|
|
--- |
|
|
license: cc-by-nc-nd-4.0 |
|
|
language: |
|
|
- en |
|
|
- de |
|
|
tags: |
|
|
- automotive |
|
|
- IDS |
|
|
- CAN |
|
|
- CANIDS |
|
|
- AutomotiveSecurity |
|
|
- Cybersecurity |
|
|
--- |
|
|
|
|
|
# CANDefender – Fuzzy Attack Detection Model |
|
|
|
|
|
**Model Summary** |
|
|
This model detects **Fuzzy attacks** on the CAN bus. It was trained on **4.73 million** real CAN frames, including normal data and Fuzzy-labeled data. The model uses an LSTM architecture that processes the CAN ID and 8-byte payload to classify each frame as either “Fuzzy” or “Normal.” |
|
|
|
|
|
--- |
|
|
|
|
|
## Performance |
|
|
|
|
|
**Test Accuracy**: ~94.09% |
|
|
**Confusion Matrix** (Fuzzy vs. Normal): |
|
|
|
|
|
| True \ Pred | Fuzzy (pred) | Normal (pred) | |
|
|
|:-----------:|:-------------:|:-------------:| |
|
|
| **Fuzzy** | 3,737,645 | 13,379 | |
|
|
| **Normal** | 266,808 | 722,063 | |
|
|
|
|
|
- **Recall (Fuzzy)**: ~99.6% (very few Fuzzy frames missed) |
|
|
- **Recall (Normal)**: ~73% (about 27% false positives on Normal) |
|
|
|
|
|
--- |
|
|
|
|
|
## Intended Use |
|
|
|
|
|
- **Goal**: Real-time detection of **Fuzzy attacks** on the CAN bus. |
|
|
- **Limitations**: |
|
|
- Focused on Fuzzy vs. Normal classification only (other attacks handled in separate models). |
|
|
- Tends to misclassify ~27% of normal frames as Fuzzy (relatively high false alarms). |
|
|
|
|
|
--- |
|
|
|
|
|
## How to Use |
|
|
|
|
|
```python |
|
|
import torch |
|
|
import numpy as np |
|
|
from can_defender_fuzzy import CANLSTM # Adjust import name |
|
|
|
|
|
# Example frame => [CAN_ID, b0..b7] |
|
|
frame = [0x315, 0x12, 0x4F, 0xA2, 0x00, 0x00, 0x78, 0x1C, 0xAA] |
|
|
|
|
|
x_np = np.array(frame, dtype=np.float32).reshape(1,1,9) |
|
|
|
|
|
model = CANLSTM(input_dim=9, hidden_dim=64, num_classes=2) |
|
|
model.load_state_dict(torch.load("can_lstm_model_final.pt")) |
|
|
model.eval() |
|
|
|
|
|
with torch.no_grad(): |
|
|
logits = model(torch.from_numpy(x_np)) |
|
|
pred = torch.argmax(logits, dim=1).item() |
|
|
print("Prediction:", "Fuzzy" if pred == 0 else "Normal") |
|
|
``` |
|
|
|
|
|
## Training Configuration |
|
|
- Architecture: LSTM (64 hidden units), final linear layer → 2 classes (Fuzzy vs. Normal) |
|
|
- Optimizer: Adam (lr=1e-3) |
|
|
- Epochs: ~30 (stopped once performance stabilized) |
|
|
- Dataset: 4.73 million CAN frames |
|
|
## Limitations & Next Steps |
|
|
- False Positives: ~27% of normal frames get labeled as Fuzzy. Acceptable for high-sensitivity scenarios, but can be improved (weighted loss, time-window approach, etc.). |
|
|
- Scope: Only focuses on Fuzzy detection. Other attacks (DoS, Gear, RPM) are separate. |
|
|
# Potential Enhancements: |
|
|
- Weighted training or additional features (delta-time, frequency) |
|
|
- Window-based LSTM or transformers for sequence data |
|
|
|
|
|
## License & Contact |
|
|
- License: cc-by-nc-nd-4.0 |
|
|
- Author: Keyvan Hardani |
|
|
- Contact: https://www.linkedin.com/in/keyvanhardani/ |
