MaREA: Multi-class Random Forest for Automotive Intrusion Detection

The technology inside modern vehicles is rapidly growing and poses newer security risks, as vehicle communication protocols are not yet fully secured and vulnerable to attacks. Consequently, the implementation of automotive cybersecurity systems has gained more attention. Controller Area Network (CAN) is one of the most studied communication protocols in the literature and lacks inherent cybersecurity measures. Several works proposed Intrusion Detection Systems (IDSs) using Machine Learning (ML) and Deep Learning (DL) algorithms to identify attacks on the CAN bus. Exploiting ML or DL techniques in a multi-class approach makes it possible to know the attack typology and to support developers' decisions to integrate concrete design methods in the software automotive development life-cycle. However, most automotive IDSs are tested on data sets that contain raw CAN messages without the possibility of decoding these messages to understand how the attack was generated. Based on these gaps, a Multi-class Random Forest for Automotive Intrusion Detection (MaREA) is presented, and a new Synthetic Automotive Hacking Dataset (SA-Hacking Dataset) is generated with a Database for CAN (DBC) file. First, the model is validated on the Car-Hacking dataset and compared with two other works in the literature that used the same classifier and dataset for the multi-class approach. Then, the Random Forest model is tested by concatenating the Survival Analysis Dataset and the SA-Hacking Dataset. The proposed approach presented better-quality results for both the Car-Hacking dataset and the aforementioned concatenated dataset.