Papers
Topics
Authors
Recent
Search
2000 character limit reached

CANet: Neural Intrusion Detection for CAN Traffic

Updated 6 July 2026
  • The paper introduces CANet, an unsupervised deep learning IDS that uses per-ID LSTM subnetworks to accurately reconstruct and monitor normal CAN signal behavior.
  • CANet is trained solely on normal driving data using reconstruction error to detect both known and unseen anomalies in real time.
  • The approach outperforms traditional baselines by effectively modeling heterogeneous, asynchronous CAN messages and cross-signal dependencies.

CANet is an unsupervised neural-network intrusion detection system for in-vehicle Controller Area Network (CAN) traffic, introduced to address the heterogeneous, asynchronous, and high-dimensional structure of decoded CAN signal streams. It is designed for the setting in which an attacker has already gained access to the CAN bus and may inject, suppress, replay, or manipulate messages. Rather than relying on labeled attack examples, CANet is trained only on normal driving data and detects anomalies through reconstruction error, with the stated goal of identifying both known and previously unseen intrusions while evaluating each message at the moment it is received (Hanselmann et al., 2019).

1. Scope, threat model, and problem formulation

The system is defined in the signal space rather than on raw payload bits. It assumes that CAN payload bytes have already been decoded into signal values using a CAN matrix. This assumption is operationally important: CANet does not itself solve signal decoding, but operates on semantically meaningful variables once decoding is available (Hanselmann et al., 2019).

The underlying difficulty is structural. A vehicle CAN bus carries a stream of messages emitted by many ECUs, where each CAN ID has its own payload format, number of associated signals, and transmission frequency. Consecutive messages therefore usually belong to different IDs, have different dimensionalities, and arrive asynchronously. In this setting, a monolithic recurrent model over the full stream is poorly aligned with the data-generating process.

Let A={A1,,AK}\mathbf{A}=\{A_1,\dots,A_K\} denote the set of considered CAN IDs. If ID AA has nAn_A associated signals, then the total number of signals is

N=AnA.N=\sum_A n_A.

When ID AA appears at time step tt, its decoded payload is represented as

st,ARnA.s_{t,A}\in\mathbb{R}^{n_A}.

The detection objective is one-class anomaly detection: learn normal multi-ID traffic structure from normal driving alone, then flag signal values that deviate from expected behavior or violate functional or physical relationships with other signals.

The attack model considered by the paper includes plateau attack, continuous change attack, playback or replay attack, suppress attack, and flooding attack. Plateau, continuous change, and especially playback are emphasized as difficult cases for rule-based methods or single-signal models, because they may preserve marginal signal plausibility while violating cross-signal dependencies.

2. Per-ID recurrent modeling and the joint latent vector

The central architectural decision is to avoid forcing all IDs into a single recurrent sequence. CANet instead allocates a separate LSTM subnetwork to each CAN ID. For ID AiA_i, the corresponding LSTM has input size nAin_{A_i} and hidden size nAihscalen_{A_i}\cdot h_{\text{scale}}, where AA0 controls capacity (Hanselmann et al., 2019).

Whenever a new message with ID AA1 arrives, only the LSTM for AA2 is updated using AA3. Its hidden representation replaces the segment of a global joint latent vector assigned to that ID. The joint latent vector is the concatenation of the current hidden representations of all per-ID LSTMs, and therefore has total dimension

AA4

This vector represents the current state of the whole CAN traffic even though only one message is observed at a given instant.

A key design point is that the joint latent vector does not explicitly encode which ID was processed last. Temporal structure is stored inside the individual per-ID LSTMs. This makes the model much less sensitive to small variations in interleaving or ordering of different IDs, which occur naturally on real CAN buses.

The joint latent vector is passed to a feedforward decoder with fully connected ELU layers of sizes AA5, AA6, and AA7. The output is interpreted as reconstructions of the signal values for all possible IDs. When the current message belongs to ID AA8, the model produces

AA9

At reception time, only the reconstruction corresponding to the actually observed ID, nAn_A0, is compared against the received signal vector nAn_A1. This is what allows immediate online evaluation of each incoming message.

This architecture differs from earlier neural CAN intrusion detectors that model only one signal or one ID at a time. CANet maintains separate temporal memories for each ID while combining them into a joint state of the full bus, thereby modeling heterogeneous IDs with different payload dimensions and asynchronous frequencies without requiring a synchronized multivariate time series.

3. One-class training, optimization, and anomaly scoring

Training is unsupervised in the one-class sense. The network is trained only on normal driving traffic, with quadratic reconstruction loss on the currently received message:

nAn_A2

The intended effect is straightforward: normal messages should reconstruct well, whereas anomalous messages should yield larger errors (Hanselmann et al., 2019).

The implementation uses PyTorch, Adam, and an initial learning rate of nAn_A3. Signals are scaled individually to nAn_A4. Training runs for 1000 epochs with batch size 25. Each batch element is a sequence of 5000 consecutive CAN messages sampled from a random start position in the training set. At the start of each epoch, all LSTM hidden and cell states are zero-initialized, and truncated backpropagation through time is applied every 250 time steps.

To avoid frequent IDs dominating the objective, the loss is multiplied by an ID-specific fixed scalar that decreases linearly with that ID’s frequency in the training set. This reweights rare IDs upward relative to common ones. During backpropagation for a message of ID nAn_A5, only the weights of the corresponding LSTM and the decoder weights relevant to nAn_A6 require gradients, which the authors present as both computationally efficient and structurally consistent with the per-ID design.

Detection is also one-class. For each signal, CANet computes the nAn_A7 percentile of reconstruction errors on a held-out normal validation set and uses it as a signal-specific threshold. If signal nAn_A8 has squared reconstruction error nAn_A9 at time N=AnA.N=\sum_A n_A.0, then its anomaly indicator is

N=AnA.N=\sum_A n_A.1

where N=AnA.N=\sum_A n_A.2 is that signal’s threshold. When a message of some ID is processed, the indicators of that ID’s signals are updated. The global anomaly score is then

N=AnA.N=\sum_A n_A.3

Thus the detector raises an alarm if any stored signal indicator is active.

This aggregation rule is intentionally simple, but the paper notes a limitation: as the number of signals grows, the “OR over signals” mechanism can suffer from a multiple-testing effect and may reduce true negatives. The authors also caution that practical in-vehicle deployment may require essentially N=AnA.N=\sum_A n_A.4 true negative rate, because false alarms are costly.

4. Datasets, attack scenarios, and evaluation protocol

The empirical study uses both real and synthetic CAN traffic (Hanselmann et al., 2019). The real dataset was collected on a test vehicle and contains 13 IDs with 20 total signals chosen so that each signal has at least one functional dependency with another. About 13 hours were recorded, with 12.5 hours used for training and 0.5 hours for testing; only normal driving mode was used, excluding engine start and stop. The synthetic benchmark, released as SynCAN, contains 10 IDs and 20 total signals with varying noisy message frequencies, counters, physical values, and dependencies among signals. It includes about 16.5 hours for training and 7.5 hours for testing.

In both datasets, test data were split into six equal-duration subsets: one normal subset and five attack subsets. The attack scenarios are plateau, continuous change, playback or replay, suppress, and flooding. Typical attack intervals last 2–4 seconds; each synthetic attack test set contains about 100 attack intervals, and each real attack test set about 10.

The baselines are adaptations of previous neural CAN IDS methods to signal-space inputs. One is predictive, based on per-ID next-payload prediction with an LSTM. The other is autoencoder-based, using per-signal sliding-window reconstruction. For fairness, thresholding for the baselines uses the same signal-wise N=AnA.N=\sum_A n_A.5 percentile rule.

Evaluation is reported using pointwise accuracy on normal data and pointwise true positive rate (TPR) and true negative rate (TNR) on attack data. The paper also reports an interval-based metric in which an attack interval counts as detected if at least N=AnA.N=\sum_A n_A.6 of its points are flagged. This second view is important because operational usefulness depends not only on pointwise labels but on whether entire malicious episodes are caught.

5. Empirical performance and comparative results

CANet substantially outperforms both baselines on both datasets. On synthetic data, the best-performing setting is roughly N=AnA.N=\sum_A n_A.7 or 20. For N=AnA.N=\sum_A n_A.8, normal accuracy is N=AnA.N=\sum_A n_A.9, and attack-wise TPR/TNR values are as follows (Hanselmann et al., 2019).

Attack Synthetic TPR/TNR Real TPR/TNR
Plateau 0.955 / 0.975 0.913 / 0.988
Continuous change 0.765 / 0.994 0.701 / 0.985
Playback 0.905 / 0.996 0.878 / 0.977
Suppress 0.613 / 0.996 0.176 / 0.989
Flooding 0.901 / 0.996 0.802 / 0.996

On the real dataset, for the same AA0 setting, normal accuracy is AA1. Across settings, CANet typically achieves true negative rates around or above AA2 on normal or mostly normal traffic.

The margin over the baselines is especially pronounced for subtle manipulations. On synthetic data, the predictive baseline reaches only AA3 plateau TPR, AA4 continuous-change TPR, and AA5 playback TPR, while the autoencoder baseline reaches AA6, AA7, and AA8 on the same attacks. On real data, the predictive baseline reaches only AA9 plateau TPR and tt0 playback TPR; the autoencoder baseline reaches tt1 and tt2. Interval-based plots further show that CANet detects far more attack intervals than the baselines even when only a modest fraction of an interval must be flagged.

The strongest qualitative interpretation offered by the paper is architectural alignment with CAN bus structure. Earlier methods exploit mainly within-signal or within-ID temporal regularity. CANet, by contrast, learns cross-ID functional and physical dependencies while preserving separate temporal memories for asynchronous message streams. This is presented as the main reason it performs substantially better on playback and subtle signal manipulations.

6. Significance, limitations, and deployment considerations

CANet is presented as, to the authors’ knowledge, the first deep-learning IDS that handles messages from multiple IDs simultaneously in signal space while evaluating each message at reception time (Hanselmann et al., 2019). In practical terms, that means it supports online anomaly detection without forcing asynchronous CAN traffic onto a single global clocked recurrent model.

Its strengths are clear. It is one-class rather than attack-specific, so it can detect previously unseen manipulations from normal traffic alone. It handles heterogeneous IDs with different dimensionalities and frequencies. It models cross-signal dependencies, which is precisely what makes replay, plateau, and continuous-change attacks difficult for simpler methods. The paper also notes that relatively small models, such as tt3, already perform well, which suggests possible embedded deployment.

Its limitations are equally central to its interpretation. The method assumes decoded signals obtained via a CAN matrix, which may not always be available. It depends on representative normal driving data and excludes nonstationary operating modes such as startup and shutdown unless those modes are modeled separately. It does not use timestamps directly, which likely explains its weakness on suppress attacks and means its flooding performance is not due to explicit timing modeling. The anomaly aggregation rule may not scale gracefully to larger signal sets. The output is not highly interpretable, which may complicate automated response. The paper also notes that neural models are more computationally expensive than simple rule-based IDSs and may be vulnerable to adversarial manipulation.

A plausible implication is that CANet is most compelling where signal decoding is available, cross-signal dependencies are rich, and the operational requirement is online detection of semantically subtle manipulations rather than only protocol-level anomalies. Within that scope, it established a distinctive formulation of CAN intrusion detection: per-ID temporal modeling combined with global latent-state reconstruction, trained entirely from normal vehicle traffic.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to CANet.