CAN bus data field

Because only the average noise z is input to the generator and discriminator in the WGAN-GP model, the generated in-vehicle CAN messages have a significantly random nature. For CAN bus fuzz testing, the required message test cases must be generated based on the protocol format. By setting appropriate parameters in the FAMGAN model, the field format of the collected CAN bus messages is learned, and its applicability is enhanced. The in-vehicle CAN bus protocol can be considered for parsing before generating test messages; therefore, it is important to divide the message data field.

The SAE J1939 protocol is considered as an example. In SAE J1939, various data types are represented by SPNs, a group of suspect parameter numbers (SPNs) with a high correlation, and the same sending frequency is indexed by parameter group numbers (PGNs). The type, length, range, and resolution of the data are defined in the data field. Referring to the SAE J1939 protocol, the same ID of the message data field should contain various vehicle status parameters for the in-vehicle CAN bus private application layer protocol. The data field of the in-vehicle CAN bus private application layer protocol contains signal fields indicating the vehicle status parameters (abbreviated as signal fields) and a number of other types of field.

1) Constant number field: This is a value that does not change over time. This field may not be used, e.g., the data in the field are all 0. It can also represent a fixed value.

2) Multivalue field: This is a field in which only a few fixed values appear over time. The data type in this field may be a state type, which is used to represent several states of the signal of a car.

3) Counter field: This prevents replay attacks on the CAN bus. This type of field is typically used for critical messages.

4) Checksum field: In addition to the CRC field at the end of each CAN bus message, the data field contains other checksum fields, which are usually located at the end of the data field.

Information about the individual fields in the data field of a CAN bus message for a certain ID is shown in Figure 2. There are different types of field in the 8 bytes of the data field.

To distinguish the fields of the in-vehicle CAN bus messages, the FAMGAN model uses the field bit transition rate feature to achieve different types of field classification. The bit transition rate of each bit of the data field is defined. Assuming that there are n messages data named m of a certain ID in a period of time t, the number of transitions of the j-th bit in time t is defined as

Then, the j-th bit transition rate of the message during that time is

The bit transition rate characterizes how each bit in the message data field changes over time t. The larger the transition rate, the more it changes over time t.

In this model, the fields are divided according to the bit transition rate characteristics of the messages. Therefore, it is necessary to calculate the bit transition rate of the data fields of messages with different IDs over a period of time. The specific approach is to read the message data stream on the CAN bus and save the data. The message is then divided into several substreams according to the message IDs. Subsequently, the bit transition rate of the message is calculated. After the concept of bit transition rate is introduced, the bit transition rate characteristics of each field can be analyzed.

1) Signal field: Owing to the limitation of the cycle time, the transition rate between two consecutive bits in the physical signal field is less different, and two bits with a larger difference in the bit transition rate can be used as the basis for boundary division.

2) Counter field: Every time a message with the same ID is sent, the value of the counter field is increased by 1. Therefore, the bit transition rate of the lowest bit in the counter field is the highest. Each subsequent bit is twice as low as the bit transition rate of the previous bit.

3) Constant and multivalue fields: The bit transition rate of the constant field is 0. The bit transition rate of the multivalue field may be related to the event, while its bit transition rate is more random.

4) Check field: The bit transition rate of the check field obeys a normal probability distribution centered at 0.5 ^[33]. In general, the check field is located at the end of the data field. Therefore, the bit transition rate of the field can be tested for normality. If it conforms to a normal distribution, it can be considered a check field. The pseudo-code of the CAN bus data field division algorithm used to divide signal field is given below.

As a result analyzing the field bit transition rate characteristics, a CAN bus data field division algorithm based on bit transition rate characteristics is proposed. The algorithm is divided into three stages. 1) In the variable region extraction stage, the bit transition rate of the message is calculated, and the entire data field is divided into variable and invariant regions. 2) In the initial signal field division stage, the change in the bit transition rate of two adjacent bits is examined, and an initial physical signal boundary is determined according to the predefined bit transition rate change threshold. 3) In the final field division stage, the field division of the previous stage is analyzed again. The specific field boundaries are determined according to the bit transition rate characteristics of the different types of field. Through these three stages, a simple field division of the in-vehicle CAN bus message data field can be realized. To verify the accuracy of the field division results, linear CRF, an undirected graph model, is used as the field verification model. It can make full use of the bit transition rate of adjacent bits as features for training and inference ^[34]. A specific field-partitioning process based on CRFs is used in this study, as shown in Figure 3.

The observation sequence X represents the field bit transition rate sequence, and the state sequence (format sequence) Y represents the corresponding attribute tag sequence. Here, X can be obtained by calculating the bit transition rate of each bit of the in-vehicle CAN message data field, and Y is obtained by prior knowledge, i.e., the known SAE J1939 protocol specification. For $\forall {Y_i} \in Y$, ${Y_i}{\text{ = }}y \in \{ 0, 1\}$. If $\exists Y' \in Y$ belongs to the field boundary and is the first end of the field, then ${Y_i}^\prime = 1$; vice versa, ${Y_i}^\prime = 0$.

Here, X and Y are sequences generated by random variables—in the case of a given sequence of observed CAN bus message bit transition rate, the output field boundary labeling attribute sequence Y completes the division of the protocol field. In addition, $P(Y|X)$is a linear chain random field. Then, conditional probability $P(y|x)$, where X takes the value x and Y takes the value y, is given by

where t_k and s_l are the transfer and state feature functions, respectively, and k and l are the number of feature functions. Feature functions t_k and s_l represent the constraint relationships among and within the fields, ${\lambda _k}$ and ${\mu _l}$ are the corresponding weights, and $Z(x)$ is the normalization factor. According to the obtained conditional probability formula of linear CRF, verification of the fields can be achieved by providing a sequence of private protocol transition rates $X'$ and finding the conditional probability of $X'$. Private protocol refers to the CAN bus application layer protocol. For in-vehicle CAN bus messages, the application layer protocol specification for the Data field is non-public. The protocol format specification is proprietary to the original vehicle manufacturer and varies by brand, model and year. It is usually stored in a.dbc file format. To improve the convergence speed, the construction process of the linear-CRF model is based on the limited-memory Broyden-Fletcher-Goldfarb-Shanno learning algorithm.

In the field verification phase, observation sequence X is a bit transition rate sequence generated by a private protocol message, and state sequence Y is obtained from the SAE J1939 protocol. The validation process of the in-vehicle CAN message field involves calculating the conditional probability of the observation sequence X for the state sequence Y. If the conditional probability is greater than a certain threshold value, it means that the field validation is passed, which is in accordance with the original SAE J1939 field format. The field validation can be achieved by calculating the conditional probability through the forward–backward algorithm. For each state observation marker $i = 1, 2 \ldots, n + 1$, the forward vector ${\alpha _i}(x)$ and backward vector ${\beta _i}(x)$ are defined, and the conditional probability $P({Y}_{i} = {y}_{i}|x), P({Y}_{i-1} = {y}_{i-1}, {Y}_{i} = {y}_{i}|x)$ can be calculated by

Then, the conditional probability of the observation series is given by

The threshold P_m is set. If $P(y|x) < {P_{m} }$, the observed sequence has a low probability of correctness of field division and does not pass the field validation.

3.3.   Improving generating message specificity with date field association mining

After the in-vehicle CAN bus messages have been divided, the results are input to the generator as a constraint to obtain a message instance that is more in line with the CAN communication protocol. However, although the message instances generated by this method are similar to real messages in format, the data content is not considered reasonable during the generation process. However, this also improves the authenticity of the generated message data content.

The Apriori algorithm is a classical association rule mining algorithm that uses iterative layer-by-layer search to find the relationship of item sets in the dataset to form rules. The process consists of concatenation and pruning. Although the Apriori algorithm performs a global search on the dataset, leading to a high consumption of computational resources, the purpose of using this algorithm in this study was to discover field relationships and constrain the message instance generation conditions of FAMGAN.

For association mining among message fields, the objects for association mining of message fields required by the FAMGAN model are divided into value type and change type, according to the characteristics of in-vehicle CAN bus messages.

1) The value type of the association mining object indicates the association analysis of values corresponding to the fields in the area of interest within a single in-vehicle CAN bus message. For example, if a certain ID of an in-vehicle CAN bus message contains three fields (door switch status, window switch status, and door indicator status), it is easy to find that there must be some association rules between the two fields of door switch status and door indicator status; the two fields of door switch status and window switch status are not directly related. The association rules of these fields can be inferred quickly and accurately. However, more association rules between fields must be mined through algorithms, and field values must be analyzed as association mining objects.

2) When the association mining object is the change type, it indicates the association analysis of the changes in the corresponding values of the fields in the area of interest within the continuous sequence of the in-vehicle CAN bus messages. Real in-vehicle CAN bus messages are continuously distributed over time, and the value changes of some fields in the message data field may have such characteristics as consistency, so using the change type as the association mining object is required.

The field association mining process is similar for value and change types. However, there are some differences in the data preprocessing. Because the fields of in-vehicle CAN message data contain a large number of continuous-type variables, they must be discretized. For value-type field association mining, field values can be classified and tagged according to the value range and granularity requirements, the value tag distribution of all fields can be counted, and the degree of support and confidence among fields can be calculated. For change-type field association mining, messages should be sorted according to the time sequence. For each message, the difference between the field value of the message and the corresponding field value of its previous message is calculated. By marking the positive and negative of the difference, the degree of support and confidence among fields can be calculated. Figure 4 shows the process of calculating support and confidence using the Apriori algorithm after processing the variation-type fields.

After the field association rules for in-vehicle CAN data fields have been determined, the field constraints formed by the abstraction of the association rules can be entered into the generator and discriminator of the FAMGAN model. The overall structure of FAMGAN is shown in Figure 5.

4.   Simulation and experiment

4.1.   Simulation environment

To verify the accuracy of the data field division in FAMGAN, a simulation platform was established using CANoe software. CANoe 12.0 SP4 simulation software was used to establish the in-vehicle CAN bus network communication simulation platform and simulate the nodes on the CAN network to send and receive messages. The message protocol is based on the J1939 protocol and exports CAN bus messages to generate the datasets.

1) Software environment

The simulated in-vehicle CAN communication network uses the CANoe J1939 System Demo, which simulates the working state of each part of the CAN communication network and the message sending situation when a vehicle is running. The Power_train network inside the demo simulates the power CAN bus of the vehicle, including the engine, gears, brakes, and other major control units. Figure 6 shows the in-vehicle CAN network CANoe simulation platform and topology of the two simulated CAN bus subnets Power_train.

For the two simulated CAN bus subnets, the Power_train topology shown in Figure 6(b) contains seven ECUs and 29 different messages. Some of the simulated network messages are listed in Table 1.

2) Acquisition of datasets

CAN bus messages are generated by simulating the driving process of a car in the simulation control interface. The SAE J1939 application layer protocol specification of the messages is stored in the powertrain.dbc file. Part of the CAN bus message dataset is generated using the SAE J1939 protocol specification. At the same time, to differ from the original protocol specification to verify the validity of FAMGAN, some of the contents in the powertrain.dbc file are modified to generate a private message protocol based on the J1939 protocol.

4.2.   Message field division and association verification

In this study, the message with the parameter group number PGN 614,444 (Engine Controller for Electronics) was selected for verification. According to the definition of the protocol specification in SAE J1939, the field format of PGN 614,444 is defined as shown in Table 2. This table is then introduced as prior knowledge.

PGN 61,444 is defined and arranged in the powertrain.dbc file, and each suspect parameter SPN is also defined according to the SAE J1939 protocol specification. To verify the results of the field division, the positions of the brake, gear, and throttle are continuously adjusted randomly to generate the message data and calculate the transition rate of each bit of the PGN 61,444 messages. By continuously repeating the above steps, a dataset of the 64-bit transition rate of PGN 61,444 messages is finally generated. The linear-CRF field verification model is constructed using the transition rate as the observed variable and the division of signal parameters in the powertrain.dbc file as the state variable. The bit transition rate under the SPN 513 field is between 0 and 0.45, and the bit transition rate under the SPN 190 field is between 0.01 and 0.5. When training the field validation model, the bit transition rate observation sequence is divided into 11 levels as ${t_0}, {t_{0.05}}, \cdot \cdot \cdot, {t_{0.5}}$. For example, if the bit transition rate is 0.256, this is marked as ${t_{0.25}}$. At the end of the training phase, the conditional probability of field verification is obtained from 0.721 to 0.987 by substituting the data in the training. Therefore, the threshold value of field verification is set to 0.7. When it is lower than this threshold value, field verification fails.

The powertrain.dbc file is remodified, the definitions of SPN 512 and SPN 1675 are deleted, the signal of wheel speed (SPN 84) is added in the last byte, the factor value of SPN 191 is changed to 0.13, and it is offset to 50. The modified powertrain.dbc file is applied to generate message data and calculate the transition rate of each bit of the PGN 61,444 message.

The SPN parameters in the first, second, and sixth bytes did not change during message acquisition. Only the third byte (SPN 513), the fourth and fifth bytes (SPN 190), and last two bytes (SPN 84) were analyzed. SPN 513 is located in the third byte of the data field and is distributed in bits 17–24. SPN 190 is located in the fourth and fifth bytes of the data field and is distributed in bits 25–40. Field validation is performed using CRFs for the SPN 513 and SPN 190 fields. Choosing the bit transition rate of every 4 bits in the field as the observed sequence, conditional probabilities can be obtained under the CRF model, as shown in Table 3

As shown in Table 3, by setting the boundary state values of the SPN 513 and SPN 190 fields, the conditional probability of the bit transition rate observation sequence for every 4 bits under the CRF model is above the threshold. Therefore, the validation of the fields is passed, indicating that the modified protocol specification also contains SPN 513 and SPN 190 fields.

The bit transition rate of the seventh byte in the message is 0, and the bit transition rate from bits 49 to 64 is not 0. The bit transition rate of the last 2 bytes is shown in Figure 7(a). The field format shown in Figure 7(b) is obtained according to the field division algorithm in FAMGAN. The results show that the final field division results conform to the field format after modification to the SAE J1939 protocol.

To analyze the correlation of the data fields of in-vehicle CAN messages, messages with ID 0xAA were taken as an example for the simulation. The test host hardware for the test case generation method was an Intel Core i7-4720HQ with a 3.00-GHz main frequency. The operating system was a Windows 7 64 bit. The compiler was Python 3.9. After analyzing the field division and meaning of the data field of the in-vehicle CAN message with ID 0xAA, it was found that its 8-byte data field consisted of four 2-byte signal fields, and their meanings were related to the speed of the four wheels of the car. The field extraction of the in-vehicle CAN message with ID 0xAA and acquisition time of 150–330 s yielded the four signal field data changes with time, as shown in Figure 8(a). The correlation analysis of the field data changes yielded the correlation results of the field changes, as shown in Figure 8(b), and the algorithm running time is 11.33 s. The change trend of the four signal fields had a more obvious consistency. The FAMGAN generator generated the message instance with ID 0xAA. The changes in the four signal fields should have a high consistency if the test message sequence with time relation is generated.

4.3.   Model-based generating message execution

The USBCAN-OBD device and OBD-II interface of the vehicle were used to obtain the CAN bus messages. The messages were recorded and exported by the host software ECanTools, and the message dataset was generated for test case generation. Each data record in the dataset included the message reception interval time, message ID, DLC, and data in the data field. The test cases were then generated using the FAMGAN model and converted in order to batch the.can files for storage. The CAN bus messages were sent to the in-vehicle CAN bus for fuzz testing through the USBCAN-OBD device using ECanTools. The process of fuzz testing of the vehicle through the OBD interface is shown in Figure 9.

The deep learning framework TensorFlow was used to build the FAMGAN. Model-generated message execution experiments were performed on a live vehicle to analyze the message execution results. Uniform noise and field constraints were input to the generator, while real message data and field constraints were input to the discriminator for FAMGAN model training. The curve of the training process parameter L with the number of training is shown in Figure 10. It can be seen from the figure that when the learning rate is 0.001, the parameter L converges faster and its final value is smaller. Therefore, the learning rate is set to 0.001 in this paper.

To analyze the distribution of FAMGAN-generated data, the probability density distribution of the second byte of ID 0x1□4 message data is shown in Figure 11, the average training time of FAMGAN algorithm is 3.97 s. The distribution of the generated data is closer to the distribution of the real data as the number of trainings increases.

The partial message data generated by the FAMGAN model with ID 0x 0x1□4 are listed in Table 4. The values of the third, fourth, and sixth bytes of the message data field with ID 0x 0x1□4 remain unchanged, while the values of the remaining fields are mutated only.

The fuzz-testing cases were sent to the CAN bus of the vehicle through the OBD interface to monitor the abnormal status of the vehicle and record abnormal messages. Figure 12 shows the abnormal status of the vehicle during the execution of fuzz-testing cases. Two fuzz-testing methods were used to generate 10,000 test cases for each message ID, and the training time of FAMGAN model is about 2380 s. The messages generated by both fuzz-testing methods affect the anomalous state of the vehicle. The fuzz-testing methods based on field weights and the FAMGAN model triggered nine and eleven anomalous car states respectively, and the inference times are 0.161 and 5.247 s respectively.

As shown in Figure 12(a), after sending the test case with messages with IDs 0x□2 and 0x□4, the low oil pressure warning light, electric steering system warning light, and brake system light on the instrument panel remained constant. This means that the telegram triggered a false alarm, whereas the vehicle did not actually malfunction. As shown in Figure 12(b), after the messages with IDs 0x□3 and 0x1□F were sent, the smart start–stop canceled the indicator light on the instrument panel, the charging system warning light was always on, the front seat belt reminder light flashed, and the digital display on the instrument panel disappeared.

As shown in Figures 12(c), (d), after the test cases with message IDs 0x□4 and 0x□C4 were sent, respectively, the RPM and vehicle speed on the instrument panel changed. The RPM reached 7000 r/min, and the driving speed reached 156 km/h. The car was not actually in a driving condition.

4.4.   In-vehicle CAN bus intrusion detection experiment

The performance analysis of the intrusion detection algorithm based on fuzz testing is divided into the following four steps: message data collection, data preprocessing, classifier training, and performance verification of the classifier based on fuzz testing. Normal and abnormal CAN bus message data were used to extract the features of the message data. The message data were trained using a machine learning classifier. Then, test cases were generated using the fuzz-testing algorithm and input to the machine learning classifier for intrusion detection. Subsequently, the performance of the intrusion detection algorithm was analyzed. During the training phase of the intrusion detection classifier, different intrusion detection algorithms were used to train the CAN bus message dataset to build an intrusion detection classifier. In this study, the k-nearest neighbors (KNN) and AdaBoost algorithms were used to construct the classifier.

The 250,000 real vehicle messages collected were used as the normal message dataset for testing, and the messages were classified and saved according to their IDs. Anomalous messages were generated for training the classifier of the intrusion detection algorithm by manual random synthesis. The experimental environment was as follows. The host hardware was an Intel Core i7-4720HQ with a main frequency of 3.00 GHz. The operating system used was a Windows 7 64-bit system.

During the experiment, 3000 messages for each ID were used as the training set, including 2000 normal messages and 1000 randomly generated abnormal messages. The classifiers based on the KNN and AdaBoost algorithms were implemented by programming software and related toolboxes, and the detection rate of the classifiers was then calculated by fuzz testing.

Ten of these CAN messages with different IDs were selected for training the classifier. CAN message test cases were generated by performing fuzz testing to calculate the detection rate of the intrusion detection algorithm. Figure 13 shows the comparison results of the detection rates based on the KNN and AdaBoost algorithms while using different fuzz-testing algorithms.

The results of the detection rate calculation of the intrusion detection algorithm using the field weight-based fuzz-testing method reveal that the average detection rate of the KNN algorithm was 84.31% and that of the AdaBoost algorithm was 85.06%. The results of the detection rate calculation of the intrusion detection algorithms using the FAMGAN-based fuzz-testing method show that the average detection rate of the KNN algorithm was 78.30% and that of the AdaBoost algorithm was 79.83%. For CAN bus messages with different IDs, in general, both classifiers have lower detection rates for test cases generated by the fuzz-testing method based on the FAMGAN model generation. This is because this type of test method generates messages that are similar to the original message dataset, lowering the detection rate. In terms of the detection rate, AdaBoost is more effective in detecting anomalous messages.

5.   Conclusions

An efficient generation model, FAMGAN, was proposed for in-vehicle CAN messages. In this model, the bit transition rate and CRF model are used to divide the message field, whereas the Apriori algorithm is used to analyze the CAN message field relationships. The algorithms mentioned above improve the compliance and reasonableness of the generated messages using FAMGAN. WGAN-GP was used to achieve large-scale generation of in-vehicle CAN bus messages, input noise, real messages, and field constraints to the generator and discriminator to obtain messages with in-vehicle CAN network specificities. Comprehensive simulations and experiments were conducted to compare intrusion detection algorithms on real vehicles with a code-built intrusion detection algorithm. The results show that the FAMGAN model can generate CAN messages that trigger vehicle anomalies in in-vehicle CAN networks. FAMGAN can also be applied to machine learning-based intrusion detection algorithm evaluation. However, FAMGAN has some limitations. Methods of generating a series of CAN messages with time-dependent characteristics in a batch and improving the efficiency of anomalous message generation should be the focus of future research.

Acknowledgments

This study is supported by "Project for the Development and Application of Safety Testing and Verification Platform for Industrial Robots" under Grant TC200H01Q and Heilongjiang Touyan Innovation Team Program under Grant AUEA5640202520-09.

Conflict of interest

The authors declare there is no conflict of interests.