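Intrusion Detection on CAN Bus Data: A Study for Equivalent Comparison of Methods (original title: Intrångsdetektering på CAN bus data: En studie för likvärdig jämförelse av metoder)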
Halmstad University, School of Information Technology.
Halmstad University, School of Information Technology.
2020 (Swedish). Independent thesis, Basic level (degree of Bachelor), 10 credits / 15 HE credits. Student thesis
Abstract [sv]

Hacker attacks carried out on modern vehicles highlight a need for rapid threat detection in this environment, particularly given the trend in this industry whereby modern vehicles can today be classified as IoT devices. There are known cases of attacks in which an attacker is able to stop vehicles in operation, or disable brakes, and this has been shown to be possible remotely.

This study examines the detection of attacks carried out on a real car, by studying CAN bus messages. The two models CUSUM, from the field of Change Point Detection, and Random Forests, from the field of machine learning, are applied to a real data set, and are then compared with each other on simulated data.

A new hypothesis definition is introduced, which enables the evaluation method Conditional expected delay to be used in the case of Random Forests, where results can be compared with evaluation results from CUSUM. Conditional expected delay has not previously been studied for a machine learning method. Both methods are also evaluated by ROC curve. Altogether, the two methods can be compared with each other, using each other's established evaluation methods.

This study presents a method and hypothesis to bridge the two fields of change point detection and machine learning, in order to evaluate the two according to jointly motivated parameter values.

Abstract [en]

There are known hacker attacks which have been conducted on modern vehicles. These attacks illustrate a need for early threat detection in this environment. Development of security systems in this environment is of special interest due to the increasing interconnection of vehicles and their newfound classification as IoT devices. Known attacks, some of which have even been carried out remotely on modern vehicles, include attacks which allow a perpetrator to stop vehicles, or to disable brake mechanisms.

This study examines the detection of attacks carried out on a real vehicle, by studying CAN bus messages. The two methods CUSUM, from the field of Change Point Detection, and Random Forests, from the field of Machine Learning, are both applied to real data, and then later comparably evaluated on simulated data.

A new hypothesis definition is introduced which allows the evaluation method Conditional expected delay to be used in the case of Random Forests, where results may be compared to evaluation results from CUSUM. Conditional expected delay has not been studied in the machine learning case before. Both methods are also evaluated using ROC curves. The combined hypothesis definition for the two separate fields allows for a comparison between the two models, in terms of each other's established evaluation methods.

This study presents a method and hypothesis to bridge the two separate fields of study, change point detection and machine learning, to achieve a comparable evaluation between the two.

Place, publisher, year, edition, pages
2020. p. 72
Keywords [en]
CUSUM, random Forests, CAN Bus, anomaly detection, change point detection, machine learning, outlier detection, intrusion detection system
Keywords [sv]
CUSUM, random forests, CAN Bus, anomaly detection, change point detection, machine learning, outlier detection, intrusion detection system
National Category
Computer Systems; Communication Systems; Other Electrical Engineering, Electronic Engineering, Information Engineering; Other Engineering and Technologies
Identifiers
URN: urn:nbn:se:hh:diva-42354
OAI: oai:DiVA.org:hh-42354
DiVA, id: diva2:1439799
Subject / course
Digital Forensics
Educational program
IT Forensics and Information Security, 180 credits
Available from: 2020-06-16. Created: 2020-06-12. Last updated: 2025-02-10. Bibliographically approved.

Open Access in DiVA

fulltext (5525 kB), 206 downloads
File information
File name: FULLTEXT02.pdf
File size: 5525 kB
Checksum SHA-512:
ea28013f8bd1fcba6216c10767cca390580c96512606b1ece92929c1fe3a4ce5ff766ca37bb9352a56908b00d841d43ec3b7fe9ca90091d48ccf909bae56067a
Type: fulltext
Mimetype: application/pdf

Total: 455 hits