| | --- |
| | license: cc-by-nc-nd-4.0 |
| | language: |
| | - en |
| | - de |
| | tags: |
| | - automotive |
| | - IDS |
| | - CAN |
| | - CANIDS |
| | - AutomotiveSecurity |
| | - Cybersecurity |
| | --- |
| | |
| | # CANDefender – Fuzzy Attack Detection Model |
| |
|
| | **Model Summary** |
| | This model detects **Fuzzy attacks** on the CAN bus. It was trained on **4.73 million** real CAN frames, including normal data and Fuzzy-labeled data. The model uses an LSTM architecture that processes the CAN ID and 8-byte payload to classify each frame as either “Fuzzy” or “Normal.” |
| |
|
| | --- |
| |
|
| | ## Performance |
| |
|
| | **Test Accuracy**: ~94.09% |
| | **Confusion Matrix** (Fuzzy vs. Normal): |
| |
|
| | | True \ Pred | Fuzzy (pred) | Normal (pred) | |
| | |:-----------:|:-------------:|:-------------:| |
| | | **Fuzzy** | 3,737,645 | 13,379 | |
| | | **Normal** | 266,808 | 722,063 | |
| |
|
| | - **Recall (Fuzzy)**: ~99.6% (very few Fuzzy frames missed) |
| | - **Recall (Normal)**: ~73% (about 27% false positives on Normal) |
| |
|
| | --- |
| |
|
| | ## Intended Use |
| |
|
| | - **Goal**: Real-time detection of **Fuzzy attacks** on the CAN bus. |
| | - **Limitations**: |
| | - Focused on Fuzzy vs. Normal classification only (other attacks handled in separate models). |
| | - Tends to misclassify ~27% of normal frames as Fuzzy (relatively high false alarms). |
| |
|
| | --- |
| |
|
| | ## How to Use |
| |
|
| | ```python |
| | import torch |
| | import numpy as np |
| | from can_defender_fuzzy import CANLSTM # Adjust import name |
| | |
| | # Example frame => [CAN_ID, b0..b7] |
| | frame = [0x315, 0x12, 0x4F, 0xA2, 0x00, 0x00, 0x78, 0x1C, 0xAA] |
| | |
| | x_np = np.array(frame, dtype=np.float32).reshape(1,1,9) |
| | |
| | model = CANLSTM(input_dim=9, hidden_dim=64, num_classes=2) |
| | model.load_state_dict(torch.load("can_lstm_model_final.pt")) |
| | model.eval() |
| | |
| | with torch.no_grad(): |
| | logits = model(torch.from_numpy(x_np)) |
| | pred = torch.argmax(logits, dim=1).item() |
| | print("Prediction:", "Fuzzy" if pred == 0 else "Normal") |
| | ``` |
| |
|
| | ## Training Configuration |
| | - Architecture: LSTM (64 hidden units), final linear layer → 2 classes (Fuzzy vs. Normal) |
| | - Optimizer: Adam (lr=1e-3) |
| | - Epochs: ~30 (stopped once performance stabilized) |
| | - Dataset: 4.73 million CAN frames |
| | ## Limitations & Next Steps |
| | - False Positives: ~27% of normal frames get labeled as Fuzzy. Acceptable for high-sensitivity scenarios, but can be improved (weighted loss, time-window approach, etc.). |
| | - Scope: Only focuses on Fuzzy detection. Other attacks (DoS, Gear, RPM) are separate. |
| | # Potential Enhancements: |
| | - Weighted training or additional features (delta-time, frequency) |
| | - Window-based LSTM or transformers for sequence data |
| |
|
| | ## License & Contact |
| | - License: cc-by-nc-nd-4.0 |
| | - Author: Keyvan Hardani |
| | - Contact: https://www.linkedin.com/in/keyvanhardani/ |
