MIDS: Detecting Stealthy Masquerade and Tampering Attacks on CAN Bus via Bidirectional Mamba
作者: Qiqi Liu, Runhan Song, Lei Cui, Heng Zhang, Yuyan Sun, Limin Sun
分类: cs.CR, cs.AI
发布日期: 2026-06-17
💡 一句话要点
提出MIDS以解决CAN总线隐蔽伪装和篡改攻击问题
🎯 匹配领域: 支柱二:RL算法与架构 (RL & Architecture)
关键词: CAN总线 入侵检测 伪装攻击 双流框架 状态空间建模 实时处理 安全防护
📋 核心要点
- 现有入侵检测系统主要针对伪造式攻击,难以有效应对内部伪装攻击,导致安全防护不足。
- MIDS采用双流框架,通过双向选择性状态空间建模,处理CAN标识符和有效载荷,重建其时间语义。
- 在实验中,MIDS在超过1亿个CAN帧的数据集上取得96.94%的F1得分,且在多个公开基准测试中表现优异。
📝 摘要(中文)
控制器局域网(CAN)协议是现代车辆电子控制单元(ECU)的主要通信标准,但其缺乏加密和认证,导致面临多种安全威胁。现有的入侵检测系统主要针对伪造式攻击,而本研究聚焦于更复杂的伪装攻击场景。我们提出了Mamba入侵检测系统(MIDS),该系统通过双流框架并行处理CAN标识符和有效载荷,重建其联合时间语义。MIDS在收集的超过1亿个CAN帧的测试中,F1得分达到96.94%,显著超越现有基线,且具备实时部署的潜力。
🔬 方法详解
问题定义:本研究旨在解决CAN总线中的伪装攻击问题,现有方法在面对内部攻击时表现不佳,无法有效检测在原始传输时隙中替换的合法帧。
核心思路:MIDS通过双流处理CAN标识符和有效载荷,利用双向选择性状态空间建模重建其联合时间语义,从而提高对伪装攻击的检测能力。
技术框架:MIDS的整体架构包括数据采集、双流处理模块和状态空间建模。数据采集模块负责收集CAN帧,双流处理模块并行分析标识符和有效载荷,最后通过状态空间建模重建时间语义。
关键创新:MIDS的主要创新在于其双流框架和双向建模方法,使其能够有效应对伪装攻击,而不仅仅依赖于传统的统计特征。
关键设计:MIDS在参数设置上进行了优化,采用了适合实时处理的损失函数和网络结构,确保在1.147毫秒的推理延迟下实现高效检测。
🖼️ 关键图片
📊 实验亮点
MIDS在超过1亿个CAN帧的测试中,F1得分达到96.94%,比现有最强基线高出8个百分点。同时,在多个公开基准测试中,MIDS的F1得分在93.70%到99.61%之间,超越了八个重现基线的最高值,提升幅度可达13.94个百分点。
🎯 应用场景
MIDS的研究成果具有广泛的应用潜力,尤其是在现代汽车的安全防护中。随着智能汽车的普及,CAN总线的安全性愈发重要,MIDS能够有效提升车辆对伪装和篡改攻击的防御能力,保障行车安全。此外,该技术也可扩展至其他基于CAN协议的工业控制系统,提升其安全性。
📄 摘要(原文)
The Controller Area Network (CAN) protocol is the primary communication standard for Electronic Control Units (ECUs) in modern vehicles, but its lack of encryption and authentication exposes it to a range of security threats. Existing intrusion detection systems are largely tuned to fabrication-style attacks (DoS, fuzzing, ID spoofing realised by frame injection), in which detection signals such as per-ID inter-arrival statistics are readily available. We instead address the harder \emph{masquerade} setting~\cite{b37}, in which an internal adversary substitutes a legitimate frame in-situ at its original transmission slot, preserving traffic periodicity and rendering traffic-statistic defences ineffective. We propose the Mamba Intrusion Detection System (MIDS), an innovative dual-stream framework that processes CAN identifiers and payloads in parallel and reconstructs their joint temporal semantics through bidirectional selective state-space modelling. To evaluate MIDS, we collected over 100 million CAN frames from a physical Tesla Model 3 across three driving regimes and synthesised 54 masquerade attack variants spanning ID-only, data-only, and combined modifications. MIDS attains an F1 of 96.94\% on this dataset, exceeding the strongest reproducible baseline by more than 8 percentage points, while sustaining a 1.147~ms single-window inference latency -- ample headroom for real-time onboard deployment. To verify generalisation, we further evaluate MIDS on four public benchmarks (ROAD, CrySyS, OTIDS, CT\&T) covering both masquerade and injection scenarios; MIDS attains F1 from 93.70\% to 99.61\%, outperforming the strongest of eight reproduced baselines by up to 13.94 percentage points under a unified 5-fold protocol.