Cosine similarity based anomaly detection methodology for the CAN bus

Byung Il Kwak, Mee Lan Han, Huy Kang Kim

Research output: Contribution to journal › Article › peer-review

22 Citations (Scopus)


In recent years, vehicular technology has rapidly evolved in terms of the driver's convenience and safety, along with the convergence of vehicle communication and the expansion of external interfaces. However, the connectivity of the vehicle to the external environment poses a considerable driving risk because of the pre-existing vulnerabilities in the vehicle. Furthermore, most of the in-vehicle networks, such as controller area network (CAN), local interconnect network (LIN), and FlexRay network, are not ready to cope with malicious attacks from the outside. For that reason, various studies have addressed the security issues of the automobiles, as protecting the life and safety of the drivers and passengers is one of the core values of the in-vehicle technology. In the present study, in order to address these critical security issues, we propose an anomaly detection method based on cosine similarity for in-vehicle network through the analysis of self-similarity of the CAN bus. Our main goal is to detect three types of injection attacks without having additional information about the attacks. To this end, we evaluated the performance of the proposed method by measuring the accuracy and detection time using a dataset extracted from two real vehicles in driving and stationary conditions. More specifically, we designed a light-weight feature vector that can accomplish real-time detection and then analyzed the performance in terms of accuracy, recall, and detection time by the time window. In the performance evaluation, we achieved high detection accuracy, namely 98.93% and 99.18% for KIA Soul in the driving condition and in the stationary condition, respectively, and 99.43% and 99.49% for the HYUNDAI YF Sonata in the driving condition and in the stationary condition, respectively. Finally, we also showed that the cosine similarity in the CAN bus is a meaningful feature to identify and classify the types of attacks on target CAN IDs.

Original language: English
Article number: 114066
Journal: Expert Systems With Applications
Publication status: Published - 2021 Mar 15

Bibliographical note

Funding Information:
This work was supported by Samsung Research Funding & Incubation Center for Future Technology under Project Number SRFC-TB1403-51.

Publisher Copyright:
© 2020 Elsevier Ltd


  • Anomaly detection
  • Cosine similarity
  • In-vehicle network
  • Self-similarity

ASJC Scopus subject areas

  • General Engineering
  • Computer Science Applications
  • Artificial Intelligence

