The increased connectivity of vehicles expands the attack surface of in-vehicle
networks, enabling attackers to infiltrate through external interfaces and
inject malicious traffic. These malicious flows often contain anomalous semantic
information, potentially leading to misleading control instructions or erroneous
decisions. While most semantic-based anomaly detection methods for in-vehicle
networks focus on extracting semantic context, they often overlook interactions
and associations between multiple semantics, resulting in a high false positive
rate (FPR). To address these challenges, the Adaptive Structure Graph Attention
Network Model (AS-GAT) is proposed for in-vehicle network anomaly detection. Our
approach combines a semantic extractor with a continuously updated graph
structure learning method based on attention weight similarity constraints. The
semantic extractor identifies semantic features within messages, while the graph
structure learning module adaptively updates the graph structure based on
attention weights between semantics. This model effectively learns relationships
between multiple semantics in in-vehicle network packets, thereby enhancing
anomaly detection accuracy. A case study on a CAN-FD dataset from real vehicles
demonstrates that AS-GAT achieves an F1 score of 97.56% in anomaly
detection, outperforming baseline methods by effectively identifying attack
packets causing abnormal semantic time series changes, such as fuzzing,
spoofing, and replay attacks. Additional experiments on two public datasets,
SWaT and WADI, further validate AS-GAT’s superior anomaly detection performance
compared to baseline models, highlighting the universal applicability of our
approach.