A Robust Multi-Stage Intrusion Detection System for In-Vehicle Network Security using Hierarchical Federated Learning
Muzun Althunayyan, Amir Javed, Omer Rana
TL;DR
This paper tackles the security gaps in in-vehicle CAN networks by proposing a robust, lightweight, two-stage intrusion detection system that detects seen attacks via an Artificial Neural Network and unseen attacks via an LSTM Autoencoder. It further introduces a Hierarchical Federated Learning framework to enable privacy-preserving, distributed training across diverse driving scenarios, enhancing robustness to novel attacks. Empirical results on a real-world CAN dataset show near-perfect detection for seen attacks (F1≈1.0) and high robustness to unseen attacks (DR≈99.99%, F1≈0.95, FAR≈0.016%), while maintaining a small footprint (~2.98 MB). The work demonstrates the practicality of deploying DL-based IDS in resource-constrained vehicles and highlights the value of H-FL in improving generalization across heterogeneous driving environments.
Abstract
As connected and autonomous vehicles proliferate, the Controller Area Network (CAN) bus has become the predominant communication standard for in-vehicle networks due to its speed and efficiency. However, the CAN bus lacks basic security measures such as authentication and encryption, making it highly vulnerable to cyberattacks. To ensure in-vehicle security, intrusion detection systems (IDSs) must detect seen attacks and provide a robust defense against new, unseen attacks while remaining lightweight for practical deployment. Previous work has relied solely on the CAN ID feature or has used traditional machine learning (ML) approaches with manual feature extraction. These approaches overlook other exploitable features, making it challenging to adapt to new unseen attack variants and compromising security. This paper introduces a cutting-edge, novel, lightweight, in-vehicle, IDS-leveraging, deep learning (DL) algorithm to address these limitations. The proposed IDS employs a multi-stage approach: an artificial neural network (ANN) in the first stage to detect seen attacks, and a Long Short-Term Memory (LSTM) autoencoder in the second stage to detect new, unseen attacks. To understand and analyze diverse driving behaviors, update the model with the latest attack patterns, and preserve data privacy, we propose a theoretical framework to deploy our IDS in a hierarchical federated learning (H-FL) environment. Experimental results demonstrate that our IDS achieves an F1-score exceeding 0.99 for seen attacks and exceeding 0.95 for novel attacks, with a detection rate of 99.99%. Additionally, the false alarm rate (FAR) is exceptionally low at 0.016%, minimizing false alarms. Despite using DL algorithms known for their effectiveness in identifying sophisticated and zero-day attacks, the IDS remains lightweight, ensuring its feasibility for real-world deployment.