AntibotV: A Multilevel Behaviour-based Framework for Botnets Detection in Vehicular Networks
Rabah Rahal, Abdelaziz Amara Korba, Nacira Ghoualmi-Zine, Yacine Challal, Mohamed Yacine Ghamri-Doudane
TL;DR
AntibotV addresses vehicular botnet threats by introducing a multilevel behavior-based detection framework that jointly analyzes network traffic and in-vehicle CAN activity. It employs two decision-tree–based classifiers trained on engineered features to detect DDoS, information theft, and in-vehicle attacks, including two zero-day WSMP flood variants. The system is protocol-agnostic and modular (traffic collection, analyzer, manager) with cloud-assisted retraining and automated labeling via ensemble methods. Experimental results on synthetic VANET and in-vehicle datasets show detection rates above 97% and false positive rates below 0.14%, outperforming prior vehicular botnet detectors. The work demonstrates a scalable, practical approach for real-time botnet defense in connected cars, with implications for safer and more secure autonomous fleets.
Abstract
Connected cars offer safety and efficiency for both individuals and fleets of private vehicles and public transportation companies. However, equipping vehicles with information and communication technologies raises privacy and security concerns, which significantly threaten the user's data and life. Using bot malware, a hacker may compromise a vehicle and control it remotely, for instance by disabling the brakes or starting the engine. In this paper, besides the in-vehicle attacks existing in the literature, we consider new zero-day bot malware attacks specific to the vehicular context, WSMP-Flood and Geo-WSMP Flood. We then propose AntibotV, a multilevel behaviour-based framework for botnet detection in vehicular networks. The proposed framework combines two main modules for attack detection: the first monitors the vehicle's activity at the network level, whereas the second monitors the in-vehicle activity. The two intrusion detection modules have been trained on historical network and in-vehicle communication data using decision tree algorithms. The experimental results show that the proposed framework outperforms existing solutions, achieving a detection rate higher than 97% and a false positive rate lower than 0.14%.
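The abstract describes the two-level design at a high level: one analyzer trained on network-level traffic, one trained on in-vehicle CAN activity, both decision trees, with a manager that fuses their verdicts. The following is an added example written for this page, not code from the AntibotV paper or its authors: it trains a minimal CART tree (Gini impurity) per level on constructed "historical" windows, extracts two constructed features per window (events per second and distinct peers or payloads), and flags windows that look like a WSMP flood or a CAN injection. The feature definitions, the `window_features`, `fit`, `predict` and `assess` names, and every sample record are assumptions made here, not the paper's.

```python
# Added illustration of a two-level (network + in-vehicle) behaviour-based
# detector built on decision trees. Written for this page; not the paper's
# code. Feature definitions, thresholds and sample records are constructed.
from collections import Counter, defaultdict

# ---------- feature engineering (constructed definitions) ----------
def window_features(events, window=1.0):
    """Group (t, key, value) events into fixed windows per key and return
    {(key, window_idx): (events_per_window, distinct_values)}.
    Network level: key = source vehicle, value = destination node.
    In-vehicle level: key = CAN identifier, value = payload bytes."""
    buckets = defaultdict(list)
    for t, key, value in events:
        buckets[(key, int(t // window))].append(value)
    return {k: (len(v), len(set(v))) for k, v in buckets.items()}

# ---------- minimal CART decision tree (Gini impurity) ----------
def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values()) if n else 0.0

def majority(rows):
    return Counter(y for _, y in rows).most_common(1)[0][0]

def best_split(rows):
    """Lowest weighted Gini over midpoints between neighbouring feature values."""
    best = None  # (impurity, feature_index, threshold)
    for f in range(len(rows[0][0])):
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [y for x, y in rows if x[f] <= thr]
            right = [y for x, y in rows if x[f] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, thr)
    return best

def fit(rows, depth=0, max_depth=3):
    """rows: list of (feature_tuple, label). Returns a nested-tuple tree."""
    if depth == max_depth or len({y for _, y in rows}) == 1:
        return ("leaf", majority(rows))
    split = best_split(rows)
    if split is None:  # all feature values identical, nothing to split on
        return ("leaf", majority(rows))
    _, f, thr = split
    left = [r for r in rows if r[0][f] <= thr]
    right = [r for r in rows if r[0][f] > thr]
    return ("node", f, thr, fit(left, depth + 1, max_depth), fit(right, depth + 1, max_depth))

def predict(tree, x):
    while tree[0] == "node":
        _, f, thr, left, right = tree
        tree = left if x[f] <= thr else right
    return tree[1]

# ---------- constructed "historical" training windows ----------
# (messages_per_second, distinct_peers) per vehicle; label 1 = WSMP flood
NET_TRAIN = [((8, 3), 0), ((12, 4), 0), ((15, 5), 0), ((9, 2), 0), ((20, 6), 0),
             ((300, 1), 1), ((450, 2), 1), ((500, 1), 1), ((380, 3), 1), ((260, 1), 1)]
# (frames_per_second, distinct_payloads) per CAN ID; label 1 = injection/flood
CAN_TRAIN = [((10, 8), 0), ((20, 15), 0), ((50, 30), 0), ((100, 60), 0), ((5, 3), 0),
             ((1000, 1), 1), ((800, 2), 1), ((1500, 1), 1), ((900, 5), 1), ((700, 1), 1)]

NET_TREE = fit(NET_TRAIN)   # network-level analyzer
CAN_TREE = fit(CAN_TRAIN)   # in-vehicle analyzer

# ---------- manager: fuse the two analyzers' verdicts ----------
def assess(net_events, can_events):
    """Return {'network': [...], 'in_vehicle': [...]} of flagged (key, window)."""
    net_hits = sorted(k for k, feat in window_features(net_events).items()
                      if predict(NET_TREE, feat) == 1)
    can_hits = sorted(k for k, feat in window_features(can_events).items()
                      if predict(CAN_TREE, feat) == 1)
    return {"network": net_hits, "in_vehicle": can_hits}

# Constructed traffic: V1 sends 10 WSMP msgs/s to three neighbours for 2 s;
# V2 sends 400 msgs/s to one RSU during second 0.
SAMPLE_NET = [(i / 10, "V1", f"V{2 + i % 3}") for i in range(20)]
SAMPLE_NET += [(i / 400, "V2", "RSU") for i in range(400)]
# Constructed CAN log: ID 0x1A0 at 50 frames/s with varying payload for 2 s;
# ID 0x0C0 appears at 1000 frames/s with a fixed payload during second 1.
SAMPLE_CAN = [(i / 50, 0x1A0, bytes([i % 40, 0])) for i in range(100)]
SAMPLE_CAN += [(1 + i / 1000, 0x0C0, b"\x00\x00") for i in range(1000)]

if __name__ == "__main__":
    print(assess(SAMPLE_NET, SAMPLE_CAN))
```

Each level runs its own tree on its own feature space, so a flood visible only on the wireless side and an injection visible only on the CAN bus are reported separately by the manager; in the paper's architecture, the same manager is the component that would ship newly labelled windows to the cloud for retraining.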
