HP-LSTM: Hawkes Process–LSTM-Based Detection of DDoS Attack for In-Vehicle Network

Abstract

Connected and autonomous vehicles (CAVs) are advancing at a fast speed with the improvement of the automotive industry, which opens up new possibilities for different attacks. A Distributed Denial-of-Service (DDoS) attacker floods the in-vehicle network with fake messages, resulting in the failure of driving assistance systems and impairment of vehicle control functionalities, seriously disrupting the normal operation of the vehicle. In this paper, we propose a novel DDoS attack detection method for in-vehicle Ethernet Scalable service-Oriented Middleware over IP (SOME/IP), which integrates the Hawkes process with Long Short-Term Memory networks (LSTMs) to capture the dynamic behavioral features of the attacker. Specifically, we employ the Hawkes process to capture features of the DDoS attack, with its parameters reflecting the dynamism and self-exciting properties of the attack events. Subsequently, we propose a novel deep learning network structure, an HP-LSTM block, inspired by the Hawkes process, while employing a residual attention block to enhance the model’s detection efficiency and accuracy. Additionally, due to the scarcity of publicly available datasets for SOME/IP, we employed a mature SOME/IP generator to create a dataset for evaluating the validity of the proposed detection model. Finally, extensive experiments were conducted to demonstrate the effectiveness of the proposed DDoS attack detection method.

1. Introduction

Connected vehicles have advanced communication capabilities that allow them to interact with other vehicles, infrastructure, and the surrounding environment, while autonomous vehicles operate without human intervention, relying on sensors, artificial intelligence, and advanced algorithms for navigation and decision making. In integrating these two technologies of connected vehicles and autonomous vehicles, connected and autonomous vehicles (CAVs) offer a new paradigm for transportation, such as enhanced transport efficiency, improved safety, and reduced accidents [1,2]. It is precisely these advantages that have led to the rapid development of CAVs in recent years, characterized mainly by an increase in the number of Electronic Control Units (ECUs) [3]. However, as CAVs continue to develop rapidly, their potential threats are also increasing, such as data privacy breaches [4] and malicious message injections [5]. In particular, the enhancement of connectivity and automation levels inevitably necessitates an increase in computing resources [2,6]. Increasing the level of computational functionality and connectivity increases the exposure of potential vulnerabilities, which can offer attackers a greater number of possibilities for attack [7].

The Distributed Denial-of-Service (DDoS) attack is currently one of the common vulnerabilities within in-vehicle network systems [8], where malicious users attempt to disrupt the normal operation by flooding the network with an overwhelming amount of false requests or abnormal data packets. These attacks can impair various vehicle functionalities, including driving assistance systems, entertainment features, and communication platforms. By generating excessive network traffic, attackers hinder legitimate users and vehicle control systems from accessing essential network resources, thus posing severe security risks. Given the increasing reliance on network connectivity and automation in modern vehicles, DDoS attacks present significant challenges to the security of CAVs.

The increasing number of ECUs and the development of infotainment systems have led to the emergence of in-vehicle Ethernet with ultra-high bandwidth [9,10]. The main driving forces behind this trend are the growing demand for computational and communication bandwidth, as well as the need for flexibility in adding software [11]. In this case, the SOME/IP, unique for its communication mechanism, has seen rapid development since being proposed by BMW in 2011. However, the lack of a robust security architecture in SOME/IP has made it a target for various network attacks, including DDoS attacks [3,12]. In addition, in contrast to the considerable attention garnered by the CAN bus within research circles [13], in-vehicle Ethernet has received relatively less scrutiny, exacerbating the scarcity of publicly available datasets pertaining to SOME/IP. This scarcity notably complicates research efforts aimed at understanding network attacks targeting SOME/IP.

To overcome the above challenges, we propose a novel detection method for DDoS attacks on SOME/IP, called HP-LSTM. Initially, we model the SOME/IP communication data using the Hawkes process, wherein the Hawkes parameters reflect the dynamism and self-exciting properties of the attack events, taking into account the dynamic behavior characteristics of attackers. Subsequently, we propose a simple yet efficient deep learning network for detecting DDoS attack. The network is combined with multiple HP-LSTM blocks, residual self-attention blocks, Packet Mapping blocks, and MLPs. HP-LSTM blocks capture complex temporal features that original LSTM blocks cannot by introducing Hawkes parameters to our well-designed structure. The code is available at the following link: https://github.com/jamesnulliu/HP-LSTM/ (accessed on 20 May 2024).

Our primary contributions are as follows:

• We are the first to utilize the Hawkes process for modeling and analysis in the field of DDoS intrusion detection in the context of the detection of in-vehicle DDoS attacks, where the Hawkes process parameters are capable of capturing the dynamic and self-exciting properties inherent in the sequence of attack events.
• We propose a novel network structure, the HP-LSTM block, which simulates the Hawkes process by introducing Hawkes parameters to capture more temporal features compared to the original LSTM structure. Moreover, our model combines this structure with residual self-attention blocks, enhancing efficiency in detecting DDoS attacks in the in-vehicle Ethernet SOME/IP.
• Based on our extensive experiments, where various HP-LSTM structures were compared, we identified the optimal HP-LSTM design, achieving an average F1-score of 99.3% in detecting DDoS attacks. Furthermore, HP-LSTM demonstrates its capability to meet the stringent traffic and real-time constraints outlined in IEEE 802.1DG [14] (<1 ms), thereby showcasing its proficiency in achieving real-time detection within real-world vehicular environments.

The structure of the remaining sections of this paper is as follows. Section 2 reviews the current detection models for in-vehicle DDoS attacks and the state-of-the-art detection methods based on the Hawkes process in cyber attacks. Section 3 introduces the structure and communication modes of the SOME/IP, as well as the intensity function of the Hawkes process. Section 4 provides a detailed description of our detection model, while Section 5 offers an evaluation of the model’s performance. Finally, in Section 7, we present conclusions and the future works.

2. Related Work

2.1. Review of Existing Research on DDoS Detection for In-Vehicle Network

In the development of CAVs, the automotive security domain continues to grapple with the prevalent yet challenging threat posed by Distributed Denial-of-Service (DDoS) attacks. This ongoing concern has spurred significant research efforts in the field. In order to detect DDoS attacks in vehicular networks, researchers have proposed a series of intrusion detection systems. In 2020, Adhikary et al. [15] introduced a hybrid detection algorithm based on AnovaDot and RBFDot SVM kernel methods for detecting DDoS attacks in VANETs. In 2021, Kadam et al. [16] proposed a novel Hybrid KSVM scheme based on the KNN and SVM algorithms to build a secure framework to detect DDoS attack. In 2023, Dong et al. [17] proposed a Controller Area Network (CAN) bus intrusion detection system based on Multi-Observation Hidden Markov Models (MOHIDS), which effectively detects four types of attacks including DDoS attacks. In fact, relying solely on the aforementioned statistical-based detection methods and traditional machine learning has proven insufficient in adapting to complex attack scenarios and varying attack intensities, presenting a significant challenge in this research field.

On the other hand, with the advancement of deep learning, an increasing number of researchers have begun to utilize deep learning to detect DDoS attacks. Duan et al. [18] proposed a detection model integrating Generative Adversarial Networks (GANs) and Deep Belief Networks (DBN) for detecting intrusions in vehicular networks, including DDoS attacks. The proposed model significantly improves the detection performance of a small number of network attack samples. Jaton et al. [19] proposed a novel distributed multi-layer perceptron classifier (MLPC) for DDoS detection and evaluated the performance of the proposed detection scheme in vehicular communication systems. In order to achieve a higher detection accuracy, more scholars are now using LSTM to detect intrusions in vehicular networks [20]. A Long Short-Term Memory network (LSTM), as an improved version of an RNN, is capable of more effectively capturing long-term dependencies when processing long sequential data, effectively mitigating the issues of vanishing and exploding gradients encountered in traditional RNNs. A deep learning architecture-based LSTM autoencoder algorithm, proposed by Ashraf et al. [21], has been employed for the identification of intrusion events from the central network gateways of autonomous vehicles (AVs). This algorithm showcases detection accuracies of 99% and 98% on real and simulated datasets, respectively. Similarly, Liu et al. [3] verified, through extensive comparative experiments, that in vehicular network attack detection, LSTM models outperform other deep learning models (such as CNNs and RNNs) in terms of performance. As an intelligent decision-making method, reinforcement learning combined with a neural network is widely used in in-vehicle network detection to achieve intelligent detection in complex attack environments. Li et al. [22] presented a reinforcement learning-based feature adaptation method named FAST. They elaborately designed a combination action space and devised a reward function based on the Kalman filter method and historical data traffic flows, enabling FAST to identify DDoS attacks in vehicular networks more quickly and accurately.

2.2. Hawkes Process for Modeling Network Attack

Hawkes processes, as a type of self-exciting point process, have found increasingly widespread applications in the field of network attack modeling, particularly in financial security and social network security [23,24,25,26]. Dutta et al. [23] developed a novel classifier named HawkesEye, which utilizes time windows for prediction. This classifier combines Hawkes processes with specific topic models for analyses based on time and textual information. Qu et al. [24] proposed a social network witch attack detection model based on multi-stimulus Hawkes processes. This model simulates other users’ endorsement behaviors toward a particular user through external stimuli and reflects the user’s own reposting and commenting behaviors through internal stimuli, effectively identifying witch attacks in social networks. Sun et al. [25] applied Hawkes processes to zombie network detection in the Internet of Things (IoT). Using multivariate Hawkes processes, they identified potential connections among attackers by exploiting the mutually excitatory characteristics. Additionally, in the field of vehicular network security, research teams have explored the feasibility and superiority of Hawkes processes. Specifically, for the issue of safety in autonomous driving vehicles, Pan et al. [26] proposed a multi-stage Hawkes process (MSHP). This approach aims to predict the occurrence probability of errors in each stage of the perception system and their potential impacts on subsequent stages by treating errors at each stage as events in a Hawkes process, thus achieving the accurate prediction of errors in the perception system of autonomous driving vehicles. These research findings not only demonstrate the strong potential of Hawkes processes in both theory and practice but also provide insights for research on network security, social network monitoring, IoT security, and the safety of autonomous driving vehicles.

2.3. Critical Review

Table 1. Comparison of HP-LSTM with existing works.

Literature	Type	ML	Che	Ea	Wb	Oa
Adhikary, Kaushik, et al. [15]	AnovaDot and RBFDot SVM	✓	×	×	×	×
Kadam, Nivedita, and  Raja Sekhar Krovi [16]	KNN and SVM	✓	×	×	×	×
Li, Zhong, et al. [22]	Reinforcement learning-based	✓	✓	×	×	✓
Dong, C., et al. [17]	MOHIDS	×	✓	×	✓	×
Jaton, Nicholas, et al. [19]	MLPC	✓	×	×	×	×
Duan, Yali, et al. [18]	GANs and DBN	✓	×	×	×	✓
Ashraf, Javed, et al. [21]	LSTM	✓	✓	×	✓	✓
Dutta, H. S., et al. [23]	Hawkes Process	✓	✓	×	×	×
Qu, Z., et al. [24]	Multi-Stimuli Hawkes Process	✓	✓	×	×	×
Sun et al. [25]	Multivariate Hawkes process	✓	✓	×	×	×
Pan, F., et al. [26]	Multi-Stage Hawkes Process	✓	✓	×	✓	×
HP-LSTM	Hawkes Process + LSTM	✓	✓	✓	✓	✓

ML: Machine Learning Approach; Che: Consider the impact of historical events; Ea: For Ethernet data; Wb: window-based; Oa: Open access.

summarizes the key features of works on DDoS detection and Hawkes modeling. Our model is unique in the following aspects. (i) It not only considers the impact of historical events but also takes into account the variation in attack intensity over time, providing a better characterization of attacker behavior. (ii) Unlike traditional neural network detection models, we introduce Hawkes coefficients to simulate the forgetting and excitation of Hawkes processes and apply them to the HP-LSTM cell gates. (iii) We innovatively utilize the Hawkes process combined with an LSTM for detecting network attacks in Ethernet data.

3. Preliminary

3.1. SOME/IP Protocol

3.1.1. Specification of Message Format

SOME/IP is an emerging communication middleware proposed by BMW AG (Munich, Germany) in 2011 and incorporated into the AUTOSAR 4.1 specification in November 2013 [12,27], which supports remote procedure calls (RPCs), event notifications, and the underlying serialization/wire format [28].

An RPC represents a method call from one Electronic Control Unit (ECU) to another, transmitted through messages. Serialization involves converting data into a byte stream for network transmission. Event notifications encapsulate a general Publish/Subscribe concept. Typically, a client sends subscription event requests to the server. In certain scenarios, the server publishes events to the client, which usually consist of updated values or previously occurred events. Importantly, the subscription and publishing mechanisms are implemented using SOME/IP-SD rather than SOME/IP [13,29].

The header frame format of the SOME/IP protocol consists of the following:

• Message ID (Service ID/Method ID) [32 Bits];
• Length [32 Bits];
• Request ID (Client ID/Session ID) [32 Bits];
• Protocol Version [8 Bits];
• Interface Version [8 Bits];
• Message Type [8 Bits];
• Return Code [8 Bits].

The entire message comprises the header and payload sections, as depicted in Figure 1.

Table 2. Some of the fields presented in the SOME/IP packet.

Message ID	Message ID is a 32-bit identifier used to identify either an RPC call to a method of an application or an event.
Length	The Length field specifies the byte length from the Request ID/Client ID to the end of the SOME/IP message.
Request ID	The Request ID enables differentiation between multiple concurrent uses of the same method, getter, or setter by a server and client.
Protocol Version	The Protocol Version field, occupying eight bytes, identifies the used SOME/IP Header format.
Interface Version	The Interface Version is an eight-bit field containing the Major Version of the Service Interface.
Message Type	The Message Type field is utilized to distinguish between different types of messages. According to AUTOSAR, there are approximately ten commonly used message types.
Return Code	The Return Code is used to indicate whether a request has been successfully processed. Additionally, each message should transmit the Return Code field.
Payload	The Payload field represents the valid information content to be transmitted.

elaborates on the content represented by each field in the SOME/IP message.

3.1.2. Communication Pattern

We will discuss three communication patterns in the SOME/IP protocol in this section. Figure 2 illustrates three communication patterns for SOME/IP.

• Request/Response: Request/Response is one of the most crucial communication patterns, in which one ECU sends a request and another ECU sends a response. In fact, Request/Response communication is an RPC that comprises a request and a response [28]. The response should be sent after the request, and the server must not send response messages to clients that have not sent requests.
• Fire&Forget: Requests without response message are called Fire&Forget [28]. This means that the client sends a request without the server providing any response. This type of request, known as “REQUEST NO RETURN”, differs from the request in Request/Response communication.
• Notification Events: This communication pattern requires the client to first send a subscription request to the server, and the server responds with a confirmation message. These mechanisms are implemented in SOME/IP-SD [28]. In certain scenarios, the server publishes events to the clients, typically containing updated values or previously occurred events. Additionally, it should be noted that the message type for the entire publication process is NOTIFICATION.

3.2. Hawkes Process

The Hawkes process, proposed by Hawkes A.G. in 1971 [30,31], is a type of linear self-exciting point process that assumes past events will have a positive influence on present events. In this study, we utilized the HP-LSTM model, which incorporates Hawkes process parameters, to capture the temporal characteristics of DDoS attacks, thereby capturing the dynamic behavioral characteristics of the attackers. To elucidate the principle of the Hawkes process, we provide some fundamental background knowledge.

• Counting process: A counting process, typically denoted as $N\left(t\right)$, is a type of stochastic process. The mathematical expression for the counting process $N\left(t\right)$ is given by

  $$N\left(t\right)=\sum _{i=1}^{n}I\left(t_i\right)$$

  (1)

  where $t_i$ represents the time points at which events occur, and $I\left(t_i\right)$ is an indicator function that equals 1 if an event occurs at time $t_i$ and 0 otherwise. Therefore, the counting process represents the number of events occurring within the given time interval $[0,t]$. Additionally, the counting process satisfies the following properties [32]:

  $$P[N\left(0\right)=0]=1,P[N\left(0\right)=k]=0,\sum _{k=0}^{\infty }P[N\left(t\right)=k]=1$$

  (2)

  where $P\left[N\right(t)=k]$ denotes the probability of $k>0$ events occurring within the time interval $[0,t)$.
• Intensity function: The intensity function is commonly denoted as $\lambda \left(t\right)$. For instance, in the case of a homogeneous Poisson process, its intensity function is a constant [33]:

  $$\lambda \left(t\right)=\mu$$

  (3)

  where $\mu$ belongs to ${\mathbb{R}}^{+}$.

However, for some point processes that consider additional factors affecting event occurrence rates, we introduce the conditional intensity $\lambda \left(t\right|H)$, where H denotes additional conditional information. As a self-exciting point process, the conditional intensity function of the Hawkes process is defined as [34,35,36]

$$\lambda \left(t\right|H)=\underset{h\to 0}{lim}\frac{E[N(t+h)-N\left(t\right)|{\mathcal{F}}_t]}{h}$$

(4)

This represents the likelihood of events occurring in the extended region beyond the observed data ${\mathcal{F}}_t$. Furthermore, the intensity function is defined as follows. Note that the subsequent mentions of the intensity function for the Hawkes process all refer to the conditional intensity function denoted by $\lambda \left(t\right)$:

$$\lambda \left(t\right)=\mu +{\int }_0^t\alpha (t-s)dN\left(s\right)$$

(5)

where $\mu$ denotes the baseline intensity, and $\alpha (t-s)$ is referred to as the excitation function.

The Hawkes process posits that prior occurrences exert a positive influence on present events. In contrast to Poisson processes, which exhibit memorylessness by not considering the impact of historical events on current events, Hawkes processes often incorporate the influence of past occurrences on the present. As indicated by Equation (5), the occurrence of new events leads to an increase in the intensity function, thereby enhancing the likelihood of subsequent event occurrences. Typically, the excitation function is modeled as an exponentially decaying function, reflecting the phenomenon where the influence of events diminishes over time. The excitation function is commonly defined as $\alpha e^{-\beta (t-t_i)}$ [37], and the intensity function is parameterized as

$$\lambda \left(t\right)=\mu +\sum _{t_i<t}\alpha e^{-\beta (t-t_i)}$$

(6)

where $\alpha$ represents the amplitude parameter, $\beta$ denotes the decay parameter, and $t_i$ signifies the time of the $t_i$ event occurrence.

4. HP-LSTM Detection Model

4.1. Overview of Our Model

In this section, we introduce our innovative HP-LSTM detection model. As shown in Figure 3, the model utilizes a SOME/IP generator to produce a set of labeled simulated data, simulating the scenario where ECUs are subject to a DDoS attack, based on the framework proposed by [3]. Subsequently, the collected data undergo preprocessing, as depicted in the Training Module. The preprocessed data are used both as input for the neural network and for the calculation of parameters in the Hawkes process.

In the Hawkes Process Formulation Module, we assume that each ECU in the vehicle corresponds to a unique IP address in network communications [38,39]. We model the IP addresses within each time window using the Hawkes process and apply the maximum likelihood estimation method to estimate the Hawkes parameters for each IP address within each time window according to Equation (11). These parameters, along with the preprocessed data, are then fed into the Training Module for the HP-LSTM model to learn. Details of the training process will be elaborated in Section 4.4.

Finally, the test data are analyzed by the model to determine whether the ECUs within the time window are in a normal state or have encountered a DDoS attack. Next, we will elaborate on the details of the model.

4.2. Cyberattack Modeling Module

The SOME/IP protocol is an application layer protocol utilized over Ethernet in automotive networks. In this study, we assume that the hacker has indirect access to certain physical interfaces within the vehicle, such as OBD-II, and has gained access to the vehicle’s Ethernet network. This implies that the attacker can access SOME/IP data packets. In fact, Stephen Checkoway et al. [40] proposed methods for accessing vehicle networks via wireless interfaces such as Bluetooth and WiFi.

Given our focus on DDoS attacks, and considering the three communication patterns outlined in Section 3.1.2, where both Fire&Forget and Notification Events communication patterns do not necessitate responses [28], our attack is specifically tailored to target the Request/Response communication pattern. Figure 4 illustrates the attack scenario we simulated. We assume that after obtaining the IP addresses of one or multiple targets, the attacker sends a large number of forged request packets to the target, rendering it unable to respond to other tasks.

4.3. Hawkes Process Formulation Module

In order to simulate the temporal logic behavior of DDoS attackers, we make the following assumption regarding the number of IP addresses within a certain period of time (a window): the IP address is fixed. We employ separate one-dimensional Hawkes intensity functions to each IP address within each window. The occurrence of a packet with the source IP address $I{P}_i$ is considered an event occurrence for the ith one-dimensional Hawkes process. During a DDoS attack orchestrated by attackers, the adversaries utilize a multitude of legitimate IP addresses to inundate the victim with a significant volume of fabricated packets, consequently resulting in notable discrepancies between the Hawkes parameters associated with the spoofed IP addresses and those under normal circumstances. The differences in these parameters are advantageous for our model to better distinguish between attacked and unattacked entities [23].

In Equation (6), we introduce the most fundamental intensity function of a one-dimensional Hawkes process, while Equation (7) represents the intensity function used in our experimental process. Since the only difference among different IP addresses lies in the parameter values of the intensity function, this section focuses solely on presenting the one-dimensional Hawkes process for a single IP address.

$$\lambda \left(t\right)={\theta }_0+\sum _{x^{\tau }<t}\alpha e^{-\beta (t-x^{\tau })}$$

(7)

We now provide a more in-depth explanation of the parameters in the intensity function as follows:

• ${\theta }_0$ represents the baseline intensity of event occurrences, indicating the initial trend of packet-forwarding events.
• $\alpha$ denotes the amplitude parameter, which reflects the abrupt increase in the intensity function for each event occurrence. It signifies the positive influence of each event occurrence on subsequent events.
• $\beta$ is the decay parameter controlling the decay rate of event occurrences, indicating that the positive influence of event occurrences diminishes over time.

Using the likelihood function for parameter estimation: To estimate the parameters of a one-dimensional Hawkes process, according to T. Ozaki [37], the likelihood function for a one-dimensional Hawkes process is given by

$$L(\lambda ,t)=\prod _{t=t_1}^l\lambda \left(x^{\tau }\right)e^{-{\int }_0^{t_l}\lambda \left(t\right)dt}$$

(8)

The likelihood function is further transformed into the following:

$$lnL(\lambda ,t)=\sum _{t=t_1}^{t_l}ln\lambda \left(x^{\tau }\right)-{\int }_0^{t_l}\lambda \left(t\right)dt$$

(9)

We define $F\left(t_l\right)={\int }_0^{t_l}\lambda \left(t\right)dt$; thus, the logarithm of the likelihood function becomes

$$lnL(\lambda ,t)=\sum _{t=t_1}^{t_l}ln\left[{\theta }_0+\sum _{x^{\tau }<t}\alpha e^{-\beta (t-x^{\tau })}\right]-F\left(t_l\right)$$

(10)

In fact, $F\left(t_l\right)$ is a computable function, so we provide the following derivation steps:

$$\begin{array}{cc}\hfill F\left(t_l\right)& ={\int }_0^{t_l}\lambda \left(t\right)dt\hfill \\ \hfill & ={\int }_0^{t_1}{\theta }_{0}dt+\sum _{i=1}^{l-1}{\int }_{t_i}^{t_{i+1}}\lambda \left(t\right)dt\hfill \\ \hfill & ={\int }_0^{t_1}{\theta }_{0}dt+\sum _{i=1}^{l-1}{\int }_{t_i}^{t_{i+1}}\left({\theta }_0+\sum _{x^{\tau }<t}\alpha e^{-\beta (t-x^{\tau })}\right)dt\hfill \\ \hfill & ={\theta }_0{t}_l+\sum _{i=1}^{l-1}{\int }_{t_i}^{t_{i+1}}\left(\alpha \sum _{x^{\tau }=t_1}^{t_i}{e}^{-\beta (t-x^{\tau })}\right)dt\hfill \\ \hfill & ={\theta }_0{t}_l+\alpha \sum _{i=1}^{l-1}\sum _{x^{\tau }=t_1}^{t_i}{\int }_{t_i}^{t_{i+1}}{e}^{-\beta (t-x^{\tau })}dt\hfill \\ \hfill & ={\theta }_0{t}_l-\frac{\alpha }{\beta }\sum _{i=1}^{l-1}\sum _{x^{\tau }=t_1}^{t_i}\left[e^{-\beta (t_{i+1}-x^{\tau })}-e^{-\beta (t_i-x^{\tau })}\right]\hfill \\ \hfill & ={\theta }_0{t}_l-\frac{\alpha }{\beta }\sum _{i=1}^{l-1}\left[e^{-\beta (t_l-t_i)}-1\right]\hfill \end{array}$$

Therefore, the final form of the logarithm of the likelihood function is

$$lnL(\lambda ,t)=\sum _{t=t_1}^{t_l}ln\left[{\theta }_0+\sum _{x^{\tau }<t}\alpha e^{-\beta (t-x^{\tau })}\right]-{\theta }_0{t}_l+\frac{\alpha }{\beta }\sum _{i=1}^{l-1}\left[e^{-\beta (t_l-t_i)}-1\right]$$

(11)

After obtaining the likelihood function as shown in Equation (11), we compute the partial derivatives and Hessian matrix of our likelihood function [37]. Subsequently, we utilize the gradient descent method to estimate the parameters $\alpha$, $\beta$, and ${\theta }_0$. Through this computation, each one-dimensional Hawkes process yields a set of estimated parameters.

4.4. Training Module

Figure 5 illustrates our training process. Initially, we preprocess the data generated by the SOME/IP generator, primarily by performing OneHot encoding on key fields such as ‘Message Type’ to make it easier for the model to understand the differences between different categories. The preprocessed data are utilized as input for the neural network and also for calculating the corresponding parameters in the Hawkes process.

Subsequently, the preprocessed data and computed Hawkes parameters are fed into the HP-LSTM for training. The HP-LSTM utilizes Hawkes parameters to compute Hawkes coefficients, which act on the calculation of the HP-LSTM cell by constraining the forget gate and input gate. Regarding the structure of HP-LSTM, we propose four different approaches, and in Section 5.2, we compare the original LSTM with these four variants of the HP-LSTM design, resulting in the optimal design approach for the HP-LSTM.

Traditional LSTM operations involve a series of gating mechanisms, including input, output, and forget gates, which iteratively update the cell and hidden states, selectively retaining or discarding information across sequences. The following equation describe the LSTM update at time step t:

$$\begin{array}{cc}\hfill i^t& \leftarrow \sigma (W_i{x}^{(t-1)}+U_i{h}^{(t-1)}+b_i)\hfill \\ \hfill c^t& \leftarrow f^t\ast c+i^{t}tanh(W_c{x}^{(t-1)}+U_c{h}^{(t-1)}+b_c)\hfill \\ \hfill h^t& \leftarrow \sigma (W_o{x}^{(t-1)}+U_o{h}^{(t-1)}+b_o)tanh\left(c^t\right)\hfill \\ \hfill y^t& \leftarrow W_y{h}^{(t-1)}\hfill \end{array}$$

(12)

where $i^t$ represents the input gate, and $f^t$ represents the forget gate. $C^t$ and $h^t$ are the cell state and hidden state, $y^t$ represents the output at time step t, $\sigma$ denotes the sigmoid function, tanh denotes the hyperbolic tangent function, and U and b denote the weights and bias terms, respectively.

However, traditional LSTM structures lack the capability to recognize the precise timing of events and the subsequent impact on future events. Traditionally, time information is encoded into the input data, allowing the neural network to learn autonomously. Conversely, the HP-LSTM aims to address these shortcomings by utilizing parameters derived from the Hawkes process to quantify the influence of events in terms of both stimulation and inhibition, as detailed in Equations (13)–(16):

• HP-LSTM (our best):

  $$\begin{array}{cc}\hfill {hks}^t& \leftarrow tanh(A{\alpha }^x-B{e}^{{\beta }^x{T}_{\mathrm{span}}^x}+C{\theta }^x)\hfill \\ \hfill c^t& \leftarrow {hks}^t\ast (f^t\ast c+i^{t}tanh(W_c{x}^{(t-1)}+U_c{h}^{(t-1)}+b_c))\hfill \end{array}$$

  (13)
• HP-LSTM hted-chm:

  $$\begin{array}{cc}\hfill {hks}^t& \leftarrow tanh(A{\alpha }^x-B{e}^{{\beta }^x{T}_{span}^x}+C{\theta }^x+\mathbf{D})\hfill \\ \hfill c^t& \leftarrow {hks}^t\ast (f^t\ast c+i^{t}tanh(W_c{x}^{(t-1)}+U_c{h}^{(t-1)}+b_c))\hfill \end{array}$$

  (14)
• HP-LSTM ht-chm:

  $$\begin{array}{cc}\hfill {hks}^t& \leftarrow tanh(A{\alpha }^x-\mathit{B}\ast {\mathit{\beta }}^{\mathit{x}}{\mathit{T}}_{\mathrm{span}}^{\mathit{x}}+C{\theta }^x)\hfill \\ \hfill c^t& \leftarrow {hks}^t\ast (f^t\ast c+i^{t}tanh(W_c{x}^{(t-1)}+U_c{h}^{(t-1)}+b_c))\hfill \end{array}$$

  (15)
• HP-LSTM hte-chp:

$$\begin{array}{cc}\hfill {hks}^t& \leftarrow tanh(A{\alpha }^x-B{e}^{{\beta }^x{T}_{span}^x}+C{\theta }^x)\hfill \\ \hfill c^t& \leftarrow {\mathit{hks}}^{\mathit{t}}+{\mathit{f}}^{\mathit{t}}\ast \mathit{c}+i^{t}tanh(W_c{x}^{(t-1)}+U_c{h}^{(t-1)}+b_c)\hfill \end{array}$$

(16)

where ${hks}^t$ represents the Hawkes coefficient; ${\alpha }^x$, ${\beta }^x$, and ${\theta }^x$ are the Hawkes parameters; and A, B, C, and D are learnable weights.

Firstly, we proposed the original HP-LSTM structure, which introduces three parameters of the Hawkes process, using ${\alpha }^x$ to simulate the heightened mutation intensity with increasing $\alpha$; employing ${\beta }^x$ to model the decay of stimuli over time; and utilizing ${\theta }^x$ to simulate the inherent properties of the baseline intensity in the Hawkes process. For HP-LSTM hted-chm, we additionally introduced a learnable parameter D to enhance the expressiveness of the neural network. While for HP-LSTM ht-chm, we modified the Hawkes parameter $\beta$ treated with an exponential function to linear processing, aiming to investigate whether exponential operations can better reproduce the dynamics described by the Hawkes process, thus benefiting the model learning. Finally, for HP-LSTM hte-chp, we changed the influence of the Hawkes coefficients on the cell state of the HP-LSTM, replacing the multiplication relationship with an addition relationship to explore its impact on neural network learning. Moreover, it is worth mentioning that in Section 4.3, we partition network traffic data into multiple windows, each representing data within a specific time interval. We stipulate that each window comprises 128 packets from different IP addresses. In the training process, the Hawkes parameters contained in the Hawkes coefficients corresponding to each packet (denoted as $X_t$) within the window represent the parameters of the Hawkes process for the source IP address of that packet.

Additionally, we introduce an RSAB (residual attention block), a neural network module designed for processing sequential data. The essence of the RSAB lies in its utilization of the self-attention mechanism, enabling the model to concurrently consider the correlations among each element within the input sequence. Through this mechanism, the RSAB can effectively capture global information in sequential data, thus enhancing the model’s representation and generalization capabilities. Within our model, the RSAB dynamically weights input features, effectively highlighting the unique patterns exhibited by DDoS attacks within vast network data flows, thereby facilitating subsequent layers of the model to more accurately identify and classify them, thus improving the model’s detection performance.

The equation of the RSAB is based on the self-attention mechanism, typically using the Scaled Dot Product Attention mechanism to compute attention weights [41,42]. Specifically, the equation of the RSAB is as follows:

$$\mathrm{Attention}(Q,K,V)=\mathrm{softmax}\left(\frac{Q{K}^T}{\sqrt{d_k}}\right)V$$

(17)

where Q, K, and V represent the query, key, and value vectors, respectively, obtained through a linear transformation of the input sequence. $d_k$ denotes the dimensionality of the query and key vectors, typically the length of the vectors. $\frac{Q{K}^T}{\sqrt{d_k}}$ denotes the dot product of the query and key vectors, divided by the scaling factor $\sqrt{d_k}$. This step is intended to scale the attention scores to improve the stability of the model. The softmax function is used to convert the scaled attention scores into weights, representing the importance of each position.

After passing through the RSAB and a multiple perceptron, the final output of each model is the probability of the window being in either a normal state or a DDoS-attack state.

5. Experiments

5.1. Experimental Preparation

5.1.1. Dataset

The text describes the utilization of a mature SOME/IP generator [43], which has been widely applied in network attack detection [3,12,44]. This generator simulates the behavior of multiple clients (ECUs) and servers (ECUs), as well as various attacks by attackers.

A series of typical SOME/IP communication data is generated as normal data using the SOME/IP generator. The generated data are then processed through a data segmentation module, dividing the continuous data stream into different blocks. Subsequently, after data segmentation, the data are shuffled randomly, and simulated DDoS attacks are introduced. Each block is further subdivided into multiple windows of equal length (size 128), which are then assigned to corresponding storage buckets based on the categories of classification tasks. This process results in the formation of two storage buckets, each containing diversified windows, all having undergone the same attack simulation.

Table 3. Simulation data.

Time	src	dst	met	len	cl	se	pro	in	Message_Type	Err_Code
$t_1$	10.1.0.8	10.0.0.2	1	8	8	1	1	1	REQUEST	E_OK
$t_2$	10.1.0.5	10.0.0.1	273	14	5	1	1	1	REQUEST	E_OK
$t_3$	10.1.0.2	10.0.0.2	1	13	2	1	1	1	REQUEST	E_OK
$t_4$	10.1.0.1	10.0.0.1	273	25	1	1	1	1	REQUEST	E_OK
$t_5$	10.0.0.1	10.1.0.5	273	26	5	1	1	1	RESPONSE	E_OK
$t_6$	10.1.0.3	10.0.0.2	1	24	3	1	1	1	REQUEST	E_OK
$t_7$	10.1.0.8	10.0.0.2	1	22	8	2	1	1	REQUEST	E_OK
$t_8$	10.0.0.2	10.1.0.2	1	25	2	1	1	1	ERROR	E_NOT_READAY
$t_9$	10.1.0.5	10.0.0.1	273	18	5	2	1	1	REQUEST	E_OK
$t_{10}$	10.1.0.5	10.0.0.2	2	25	5	3	1	1	NOTIFICATION	E_OK
$t_{11}$	10.0.0.2	10.1.0.3	1	8	3	1	1	1	RESONSE	E_OK
$t_{12}$	10.1.0.7	10.0.0.7	2	16	7	2	1	1	RESPONSE	E_OK

src: Source addresses; dst: Destination addresses; met: Method; len: Length; cl: Client; se: Session; pro: Protocol; in: Interface.

presents the experimental data generated using the SOME/IP generator, where “time” represents timestamps, “src” and “dst”, respectively, represent source and destination addresses, and the subsequent field meanings are consistent with those indicated in Section 3.1.1. The numerical values in the “Client”, “Session”, “Protocol”, and “Interface” fields are used to distinguish communication entities and attributes.

Table 4. Sizes of datasets.

Class	Training Dataset	Test Dataset
Normal	7832*128	1958*128
Dos attack	7832*128	1958*128
Total	15,664*128	3916*128

shows the specific scale of our dataset. We generated a total of 19,580 windows with a size of 128 using the SOME/IP generator. After a series of preprocessing, the window data in each bucket are randomized and split into training and testing sets in a ratio of 8:2. Upon the completion of training, the model’s weights remain static, and no portion of the validation set is utilized for fine-tuning, thus ensuring the absolute reliability of the model’s inference outcomes.

5.1.2. Experimental Environment

Table 5. Inference equipment set.

CPU	System	Ubuntu 22.04
	Architecture	x86_64
	CPU op-mode(s)	32-bit, 64-bit
	Address sizes	48 bits physical, 48 bits virtual
	Byte Order	Little Endian
	CPU(s)	12
	Online CPU(s) list	0–11
	Vendor ID	AuthenticAMD
	Model name	AMD Ryzen 5 4600H with Radeon Graphics
	CPU family	23 Radeon
	Model	96
	Thread(s)per core	2
	Core()per socket	6
	Socket(s)	1
	Stepping	1
	CPUmax MHz	3000
	CPUmin MHz	1400
GPU	Model	GeForce RTX3090
	Memory	24,576 MiB

shows the experimental platform for testing our proposed method. The models were trained and inferred with the following equipment: Ubuntu 22.04, Intel(R)Xeon(R) Silver 4210 CPU @ 2.20 GHz, GeForce RTX3090 (Nvidia: Santa Clara, CA, United States). During the inference process, each window is linearly fed into the model (with a batch size of 1). To ensure the precision of our inference time statistics, we linearly inferred 1000 windowed data points, followed by calculating the mean value of these measurements.

5.1.3. Evaluation Metrics

The receiver operating characteristic (ROC) curve, which illustrates the relationship between the false positive rate and true positive rate across various thresholds, serves as a pivotal metric for assessing model performance within neural networks. A ROC curve positioned closer to the upper left corner signifies superior performance. Furthermore, in scenarios where ROC curves intersect, the area under the curve (AUC) value assumes significance in further appraising model performance. The AUC quantifies the area beneath the ROC curve on its right side [45]. Apart from the aforementioned metrics, additional considerations for evaluating model performance include the following:

• Accuracy: Accuracy refers to the proportion of correctly predicted samples to the total number of samples. It is one of the most intuitive performance metrics, calculated as follows:

  $$\mathrm{Accuracy}=\frac{\mathrm{TP}+\mathrm{TN}}{\mathrm{TP}+\mathrm{TN}+\mathrm{FP}+\mathrm{FN}}$$

  (18)

  where TP represents true positives (the number of samples correctly predicted as positive), TN represents true negatives (the number of samples correctly predicted as negative), FP represents false positives (the number of samples incorrectly predicted as positive), and FN represents false negatives (the number of samples incorrectly predicted as negative).
• Precision: Precision refers to the proportion of true positive samples among the samples predicted as positive. It measures the accuracy of the model in predicting positive samples, calculated as follows:

  $$\mathrm{Precision}=\frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FP}}$$

  (19)
• Recall: Recall refers to the proportion of true positive samples among the actual positive samples. It measures the model’s ability to identify positive samples, calculated as follows:

  $$\mathrm{Recall}=\frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FN}}$$

  (20)
• F1 Score: The F1 score is the harmonic mean of precision and recall, synthesizing the model’s accuracy and recall. It is calculated as follows:

  $$\mathrm{F}1\text{-}\mathrm{score}=\frac{2\times \mathrm{Precision}\times \mathrm{Recall}}{\mathrm{Precision}+\mathrm{Recall}}$$

  (21)

5.2. Experimental Results

5.2.1. Performance in Training

In Figure 6, we illustrate the comparative training processes of four HP-LSTM models, based on Equations (13)–(16), against the original LSTM model, based on Equation (12), on our DDoS attack dataset. It is imperative to first emphasize that each training session maintained identical parameters with fixed random seeds, as detailed in

Table 6. Training parameters.

Training Parameters	Value
batch size	128
epochs	200
learning rate	$5\times {10}^{-4}$
weight decay	$5\times {10}^{-4}$
random seed of torch	0
random seed of numpy	0

.

From the results, it can be observed that, post the 100-epoch mark, the HP-LSTM consistently identifies the patterns of DDoS attacks effectively, ultimately achieving a similar or even superior training accuracy compared to an LSTM model. However, a closer look at the training details reveals that each HP-LSTM variant possesses unique characteristics due to its structural features, which influence the training process positively or negatively.

Figure 6a showcases the training process comparison between HP-LSTM, based on Equation (13), and the original LSTM, where the deep blue and orange lines, respectively, represent the validation accuracy and training loss of the HP-LSTM and LSTM models. It is evident that the HP-LSTM, by judiciously utilizing the Hawkes parameters of various ECUs within the message flow data, accelerates model convergence. Notably, around the 50-epoch mark, the HP-LSTM exhibits a convergence acceleration phenomenon absent in the LSTM. This phenomenon is also observable in other HP-LSTM variants, offering substantial evidence that Hawkes parameters indeed contribute to the feature extraction from the message flow window.

Figure 6b contrasts the HP-LSTM models based on Equations (13) and (14). It can be noted that although Equation (14) introduces an additional bias term D to compute the Hawkes coefficients, ostensibly to enhance the neural network’s expressive power, the actual training process is nearly identical to that without the bias term D (as can be clearly seen by the substantial overlap of the dark and light lines). Therefore, it can be inferred that the bias D in Equation (14) has a negligible positive effect. Under equivalent conditions, the HP-LSTM described by Equation (13) is capable of operating with reduced computational power and memory consumption.

Figure 6c,d display two other HP-LSTM variants, based on Equations (15) and (16), respectively. Specifically, the “HP-LSTM ht-chm” model based on Equation (15) eliminates the exponential operation over $\beta T_{span}$ in the computation of Hawkes coefficients; the “HP-LSTM hte-chp” model based on Equation (16) opts for addition instead of multiplication when applying Hawkes coefficients to process cell values. The experimental results indicate that both of these modifications negatively affect model convergence in the initial stages of training, and only after a number of epochs does the model gradually learn the characteristics in the data. We believe that this is primarily due to the following two reasons:

• In the original Hawkes process, the $\beta$ parameter represents the intensity of stimulus decay over time and is treated with an exponential function. When simulating this process within a deep learning model, the exponential operation can appropriately reproduce the dynamics originally depicted by the Hawkes process, thus benefiting the model’s learning; conversely, removing it disrupts the stimulus pattern as depicted by the Hawkes process.
• Our proposed computation of the next moment’s cell values with Hawkes coefficients, when using multiplication, can constrain both the output of the forget gate and input gate, which aligns more closely with the initial design purpose of Hawkes coefficients. Addition, having a weaker constraining capability than multiplication, actually increases the learning burden on the model.

5.2.2. Model Evaluation

The bar chart in Figure 7 provides a comprehensive evaluation of the original LSTM and four variants of the HP-LSTM. We evaluated the performances of the five models based on four metrics: accuracy, precision, recall, and F1 score. Through Figure 7, it is visually evident that the HP-LSTM demonstrates superior capabilities compared to the other models. This is attributed to several factors. Firstly, the parameter $\beta$ in the Hawkes coefficient undergoes exponential operations, enabling a more accurate depiction of the dynamics described by the Hawkes process, thereby facilitating model learning. Secondly, when there is a multiplicative relationship between the Hawkes coefficient and the cell state of HP-LSTM, it better constrains the outputs of the forget gate and input gate, allowing the excitatory and decay characteristics of the Hawkes process to more effectively assist the neural network in learning patterns within the message window.

Table 7. Comprehensive evaluation of our models.

Class	Accuracy	Precision	Recall	F1-Score
HP-LSTM	0.993	0.993	0.993	0.993
LSTM	0.985	0.985	0.985	0.985
HP-LSTM hted-chm	0.992	0.992	0.992	0.992
HP-LSTM ht-chm	0.986	0.986	0.986	0.986
HP-LSTM hte-chp	0.990	0.990	0.990	0.990

elucidates the performances of the five models under study. The table is structured to highlight the highest metric values for each category using bold typeface. Although, numerically, the differences among the five models are minimal, the performances of the four variants of the HP-LSTM are generally superior to that of the LSTM, with the HP-LSTM model exhibiting the most pronounced superiority.

Figure 8 presents the confusion matrices of the five models. The analysis of these matrices revealed that all five models demonstrated high detection rates and low false positive rates. This occurrence primarily stems from the fact that all models are based on the HP-LSTM (or the original LSTM), which inherently possesses the capability to effectively capture and analyze the temporal dynamics inherent in DDoS attacks. The results indicate that all five models exhibit strong feature extraction capabilities in terms of time, with HP-LSTM and HP-LSTM hted-chm demonstrating superior performances in terms of detection rate.

Figure 9 shows the ROC curves and AUC values for the original LSTM and four variants of the HP-LSTM. It can be observed that the AUC values of all models reached 1. This indicates that all models are capable of perfectly distinguishing between positive and negative samples at all possible thresholds, suggesting their excellent performance. In fact, as illustrated in Table 7, the detection accuracy of the five models fluctuate around 0.99, demonstrating their outstanding ability to detect DDoS attacks.

Table 8. HP-LSTM’s time cost and params.

Model	Params	Params Size (MB)	Input Size (MB)	Time Cost (s)
HP-LSTM	2441351	9.75	0.01	0.000022
LSTM	2415239	9.66	0.01	0.000019
HP-LSTM hted-chm	2441863	9.76	0.01	0.000023
HP-LSTM ht-chm	2441351	9.75	0.01	0.000020
HP-LSTM hte-chp	2441351	9.75	0.01	0.000021

compares parameters and time costs among the LSTM and four variants of the HP-LSTM. It can be observed that due to the introduction of parameters from the Hawkes process, the HP-LSTM variants generally have more parameters and time costs compared to the traditional LSTM. Moreover, HP-LSTM hted-chm has more parameters and a slower detection speed than the other variants due to the introduction of an additional bias term D. In fact, all models are capable of meeting the traffic and real-time requirements defined in IEEE 802.1DG [14] (<1 ms), demonstrating the ability of the HP-LSTM to achieve real-time detection in practical vehicular environments.

6. Discussion

6.1. Application

Through extensive experimentation comparing four variations of the HP-LSTM structure with the LSTM, we identified the optimal HP-LSTM structure. Our experimental evaluations demonstrate the superiority of the proposed HP-LSTM model in detecting DDoS attacks based on Ethernet SOME/IP, compared to other detection models. The HP-LSTM model exhibited greater precision in capturing attacker behavior characteristics and more accurately detecting DDoS attacks. Additionally, we further validated the feasibility of the Hawkes process in detecting attacks in vehicular networks, filling a research gap in DDoS attacks targeting the SOME/IP.

We can integrate HP-LSTM as middleware into automotive communication networks to achieve the real-time monitoring of SOME/IP network activities. This middleware can operate in both local and cloud-connected modes. In a local environment, the middleware can be embedded directly into the vehicle system, ensuring the real-time monitoring and attack detection of the in-vehicle network while safeguarding the vehicle system’s security. In contrast, the cloud-connected mode allows the middleware to connect to cloud services, enabling the remote monitoring and management of vehicle network data. Local deployment maximizes real-time functionality, while cloud connectivity allows the middleware to receive updated model parameters and security policies from the cloud to address evolving security threats. Although detection time may be affected by factors such as model learning and cloud transmission speed.

The primary focus of this study was on addressing DDoS attacks on the novel in-vehicle Ethernet protocol, SOME/IP. Considering the complex vehicular communication environment and diverse attack methods, our future work will explore and experiment with various common and severe network attacks, including man-in-the-middle attacks, and assess the feasibility of applying the model to traditional in-vehicle communication protocols such as CAN and LIN.

6.2. Limitations

• Dataset generation: We utilized a mature SOME/IP generator to produce simulated datasets for experimentation. Due to SOME/IP being proposed by BMW and not widely deployed, researches regarding SOME/IP mostly rely on simulated data. Currently, there is a lack of open-source datasets, with most resources only providing generators or simulators. This leads to a lack of comparisons with benchmark datasets.
• Single attack: In real-world attack scenarios, attackers often employ more complex methods to achieve their objectives. Our detection model, targeting a single type of attack (DDoS), has its limitations. We intend to extend our model to cover a broader range of attacks in future research.
• Single-communication protocol: To achieve various functions, connected and autonomous vehicles often employ different communication protocols, such as CAN, MOST, FlexRay, LIN, Ethernet, etc. Attackers typically execute attacks involving multiple in-vehicle communication protocols within a comprehensive attack chain. Therefore, our focus on a single communication protocol, SOME/IP, may result in our model failing to capture anomalies that could be reflected in data from other communication protocols.
• Potential pitfalls: Due to limitations in available datasets, obtaining actual communication data from in-vehicle networks proved challenging. We needed to use a generator to produce simulated data for all our experiments. We employed a mature generator to simulate real attack scenarios to the best of our ability. On the other hand, the datasets utilized by researchers, including our own, were generated using open-source tools like the SOME/IP generator, potentially leading to sampling bias [46].

7. Conclusions

In this paper, we propose HP-LSTM, a novel detection method based on the Hawkes process and LSTM, to detect DDoS attacks on the SOME/IP. Extensive experiments and analyses on datasets produced by the SOME/IP generator substantiated that the proposed HP-LSTM variants surpass the original LSTM model in detection accuracy, thereby evidencing enhanced performance. Among the four structural variants of HP-LSTM, the HP-LSTM model exhibited a faster convergence speed and lower memory consumption, while achieving a detection accuracy of 0.993, surpassing other structures. Additionally, the Hawkes process possesses the capability to capture the temporal logic features of attackers, which can better assist neural networks in learning. Building upon our research on DDoS attacks, we intend to expand the scope to include attacks such as DoS attacks and man-in-the-middle attacks, with the aim of applying them to a wider range of attack detection scenarios, thus fostering the development of more comprehensive defense measures, supporting the establishment of robust security architectures, and improving the security of in-vehicle networks.