CANet: Neural Intrusion Detection for CAN Traffic
- The paper introduces CANet, an unsupervised deep learning IDS that uses per-ID LSTM subnetworks to accurately reconstruct and monitor normal CAN signal behavior.
- CANet is trained solely on normal driving data using reconstruction error to detect both known and unseen anomalies in real time.
- The approach outperforms traditional baselines by effectively modeling heterogeneous, asynchronous CAN messages and cross-signal dependencies.
CANet is an unsupervised neural-network intrusion detection system for in-vehicle Controller Area Network (CAN) traffic, introduced to address the heterogeneous, asynchronous, and high-dimensional structure of decoded CAN signal streams. It is designed for the setting in which an attacker has already gained access to the CAN bus and may inject, suppress, replay, or manipulate messages. Rather than relying on labeled attack examples, CANet is trained only on normal driving data and detects anomalies through reconstruction error, with the stated goal of identifying both known and previously unseen intrusions while evaluating each message at the moment it is received (Hanselmann et al., 2019).
1. Scope, threat model, and problem formulation
The system is defined in the signal space rather than on raw payload bits. It assumes that CAN payload bytes have already been decoded into signal values using a CAN matrix. This assumption is operationally important: CANet does not itself solve signal decoding, but operates on semantically meaningful variables once decoding is available (Hanselmann et al., 2019).
The underlying difficulty is structural. A vehicle CAN bus carries a stream of messages emitted by many ECUs, where each CAN ID has its own payload format, number of associated signals, and transmission frequency. Consecutive messages therefore usually belong to different IDs, have different dimensionalities, and arrive asynchronously. In this setting, a monolithic recurrent model over the full stream is poorly aligned with the data-generating process.
Let denote the set of considered CAN IDs. If ID has associated signals, then the total number of signals is
When ID appears at time step , its decoded payload is represented as
The detection objective is one-class anomaly detection: learn normal multi-ID traffic structure from normal driving alone, then flag signal values that deviate from expected behavior or violate functional or physical relationships with other signals.
The attack model considered by the paper includes plateau attack, continuous change attack, playback or replay attack, suppress attack, and flooding attack. Plateau, continuous change, and especially playback are emphasized as difficult cases for rule-based methods or single-signal models, because they may preserve marginal signal plausibility while violating cross-signal dependencies.
2. Per-ID recurrent modeling and the joint latent vector
The central architectural decision is to avoid forcing all IDs into a single recurrent sequence. CANet instead allocates a separate LSTM subnetwork to each CAN ID. For ID , the corresponding LSTM has input size and hidden size , where 0 controls capacity (Hanselmann et al., 2019).
Whenever a new message with ID 1 arrives, only the LSTM for 2 is updated using 3. Its hidden representation replaces the segment of a global joint latent vector assigned to that ID. The joint latent vector is the concatenation of the current hidden representations of all per-ID LSTMs, and therefore has total dimension
4
This vector represents the current state of the whole CAN traffic even though only one message is observed at a given instant.
A key design point is that the joint latent vector does not explicitly encode which ID was processed last. Temporal structure is stored inside the individual per-ID LSTMs. This makes the model much less sensitive to small variations in interleaving or ordering of different IDs, which occur naturally on real CAN buses.
The joint latent vector is passed to a feedforward decoder with fully connected ELU layers of sizes 5, 6, and 7. The output is interpreted as reconstructions of the signal values for all possible IDs. When the current message belongs to ID 8, the model produces
9
At reception time, only the reconstruction corresponding to the actually observed ID, 0, is compared against the received signal vector 1. This is what allows immediate online evaluation of each incoming message.
This architecture differs from earlier neural CAN intrusion detectors that model only one signal or one ID at a time. CANet maintains separate temporal memories for each ID while combining them into a joint state of the full bus, thereby modeling heterogeneous IDs with different payload dimensions and asynchronous frequencies without requiring a synchronized multivariate time series.
3. One-class training, optimization, and anomaly scoring
Training is unsupervised in the one-class sense. The network is trained only on normal driving traffic, with quadratic reconstruction loss on the currently received message:
2
The intended effect is straightforward: normal messages should reconstruct well, whereas anomalous messages should yield larger errors (Hanselmann et al., 2019).
The implementation uses PyTorch, Adam, and an initial learning rate of 3. Signals are scaled individually to 4. Training runs for 1000 epochs with batch size 25. Each batch element is a sequence of 5000 consecutive CAN messages sampled from a random start position in the training set. At the start of each epoch, all LSTM hidden and cell states are zero-initialized, and truncated backpropagation through time is applied every 250 time steps.
To avoid frequent IDs dominating the objective, the loss is multiplied by an ID-specific fixed scalar that decreases linearly with that ID’s frequency in the training set. This reweights rare IDs upward relative to common ones. During backpropagation for a message of ID 5, only the weights of the corresponding LSTM and the decoder weights relevant to 6 require gradients, which the authors present as both computationally efficient and structurally consistent with the per-ID design.
Detection is also one-class. For each signal, CANet computes the 7 percentile of reconstruction errors on a held-out normal validation set and uses it as a signal-specific threshold. If signal 8 has squared reconstruction error 9 at time 0, then its anomaly indicator is
1
where 2 is that signal’s threshold. When a message of some ID is processed, the indicators of that ID’s signals are updated. The global anomaly score is then
3
Thus the detector raises an alarm if any stored signal indicator is active.
This aggregation rule is intentionally simple, but the paper notes a limitation: as the number of signals grows, the “OR over signals” mechanism can suffer from a multiple-testing effect and may reduce true negatives. The authors also caution that practical in-vehicle deployment may require essentially 4 true negative rate, because false alarms are costly.
4. Datasets, attack scenarios, and evaluation protocol
The empirical study uses both real and synthetic CAN traffic (Hanselmann et al., 2019). The real dataset was collected on a test vehicle and contains 13 IDs with 20 total signals chosen so that each signal has at least one functional dependency with another. About 13 hours were recorded, with 12.5 hours used for training and 0.5 hours for testing; only normal driving mode was used, excluding engine start and stop. The synthetic benchmark, released as SynCAN, contains 10 IDs and 20 total signals with varying noisy message frequencies, counters, physical values, and dependencies among signals. It includes about 16.5 hours for training and 7.5 hours for testing.
In both datasets, test data were split into six equal-duration subsets: one normal subset and five attack subsets. The attack scenarios are plateau, continuous change, playback or replay, suppress, and flooding. Typical attack intervals last 2–4 seconds; each synthetic attack test set contains about 100 attack intervals, and each real attack test set about 10.
The baselines are adaptations of previous neural CAN IDS methods to signal-space inputs. One is predictive, based on per-ID next-payload prediction with an LSTM. The other is autoencoder-based, using per-signal sliding-window reconstruction. For fairness, thresholding for the baselines uses the same signal-wise 5 percentile rule.
Evaluation is reported using pointwise accuracy on normal data and pointwise true positive rate (TPR) and true negative rate (TNR) on attack data. The paper also reports an interval-based metric in which an attack interval counts as detected if at least 6 of its points are flagged. This second view is important because operational usefulness depends not only on pointwise labels but on whether entire malicious episodes are caught.
5. Empirical performance and comparative results
CANet substantially outperforms both baselines on both datasets. On synthetic data, the best-performing setting is roughly 7 or 20. For 8, normal accuracy is 9, and attack-wise TPR/TNR values are as follows (Hanselmann et al., 2019).
| Attack | Synthetic TPR/TNR | Real TPR/TNR |
|---|---|---|
| Plateau | 0.955 / 0.975 | 0.913 / 0.988 |
| Continuous change | 0.765 / 0.994 | 0.701 / 0.985 |
| Playback | 0.905 / 0.996 | 0.878 / 0.977 |
| Suppress | 0.613 / 0.996 | 0.176 / 0.989 |
| Flooding | 0.901 / 0.996 | 0.802 / 0.996 |
On the real dataset, for the same 0 setting, normal accuracy is 1. Across settings, CANet typically achieves true negative rates around or above 2 on normal or mostly normal traffic.
The margin over the baselines is especially pronounced for subtle manipulations. On synthetic data, the predictive baseline reaches only 3 plateau TPR, 4 continuous-change TPR, and 5 playback TPR, while the autoencoder baseline reaches 6, 7, and 8 on the same attacks. On real data, the predictive baseline reaches only 9 plateau TPR and 0 playback TPR; the autoencoder baseline reaches 1 and 2. Interval-based plots further show that CANet detects far more attack intervals than the baselines even when only a modest fraction of an interval must be flagged.
The strongest qualitative interpretation offered by the paper is architectural alignment with CAN bus structure. Earlier methods exploit mainly within-signal or within-ID temporal regularity. CANet, by contrast, learns cross-ID functional and physical dependencies while preserving separate temporal memories for asynchronous message streams. This is presented as the main reason it performs substantially better on playback and subtle signal manipulations.
6. Significance, limitations, and deployment considerations
CANet is presented as, to the authors’ knowledge, the first deep-learning IDS that handles messages from multiple IDs simultaneously in signal space while evaluating each message at reception time (Hanselmann et al., 2019). In practical terms, that means it supports online anomaly detection without forcing asynchronous CAN traffic onto a single global clocked recurrent model.
Its strengths are clear. It is one-class rather than attack-specific, so it can detect previously unseen manipulations from normal traffic alone. It handles heterogeneous IDs with different dimensionalities and frequencies. It models cross-signal dependencies, which is precisely what makes replay, plateau, and continuous-change attacks difficult for simpler methods. The paper also notes that relatively small models, such as 3, already perform well, which suggests possible embedded deployment.
Its limitations are equally central to its interpretation. The method assumes decoded signals obtained via a CAN matrix, which may not always be available. It depends on representative normal driving data and excludes nonstationary operating modes such as startup and shutdown unless those modes are modeled separately. It does not use timestamps directly, which likely explains its weakness on suppress attacks and means its flooding performance is not due to explicit timing modeling. The anomaly aggregation rule may not scale gracefully to larger signal sets. The output is not highly interpretable, which may complicate automated response. The paper also notes that neural models are more computationally expensive than simple rule-based IDSs and may be vulnerable to adversarial manipulation.
A plausible implication is that CANet is most compelling where signal decoding is available, cross-signal dependencies are rich, and the operational requirement is online detection of semantically subtle manipulations rather than only protocol-level anomalies. Within that scope, it established a distinctive formulation of CAN intrusion detection: per-ID temporal modeling combined with global latent-state reconstruction, trained entirely from normal vehicle traffic.