
A Controller To Determine Abnormality In Can Communications Of A Vehicle And Method Thereof

Abstract: The controller 110 is configured to receive CAN data packets 102 from a CAN bus of the vehicle, characterized in that the controller 110 pre-processes a data frame of each of the received CAN data packets 102 and extracts pre-determined features 112. The controller 110 further processes the extracted pre-determined features through a Machine Learning (ML) based classifier module 106. The classifier module 106 is pre-trained using labeled CAN data packets 102. The controller 110 then determines abnormality in the CAN data packets 102 using the classifier module 106. A straightforward architecture is provided which uses a multi-class classification based Intrusion Detection System (IDS), in contrast to the bulk of studies that use several binary classifiers, each of which seeks to differentiate between regular traffic and one attack. The present invention considers three input features for training, hence the computational load is relatively small and the approach is simple to apply to commercial products. Figure 1


Patent Information

Application #:
Filing Date: 31 October 2023
Publication Number: 18/2025
Publication Type: INA
Invention Field: COMPUTER SCIENCE
Status:
Email:
Parent Application:

Applicants

Bosch Global Software Technologies Private Limited
123, Industrial Layout, Hosur Road, Koramangala, Bangalore – 560095, Karnataka, India
Robert Bosch GmbH
Postfach 30 02 20, 0-70442, Stuttgart, Germany

Inventors

1. Dr. Rahul Kumar Dubey
34-Sheela Cottage, Teachers Colony, Dimna Road, Mango, Jamshedpur, Jharkhand-831012, India

Specification

Description: Complete Specification:
The following specification describes and ascertains the nature of this invention and the manner in which it is to be performed.

Field of the invention:
The present invention relates to a controller to determine abnormality in CAN communications of a vehicle and method thereof.

Background of the invention:
The Controller Area Network (CAN) was developed to facilitate effective in-vehicle communication. The highest baud rate for CAN, a broadcast-based communication system, is 1 Mb per second on a single bus. Additionally, it is built to function properly in a setting with electromagnetic disturbance elements. Due to its ability to lower the cost, weight, and complexity of wiring, CAN has been shown to be an excellent match for in-vehicle networks. Additionally, it offers a reliable error detection system for reliable transmission and quick recovery. Even if many nodes transmit messages at once, the arbitration mechanism does not hinder bus communication. As a result, each node receives messages in turn, and a node cannot receive the next message until it has fully processed the previous one.

Electronic Control Units (ECUs) of various sorts are now standard equipment in cars, enabling autonomous features like self-driving, self-parking, lane keeping, collision avoidance, etc. An internal vehicle network, such as the CAN, is used to connect the ECUs to one another. Each vehicle may connect with infrastructure and other vehicles using a variety of communication technologies, including Wi-Fi, cellular networks, and vehicle-to-everything (V2X).

Despite CAN's many benefits, contemporary automobiles' connection to external networks exposes them to fresh dangers. Vehicles now face higher cybersecurity concerns due to this increasing connectedness. An attacker may, for instance, use a malicious software update to remotely access an ECU, get access to an OBD-II or Connectivity Control Unit (CCU) connection and inject malicious packets, or flood the network with false information.

Because CAN lacks security features like encryption and authentication, a threat actor might access the CAN bus, insert malicious messages, and so compromise the proper operation of ECUs, endangering the safety of cars and their occupants.

The CAN establishes a standard for dependable and effective real-time transmission between in-vehicle nodes. CAN messages do not include information about the source and destination addresses for validation, since they are broadcast from a transmitter to the other nodes on a bus. As a result, an attacker may quickly inject any message to cause system errors.

The risks of malicious manipulation of automotive electronic (E/E) systems by unlicensed individuals or by unreliable insiders are getting more and more attention from the general public. If a new security issue (a hack of a well-known manufacturer's E/E system, ECU infections, etc.) is made public, the need for security solutions may increase quickly.

According to a patent literature US2020234101, device and method for classifying data in particular for a controller area network or an automotive ethernet network is disclosed. A device and a computer-implemented method for classifying data, in particular for a Controller Area Network or an automotive Ethernet network. A plurality of messages is received from a communications network. A message that has a predefined message type is selected for an input variable for an input model of a plurality of input models of an artificial neural network associated with the predefined message type. The input variable is determined as a function of the message, and in an output area of the artificial neural network a prediction is output that is usable for classifying the message as a function of the input variable, or a reconstruction of an input variable is output that is usable for classifying the message as a function of this input variable.

Brief description of the accompanying drawings:
An embodiment of the disclosure is described with reference to the following accompanying drawings,
Fig. 1 illustrates a block diagram of the controller to determine abnormality in the CAN communications of a vehicle, according to an embodiment of the present invention, and
Fig. 2 illustrates a method for determining abnormality in CAN communications of a vehicle, according to the present invention.

Detailed description of the embodiments:
Fig. 1 illustrates a block diagram of the controller to determine abnormality in the CAN communications of a vehicle, according to an embodiment of the present invention. The controller 110 is configured to receive CAN data packets 102 from a CAN bus of the vehicle, characterized in that the controller 110 pre-processes a data frame of each of the received CAN data packets 102 and extracts pre-determined features 112. The controller 110 further processes the extracted pre-determined features 112 through a Machine Learning (ML) based classifier module 106. The classifier module 106 is pre-trained using labeled CAN data packets 102. The controller 110 then determines abnormality in the CAN data packets 102 using the classifier module 106. Further, the controller 110 classifies the abnormality into different attack types as output 104. The CAN data packets 102 are part of the CAN communications for the vehicle.

In accordance with an embodiment of the present invention, the controller 110 is provided with the necessary signal detection, acquisition, and processing circuits. The controller 110 comprises an input interface, output interfaces having pins or ports, the memory element 108 such as Random Access Memory (RAM) and/or Read Only Memory (ROM), an Analog-to-Digital Converter (ADC) and a Digital-to-Analog Converter (DAC), clocks, timers, counters and at least one processor (capable of implementing machine learning), connected with each other and to other components through communication bus channels. The memory element 108 is pre-stored with logics or instructions or programs or applications or modules/models and/or threshold values/ranges, reference values, predefined/predetermined criteria/conditions, and lists, which are accessed by the at least one processor as per the defined routines. The internal components of the controller 110 are not explained, being state of the art, and the same must not be understood in a limiting manner. The controller 110 may also comprise communication units such as transceivers to communicate through wireless or wired means such as Global System for Mobile Communications (GSM), 3G, 4G, 5G, Wi-Fi, Bluetooth, Ethernet, serial networks, and the like. The controller 110 is implementable in the form of a System-in-Package (SiP) or System-on-Chip (SoC) or any other known type. Examples of the controller 110 comprise, but are not limited to, a microcontroller, microprocessor, microcomputer, etc.

Further, the processor may be implemented as any or a combination of one or more microchips or integrated circuits interconnected using a parent board, hardwired logic, software stored in the memory element 108 and executed by a microprocessor, firmware, an application specific integrated circuit (ASIC), and/or a field programmable gate array (FPGA). The processor is configured to exchange and manage the processing of various Artificial Intelligence (AI) modules.

According to an embodiment of the present invention, the classifier module 106 is a Sequential Deep Learning (SDL) module trained using a three-layer neural network 114. The classifier module 106 is shown in Fig. 1. The classifier module 106 comprises an input layer having three pre-determined features 112. Further, a neural network 114 with hidden layers is shown. Only a three-layer neural network 114, consisting of a first hidden layer with 32 neurons, a second hidden layer with 24 neurons, and a third hidden layer with 12 neurons, has been taken into consideration. In addition, the rectified linear activation function (ReLU) has been employed in this case as the activation unit. The ReLU function is depicted by circles within the neural network 114. The vanishing gradient issue is solved by the ReLU, which enables developed models to learn more quickly and perform better.

Each of the (non-output) layers has received auto-encoder training. In essence, it is compelled to learn desirable traits that characterize what originates from the preceding layer. A trained auto-encoder is used to replicate the input using a common weight adjustment technique. Accomplishing this with fewer units than the inputs drives the "hidden layer" units to become effective feature detectors. A SoftMax classifier 116 is used to categorize the different attacks. A loss layer 118 is a cross entropy which measures the performance of the model and is used during training of the SDL. The loss layer 118 may or may not be used when the solution is deployed either in the internal device or the external device.

According to an embodiment of the present invention, the pre-determined features 112 comprise a summation of values of eight bits of the one byte data frame as a first feature, a minimum of values in the eight bits of the one byte of data frame as a second feature, and a summation of values in first two bits of the data frame as a third feature. The CAN data packets 102 are received continuously and each data frame containing eight bits of data is first converted to a decimal number. The three features 112 are then calculated and stored separately. Further, the three features 112 are calculated as a moving average of pre-determined samples, such as 1000 samples.
First feature: $SumD = \sum_{j=0}^{7} D[j]$
Second feature: $minD = \min_{0 \le j \le 7} D[j]$
Third feature: $MeanD_{12} = \sum_{j=0}^{1} D[j]$

Where,
D corresponds to data frame of the CAN data packet 102
j corresponds to bit number
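The following is an added example, not code from the specification or the applicants: a streaming computation of the three features 112 as a moving average over the last N frames. It assumes D holds the data-field values already converted to decimal (0..255 each) and that a frame with fewer than eight values is scored on the values present; the class and function names and the sample frames are constructed for illustration.

```python
from collections import deque

WINDOW = 1000  # moving-average length given in the specification


def frame_features(data):
    """Return (SumD, minD, MeanD_12) for one data field D.

    D is a sequence of 1..8 decimal values (assumption: 0..255 each).
    MeanD_12 keeps the page's name; the page defines it as D[0] + D[1].
    """
    d = list(data)
    if not 1 <= len(d) <= 8:
        raise ValueError("data field must hold 1..8 values")
    if any(not 0 <= v <= 255 for v in d):
        raise ValueError("each value must be in 0..255")
    return (sum(d), min(d), sum(d[:2]))


class MovingFeatures:
    """Moving average of the three features over the last `window` frames.

    Running totals make each update O(1), which matters when every frame
    on the bus is scored in real time.
    """

    def __init__(self, window=WINDOW):
        if window < 1:
            raise ValueError("window must be >= 1")
        self.window = window
        self.frames = deque()
        self.totals = [0, 0, 0]

    def update(self, data):
        feats = frame_features(data)
        self.frames.append(feats)
        for i, v in enumerate(feats):
            self.totals[i] += v
        if len(self.frames) > self.window:
            for i, v in enumerate(self.frames.popleft()):
                self.totals[i] -= v
        n = len(self.frames)          # fewer than `window` during warm-up
        return tuple(t / n for t in self.totals)


# Constructed sample traffic (not captured from a vehicle).
NORMAL = [0x10, 0x20, 0x05, 0x40, 0x08, 0x30, 0x02, 0x50]
FLOOD = [0x00] * 8  # assumed payload of a flooding frame


def demo(window=4):
    """Show how the classifier input drifts as flood frames fill the window."""
    mf = MovingFeatures(window)
    trace = []
    for frame in [NORMAL] * 4 + [FLOOD] * 4:
        trace.append(mf.update(frame))
    return trace


if __name__ == "__main__":
    for step, vec in enumerate(demo()):
        print(step, vec)
```

The returned tuple is the three-value input vector the classifier module 106 would receive for each frame.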

According to an embodiment of the present invention, the classifier module 106 is configured to determine the abnormal type due to any one of a Denial of Service (DOS) attack, a Fuzzy attack, and a spoofing attack. The DOS attack floods a network, in an automobile or vehicle the CAN, with unwanted traffic and triggers a crash due to overload. For example, the CAN data packets 102 with ID 0x000 are injected at a rate that is ten times the regular message interval. The Fuzzy attack sends random compromised IDs with junk data to the CAN network at any time. It also disables the vehicle's functionality or causes abnormal ECU reactions. Further, it prevents regular message delivery by occupying space on the bus. In the spoofing attack, the ID of the attack packet is stolen from another existing node on the same bus. The attack appears as though it is sent from a trusted node, a trojan-like attack. The data sent can either be malicious or junk data that impedes the CAN's functionality. For example, gear spoofing attacks the car gear's ECU, RPM spoofing attacks the engine RPM's ECU, etc.

According to an embodiment of the present invention, the controller 110 is part of at least one of an internal device and an external device with respect to the vehicle. The internal device is at least one selected from a group comprising a Connectivity Control Unit (CCU), a Vehicle Control Unit (VCU) and an Engine Control Unit (ECU), and the external device is at least one selected from a group comprising a smartphone, a smart watch, a laptop, a cloud computer.

According to an embodiment of the present invention, a training phase of the classifier module 106 is explained. The first step of SDL is the training stage, which seeks to develop the classifier module 106 for categorizing CAN bus traffic using optimized SDL model. The training samples are tagged network traces, i.e. labelled data indicating which data frame is malicious by what kind of attack. The data pre-processor module and the Sequential Deep Learning (SDL) module are two key functional components of the training stage. The chosen input features are created/computed utilizing data at the CAN packet level. Every feature has been divided into three categories as per the three features 112 defined above.

According to the present invention, a working of the controller 110 is explained and the same must not be understood in a limiting manner. Consider that the controller 110 is part of the external device, such as the cloud computer, which in turn is part of a cloud-based Intrusion Detection System (IDS) solution. The vehicle comprises a Connectivity Control Unit (CCU) which transmits all the CAN communications to the controller 110 for analysis. The CAN data packets 102 are continuously transmitted and the controller 110 computes the three features 112 in real time based on the moving window approach described earlier. The three features 112 are processed by the ML based classifier module 106. The classifier module 106 then determines the abnormality based on the three features 112 and classifies the CAN data packets 102 as normal or abnormal. If abnormal, the controller 110 also classifies the same into a specific type of attack.

In yet another working example, the controller 110 is part of the internal device, such as the ECU itself or a dedicated control unit in the vehicle. The CAN data packets 102 are analyzed within the vehicle itself and CAN data packets 102 are classified into normal and abnormal type accordingly.

According to an embodiment of the present invention, the controller 110 is part of Intrusion Detection System (IDS) for vehicle.

Fig. 2 illustrates a method for determining abnormality in CAN communications of a vehicle, according to the present invention. The method comprises plurality of steps of which a step 202 comprises receiving, by the controller 110, CAN data packets 102 from the CAN bus of the vehicle. The method is characterized by a step 204 comprising pre-processing, by the controller 110, the data frame of the received CAN data packet 102 and extracting pre-determined features 112. A step 206 comprising processing, by the controller 110, the extracted pre-determined features 112 through the Machine Learning (ML) based classifier module 106. The classifier module 106 is pre-trained using labeled CAN data packets 102. A step 208 comprises determining, by the controller 110, abnormality in the CAN data packets 102 using the classifier module 106. Further, the abnormality determination is followed by classifying, by the controller 110, the abnormality due to any one of the DoS attack, the Fuzzy attack, and the Spoofing attack.

According to the method of the present invention, the classifier module 106 is the Sequential Deep Learning (SDL) module trained using the three-layer neural network 114, and uses the Rectified Linear Activation Function (ReLU) and a trained auto-encoder. Further, the pre-determined features 112 comprise the summation of values of eight bits of the one byte data frame in decimal form as the first feature, the minimum of values in the eight bits of the one byte of data frame as the second feature, and the summation of values in first two bits of the data frame as the third feature.

According to the present invention, the controller 110 and method provide Artificial Intelligence (AI) and/or ML based Intrusion Detection Systems (IDSes) that have two key characteristics, i.e. Security, or the capacity to identify malicious CAN packets, and Safety, or the ability to avoid interfering with the normal operation of ECUs when the IDS misclassifies harmless packets as attacks.

According to the present invention, an intelligent approach towards secure and safe in-vehicle networks using real-time CAN bus data is provided. The present invention leverages the payload moving window feature of CAN data packets (or traffic) 102 to build secure and safe in-vehicle networks. The traffic payload moving window feature identifies a unique pattern for each of the different CAN traffic classes, i.e. Normal, DoS attack, Fuzzy attack, and the spoofing attack. A straightforward architecture is provided which uses a multi-class classification based Intrusion Detection System (IDS), in contrast to the bulk of studies that use several binary classifiers, each of which seeks to differentiate between regular traffic and one attack. The present invention considers three input features for SDL training, hence the computational load is relatively small and the approach is simple to apply to commercial products. The present invention also offers a cloud-based secure and safe in-vehicle network and intrusion detection using real-time CAN bus traffic data.

It should be understood that the embodiments explained in the description above are only illustrative and do not limit the scope of this invention. Many such embodiments and other modifications and changes in the embodiment explained in the description are envisaged. The scope of the invention is only limited by the scope of the claims.
Claims: We claim:
1. A controller (110) to determine abnormality in CAN communication of a vehicle, said controller (110) configured to,
receive CAN data packets (102) from a CAN bus of said vehicle, characterized in that,
pre-process a data frame of each of said received CAN data packets (102) and extract pre-determined features (112);
process said extracted pre-determined features (112) through a Machine Learning (ML) based classifier module (106), said classifier module (106) is pre-trained using labeled CAN data packets (102), and
determine abnormality in said CAN data packets (102) using said classifier module (106).

2. The controller (110) as claimed in claim 1, wherein said classifier module (106) is a Sequential Deep Learning (SDL) module trained using a three-layer neural network (114).

3. The controller (110) as claimed in claim 2, wherein said classifier module (106) also comprises use of Rectified Linear Activation Function (ReLU) and trained auto-encoder.

4. The controller (110) as claimed in claim 1, wherein said pre-determined features (112) comprises a summation of values of eight bits of said one byte data frame as a first feature, a minimum of values in said eight bits of said one byte of data frame as a second feature, and a summation of values in first two bits of said data frame as a third feature.

5. The controller (110) as claimed in claim 1 is part of at least one of an internal device and an external device with respect to said vehicle, wherein said internal device is at least one selected from a group comprising a Connectivity Control Unit (CCU), Vehicle Control Unit (VCU) and Engine Control Unit (ECU), and said external device is at least one selected from a group comprising a smartphone, a smart watch, a laptop, a cloud computer.

6. The controller (110) as claimed in claim 1, wherein said classifier module (106) is configured to determine said abnormal type due to any one of a Denial of Service (DOS) attack, a Fuzzy attack, and a spoofing attack.

7. A method for determining abnormality in CAN communications of a vehicle, said method comprising the steps of:
receiving CAN data packets (102) from a CAN bus of said vehicle, characterized by,
pre-processing a data frame of each of said received CAN data packets (102) and extracting pre-determined features (112);
processing said extracted pre-determined features (112) through a Machine Learning (ML) based classifier module (106), said classifier module (106) is pre-trained using labeled CAN data packets (102), and
determine abnormality in said CAN data packets (102) using said classifier module (106).

8. The method as claimed in claim 7, wherein said classifier module (106) is a Sequential Deep Learning (SDL) module trained using a three-layer neural network (114) and uses of Rectified Linear Activation Function (ReLU) and trained auto-encoder.

9. The method as claimed in claim 7, wherein said pre-determined features (112) comprises a summation of values of eight bits of said one byte data frame as a first feature, a minimum of values in said eight bits of said one byte of data frame as a second feature, and a summation of values in first two bits of said data frame as a third feature.

10. The method as claimed in claim 7, wherein said classifier module (106) is configured to determine said abnormal type due to any one of a Denial of Service (DOS) attack, a Fuzzy attack, and a spoofing attack.

Documents

Application Documents

# Name Date
1 202341073997-POWER OF AUTHORITY [31-10-2023(online)].pdf 2023-10-31
2 202341073997-FORM 1 [31-10-2023(online)].pdf 2023-10-31
3 202341073997-DRAWINGS [31-10-2023(online)].pdf 2023-10-31
4 202341073997-DECLARATION OF INVENTORSHIP (FORM 5) [31-10-2023(online)].pdf 2023-10-31
5 202341073997-COMPLETE SPECIFICATION [31-10-2023(online)].pdf 2023-10-31