IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO.

24, 15 DECEMBER 2023 22111

CANShield: Deep-Learning-Based Intrusion

Detection Framework for Controller
Area Networks at the Signal Level
Md Hasan Shahriar , Student Member, IEEE, Yang Xiao , Member, IEEE,
Pablo Moriano , Senior Member, IEEE, Wenjing Lou , Fellow, IEEE,
and Y. Thomas Hou , Fellow, IEEE

Abstract—Modern vehicles rely on a fleet of electronic con- I. I NTRODUCTION

trol units (ECUs) connected through controller area network
ODERN vehicles are becoming increasingly comput-
(CAN) buses for critical vehicular control. With the expansion of
advanced connectivity features in automobiles and the elevated
risks of internal system exposure, the CAN bus is increasingly
M erized to ensure driver’s safety and convenience. The
fusion of multimodal data from different types of sen-
prone to intrusions and injection attacks. As ordinary injection sors enables vehicles to recognize the driving context and
attacks disrupt the typical timing properties of the CAN data make crucial decisions. The majority of the vehicles’ crit-
stream, rule-based intrusion detection systems (IDS) can easily
detect them. However, advanced attackers can inject false data ical functionalities, including acceleration, braking, steer-
to the signal/semantic level, while looking innocuous by the pat- ing, engine control, etc., involve dedicated microcontroller
tern/frequency of the CAN messages. The rule-based IDS, as modules, known as electronic control units (ECUs), which
well as the anomaly-based IDS, are built merely on the sequence are connected by one or more automotive communication
of CAN messages IDs or just the binary payload data and are
less effective in detecting such attacks. Therefore, to detect such
buses running standardized protocols. Controller area network
intelligent attacks, we propose CANShield, a deep learning-based (CAN), also known as the CAN bus protocol, is the de
signal-level intrusion detection framework for the CAN bus. facto automobile communication standard for safety-critical
CANShield consists of three modules: 1) a data preprocessing ECUs [1]. More recently, CAN bus enables vehicles to imple-
module that handles the high-dimensional CAN data stream at ment advanced driver assistance systems (ADAS), one of the
the signal level and parses them into time series suitable for a
deep learning model; 2) a data analyzer module consisting of fastest-growing applications in the automotive sector, pro-
multiple deep autoencoder (AE) networks, each analyzing the viding enhanced passenger experience and safety. Moreover,
time-series data from a different temporal scale and granularity; advancements in wireless communication technology (e.g., 5G
and 3) finally an attack detection module that uses an ensem- and V2X) have enabled the interface to connect with the
ble method to make the final decision. Evaluation results on two
internal ECUs from the outside network to conduct diagnostics
high-fidelity signal-based CAN attack data sets show the high
accuracy and responsiveness of CANShield in detecting advanced or update firmware over-the-air (FOTA) remotely, rather than
intrusion attacks. visiting a service facility [2]. Infotainment features, such as
Index Terms—Controller area networks (CANs), deep learning, Bluetooth, Wi-Fi, and other smart interfaces, are also becom-
ensemble method, intrusion detection systems (IDS). ing prevalent in automobiles to add more convenience to the
passengers [1]. Besides, the integration of Internet of Things
(IoT) technology in the automotive industry, also known as
Automotive IoT presents huge opportunities [3], such as opti-
Manuscript received 9 May 2023; revised 1 July 2023; accepted mizing the vehicles’ performance, improving transportation
26 July 2023. Date of publication 8 August 2023; date of current version management, and enhancing vehicle safety through predictive
7 December 2023. This work was supported in part by the U.S. National
Science Foundation (NSF) under Grant CNS-1837519 and Grant CNS- maintenance, AI-powered driving assistance, connectivity, etc.
2235232; in part by the Virginia Commonwealth Cyber Initiative (CCI); and The increased connectivity of modern vehicles as well
in part by the Laboratory Directed Research and Development Program of as Automotive IoT technologies nonetheless increases the
Oak Ridge National Laboratory (ORNL), managed by UT-Battelle, LLC, for
the U.S. Department of Energy. (Corresponding author: Md Hasan Shahriar.) susceptibility of vehicular systems to remote attacks and mes-
Md Hasan Shahriar and Wenjing Lou are with the Department of Computer sage injections. The ability to hijack an ECU and inject
Science, Virginia Polytechnic Institute and State University, Blacksburg, VA stealthy messages into the vehicles’ internal communica-
24061 USA (e-mail: hshahriar@[Link]; wjlou@[Link]).
Yang Xiao is with the Department of Computer Science, University of tion systems allows attackers to circumvent a wide array of
Kentucky, Lexington, KY 40506 USA (e-mail: xiaoy@[Link]). safety-critical systems and control a wide range of vehicu-
Pablo Moriano is with the Computer Science and Mathematics Division,
Oak Ridge National Laboratory, Oak Ridge, TN 37930 USA (e-mail:
lar functions. Researchers discovered several remote access
moriano@[Link]). points on connected vehicles and demonstrated that attackers
Y. Thomas Hou is with the Bradley Department of Electrical and Computer could remotely exploit them to take control of the vehi-
Engineering, Virginia Polytechnic Institute and State University, Blacksburg,
VA 24061 USA (e-mail: thou@[Link]).
cles, including disabling the brakes, braking individual wheels,
Digital Object Identifier 10.1109/JIOT.2023.3303271 stopping the engine, and so on [4], [5]. For instance, Miller [6]

c 2023 The Authors. This work is licensed under a Creative Commons Attribution 4.0 License.
For more information, see [Link]
22112 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 24, 15 DECEMBER 2023

remotely compromised a Jeep and transmitted malicious CAN The second category of CAN IDS analyzes anomalies in
messages, which led to the vehicle malfunctioning on the high- the CAN data frame. The message IDs and the binary pay-
way. Later, Chrysler recalled 1.4 million vehicles that can be loads are the main sources of data utilized in such IDSs [24].
remotely hacked over the Internet [7]. Despite the notable advancement in anomaly-based CAN IDS
Despite the CAN protocol’s widespread implementation and research in recent years, it is still significantly hampered by
high reliability, it remains vulnerable to intruders due to the several factors [25]. First, CAN message in light-duty vehi-
absence of basic security mechanisms as they introduce delays cles are obfuscated by the original equipment manufacturers
in message transmission or increase bus traffic [8]. Although (OEMs) for security and privacy reasons. Different vehicle
there are a few works on implementing message authentication models encode their signals using different semantic rules,
code (MAC) on the CAN bus to authenticate the sender ECU even under the same OEM. Furthermore, in passenger vehicles,
and prevent different attacks, they are costly and only achieve a single payload usually contains several signals, even encoded
limited cryptographic strength [9], [10]. Moreover, it is diffi- in different formats, along with some unused bits [26]. Due to
cult to insert the MAC along with the CAN message because this semantic gap, the anomaly-based IDSs built directly on
of the limited payload length. As a result, only the plaintext such obfuscated complex binary CAN payloads tend to suffer
message is broadcast over the CAN bus. Hence, CAN proto- high false-positive rates and lack of explainability.
col does not include a way to verify where the message comes Besides, any machine learning (ML)-based IDS running on
from or its integrity [8]. Due to this security deficiency, vehi- raw payload data will have challenges if needing to scale with
cles using the CAN protocol remains insecure, and attackers the CAN FD (flexible data-rate) technology where the payload
could, for instance, instigate sudden braking, or accelera- field can be 512 bits long (instead of 64 bits) [27].
tion, rendering the lives of passengers and pedestrians at On the other hand, the conversion of high-dimensional
risk [6]. binary payload data to decimal signals has several bene-
In response, an intrusion detection system (IDS) is usu- fits [25]. First, it reduces the dimensionality of the data as
ally regarded as the second (and most practical) line of many bits are combined into a single physically meaningful
defense, given that an attacker can hack into the vehi- number. Further, it reduces the inherent noise of the binary
cle’s internal communication. In general, there are two types bits, which may seem patternless cryptic fluctuations in the
of vehicular IDSs—signature-based [11], [12] and anomaly- raw data but becomes meaningful if appropriately decoded.
based [13], [14]. A signature-based IDS typically formulates Therefore, to achieve a more robust and semantically con-
detection rules based on the system’s normal behavior and cise defense against CAN intrusions, it is imperative to design
known attacks. Any violations of these rules are regarded IDS schemes at the signal level, instead of only focusing
as anomalies. In CAN bus, these rules can be based on the on the temporal/ID patterns and binary payload. Meanwhile,
frequency of the messages, sequence of message IDs, inter- there are very few concrete proposals for the signal-level CAN
frame time differences, signal values, etc. High-dimensional IDS [15], [28], [29], [30]. Most of these considered individ-
CAN data flow, such as broadcasting different signals/IDs ual deep learning models per CAN ID to track the associated
at different frequencies, makes it difficult for the models to time-series signals, making them impractical for modern vehi-
extract the effective rules [15]. Moreover, due to the limita- cles with many CAN IDs. Moreover, as these IDSs have
tions in the rules, these IDSs tend to show a high false-negative attack-specific designs, they lack a comprehensive detection
rate in detecting advanced attacks and, thus, require frequent performance against diverse types of attacks.
updates of the known-attack database as they are only effec- Thus, in this article, we propose a deep learning-based
tive against known attack footprints [14]. Moreover, a clever intrusion detection framework, CANShield, which can handle
attacker can even keep the sequences of the malicious CAN high-dimensional vehicular CAN bus data at the signal level
message benign by turning off the actual ECU through a and detect advanced and stealthy attacks, including fabrication,
well-known bus-off attack [16], [17] and sending crafted mes- suspension, and masquerading attacks with high accuracy and
sages simultaneously on behalf of the victim ECU. Although responsiveness. This framework working at the signal level
a few of the works on ECU fingerprinting [18], [19] pro- also adds transparency to the detection process.
vided potential ways to verify the source of the CAN message We make the following contributions to this article.
by analyzing the physical-layer attributes of the ECU and 1) We propose a deep learning-based intrusion detection
detecting such impersonation attacks, the assumption of the framework, CANShield, to detect advanced and stealthy
uniqueness of such physical properties is proven invalid by attacks from signal-level CAN data. It features a data
a recent study [20]. Moreover, an attacker can also remotely processing technique (pipeline) for the high-dimensional
manipulate CAN messages at the data link layer, bypassing the CAN signal stream by creating a temporary data queue
protocol’s rules and enabling stealthy link-layer attacks [21]. and using the forward-filling mechanism to fill the miss-
Some attacks are even possible due to the limitations in the ing data. This pipeline prepares the data stream suitable
physical layer [22], such as different sample-point settings of for the training and testing in the ML-based IDS.
ECUs [23]. Therefore, only analyzing the sequence of the 2) To make the detection effective on multidimensional
CAN messages is not sufficient for the IDS. Rather, the only time-series data of different temporal scales, we convert
effective way to detect advanced masquerade attacks, includ- the 2-D data queues to multiple images and consider the
ing injection attacks, is to analyze the payload of the messages detection as a computer vision-like problem. We con-
and check for abnormalities within their contents. sider multiple convolution neural network (CNN)-based
SHAHRIAR et al.: CANShield: DEEP-LEARNING-BASED INTRUSION DETECTION FRAMEWORK 22113

be extended to 29 bits. Every ECU broadcasts its message to

the CAN bus. However, only one ECU can transmit at a time
and the rest stay synchronized to receive the data correctly. The
message arbitration mechanism detects and resolves collisions
of messages. A message with a higher priority contains a lower
binary-encoded CAN ID. When any ECU detects a higher
priority transmission during arbitration, it waits until the end
of that message, and the channel is available to use. Due to
different priorities, different CAN IDs usually appear in the
Fig. 1. (Top) CAN data frame syntax. (Bottom) An example of the decoded CAN bus at different frequencies.
signals that are encoded in the data field of four consecutive messages. Signal-Level Representation of CAN Data: The binary pay-
load can be decoded to the signal level using the specific car’s
database for CAN (DBC) file [32]. The DBC file is a pro-
autoencoder (AE) models to learn the various tempo- prietary format, which is quite challenging to get. However,
ral (short-term and long-term) and spatial (signal-wise) any reverse engineering-based CAN decoder, such as the
dependencies. Violations in either the temporal or spa- CAN-D [26], can provide an approximate DBC file. Such
tial pattern can be detected during the reconstruction decoding converts the binary payloads to real-valued signals
process. Such data preprocessing avoids the need for and gives a time-series representation. We define the time of
individual ML models per CAN ID. each signal appearance as a one-time step. Thus, there is one
3) We propose a three-step analysis of the structured CAN message at each time step, which may contain one or
reconstruction loss of CANShield’s AE models on the more associated signals along with some unused bits. The
selection of detection thresholds for the optimal accu- lower part of Fig. 1 shows some samples of signal-level rep-
racy, followed by an ensemble-based detector that boosts resentation of a few consecutive payloads. To prepare data
the overall detection performance by combining the input to an ML-based detector, a straightforward idea is to
insights from all the AEs. We also utilized transfer learn- create a structured representation of such data stream, where
ing to reduce the cost of training multiple AE and ensure the columns indicate different signals and rows show each
transferability. time step. As such a data structure contains many missing
4) We evaluate CANShield against advanced signal-level entries [15], it cannot be directly fed to the ML-based IDS
attacks using SynCAN [15] and ROAD [25] data sets models. Thus, designing an appropriate data preprocessing
and compare the results with a baseline model to show pipeline to account for the missing signal entries is one of
the improvements. The results show high effectiveness the critical challenges in building a signal-level CAN IDS, as
and responsiveness of CANShield against a wide range we will address in Section IV-B1.
of fabrication, masquerade, and suspension attacks on
the CAN bus. We also make the source code publicly
available.1 B. Autoencoder
The remainder of this article is organized as follows. We AE is an artificial neural network that can learn efficient
introduce necessary background information in Section II. codings of input data through unsupervised learning [33]. It
An overview of the proposed CANShield framework and consists of two parts: 1) an encoder that maps an input to a
the attack model is presented in Section III. The technical lower dimensional code and 2) a decoder that reconstructs the
details are shown in Section IV. We provide an experimental closest form of the input from that code. In the reconstruction
setup and implementation details in Section V. The evalua- step, encoding parameters are refined so that the decoder can
tion results are analyzed in Section VI. The related works are recover the data while retaining only the most relevant fea-
discussed in Section VII. Finally, we conclude this article in tures. Hence, a bottleneck in the middle of the network can
Section VIII. determine the estimated states of the system in a lower dimen-
sion. Let us define the function of encoder and decoder as φ
II. P RELIMINARIES and ψ that takes the input X and F, respectively, such that
A. Controller Area Network φ : X → F, ψ : F → X
Robert Bosch GmbH introduced CAN as an automotive φ, ψ = arg minX − (ψ ◦ φ)X 2 .
communication bus with the latest version (2.0) released in φ,ψ
1991 [31].
CAN Frame Format: A CAN message frame falls into four In intrusion detection applications AE plays a vital role.
types: 1) data frame; 2) remote frame; 3) error frame; and An AE network is first trained on the normal data so that it
4) overload frame, with data frame being the default mode for learns how to reconstruct with minimum loss. The fundamen-
data transmission. The top portion of Fig. 1 illustrates the data tal hypothesis of using AE is that intrusions are sufficiently
frame format of CAN. CAN data frame supports up to 8 bytes anomalous with respect to the underlying distribution of the
of payloads with 11 bits of arbitration ID (CAN ID), which can training data so that the AE will yield a high reconstruction
loss (X − (ψ ◦ φ)X ), pointing to a high probability of
1 [Link] attack.
22114 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 24, 15 DECEMBER 2023

C. Convolutional Neural Network CANShield is preloaded with the vehicle’s DBC file, either
Convolutional neural network (CNN) is a class of deep neu- from OEM or CAN-D, allowing continuous decoding of the
ral networks mostly used to analyze image data sets [34]. binary payloads, creating a data queue of multidimension time-
The network uses small kernels or filters that slide along the series signals, and tracking their changes in near real-time.
input data and map the complex relationship among the fea- As is shown in Fig. 2, CANShield contains three modules:
tures. CNNs can be considered the regularized versions of 1) the data preprocessing module that creates multiple data
multilayer perceptions and takes the advantage of the hierar- views of the same data queue of signal-level CAN data; 2) the
chical data structure. Small filters help them learn the local and data analyzing module that employs multiple CNN-based AEs
straightforward patterns first and then combine them into more for analyzing the data views and generating reconstruction
complicated patterns. Therefore, CNN is an extremely power- losses; and 3) the attack detection module that calculates
ful tool with a very low degree of connectivity and complexity. the anomaly scores and makes the final detection decision.
We build the AE networks using CNN due to the observation CANShield has two phases of operation: 1) training and
that each view is a 2-D data item, and CNN is widely proven 2) deployment. Some of the modules play additional/slightly
to work efficiently on 2-D data with minimum complexity. different roles during each of the two phases. During the train-
ing phase, the data analyzing module needs to train deep
learning models. However, as the onboard devices are typi-
D. Transfer Learning cally lightweight and not suitable for effective training of the
Transfer learning refers to reusing a model trained for one deep learning models, we consider two potential solutions for
task as the starting point for another. The pretrained deep that. CANShield can have a secure connection to the cloud
learning models are often used as starting points for new with model training capabilities or train the models on a local
models if they are learning similar feature spaces and are computer with CANShield running on that. Hence, during the
working on similar data sets. Therefore, transferring knowl- training phase, the normal CAN traces are stored on the local
edge saves time and cost during the training phase of deep memory first and then periodically sent to the cloud or local
learning [35]. Transfer learning has two basic terms: 1) domain computer for model training. As the AEs have the same tasks
and 2) task. A domain D = {X , P(X)} consists of: a feature (signal reconstruction) but work on slightly different domains
space X and a marginal probability distribution P(X), where (data views), we utilize the transfer learning technique to trans-
X = {x1 , . . . , xn } ∈ X . Given a specific domain, D, a task fer the knowledge of one AE to the next one which is working
T = {Y, f (x)} consists of two components: 1) a label space on a higher sampling period. Once all the models are ade-
Y and 2) a predictive function f : X → Y. The function f is quately trained, CANShield loads the trained models into the
used to predict the corresponding label or a representation f (x) onboard device and begins the deployment phase, which goes
of an instance x. This task is learned from the training data through the three modules in a feedforward fashion and out-
consisting of pairs {xi , yi }, where xi ∈ X and yi ∈ Y. puts the detection result in near real-time. It is noted that
Given a source domain DS and learning task TS , a target CANShield detects attacks at the data queue level rather than
domain DT and learning task TT , where DS = DT , or TS = at the message level.
TT , transfer learning aims to help improve the learning of the
target predictive function fT (·) in DT using the knowledge in
DS and TS . Out of different ways, one of the most common B. Attack Model
approaches is to initiate the weights of fT (·) using the trained We assume that the intruder can access the CAN bus through
parameters of fS (·). The idea is that the basic structure and an exposed interface, such as V2X, infotainment, ADAS
knowledge saved in the source model is a good start for the systems, OBD-II port, etc. Moreover, we also assume that the
target model; hence, initializing fT (·) with the parameters of attacker is capable of turning off any ECU [16] and/or inject-
fS (·) will reduce the initial cost. As in this work, we consider ing arbitrarily malicious messages. CANShield is designed to
the AE-based models, f (·) will have the function of an AE. protect the vehicles from the different levels of attacks in
a holistic manner. In particular, according to the attacker’s
objective, the attacks typically fall into the following three
III. S YSTEM M ODEL
categories.
A. CANShield Overview 1) Fabrication attacks, wherein a compromised ECU
The main component of CANShield is a software system injects malicious IDs and data to the CAN bus. However,
that can read a vehicle’s CAN messages in real-time. It is all the legitimate ECUs are still active and also send their
loaded either on an onboard computing device connected to the original data. This is the most prevalent and straightfor-
OBD-II Port (e.g., laptop and Raspberry Pi) or instantiated in ward type of attack that is quick and easy to launch, as
an existing ECU with a relatively powerful processor, such as the attacker does not need to hijack any ECU.
the gateway ECU. For the former case, the onboard computing 2) Suspension attacks, wherein a legitimate ECU is turned
device includes a CAN protocol stack, allowing monitoring off/incapacitated by the adversary. This attack is also
and recording of the raw CAN messages. This can be achieved called suppress attack, where the messages from the
with open-sourced implementations, such as Seeed CAN-BUS targeted ECU disappear for a while. To achieve this,
Shield [36] and SocketCAN [37] or commercial CAN data the attacker can disconnect the ECU from the in-vehicle
loggers, such as CANalyzer [38], and VehicleSpy [39], etc. network to prevent it from communicating.
SHAHRIAR et al.: CANShield: DEEP-LEARNING-BASED INTRUSION DETECTION FRAMEWORK 22115

3) Masquerade attacks are the most advanced, stealthi- enable more effective learning. To facilitate the learning of
est, and destructive attacks. This is the combination of the intersensor correlations, CANShield calculates the Pearson
fabrication and suspension attacks, where the attacker correlation matrix of the time-series signal data set [40].
silences a legitimate ECU, and spoofs it in the continu- Interpreting the correlation coefficient as the distance between
ing operation while injecting malicious messages. a pair of signals, CANShield utilizes a hierarchical agglomer-
In evaluation, we will use a well-known CAN attack data ative clustering algorithm with complete linkage method [41]
set, SynCAN [15] and an emergent realistic CAN data set, to find compact clusters of highly correlated signals. Later,
ROAD [25] covering specific forms of the above attacks to we use the sequence of clustered signals to build the 2-D
test the efficacy of CANShield. images (queue) so that learning the signal-to-signal correlation
becomes effective for the small filters of the convolutional lay-
C. Design Objectives ers. Therefore, if one signal starts reporting abnormal values,
The design objectives of the CANShield are as follows. the CNN model will easily detect anomalies by comparing
1) Detecting Advanced Attacks: The foremost objective them with the nearby highly correlated signals. More details
of CANShield is to leverage established patterns and on the implementation are in Section VI-A. Notably, the two
correlations of various ECU/signal states during nor- tasks, signal selection, and correlation-based clustering are
mal driving and design a single IDS that can detect done only once during the initialization of the training pro-
a variety of CAN message injection and manipulation cess (i.e., off-line with recorded data) and are not parts of
attacks considered in the literature to date, particularly the detection (deployment) pipeline. The following sections
those advanced stealthy attacks that existing ID- or elaborate on the three core modules of CANShield.
payload-based IDSs have shown ineffective in detecting.
2) Near Real-Time Detection With Low False Positives B. Data Preprocessing Module
(FPs): The IDS should respond to intrusions accurately,
The data preprocessing module prepares formatted 2-D
with low false-positive rates, and quickly, at the same
inputs to the AEs of the data analyzing module. It contains
order of magnitude as the CAN message intervals, to
the following two steps.
help the vehicle avoid catastrophes.
1) Creating and Maintaining Data Queue: First of all,
the data preprocessing module continuously records the CAN
IV. CANS HIELD D ETAILED D ESIGN
trace and decodes the binary payloads containing the selected
This section elaborates on CANShield’s two initializing m signals. Then, a first-in–first-out data queue Q is created
tasks and three core modules in detail. with the historical time-series signal data for the last q time
steps, where q is large enough for Q to encompass the tempo-
A. Critical Signal Selection and Clustering ral pattern of different signals. Thus, every new CAN message
As modern vehicles have hundreds of ECUs, they contain a is a new entry in Q, where the signal values only associated
lot of CAN IDs and numerous associated signals. Securing all with that incoming CAN ID are updated. For the rest sig-
of them with IDS comes with great implementation and com- nals, which are not updated by the new message, we adopt
putation costs. On the other hand, securing only a handful a forward-filling technique, whereas, at every time step, the
of important signals from the critical subsystem of the vehi- missing/unreported signals are copied from the previous time
cle, such as the power train, engine, coolant system, etc., will step. We assume that until an ECU sends a further CAN mes-
reduce complexity and render feasible solutions for real-time sage, its signals are still the same as the latest reported ones.
detection. A practical challenge arises in designing an effective Thus, as time passes, the sensor data for the last q time steps
detection pipeline with a select group of signals. Accordingly, are always stored in Q.
we consider CANShield to keep track of only m preselected 2) Creating Multiple Views: To learn the various temporal
high-priority signals. To find the shortlisted signals, we assume (short-term and long-term) patterns of different signals with
that the defender has the semantic knowledge of the signals, different reporting periods and identify abnormality, the data
at least on the critical signals to secure. To make the detection analyzing module needs to train and deploy the AE networks
more effective and robust CANShield adds additional signals on different views (short-term and long-term) of the data queue
based on the correlation coefficient, starting from the ones Q. As different CAN IDs have different reporting periods,
with the highest correlation with the critical signals. However, only the first w (<<q) messages or time steps (columns)
adding too many signals will increase the size of the input of Q may not be enough to represent the recognizable tem-
image of the AEs, leading to an expensive and ineffective poral trend for all the signals, especially for the ones with
system. Therefore, m is a design parameter and depends on longer reporting cycles. On the other hand, considering a high
the defender. For the rest of this article, we will use the term value for w (≈q) makes the input image too large. As a
“signals” to indicate only the preselected m signals. result, the AE models become more complex. This challenge
The order of the signals in the created 2-D input image boils down to how to effectively learn the temporal pattern
could also impact the learning efficacy. Compared to random of all the signals, especially of the ones with long reporting
placement, placements that bring out stronger spatial (cor- periods, while still using a small time window during image
relations) patterns of the signals in the resulting image will generation.
22116 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 24, 15 DECEMBER 2023

Fig. 2. CANShield workflow. CANShield has two phases of operation: “training” and “deployment.” CANShield contains three modules: i) the data
preprocessing module that creates multiple data views of the same data queue of signal-level CAN data, ii) the data analyzing module that employs multiple
CNN-based AEs for analyzing the data views and generating reconstruction losses, and iii) the attack detection module that calculates the anomaly scores and
makes the final detection decision.

C. Data Analyzing Module

The data analyzing module utilizes multiple AE models:
def
{AEi }i∈[n] (we define [n] = {1, 2, . . . , n}). Each of the models
is associated with each of the views of Q and thus learns differ-
ent (and complementary) perspectives of Q. We build the AE
networks using CNN due to the observation that each view is a
2-D data item, and CNN is widely proven to work efficiently
on 2-D data with minimum complexity. The motivation for
Fig. 3. Generation of different views of Q with multiple samplings at time using AE is that, as there are neither explicitly defined states
step t. For the visualization, we have transposed the original image, where
the signals associated with each CAN ID are presented as a single row, and of the vehicle, nor any analytical model for that, we use a data-
the columns indicate the time steps. The changes in the colors indicate the driven approach to find the states out of a small window of the
updates in the signal values associated with the CAN IDs. Thus, we select the historical signal data. Thus, the data in an AE’s central (bottle-
first w columns from Q at every T1 , T2 , . . . , Tn time steps, respectively. Here,
T1 , T2 , . . . , Tn are the sampling periods to create the views D1 , D2 , . . . , Dn , neck) layer represents the vehicle’s state in a lower dimension.
respectively, of the same Q. Without the loss of generality, here we assume In contrast, the decoder part tries to predict the vehicle’s his-
T1 < T2 < · · · < Tn . Therefore, D1 has a more detailed view but contains a torical signal data by looking at the state’s information. If the
very limited historical trend, capturing short-term, or fast-changing patterns.
On the other hand, Dn has most of the temporal trend, capturing long-term vehicle is running in a normal state, as mostly seen in the train-
or slow-changing patterns, but with the lowest details. ing data, the decoder should predict accurately. Otherwise, an
abnormal state will lead to an erroneous prediction, therefore,
a high reconstruction loss. Moreover, as our considered model
learns the relationship among all the signals, especially the
We achieve these two conflicting goals by creating n differ- nearby highly correlated ones if at least one signal deviates
ent views of Q with n different sampling periods (seeing more from the regular pattern, CANShield will recognize it from
with a less complex model). Fig. 3 illustrates such sampling the reconstruction loss.
process at time step t that uses sampling periods T1 , T2 , . . . ,Tn As shown in Fig. 2, during the training phase, each AEx
to create the views D1 , D2 , . . . ,Dn , respectively, of the same takes a data view Dx ∈ Rm×w as an input image and learns
Q. The forward-filling mechanism helps to preserve the short- to reconstruct almost the same D̂x ∈ Rm×w image ∀x ∈ [n].
term or fast-changing attributes in this long-term view. Despite Meanwhile, as CANShield trains different AEs for different
having different sampling periods, CANShield keeps the num- views, the training cost would be linear to the number of
ber of samples (w) within each data view the same. As there views. Thus, a practical challenge lies in how to reduce the
are total m signals, each data view will have a dimension of cost of training multiple AEs. As the views are created from
m×w. This allows CANShield to use the same architecture for the same data queue Q, they contain inherent similarities in
all the AE models working on each data view. The multiview their structure.
design has benefits in the system’s accuracy and scalability. First, the spatial dependencies (correlations) along the fea-
On the other hand, each of these views has different primary tures are still almost the same, as all the signals in each of the
targeted signals, but collectively they cover temporal trends views are sampled with the same sampling periods. On the
of variable lengths. This allows more effective and accurate other hand, the temporal patterns in different views are just
detection of abnormal signals, regardless of attacking message the expanded/shrunk versions. Hence, instead of training all
frequency and duration. the models from scratch, we consider training the first model
SHAHRIAR et al.: CANShield: DEEP-LEARNING-BASED INTRUSION DETECTION FRAMEWORK 22117

AE1 thoroughly. Then, we use the transfer learning technique Algorithm 1: Thresholds Selection for AEx
to initialize the parameters of the next model, AE2 , which only Input: Stack of reconstruction losses L ∈ Rt×m×w , system hyperparameters
needs to fine-tune the parameters instead of learning every- p, q, r
Variables: B ← 0t×m×w , V , S ← 0t×m ,
thing from scratch. Thus, we initialize any tth model AEt with Output: Thresholds: RLoss , RTime ∈ Rm , RSignal ∈ R
the preceding trained model AEt−1 . Such a technique reduces /* Step 1 */
the training cost (see Section VI-D), which will be most effec- ∀i ∈ [m] : RLoss
i ← pth % ∀j, k ∈ [w], [t] Lki,j 3
tive if, in the future, the model is trained in a peripheral device
like Raspberry Pi for a new vehicle. k ← 1 if Lk > RLoss
∀i, j, k ∈ [m], [w], [t] : Bi,j i,j i 4
Once the training is done, the deployment phase is initiated,
and the trained models are loaded in CANShield. At the end /* Step 2 */
of the training phase and during the deployment phase, the 
w
∀i, k ∈ [m], [t] : Vik ← k
Bi,j 5
AEs are tested on the corresponding data stream and try to j=1
reconstruct the same image. For AEx , the absolute difference ∀i ∈ [m] : RTime ← qth % ∀k ∈ [t] Vik 6
i
between the original image and the reconstructed image is the
/* Step 3 */
reconstruction loss Lx ∈ Rm×w is calculated as follows:
  ∀i, k ∈ [m], [t] : Sik ← 1 if Vik > RTime
i 7
Lx = abs Dx − D̂x . (1)
1  k
m
∀k ∈ [t] : Pk ← Si 8
Each element contains the corresponding signal’s reconstruc- m
i=1
tion loss at a certain time step, where the row and columns RSignal ← rth % ∀k ∈ [t] Pk 9
indicate the signal and time steps, respectively.

D. Thresholds Selection and Attack Detection Module

In this part, we discuss how to interpret a 2-D reconstruction indices where the reconstruction losses are higher than the
loss Lx into an anomaly score Px (i.e., attack probabil- allowed threshold RLoss for every ith signal (4). Second, we
i
ity) for every data view Dx and use the results for attack find the total number of such time step violations Vi for each
detection. signal by summing over all the w time steps (5) for all the t
For a normal computer vision problem, the common prac- instances. We evaluate the distribution of the signal-wise total
tice would be to consider the mean value of all the elements time step violations and consider the qth-percentile value as
of the absolute reconstruction loss matrix L as the anomaly the time step violation threshold RTime (6).
i
score P As the third step, we check if any specific signal has
1 
m w
more time step violations than RTime i and flag that signals
P← Li,j . (2) as compromised (7) in each instance. Now, we have the list
m×w
i=1 j=1 of the violating signals S in each data view, and we con-
Compared to a normal computer vision problem, our input sider the average value of S as the anomaly score P for
image (and reconstruction loss Lx ) has a concrete structure, the AE (8). Considering the false-positive requirement of the
which gives space for tweaking the detection thresholds for system, we set rth percentile value of all Ps of the consid-
better accuracy. Thus, instead of taking the average value, we ered samples, as the total signal violation threshold RSignal (9).
exploit the structural knowledge of Lx to interpret the Px . We After running all the steps, CANShield stores RLoss x , RTime
x ,
Signal
define three types of thresholds for attack detection at each and Rx for each of the AEx , and consider the aver-
Signal Signal
AEx . age of all Rx s as the threshold Rens for the ensemble
1) Signal-wise reconstruction loss thresholds RLoss x ∈ Rm . model.
2) Signal-wise time step violation thresholds Rx Time ∈ Rm . During the deployment phase, these thresholds are
Signal
3) An overall signal violation threshold Rx ∈ R. preloaded from the memory and Algorithm 2 is used to detect
Next, we demonstrate a three-step analysis on Lx to facili- any violation. Although the tasks in (10)–(13) are simi-
tate the selection of these thresholds and attack detection, as is lar as Algorithm 1, CANShield runs them on individual test
shown in Algorithms 1 and 2, respectively. For convenience, reconstruction loss L and check for potential threats using
we have obviated the AE index x for the thresholds and L as the ensemble model. Here, an anomaly score is assigned
this approach will be applied independently to each AE. We on each of the reconstruction losses on the data views,
also use three system hyperparameters p, q, r as confidence i.e., P1 , P2 , · · · , Pn . CANShield then uses the ensemble
percentiles for these thresholds, which is subject to optimal anomaly score Pens (14) as the final score. In the case of
Signal
tuning in practice (see Section VI-B1). Pens > Rens , the IDS tags Q as anomalous and raises the
First, Algorithm 1 shows how we select the thresholds from alarm in the system (15). Compared to the mean absolute
the 3-D reconstruction loss matrix L from randomly selected value method (2), this three-step method gives CANShield
t training data queues. First, we find the RLoss
i for every signal finer decomposition of L and improves the detection efficacy
i ∈ [m] on the normal training data by taking the pth percentile against stealthy attacks. Fig. 4 shows a simplified visual-
values of elements in the i th rows of all the L (3). Later, we ization of Algorithm 2 with a 5 × 5 reconstruction loss
map the 3-D matrix L to a binary 3-D matrix B to find the matrix.
22118 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 24, 15 DECEMBER 2023

Algorithm 2: Ensemble-Based Detection

Input: Reconstruction loss L ∈ Rm×w ,
Thresholds: RLoss , RTime ∈ Rm , RSignal ∈ R
Variables: B ← 0m×w , V , S ← 0m
Output: Attack decision: attack ∈ R
/* Step 1 */
∀i, j ∈ [m], [w] : Bi,j ← 1 if Li,j > RLoss
i 10

/* Step 2 */

w
∀i ∈ [m] : Vi ← Bi,j 11
j=1

∀i ∈ [m] : Si ← 1 if Vi > RTime

i 12

/* Step 3 */
1 
m
Px ← Si 13
m
i=1
/* Ensemble */
1
n
Pens ← Px 14
n
x=1
Signal
attack ← 1 if Pens > Rens 15

V. I MPLEMENTATION AND E VALUATION Fig. 4. Simplified visual illustration of three-step attack detection
A. Data Sets and Attacks (Algorithm 2) for individual AE with 5×5 reconstruction loss matrix. (a) 3-D
visualization of 2-D reconstruction loss matrix L showing the loss violations
We implement CANShield on both the SynCAN data set (L > RLoss ) in blue. (b) Binary 2-D matrix B showing the indices of loss
and ROAD data set. SynCAN data set [15] (Synthetic CAN violation [top view of (a)]. (c) Signal-wise total loss violations V [counting
only the blue bars in (b)]. Orange colors show where V violates time-step
Bus Data) is a widely used CAN attack data set released by threshold RTime . (d) Binary 1-D array S showing if any signal violates RTime
ETAS (a subsidiary of Robert Bosch Gmbh) covering stealthy [top view of (c)]. (e) Anomaly score/total signal violations P showing the
signal-level CAN attacks. ROAD data set [25] was released total number of time-step violating signals [counting only the orange bars in
(d)]. The red color shows if P exceeds the threshold RSignal , indicating a
by Oak Ridge National Laboratory and is the most realistic potential attack; otherwise, the final prediction will be benign. For simplifica-
CAN attack data set to date.2 Next, we introduce the details tion, we show the total counts in the bar plots instead of using the percentage,
of each data set and the attacks covered. which is used in the actual algorithm.
1) SynCAN: The SynCAN data set is built on actual CAN
traces, emulating the characteristics of the real CAN traffic, TABLE I
with hundreds of advanced attack scenarios. It contains a total D ESCRIPTION OF ATTACKS IN S YN CAN DATA S ET
of 20 signals, including physical values, counters, and flags.
There are 24 h of logged data, of which 16.5 h are for training
and 7.5 h are for testing with five types of advanced attacks,
which resembles the three stealthy forms of attack models
mentioned in Sections III-B.
The attacks in SynCAN data sets are summarized in Table I.
In a flooding attack, the attacker frequently broadcasts high-
priority messages to delay the legitimate ECUs’ transmission
(similar as DoS attack). In a suppress attack, the attacker turns from the actual ones. Such small changes can initially look
off the corresponding ECU of the targeted signal(s) or prevents realistic and bypass IDS. Finally, in a playback attack, the
it from sending further messages. Based on the time-series attacker replays a series of previously recorded data for the
nature of the injected data, there are three types of masquerade targeted signal to make it more realistic.
attacks. In a plateau attack, the attacker broadcasts the same 2) ROAD: The ROAD data set provides the highest-fidelity
constant value of any signal over a long period of time. The CAN traces with physically verified most realistic CAN
impact of such an attack depends on the extent of the leap and attacks. It contains a significant amount of training data cov-
the duration of the attack. In a continuous attack, the signals ering the different contexts of driving. We obtained the raw
are overwritten with continuously changing values that shift ROAD data set and extracted signals from the CAN messages
2 To the best of our knowledge, the SynCAN data set (available at using CAN-D. There are 3.5 h of logged data, of which 3 h
[Link] was the only publicly available signal-level are for training and 30 min are for testing with five types of
CAN data set with advanced attacks at the time of writing this article. ROAD advanced masquerade attacks targeting the engine coolant tem-
data set (available at [Link] was obfuscated and did not have perature, engine RPM, brake light, and wheel speed sensors.
signal-level interpretation in its initial release in early 2021. We obtained the
raw ROAD data set by directly contacting ORNL. Partially motivated by our The injected message manipulates only the specific portion of
work, ORNL has recently released a signal-level ROAD data set. the data fields containing the targeted signals.
SHAHRIAR et al.: CANShield: DEEP-LEARNING-BASED INTRUSION DETECTION FRAMEWORK 22119

TABLE II
D ESCRIPTION OF M ASQUERADE ATTACKS IN ROAD DATA S ET

Fig. 5. Attack detection and event detection latency in a single attack event.

Whereas the attacks in the SynCAN are created by post-

processing (replacing original ones) on the normal driving
Attack Detection: Any injection or modification of any CAN
data, the attack traces in the ROAD traces were collected from message, as is described in the attack model in Section III-B, is
a real vehicle under the real injection attacks. Such attack
considered an attack. Attack detection is defined as the detec-
traces provide not only the injected messages but also the
tion of any malicious data view. If any view of the data queue
response from the vehicle under such attacks, which makes the contains one or more malicious injections, we consider the
ROAD data set the most realistic one. The attacks in the ROAD
label of the queue view as malicious.
data set are summarized in Table II. In light of the model’s
Event Detection Latency: Depending on the type of attack,
complexity, one single IDS is not a feasible option to track all there could be a delay between the first injected message and
the hundreds of decoded signals within the ROAD data set.
the first correct detection during any attack event. Such a delay
Thus, in the implementation of CANShield on the ROAD data
is defined as the event detection latency. Fig. 5 shows the event
set, we consider seven primary signals, which were compro- detection latency for a single attack event.
mised during the attacks, to be of primary importance and add
Hardware Processing Latency: We evaluate CANShield’s
two highly correlated signals for each to make the IDS more performance by implementing it on a standard computer as
robust, as detailed in Section IV-A. well as a lightweight edge device and benchmark the inference
time, showing the near real-time performance in hardware.
B. Evaluation Setup 3) Evaluation Metrics: For any binary classifier, there are
1) CANShield Software Implementation: We use Python four possible outcomes. True positive (TP), and true negative
3.7.3 with Keras 2.2.4 [42] for training and evaluation of (TN) are the outcomes where the model correctly predicts
CANShield. The pipeline for the AE model contains the the positive (attack) and negative (benign) classes, respec-
combinations of the convolutional layer, activation layer tively. An FP and false negative (FN) are the outcomes
(LeakyRelu), max pooling, and up-sampling layers [34]. Using where the model incorrectly predicts the positive classes
min–max scaling, we keep the values of each signal between 0 and negative classes, respectively. Based on these outcomes,
and 1. We used a five-layer network, where the convolutional we evaluate CANShield’s performance using the following
layers have 3 × 3 filters, and the numbers filters in each layer metrics.
are 32, 16, 16, 32, and 1. We utilized leakyRelu as the acti- 1) Precision is defined as the ratio between the correctly
vation function with a parameter of 0.2, except for the output predicted positive data views to a total number of
layer, which has a sigmoid activation function. The decoder predicted positive views (TP/[TP + FP]).
part contains up-sampling layers with 2 × 2 filters. We use the 2) Recall or TP Rate (TPR) is calculated as the ratio
Adam optimizer with a learning rate of 0.0002 to train the between the number of positive views correctly clas-
models and mean square error as the loss function. Using a sified as positive to the total number of actual positive
batch size of 128, we train each model for 100 epochs. The fol- views (TP/[TP + FN]).
lowing section explains the impact of different parameters in 3) FPR is the proportion of negative views incorrectly
attack detection and illustrates the effectiveness of CANShield. identified as positives (FP/[FP + TN]).
2) Evaluation Settings: To evaluate CANShield, we con- 4) F1 Score is the harmonic mean of precision and recall
sider w as 25, 50, and 100, and five sampling periods (Tx ) as 1, (2 × ([Precision × Recall]/[Precision + Recall]). For an
5, 10, 20, and 50 for each of the data sets. After training the AE imbalanced data set, F1 score is mostly used to evaluate
models, we select a random 10% of the samples from the train- the model’s performance.
ing data and determine the reconstruction losses using (1) and 5) ROC Curve, PR Curve, and AUC Scores indicate
time step violations for each AE. We also study the compara- the classifiers performance with varying discrimination
tive analysis of the effectiveness of different sampling periods thresholds [43]. The ROC curve plots TPRs and FPRs,
against different attacks. We do an extensive grid search with and the PR curve plot precisions and recalls for differ-
all the combinations of threshold ranging from 90% to 99.99% ent thresholds. The area under the ROC and PR curves
as p, q, and r to find RLoss , and RTime , and RSignal , respectively, are represented as AUROC and AUPRC, respectively,
as mentioned in (3), (6), and (9), to evaluate CANShield and which indicate the robustness of the detectors. An ideal
maximize detection performance. Moreover, we evaluate dif- detector has both AUROC and AUPRC scores of 1.00.
ferent detection scenarios by setting 0.1%, 0.5%, and 1% as 4) Baseline Models: We consider CANShield with only
the maximum threshold for the FP rate (FPR) in the system. one AE with sampling periods Tx as CANShield-Tx and
With these settings, we evaluate CANShield’s performance the full-fledged multi-AE-based CANShield as CANShield-
in the following three aspects. Ensemble (or CANShield-Ens).
22120 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 24, 15 DECEMBER 2023

Fig. 6. Hierarchical clustering of the signals in SynCAN data set based on the correlation matrix and rearranging them in clusters.

This part describes the four baseline models that we con- A. Correlation-Based Clustering
sider for the performance comparison. As discussed in Section IV-A, in the initialization of the
1) CANShield-Base: We consider CANShield-Base, a sim- training phase, CANShield analyzes the Pearson correlations
plified version of CANShield to represent the existing matrix of the data set to create clusters of signals and rear-
approaches in CNN-AE-based IDS working on windows range them so that highly correlated signals stay together in
of multidimensional time-series data [44]. We consider the data queue Q. The left panel of Fig. 6 shows the heat
CANShield-Base to have only one AE working with a map of the correlation matrix of the SynCAN data set, with
sampling period of 1 using the conventional one-step the original orders of the signals as appeared in the data set.
mean absolute value of reconstruction loss (as (2)) to It is clear from the figure that some of the highly corre-
calculate the anomaly score. Hence, the performance lated signal pairs, for example, S:1_ID:02, and S:1_ID:07,
comparison between CANShield-Ens and CANShield- have a correlation of around unity but originally, they are
Base justifies the significance of multiple AEs and a placed far apart. Such placement makes it harder for the small
three-step analysis of reconstruction losses. CNN filters to learn their dependencies. The middle panel of
2) CANet: CANet [15] is the IDS specifically designed Fig. 6 shows the dendrograms after correlation-based cluster-
for high-dimensional CAN data structure, employing ing, which also indicates the existence of multiple clusters of
one long short-term memory (LSTM) model for each highly correlated signals. For example, in the SynCAN data
CAN IDS and merging their output to create a fully set, S:1_ID:10 and S:1_ID:09 form a cluster of two signals,
connected AE network. The authors evaluated CANet and S:2_ID:03, S:1_ID:07, and S:1_ID:02 form another clus-
on the SynCAN data set and made the data set pub- ter. The right panel of the figure shows the heat map of the
lic [45]. As we are also utilizing the SynCAN data correlation matrix after the signal reordering. Therefore, such
set, CANet becomes the most relevant baseline for grouping and reordering make data queue Q generation more
CANShield-Ens. interpretable and effective.
3) Reconstructive: The fundamental approach of the
reconstructive baseline is similar to CANShield-
Base. Whereas CANShield-Base feeds all the signals B. Attack Detection
in one single AE model, reconstructive baseline
1) Optimizing Design Hyperparameters: We first show
uses different AE models for different signals [46].
how we optimize CANShield’s system hyperparameters to
Therefore, although it can learn the temporal dynam-
achieve the best performance on the SynCAN data set. We
ics, there is no way to learn the signal-wise
assess the contribution of each feature of CANShield in attack
correlations.
detection in the three following steps.
4) Predictive: In the predictive baseline, there are individ-
Effectiveness of Three-Step Analysis: As the first version of
ual LSTM models for each CAN ID that predicts the
CANShield, we consider CANShield-1, which uses only one
signals associated with the CAN ID for the next time-
AE working on a sampling period of 1 and a data view length
step [47]. Hence, whereas all the reconstruction-based
of 50. Thus, the three-step analysis of reconstruction loss is the
methods, including CANShield and CANet, rely on the
only difference between CANShield-1 and CANShield-Base.
reconstruction of the input that contains the past and cur-
Hence, we demonstrate the efficacy of the three-step analy-
rent values, the predictive baseline forecasts the future
sis of reconstruction loss (in CANShield-1) over the mean
values from the given input and compares them with the
absolute loss (in CANShield-Base) by selecting different val-
reported ones.
ues for thresholds RLoss , RTime , and RSignal , respectively. The
captions in Fig. 7 show the AUROC score of CANShield-
VI. E VALUATION R ESULTS AND D ISCUSSION Base for each attack type, while different pixels indicate
This section, first, explains why correlation-based cluster- the improvements in the AUROC scores of CANShield-1
ing is effective for CANShield; and later shows CANShield’s over CANShield-Base for different combinations of RLoss
performance on the different aspects. and RTime .
SHAHRIAR et al.: CANShield: DEEP-LEARNING-BASED INTRUSION DETECTION FRAMEWORK 22121

Fig. 7. Effectiveness of three-step loss analysis in CANShield over the Fig. 9. Optimizing CANShield-Ens’s architecture. Best AUROC score for
mean absolute loss in CANShield-Base. The values within the [ ] show the different window size w ({25, 50, 100}) and AEs.
AUROC scores of CANShield-Base, whereas the colors of the pixels show
the improvements in the AUROC scores for different RLoss and RTime .

period of 1 is the best performing one against the continuous,

and playback attacks. Hence, unlike fabrication and suspen-
sion attacks, the lower sampling periods (≤ 5) are, in general,
the most effective ones against the masquerades attacks as
short-term views of the data queue provide a detailed look at
the time-series abnormalities. Therefore, only one AE work-
Fig. 8. Anomaly scores of CANShield with different sampling periods on
malicious samples. Higher anomaly scores on malicious samples make the
ing on only one type of data representation is not enough
IDS more effective. to detect diverse attacks. This finding motivates the design
of CANShield-Ens, combining multiple AEs into a single
decision model to further increase the robustness of the IDS.
The figure shows whereas the proposed three-step analy- Effectiveness of Ensemble Model: To design the final ensem-
sis has limited contributions on the flooding and suppress ble model, we studied different combinations of AEs working
attacks (first two panels), it provides a better representation with different sizes of data views. Here, we consider the stan-
of violations and improves the detection performance of the dard ensemble technique of averaging multiple anomaly scores
stealthy masquerade attacks (last three panels) compared to to a single score (attack probability) as mentioned in (14) and
CANShield-Base. As the violations in the fabrication and use that to evaluate the detection performance.
suspension attacks are more evident and do not involve any To search for the final ensemble model, we studied differ-
modification of signals, mean absolute loss itself suffices to ent window sizes and different combinations of AEs, starting
give a decent detection performance (AUROC scores of 0.958, from one AEs up to five AEs. As Fig. 9 shows, CANShield
and 0.877, respectively). However, setting RLoss and RTime to with only one AE has limited performance (AUROC score
95-percentile and 99-percentile, respectively, helps better ana- < 0.93) regardless of the window size w. When more AEs
lyze the nuanced violations created by the masquerade attacks are ensembled, the performance improves. Although w = 25
and provides the improvements (0.02–0.03 in AUROC scores) shows promising performance, it still underperforms that of
over CANShield-Base. This evaluation shows adding a three- w = 50 even having more AEs. Besides, we observe that
step analysis improves the detection rate even when one AE is w = 100 tends to make the model overly complicated and
used. In the following paragraphs, we will discuss how adding yield performance degradation. From the figure, it is evident
more AEs, and combining them into an ensemble detector, that, on average, CANShield-Ens performs the best on the
CANShield-Ens further improves the detection performance. SynCAN data set when w = 50 and there are three AEs work-
Effectiveness of Different Sampling Periods: Here, we ing. We further find that out of various combinations of three
demonstrate the effectiveness of learning from multiple views sampling periods, the ensemble of 1, 5, and 10 gives the best
with multiple AEs working with different sampling periods performance.
in detecting attacks. Fig. 8 illustrates the performance com- We note that although the above results are derived from
parison of CANShield-Tx , where Tx ∈ {1, 5, 10, 20, 50}. We the SynCAN data set, the ROAD data set also shows a similar
analyze the effectiveness of CANShield-Tx by plotting the dis- result. Therefore, for the simplicity of the analysis, we use w as
tributions of anomaly scores of the malicious data queues. As 50, three AEs (with sampling periods 1, 5, and 10), and RLoss
the anomaly scores on the benign data queues are mostly zeros, and RTime as 95th-percentile and 99th-percentile, respectively,
we only show the anomaly scores on malicious data queues. for both the SynCAN and ROAD data sets in the following
The first two panels of the figure show that for both flood- evaluations.
ing and suppress attacks, the anomaly scores of the malicious 2) Attack Visualization and AUROC Scores: In this part, we
data queues increase for higher sampling periods, making the visualize the anomaly scores for all the individual and ensem-
detection easier as these attacks are more detectable looking ble detectors along with the ROC curves for both SynCAN
at the long-term sequential pattern. As higher anomaly scores and ROAD data sets.
on malicious data queues make the classification task eas- SynCAN Data Set: Fig. 10(a) shows the CANShield’s
ier, it increases the TPR while lowering the FPR. Therefore, anomaly scores, and the left panel of Table III summarizes
AE working on a higher sampling period (≥ 5) is the most AUROC scores for different attacks on the SynCAN data
effective against fabrication and suspension attacks. set. Different AEs (CANShield-Tx ) show different perfor-
On the other hand, a sampling period of 5 seems to be the mances on each of the attacks. However, the CANShield-Ens
most suitable choice against plateau attacks, and a sampling yields more stable and consistent performance, leading to
22122 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 24, 15 DECEMBER 2023

TABLE III
P ERFORMANCE C OMPARISON W ITH D IFFERENT CANS HIELD A RCHITECTURES AND BASELINE D ETECTORS ON S YN CAN DATA S ET

the individual and ensemble models show high performance

in detecting the attacks. There are a few cases where the
performance degrades a little bit, but CANShield-Ens miti-
gates such issues and detects all the attacks on the ROAD
data set with an AUROC score of ∼1.00.
3) Precision, Recall, and F1 Score: In this part, we study
the impact of the signal violation thresholds RSignal on
CANShield-Ens’s precision, recall, and F1 score for dif-
ferent attacks in both the SynCAN and ROAD data set.
The first panel of Fig. 11(a), which shows the PR curve
along with the AUPRC scores on the SynCAN data set,
demonstrates that CANShield-Ens is highly effective against
fabrication and suspension attacks (AUPRC ≥0.92) and
moderate performance against advanced masquerade attacks
(AUPRC≈ 0.65−0.88). Moreover, the values of RSignal within
the range of 0.05 to 0.2 provide a decent performance maxi-
mizing the F1 scores for different attacks, as shown in the right
panel of the figure. Considering CANShield’s goal of having
a low FPR, we recommend a higher value for RSignal , which
results in high precision (>0.9) for all the attacks. Similarly,
the evaluation results in Fig. 11(b) on the ROAD data set
show that CANShield-Ens achieves perfect precision, recall,
and F1 score (AUPRC≈1.00) with an appropriate threshold
(0.2 − 0.3).
Comparison With Baseline Models: Whereas we demon-
strate the improvements of CANShield-Ens over the individual
models, this part includes the performance comparison with
Fig. 10. Attack visualization with different models for both data sets.
(a) SynCAN data set. (b) ROAD data set. the other baseline detectors as well. Table III illustrates such
comparison, which indicates 1.84% and 11.67% improve-
ments in the AUROC of flooding and suppress attacks,
higher AUROC scores in all the attacks than the individual respectively, compared to the closest baseline CANet. Unlike
CANShield-Tx . In the case of continuous and playback attacks, CANet, CANShield-Ens considers both the sequence of CAN
the signals start to deviate gradually from the original values, IDs and the time-series signal values to create the data
which takes some time to create the recognizable deviation queue and provides effective detection of such practical
for the IDS. Hence, a lower AUROC score in the CANShield- attacks. Even though CANet performs slightly better against
Ens is not unexpected, especially against continuous attacks. advanced masquerade attacks, CANShield-Ens also shows
However, CANShield-Ens can detect the violations almost decent performance. The right panel of Table III shows the
instantly for the rest of the attacks (AUROC scores of TPR and FPR of different CANShield architectures along
0.95−1.00). Whereas the individual AEs are attack-specific, with the baselines. Similar to the AUROC, CANShield shows
the ensemble model takes the best out of every model, gener- promising performance against fabrication and suspension
alizes the process, and detects most attacks with the highest attacks, while CANet performs better against masquerade
AUROC scores. attacks. Furthermore, CANShield is considerably lighter than
ROAD Data Set: Fig. 10(b) shows the anomaly scores of CANet. While CANet consumes 8718 kB of memory [28],
the attacks on the ROAD data set. Same as the SynCAN, CANShield only utilizes 525 kB, making it suitable for edge
CANShield-Ens also shows stable performance in the anomaly devices. Overall, as Table III shows, CANShield-Ens outper-
score. As all the attacks in the ROAD data set are closely forms all of the baselines on average, showing the proposed
aligned with the plateau attack in the SynCAN data set, both framework’s effectiveness.
SHAHRIAR et al.: CANShield: DEEP-LEARNING-BASED INTRUSION DETECTION FRAMEWORK 22123

(a) (b)

Fig. 11. CANShield-Ens’s precision-recall (PR) curve with AUPRC and F1 Scores for different thresholds on both the (a) SynCAN and (b) ROAD data sets.

Fig. 12. Tradeoff between event detection latencies and maximum FPR thresholds against different attacks in the SynCAN data set.

C. Event Detection Latency

Fig. 12 illustrates the attack-wise event detection latency for
three cases of maximally allowed FPR for the SynCAN data
set. As each attack manipulates the signal at different paces,
the time to observe a potential deviation varies. Hence, similar
to the previous discussion, certain AEs are more responsive
against certain types of attacks. As the first two panels of
Fig. 12 show that in the case of fabrication and suspen-
sion attacks, CANShield-1 has slightly higher event detection (a) (b)
latency, whereas CANShield-Ens reduces the detection latency
Fig. 13. Effectiveness of transfer learning during model training. (a) Cost
for the ensemble model. On the other hand, the masquerade of training. (b) Validation loss after training.
attacks are the most challenging to detect, and CANShield-
Ens reduces the FPs by taking the mean of the final anomaly
scores. Therefore, as a tradeoff, it increases the latency by a
small factor compared to the individual models. However, the
that without any knowledge transfer, the number of training
latency is still within a small range to cause any devastating
epochs to reach the early stopping criteria, which is a steady
impact. It is noted again that in the SynCAN data set, the
validation loss, increases by up to 100% of the initial training
attacks were created in post-processing without any physical
for different AEs. However, if the AE model’s parameters are
verification. Hence, some attacks may align with the actual
initialized as the pretrained AE with the immediate lower Tx ,
data and lose the malicious property leading to low-detection
the number of training epochs gets reduced by approximately
performance and high-detection latency.
30% in most cases. Besides, as Fig. 13(b) shows, such initial-
Furthermore, the figures also illustrate the impact of max-
ization does not impact the performance of the final models
imum FPR on the event detection latency. Although some
as the validation loss of the final AE models remains almost
individual model suffers from high latency with low FPR
the same regardless of the weight initialization. Therefore,
(i.e., 0.1%), CANShield-Ens provides a lower event detection
CANShield-Ens reduces the training cost of consecutive AEs
latency. However, allowing more FPs (max FPR of 0.5%−1%)
significantly by transferring the weights to the next AE without
into the system further reduces latency. Whereas in case some
any performance tradeoff.
advanced SynCAN attacks CANShield takes up to a couple
Hardware Processing Latency: We trained and evaluated
of seconds to detect, all the attack events in the ROAD data
CANShield on a laptop with a 2.3 GHz 8-Core Intel i9 proces-
set are detected almost instantly [see Fig. 10(b)]. Therefore,
sor with 32 GB of RAM and AMD Radeon Pro 5500M 8 GB
our evaluation shows that CANShield improves detection
of graphics and also deployed on a Raspberry Pi with 1.5 GHz
performance, reduces overall detection latency, and makes the
64-bit quad-core CPU and 4 GB of RAM to benchmark
system more robust.
CANShield prediction speed. To reduce the inference time and
the size of AE models, we convert the TensorFlow model into
D. Implementation and Processing Latency TensorFlow Lite [48] models, which quantizes the weights.
Transfer Learning: Here, we explain the computational ben- Results show each CANShield process takes around 1 ms on
efit of transferring knowledge from the trained AE models the laptop, which satisfies our design objective (<2 ms), and
working on lower Tx to AEs with higher Tx . Fig. 13(a) shows 10 ms on the Raspberry Pi, which is low for an attack to
22124 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 24, 15 DECEMBER 2023

cause catastrophe to the targeted vehicle. Our extensive test- A few works predicted the next CAN ID with individ-
ing and validation demonstrate that the quantized AE-based ual LSTM or gated recurrent unit (GRU) models and used
CANShield provides no degradation in performance and yields log loss and a predefined threshold to detect malicious
the same detection results as the original ones. injections [59]. Similarly, one-class support vector machine
(OCSVM) [60], isolation forest [61] are also studied. Along
with unsupervised methods, self-supervised method-based IDS
E. Limitations and Discussions are also studied [62]. A few works converted the sequences
Here, we discuss two key challenges of CANShield, which of CAN IDs into 2-D images and trained generative adversar-
are common for any DL-based signal-level CAN IDS. ial networks (GANs) in an unsupervised fashion [63], [64].
1) The first challenge is to get the DBC files from the OEM Recently, motivated by natural language processing, some
or have an efficient reverse engineering tool to create the researchers considered the sequence of CAN IDs as a sen-
signal-level representation of the CAN data set. Hence, tence and utilized world embedding and language models to
we assume that the defender is OEM who has direct build the CAN IDS [65], [66]. The fundamental drawback of
access to the DBC file or a third party with an efficient the CAN ID-based IDSs is that they are only effective against
reverse engineering tool. injection attacks that explicitly change the sequence of IDs.
2) The collection of sufficient training data and generaliz- However, advanced masquerade attacks can manipulate the
ing the training of the AE models is another challenge. payload without disrupting the ID sequences/frequencies and
To overcome these issues, CANShield is assumed to easily evade such IDSs [6].
be trained on a very dynamic high-fidelity data set, Payload-Based Detection: The advanced attacks can not
including a diverse range of driving patterns and various only change the CAN IDs but also modify the payloads of
driving scenarios, to ensure that it can detect anomalies the messages. The attacker can replay prerecorded values or
regardless of the driving context and driver’s behavior. change the actual values. Hence, there has been a good amount
of work learning the pattern in the payload sequences and
using it to detect potential cyberattacks. Extracting usable fea-
VII. R ELATED W ORK tures from the binary payloads is a challenging task. The mode
There has been a good amount of work on CAN IDS, which and value information is commonly used to extract features
can be divided into the following general categories. and implement DNN-based IDS [67]. A few works proposed
Physical Characteristics-Based IDS: One line of research in a continuous field classification (CFC) algorithm to identify
CAN IDS utilized the physical layer attributes of the CAN bus the payload value alignments and used a deep learning-based
communications to fingerprint the ECUs and verify the source approach to identify the anomalous fields [68]. Moreover,
of each message. Since the physical signals generated from the different k-nearest neighbor classifiers are also used to iden-
ECUs solely depend on the ECUs’ hardware characteristics, tify different attacks [69]. Considering the sequence of CAN
it is assumed to be unique; hence, a malicious ECU cannot messages as time-series data, a few works implemented unsu-
controllably modify it. Therefore, such defense has been con- pervised ML models based on LSTM [70], [71] and OCSVM
sidered effective in detecting injection attacks. Out of different to build the payload-based CAN IDS [72].
attributes, clock skews [19], voltage profile [49], [50], electri- Signal-Level Detection: Compared to the IDSs mentioned
cal CAN signal characteristics [18], [51], etc., are widely used above, IDSs working at the time-series signal level can extract
in fingerprinting and building physical characteristics-based the most useful information and build an efficient and context-
IDS. However, the assumption of the uniqueness of such phys- aware decision model. Moriano et al. [30] hypothesized that
ical properties is proven invalid by a recent study [20], which masquerade attacks alter the correlations among the signals
proposed a voltage corruption tactic that can modify the phys- and the clustering behaviors and proposed a technique to detect
ical attributes of the victim ECU and impersonate the targeted such attacks by comparing the clustering similarity of test
ECU. Therefore, such IDSs cannot provide a comprehensive data with and without attack traces. Recent works proposed
security guarantee against a wide range of cyberattacks. DNN-based signal-level CAN IDS, where the extracted sen-
CAN ID-Based IDS: A vast portion of the attacks, especially sor values are used as separate features for IDS [73]. Other
fabrication and suspension attacks, consider exploiting the research efforts also proposed the RNN/LSTM-based models
sequences of CAN IDs to disrupt regular services. Therefore, with an embedding layer working on CAN payload values
some IDSs extract features from the series of CAN IDs to in [47], [74], and [75]. A few similar approaches in CAN IDS
learn the usual pattern and detect abnormalities. Given the research used GRU, LSTM, and temporal CNN-based AEs
labeled data sets, some works utilized different types of super- for each CAN ID [28], [29], [74], [75], [76], [77]. All of
vised learning models, based on CNN [52], [53], LSTM [54], these IDSs [28], [29], [74], [75], [76], [77] processed ID-wise
support vector machine, k-nearest neighbors, decision tree, data independently and utilized individual models for each ID,
random forest, and XGBoost [55], [56], [57] etc., to build the which ignored the signal-wise correlations and fail to detect
IDSs. Different unsupervised ML algorithms are also stud- attack collectively.
ied in CAN ID-based IDS research. Various features, such CANet [15] is one of the closest works to our proposed
as message timing information per CAN ID and window- method. It employed one LSTM model for the signals with
wise ID-counting, are used as the underlying features for the each CAN ID and used AE-based reconstruction to predict
IDSs [58]. the anomaly score. However, in practice, LSTM networks are
SHAHRIAR et al.: CANShield: DEEP-LEARNING-BASED INTRUSION DETECTION FRAMEWORK 22125

costly to train, and one LSTM for each IDS will make it [3] R. Kumar, P. Kumar, R. Tripathi, G. P. Gupta, S. Garg, and
impractical for a vehicle with many CAN IDs. Moreover, due M. M. Hassan, “BDTwin: An integrated framework for enhancing secu-
rity and privacy in cybertwin-driven automotive Industrial Internet of
to the complicated architecture, CANet shows low-detection Things,” IEEE Internet Things J., vol. 9, no. 18, pp. 17110–17119,
performance on suppress attacks, a form of the well-known Sep. 2022.
bus-off attack that can be easily launched due to the CAN pro- [4] K. Koscher et al., “Experimental security analysis of a modern automo-
bile,” in Proc. IEEE Symp. Security Privacy, 2010, pp. 447–462.
tocol’s limitations. Novikova et al. [78] proposed to manually [5] S. Woo, H. J. Jo, and D. H. Lee, “A practical wireless attack on the
group the highly correlated signals into smaller subgroups and connected car and security protocol for in-vehicle CAN,” IEEE Trans.
use AE for each subgroup. However, such manual clustering Intell. Transp. Syst., vol. 16, no. 2, pp. 993–1006, Apr. 2015.
is not feasible for real vehicles with lots of signals. [6] C. Miller, “Lessons learned from hacking a car,” IEEE Design Test,
vol. 36, no. 6, pp. 7–9, Dec. 2019.
[7] G. David. “Chrysler recalls 1.4 million hackable cars.” Accessed:
VIII. C ONCLUSION Jun. 21, 2021. [Online]. Available: [Link]
[8] H. J. Jo and W. Choi, “A survey of attacks on controller area networks
As modern vehicles become more connected to external and corresponding countermeasures,” IEEE Trans. Intell. Transp. Syst.,
networks, the attack surface of the CAN bus system grows vol. 23, no. 7, pp. 6123–6141, Jul. 2022.
[9] Y. Xiao, S. Shi, N. Zhang, W. Lou, and Y. T. Hou, “Session key distri-
drastically. To secure the CAN bus from advanced intrusion bution made practical for can and CAN-FD message authentication,” in
attacks, we propose a signal-level intrusion detection frame- Proc. Annu. Comput. Security Appl. Conf., 2020, pp. 681–693.
work, CANShield. With the capability of handling a high- [10] J. Schmandt, A. T. Sherman, and N. Banerjee, “Mini-MAC: Raising
dimensional CAN data stream, CANShield trains multiple the bar for vehicular security with a lightweight message authentication
protocol,” Veh. Commun., vol. 9, pp. 188–196, Jul. 2017.
CNN-based AE models to work on different views of the [11] S. Jin, J.-G. Chung, and Y. Xu, “Signature-based intrusion detection
data stream across different temporal scales, performs a three- system (IDS) for in-vehicle CAN bus network,” in Proc. IEEE Int. Symp.
step structural analysis of the reconstruction losses, and finally Circuits Syst. (ISCAS), 2021, pp. 1–5.
[12] H. Olufowobi, C. Young, J. Zambreno, and G. Bloom, “SAIDuCANT:
ensembles them to obtain the final anomaly score. Evaluation Specification-based automotive intrusion detection using controller area
results on both the SynCAN and ROAD data sets show network (CAN) timing,” IEEE Trans. Veh. Technol., vol. 69, no. 2,
CANShield’s robustness and responsiveness against different pp. 1484–1494, Feb. 2020.
[13] S. Halder, M. Conti, and S. K. Das, “COIDS: A clock offset based
advanced attacks. The proposed three-step analysis of the intrusion detection system for controller area networks,” in Proc. 21st
reconstruction loss improves the overall AUROC by 6.40% Int. Conf. Distrib. Comput. Netw., 2020, pp. 1–10.
than the conventional mean average method. The aggregation [14] W. Wu et al., “A survey of intrusion detection for in-vehicle
of data with different temporal scales reduces variance in infer- networks,” IEEE Trans. Intell. Transp. Syst., vol. 21, no. 3, pp. 919–933,
Mar. 2020.
ence and increases the AUROC by at least 2.19% compared to [15] M. Hanselmann, T. Strauss, K. Dormann, and H. Ulmer, “CANET: An
any single AE-based framework. Moreover, CANShield out- unsupervised intrusion detection system for high dimensional CAN bus
performs all the baselines against practical fabrication and sus- data,” IEEE Access, vol. 8, pp. 58194–58205, 2020.
[16] K.-T. Cho and K. G. Shin, “Error handling of in-vehicle networks makes
pension attacks while still performing well against advanced them vulnerable,” in Proc. ACM SIGSAC Conf. Comput. Commun.
masquerade attacks. By combining the strengths of CAN ID- Security, 2016, pp. 1044–1055.
based IDS and signal-level IDS, CANShield offers a scalable [17] G. Bloom, “WeepingCAN: A stealthy CAN bus-off attack,” in Proc.
Workshop Autom. Auton. Veh. Security, 2021, pp. 1–6.
and efficient solution and advances the state-of-the-art.
[18] W. Choi, H. J. Jo, S. Woo, J. Y. Chun, J. Park, and D. H. Lee,
“Identifying ECUs using inimitable characteristics of signals in con-
ACKNOWLEDGMENT troller area networks,” IEEE Trans. Veh. Technol., vol. 67, no. 6,
pp. 4757–4770, Jun. 2018.
The authors are thankful to Robert A. Bridges from ORNL [19] K.-T. Cho and K. G. Shin, “Fingerprinting electronic control units for
for his insightful comments on this article. This manuscript vehicle intrusion detection,” in Proc. 25th USENIX Security Symp., 2016,
pp. 911–927.
has been coauthored by UT-Battelle, LLC, under Contract [20] R. Bhatia, V. Kumar, K. Serag, Z. B. Celik, M. Payer, and D. Xu,
DE-AC05-00OR22725 with the U.S. Department of Energy “Evading voltage-based intrusion detection on automotive CAN,” in
(DOE). The U.S. Government retains and the publisher, by Proc. NDSS, 2021, pp. 1–17.
accepting the article for publication, acknowledges that the [21] A. de Faveri Tron, S. Longari, M. Carminati, M. Polino, and S. Zanero,
“CANFlict: Exploiting peripheral conflicts for data-link layer attacks on
U.S. Government retains a nonexclusive, paid-up, irrevoca- automotive networks,” in Proc. ACM SIGSAC Conf. Comput. Commun.
ble, worldwide license to publish or reproduce the published Security, 2022, pp. 711–723.
form of this manuscript, or allow others to do so, for U.S. [22] A. Z. Mohammed, Y. Man, R. Gerdes, M. Li, and Z. B. Celik, “Physical
layer data manipulation attacks on the CAN bus,” in Proc. Int. Workshop
Government purposes. DOE will provide public access to these Autom. Auton. Veh. Security (AutoSec), 2022, pp. 1–5.
results of federally sponsored research in accordance with the [23] L. Yue, Z. Li, T. Yin, and C. Zhang, “CANCloak: Deceiving two
DOE Public Access Plan ([Link] ECUs with one frame,” in Proc. Workshop Autom. Auton. Veh. Security
(AutoSec), 2021, pp. 1–6.
public-access-plan). [24] S.-F. Lokman, A. T. Othman, and M.-H. Abu-Bakar, “Intrusion detec-
tion system for automotive controller area network (CAN) bus system:
A review,” EURASIP J. Wireless Commun. Netw., vol. 2019, no. 1,
R EFERENCES pp. 1–17, 2019.
[1] Z. El-Rewini, K. Sadatsharan, D. F. Selvaraj, S. J. Plathottam, and [25] M. E. Verma et al., “Addressing the lack of comparability & testing in
P. Ranganathan, “Cybersecurity challenges in vehicular communica- can intrusion detection research: A comprehensive guide to CAN IDS
tions,” Veh. Commun., vol. 23, Jun. 2020, Art. no. 100214. data & introduction of the road dataset, 2022, arXiv:2012.14600.
[2] C. E. Andrade et al., “Managing massive firmware-over-the-air [26] M. E. Verma, R. A. Bridges, J. J. Sosnowski, S. C. Hollifield, and
updates for connected cars in cellular networks,” in Proc. 2nd ACM M. D. Iannacone, “CAN-D: A modular four-step pipeline for com-
Int. Workshop Smart, Auton., Connected Veh. Syst. Services, 2017, prehensively decoding controller area network data,” IEEE Trans. Veh.
pp. 65–72. Technol., vol. 70, no. 10, pp. 9685–9700, Oct. 2021.
22126 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 24, 15 DECEMBER 2023

[27] J. W. Shin, J. H. Oh, S. M. Lee, and S. E. Lee, “Can FD controller [54] M. Jedh, L. B. Othmane, N. Ahmed, and B. Bhargava, “Detection of
for in-vehicle system,” in Proc. Int. SoC Design Conf. (ISOCC), 2016, message injection attacks onto the CAN bus using similarities of suc-
pp. 227–228. cessive messages-sequence graphs,” IEEE Trans. Inf. Forensics Security,
[28] V. K. Kukkala, S. V. Thiruloga, and S. Pasricha, “INDRA: Intrusion vol. 16, pp. 4133–4146, 2021.
detection using recurrent autoencoders in automotive embedded [55] R. U. D. Refat, A. A. Elkhail, A. Hafeez, and H. Malik, “Detecting
systems,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., CAN bus intrusion by applying machine learning method to graph based
vol. 39, no. 11, pp. 3698–3710, Nov. 2020. features,” in Proc. SAI Intell. Syst. Conf., 2021, pp. 730–748.
[29] V. K. Kukkala, S. V. Thiruloga, and S. Pasricha, “LATTE: LSTM [56] M. L. Han, B. I. Kwak, and H. K. Kim, “Event-triggered interval-based
self-attention based anomaly detection in embedded automotive plat- anomaly detection and attack identification methods for an in-vehicle
forms,” ACM Trans. Embedded Comput. Syst., vol. 20, no. 5S, pp. 1–23, network,” IEEE Trans. Inf. Forensics Security, vol. 16, pp. 2941–2956,
2021. 2021.
[30] P. Moriano, R. A. Bridges, and M. D. Iannacone, “Detecting can mas-
querade attacks with signal clustering similarity,” in Proc. Workshop [57] I. Aliyu, M. C. Feliciano, S. Van Engelenburg, D. O. Kim, and
Autom. Auton. Veh. Security (AutoSec), 2022, pp. 1–8. C. G. Lim, “A blockchain-based federated forest for SDN-enabled
[31] M. Di Natale, H. Zeng, P. Giusto, and G. Arkadeb, Understanding and in-vehicle network intrusion detection system,” IEEE Access, vol. 9,
Using the Controller Area Network Communication Protocol: Theory pp. 102593–102608, 2021.
and Practice. New York, NY, USA: Springer, 2012. [58] D. H. Blevins, P. Moriano, R. A. Bridges, M. E. Verma, M. D. Iannacone,
[32] M. D. Pesé, T. Stacer, C. A. Campos, E. Newberry, D. Chen, and and S. C. Hollifield, “Time-based CAN intrusion detection bench-
K. G. Shin, “LibreCAN: Automated can message translator,” in Proc. mark,” in Proc. Workshop Autom. Auton. Veh. Security (AutoSec), 2021,
ACM SIGSAC Conf. Comput. Commun. Security, 2019, pp. 2283–2300. pp. 1–7.
[33] D. S. Berman, A. L. Buczak, J. S. Chavis, and C. L. Corbett, “A survey [59] S. Rajapaksha, H. Kalutarage, M. O. Al-Kadri, G. Madzudzo, and
of deep learning methods for cyber security,” Information, vol. 10, no. 4, A. V. Petrovski. “Keep the moving vehicle secure: Context-aware intru-
p. 122, 2019. sion detection system for in-vehicle CAN bus security,” in Proc. 14th
[34] S. Albawi, T. A. Mohammed, and S. Al-Zawi, “Understanding of a Int. Conf. Cyber Conflict Keep Moving! (CyCon), vol. 700, 2022,
convolutional neural network,” in Proc. Int. Conf. Eng. Technol. (ICET), pp. 309–330.
2017, pp. 1–6. [60] M. Al-Saud, A. M. Eltamaly, M. A. Mohamed, and A. Kavousi-Fard,
[35] L. Torrey and J. Shavlik, “Transfer learning,” in Handbook of Research “An intelligent data-driven model to secure intravehicle communications
on Machine Learning Applications and Trends: Algorithms, Methods, based on machine learning,” IEEE Trans. Ind. Electron., vol. 67, no. 6,
and Techniques, Hershey, PA, USA: IGI Global, 2010, pp. 242–264. pp. 5112–5119, Jun. 2020.
[36] “Seeed Arduino CAN.” 2021. [Online]. Available: [Link] [61] S. Sharmin and H. Mansor, “Intrusion detection on the in-vehicle
Seeed-Studio network using machine learning,” in Proc. 3rd Int. Cyber Resilience
[37] “SocketCAN.” Accessed: Dec. 10, 2021. [Online]. Available: https:// Conf. (CRC), 2021, pp. 1–6.
[Link]/en/master/interfaces/[Link]
[38] “CANalyzer.” 2021. [Online]. Available: [Link] [62] H. M. Song and H. K. Kim, “Self-supervised anomaly detection for
products/products-a-z/software/canalyzer/ in-vehicle network using noised pseudo normal data,” IEEE Trans. Veh.
[39] “VehicleSpy.” 2021. [Online]. Available: [Link] Technol., vol. 70, no. 2, pp. 1098–1108, Feb. 2021.
software/vehicle-spy/ [63] E. Seo, H. M. Song, and H. K. Kim, “GIDS: GAN based intrusion
[40] J. Benesty, J. Chen, Y. Huang, and I. Cohen, “Pearson correlation detection system for in-vehicle network,” in Proc. 16th Annu. Conf.
coefficient,” in Noise Reduction in Speech Processing. Heidelberg, Privacy, Security Trust (PST), 2018, pp. 1–6.
Germany: Springer, 2009, pp. 37–40. [Online]. Available: [Link] [64] Q. Zhao, M. Chen, Z. Gu, S. Luan, H. Zeng, and S. Chakrabory, “CAN
org/10.1007/978-3-642-00296-0_5 bus intrusion detection based on auxiliary classifier GAN and out-of-
[41] J. H. Ward Jr., “Hierarchical grouping to optimize an objective func- distribution detection,” ACM Trans. Embedded Comput. Syst., vol. 21,
tion,” J. Amer. Stat. Assoc., vol. 58, no. 301, pp. 236–244, 1963. no. 4, pp. 1–30, 2022.
[42] “Keras team.” Keras. 2015. [Online]. Available: [Link] [65] D. Shi, M. Xu, T. Wu, and L. Kou, “Intrusion detecting system based on
team/keras temporal convolutional network for in-vehicle CAN networks,” Mobile
[43] J. A. Hanley and B. J. McNeil. “The meaning and use of the area under Inf. Syst., vol. 2021, Sep. 2021, Art. no. 1440259.
a receiver operating characteristic (ROC) curve,” Radiology, vol. 43, [66] G. Baldini, “Intrusion detection systems in in-vehicle networks based on
no. 1, pp. 29–36, 1982. bag-of-words,” in Proc. 5th Cyber Security Netw. Conf. (CSNet), 2021,
[44] Z. Chen, C. K. Yeo, B. S. Lee, and C. T. Lau, “Autoencoder-based pp. 41–48.
network anomaly detection,” in Proc. Wireless Telecommun. Symposium
(WTS), 2018, pp. 1–5. [67] M.-J. Kang and J.-W. Kang, “Intrusion detection system using deep
[45] “SynCAN.” Accessed: Jun. 21, 2021. [Online]. Available: [Link] neural network for in-vehicle network security,” PLoS ONE, vol. 11,
com/etas/SynCAN no. 6, 2016, Art. no. e0155781.
[46] M. Weber, G. Wolf, E. Sax, and B. Zimmer, “Online detection of anoma- [68] F. Fenzl, R. Rieke, Y. Chevalier, A. Dominik, and I. Kotenko,
lies in vehicle signals using replicator neural networks,” in Proc. 6th “Continuous fields: Enhanced in-vehicle anomaly detection using
Escar USA, 2018, pp. 1–14. machine learning models,” Simulat. Model. Pract. Theory, vol. 105,
[47] A. Taylor, S. Leblanc, and N. Japkowicz, “Anomaly detection in auto- Dec. 2020, Art. no. 102143.
mobile control network data with long short-term memory networks,” in [69] F. Martinelli, F. Mercaldo, V. Nardone, and A. Santone, “Car hacking
Proc. IEEE Int. Conf. Data Sci. Adv. Anal. (DSAA), 2016, pp. 130–139. identification through fuzzy logic algorithms,” in Proc. IEEE Int. Conf.
[48] “Tensorflow lite.” 2022. [Online]. Available: [Link] Fuzzy Syst. (FUZZ-IEEE), 2017, pp. 1–7.
lite [70] Y. Wang, D. W. M. Chia, and Y. Ha, “Vulnerability of deep learning
[49] K.-T. Cho and K. G. Shin, “Viden: Attacker identification on in-vehicle model based anomaly detection in vehicle network,” in Proc. IEEE 63rd
networks,” in Proc. ACM SIGSAC Conf. Comput. Commun. Security, Int. Midwest Symp. Circuits Syst. (MWSCAS), 2020, pp. 293–296.
2017, pp. 1109–1123. [71] Z. Khan, M. Chowdhury, M. Islam, C.-Y. Huang, and M. Rahman,
[50] W. Choi, K. Joo, H. J. Jo, M. C. Park, and D. H. Lee, “VoltageIDS: Low- “In-vehicle false information attack detection and mitigation frame-
level communication characteristics for automotive intrusion detection work using machine learning and software defined networking,” 2019,
system,” IEEE Trans. Inf. Forensics Security, vol. 13, pp. 2114–2129, arXiv:1906.10203.
2018.
[51] M. Kneib and C. Huth, “Scission: Signal characteristic-based sender [72] V. Chockalingam, I. Larson, D. Lin, and S. Nofzinger, “Detecting attacks
identification and intrusion detection in automotive networks,” in Proc. on the CAN protocol with machine learning,” Annu. EECS, vol. 558,
ACM SIGSAC Conf. Comput. Commun. Security, 2018, pp. 787–800. no. 7, pp. 1–8, 2016.
[52] H. M. Song, J. Woo, and H. K. Kim, “In-vehicle network intrusion detec- [73] J. Zhang, F. Li, H. Zhang, R. Li, and Y. Li, “Intrusion detection system
tion using deep convolutional neural network,” Veh. Commun., vol. 21, using deep learning for in-vehicle security,” Ad Hoc Netw., vol. 95,
Jan. 2020, Art. no. 100198. Dec. 2019, Art. no. 101974.
[53] A. Desta, S. Ohira, I. Arai, and K. Fujikawa, “REC-CNN: In-vehicle [74] V. Tanksale, “Anomaly detection for controller area networks using
networks intrusion detection using convolutional neural networks trained long short-term memory,” IEEE Open J. Intell. Transp. Syst., vol. 1,
on recurrence plots,” Veh. Commun., vol. 35, Jun. 2022, Art. no. 100470. pp. 253–265, 2020.
SHAHRIAR et al.: CANShield: DEEP-LEARNING-BASED INTRUSION DETECTION FRAMEWORK 22127

[75] J. Ashraf, A. D. Bakhshi, N. Moustafa, H. Khurshid, A. Javed, Wenjing Lou (Fellow, IEEE) received the Ph.D.
and A. Beheshti, “Novel deep learning-enabled LSTM autoencoder degree in electrical and computer engineering from
architecture for discovering anomalous events from intelligent trans- the University of Florida, Gainesville, FL, USA, in
portation systems,” IEEE Trans. Intell. Transp. Syst., vol. 22, no. 7, 2003.
pp. 4507–4518, Jul. 2021. She is currently a W. C. English Endowed
[76] S. Longari, D. H. N. Valcarcel, M. Zago, M. Carminati, and S. Zanero, Professor of Computer Science with Virginia Tech,
“CANnolo: An anomaly detection system based on LSTM autoencoders Arlington, VA, USA. Her research interests cover
for controller area network,” IEEE Trans. Netw. Service Manag., vol. 18, many topics in the cybersecurity field, with her cur-
no. 2, pp. 1913–1924, Jun. 2021. rent research interest focusing on wireless network
[77] S. V. Thiruloga, V. K. Kukkala, and S. Pasricha, “TENET: Temporal security, trustworthy AI, blockchain, and security
CNN with attention for anomaly detection in automotive cyber-physical and privacy problems in the Internet of Things (IoT)
systems,” in Proc. 27th Asia–South Pacific Design Autom. Conf. (ASP- systems.
DAC), 2022, pp. 326–331. Prof. Lou is a highly cited researcher by the Web of Science Group. She
[78] E. Novikova, V. Le, M. Yutin, M. Weber, and C. Anderson, “Autoencoder received the Virginia Tech Alumni Award for Research Excellence in 2018.
anomaly detection on large CAN bus data,” in Proc. DLP-KDD, 2020, She received the INFOCOM Test-of-Time paper award in 2020. She was the
pp. 1–9. TPC chair for IEEE INFOCOM 2019 and ACM WiSec 2020. She was the
Steering Committee Chair for IEEE CNS conference from 2013 to 2020. She
is currently a steering committee member of IEEE INFOCOM and IEEE
T RANSACTIONS ON M OBILE C OMPUTING. She served as a program director
Md Hasan Shahriar (Student Member, IEEE)
at the US National Science Foundation (NSF) from 2014 to 2017.
received the [Link]. degree in electrical and elec-
tronic engineering from Bangladesh University of
Engineering and Technology, Dhaka, Bangladesh, in
2016, and the M.S. degree in computer engineer-
ing from Florida International University, Miami,
FL, USA, in 2020. He is currently pursuing the
Ph.D. degree in computer science with Virginia
Tech, Arlington, VA, USA, under the supervision
of Prof. W. Lou.
His research interests include automotive cyberse-
curity, cyber–physical systems, and machine learning.

Yang Xiao (Member, IEEE) received the B.S. degree

from the School of Electrical and Information
Engineering, Shanghai Jiao Tong University,
Shanghai, China, in 2014, the M.S. degree from
the Electrical Engineering and Computer Science
Department, University of Michigan, Ann Arbor,
MI, USA, in 2017, and the Ph.D. degree from the
Bradley Department of Electrical and Computer
Engineering, Virginia Tech, Arlington, VA, USA,
in 2022, supervised by Prof. W. Lou. Y. Thomas Hou (Fellow, IEEE) received the
He is an Assistant Professor with the Department Ph.D. degree from the NYU Tandon School of
of Computer Science, University of Kentucky, Lexington, KY, USA. His Engineering, Brooklyn, NY, USA, in 1998.
research interests lie in network security, blockchain and distributed system He is currently a Bradley Distinguished Professor
security, and wireless network security. of Electrical and Computer Engineering with
Virginia Tech, Blacksburg, VA, USA, which he
joined in 2002. He was a member of Research Staff
Pablo Moriano (Senior Member, IEEE) received with the Fujitsu Laboratories of America, Sunnyvale,
the B.S. and M.S. degrees in electrical engineer- CA, USA, from 1997 to 2002. He has published over
ing from Pontificia Universidad Javeriana, Bogotá, 350 papers in IEEE/ACM journals and conferences.
Colombian, 2008 and 2011, respectively, and the He holds six U.S. patents. He authored/coauthored
M.S. and Ph.D. degrees in informatics from Indiana two graduate textbooks: Applied Optimization Methods for Wireless Networks
University Bloomington, Bloomington, IN, USA, in (Cambridge University Press, 2014) and Cognitive Radio Communications and
2017 and 2019, respectively. Networks: Principles and Practices (Academic Press/Elsevier, 2009). His cur-
He is a Research Scientist with the Computer rent research focuses on developing innovative real-time solutions to complex
Science and Mathematics Division, Oak Ridge science and engineering problems arising from wireless and mobile networks.
National Laboratory, Oak Ridge, TN, USA. His He is also interested in wireless security.
research lies at the intersection of data science, Prof. Hou was/is on the editorial boards of a number of IEEE and
network science, and cybersecurity. In particular, he uses data-driven and ACM transactions and journals. His papers were recognized by ten best
computational methods to discover and understand critical security issues paper awards from IEEE and ACM, including an IEEE INFOCOM Test of
in large-scale networked systems. Applications of his research range across Time Paper Award in 2023. He was a Steering Committee Chair of IEEE
multiple disciplines, including, the detection of exceptional events in social INFOCOM conference and a member of the IEEE Communications Society
media, Internet route hijacking, and insider threat behavior in version control Board of Governors. He was also a Distinguished Lecturer of the IEEE
systems. Communications Society. He was named an IEEE Fellow for contributions to
Dr. Moriano is a member of ACM and SIAM. modeling and optimization of wireless networks.