Sampath Rajapaksha (Robert Gordon University), Harsha Kalutarage (Robert Gordon University), M.Omar Al-Kadri (Birmingham City University), Andrei Petrovski (Robert Gordon University), Garikayi Madzudzo (Horiba Mira Ltd)
Modern automobiles are equipped with a large number of electronic control units (ECUs) to provide safe, driver assistance and comfortable service. The controller area network (CAN) provides real-time data transmission between ECUs with adequate reliability for in-vehicle communication. However, the lack of security measures such as authentication and encryption makes the CAN bus vulnerable to cyberattacks, which affect the safety of passengers and the surrounding environment. Intrusion Detection Systems (IDS) based on one-class classification have been proposed to detect CAN bus intrusions. However, these IDSs require large amounts of benign data with different driving activities for training, which is challenging given the variety of such activities. This paper presents CAN-ODTL, a novel on-device transfer learning-based technique to retrain the IDS using streaming CAN data on a resource-constrained Raspberry Pi device to improve the IDS. Optimized data pre-processing and model quantization minimize the CPU and RAM usage of the Raspberry Pi by making CAN-ODTL suitable to deploy in the CAN bus as an additional ECU to detect in-vehicle cyber attacks. Float 16 quantization improves the Tensorflow model with 78% of memory and 83% of detection latency reduction. Evaluation on a real public dataset over a range of seven attacks, including more sophisticated masquerade attacks, shows that CAN-ODTL outperforms the pre-trained and baseline models with over 99% detection rate for realistic attacks. Experiments on Raspberry Pi demonstrate that CAN-ODTL can detect a wide variety of attacks with near real-time detection latency of 125ms.