Detecting Masquerade Attacks in Controller Area Networks Using Graph Machine Learning

William Marfo, Pablo Moriano, Deepak K. Tosh, Shirley V. Moore

TL;DR

The paper tackles masquerade attacks on CAN by proposing a graph-ML framework that combines Message Sequence Graphs with time-series–based node annotations. By enriching MSG nodes with mean and variance of decoded signals and applying node2vec embeddings, the authors fuse structural and temporal information to detect stealthy intrusions. Evaluations on the ROAD dataset show that the hybrid approach consistently outperforms graph-only baselines, achieving near-perfect AUC-ROC across five masquerade scenarios and significant statistical validation. The work offers a practical pathway toward real-time CAN intrusion detection, while acknowledging limitations and outlining future avenues for online deployment and hardware optimization.

Abstract

Modern vehicles rely on a myriad of electronic control units (ECUs) interconnected via controller area networks (CANs) for critical operations. Despite their ubiquitous use and reliability, CANs are susceptible to sophisticated cyberattacks, particularly masquerade attacks, which inject false data that mimic legitimate messages at the expected frequency. These attacks pose severe risks such as unintended acceleration, brake deactivation, and rogue steering. Traditional intrusion detection systems (IDS) often struggle to detect these subtle intrusions due to their seamless integration into normal traffic. This paper introduces a novel framework for detecting masquerade attacks in the CAN bus using graph machine learning (ML). We hypothesize that the integration of shallow graph embeddings with time series features derived from CAN frames enhances the detection of masquerade attacks. We show that by representing CAN bus frames as message sequence graphs (MSGs) and enriching each node with contextual statistical attributes from time series, we can enhance detection capabilities across various attack patterns compared to using graph-based features only. Our method ensures a comprehensive and dynamic analysis of CAN frame interactions, improving robustness and efficiency. Extensive experiments on the ROAD dataset validate the effectiveness of our approach, demonstrating statistically significant improvements in the detection rates of masquerade attacks compared to a baseline that uses graph-based features only, as confirmed by Mann-Whitney U and Kolmogorov-Smirnov tests (p < 0.05).
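An added illustration, not code from the paper, of the representation the abstract describes: one message sequence graph per sliding window, with each CAN ID node annotated by the mean and standard deviation of its decoded signals. It shows two windows whose graph structure is identical while the node attributes of ID 1760 differ. Assumptions: an edge links consecutive frames and its weight is the transition count, IDs 0x0D0 and 0x1A4 and all signal values are constructed, and the node2vec embedding step is omitted.

```python
from collections import Counter, defaultdict
from statistics import fmean, pstdev

def sliding_windows(frames, size, step):
    """Yield fixed-size sliding windows over a frame list."""
    for start in range(0, len(frames) - size + 1, step):
        yield frames[start:start + size]

def build_msg(window):
    """Build one annotated message sequence graph.

    edges: {(src_id, dst_id): weight}; weight counts how often dst_id
           directly follows src_id (assumed edge definition).
    nodes: {can_id: [(mean, std), ...]}, one pair per decoded signal.
    """
    ids = [can_id for _, can_id, _ in window]
    edges = Counter(zip(ids, ids[1:]))
    samples = defaultdict(list)
    for _, can_id, signals in window:
        samples[can_id].append(signals)
    nodes = {cid: [(fmean(col), pstdev(col)) for col in zip(*rows)]
             for cid, rows in samples.items()}
    return edges, nodes

def mean_shift(ref_nodes, nodes):
    """Largest absolute change in any signal mean, per shared CAN ID."""
    return {cid: max(abs(m - rm) for (m, _), (rm, _)
                     in zip(nodes[cid], ref_nodes[cid]))
            for cid in nodes if cid in ref_nodes}

def make_trace(wheel_speed):
    """Constructed trace of (timestamp_ms, can_id, decoded_signals)."""
    trace = []
    for i in range(12):
        t = i * 10
        trace.append((t, 0x0D0, (0.5,)))                    # hypothetical ID
        trace.append((t + 2, 1760, (wheel_speed(i),) * 4))  # 4 wheel speeds
        trace.append((t + 5, 0x1A4, (12.0, 3.0)))           # hypothetical ID
    return trace

# Constructed data: the second trace keeps IDs and timing, only values differ.
benign = make_trace(lambda i: 50.0 + 0.1 * i)
altered = make_trace(lambda i: 50.0 + 0.1 * i if i < 6 else 0.0)

ref_edges, ref_nodes = build_msg(list(sliding_windows(benign, 18, 18))[1])
obs_edges, obs_nodes = build_msg(list(sliding_windows(altered, 18, 18))[1])
print("same structure:", ref_edges == obs_edges)
print("mean shift per ID:", mean_shift(ref_nodes, obs_nodes))
```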

Paper Structure (23 sections, 2 equations, 8 figures, 9 tables, 3 algorithms)

This paper contains 23 sections, 2 equations, 8 figures, 9 tables, 3 algorithms.

Figures (8)

  • Figure 1: CAN protocol frame with 8-byte payload. The full structure is presented for comprehensive understanding, with a specific focus on the ID and payload fields for our analysis.
  • Figure 2: Proposed data-driven framework for masquerade attack detection in CAN using graph ML.
  • Figure 3: Sliding window partitioning of CAN messages (left) and resulting MSG subgraph (right). Top five nodes by connectivity are highlighted; edges are weighted.
  • Figure 4: Speed signals of four wheels encoded in node ID 1760. X-axis: Time (ms); Y-axis: Signal value.
  • Figure 5: Illustration of graph annotation with statistical attributes in CAN. Each node represents a CAN ID and is annotated with the mean ($\mu$) and standard deviation ($\sigma$) of each signal associated with it. Note that the number of signals may vary per node.
  • ...and 3 more figures