CAN-BiGRUBERT: unveiling automotive vehicle intruders by profiling and characterizing anomalies in controller area network

Sharmin, Shaila and Lashkari, Arash Habibi and Mansor, Hafizah and Abdul Kadir, Andi Fitriah (2026) CAN-BiGRUBERT: unveiling automotive vehicle intruders by profiling and characterizing anomalies in controller area network. Computer Networks, 276 (111963). pp. 1-23. ISSN 1389-1286

PDF - Published Version
Restricted to Registered users only
Download (3MB)

Official URL: https://doi.org/10.1016/j.comnet.2025.111963

Abstract

In-vehicle Controller Area Networks (CAN) are vulnerable to various injection attacks that can compromise the safety of vehicle occupants and result in financial losses. While a substantial body of work on CAN intrusion detection exists, it lacks multiclass attack classification models. Current multiclass models do not encompass all attack types or account for the vehicle’s state, i.e., whether the car is stationary or in motion. This work addresses these limitations by proposing CAN-BiGRUBERT, a multiclass CAN intrusion detection model that jointly predicts the vehicle state and attack class from CAN traffic windows. CAN-BiGRUBERT employs Bidirectional Encoder Representations from Transformers (BERT) to capture spatial dependencies within individual CAN frames, and a Bidirectional Gated Recurrent Unit (BiGRU) network to capture temporal dependencies across multiple frames in a window. For training and evaluating CAN BiGRUBERT, we comprehensively reviewed current CAN intrusion datasets to select the HCRL Attack & Defense dataset, which contains all injection attacks executed in both vehicle states. We implemented CAN-BiGRUBERT and compared its performance with other variants and state-of-the-art CAN attack classification models, based on individual CAN frames, arbitration identifier (AID) sequences, and windows of complete frames. Compared to the baseline models, the proposed model achieved higher accuracy and F1-score, indicating its superior ability to predict the vehicle state and attack class simultaneously. Specifically excelling in detecting replay attacks and discriminating between driving and stationary states, CAN-BiGRUBERT represents a promising enhanced, informative intrusion detection method for in-vehicle CAN.

Item Type:	Article (Journal)
Uncontrolled Keywords:	Controller Area Network, Intrusion Detection, Attack Classification
Subjects:	T Technology > T Technology (General)
Kulliyyahs/Centres/Divisions/Institutes (Can select more than one option. Press CONTROL button):	Kulliyyah of Information and Communication Technology > Department of Computer Science Kulliyyah of Information and Communication Technology > Department of Computer Science
Depositing User:	Hafizah Mansor
Date Deposited:	12 Jan 2026 11:15
Last Modified:	12 Jan 2026 11:15
Queue Number:	2026-01-Q1576
URI:	http://irep.iium.edu.my/id/eprint/126756

Actions (login required)

View Item

Download Statistics

Downloads

Downloads per month over past year