| | --- |
| | license: cc-by-nc-nd-4.0 |
| | language: |
| | - en |
| | - de |
| | metrics: |
| | - accuracy |
| | - code_eval |
| | tags: |
| | - '1.0' |
| | --- |
| | # CANDefender – DoS Detection Model |
| |
|
| | **Model Summary** |
| | This model detects **DoS attacks** on the CAN bus. It was trained on approximately **4.6 million** real CAN frames (both normal traffic and DoS data). The core is an **LSTM** architecture that processes the CAN ID and the 8-byte payload to classify each frame as either “DoS” or “Normal.” |
| |
|
| | --- |
| |
|
| | ## Performance |
| |
|
| | **Test Accuracy**: ~94.06% |
| | **Confusion Matrix** (DoS vs. Normal): |
| |
|
| | | True \ Pred | DoS (pred) | Normal (pred) | |
| | |:-----------:|:----------:|:-------------:| |
| | | **DoS** | 3,632,463 | 2,120 | |
| | | **Normal** | 272,327 | 716,544 | |
| |
|
| | - **Recall (DoS)**: ~99.94% |
| | - **Recall (Normal)**: ~72% |
| |
|
| | _Interpretation:_ Almost no DoS frames are missed, but ~28% of normal traffic is misclassified as DoS (higher false alarms). |
| |
|
| | --- |
| |
|
| | ## Intended Use |
| |
|
| | - **Goal**: Real-time DoS detection on CAN bus data. |
| | - **Limitations**: |
| | - Focus on DoS only (other attack types like Fuzzy, Gear, RPM not covered). |
| | - Tends to over-classify normal frames as DoS (False Positives around 28%). |
| |
|
| | --- |
| |
|
| | ## How to Use |
| |
|
| | ```python |
| | import torch |
| | import numpy as np |
| | from can_defender_dos import CANLSTM # replace with your actual import |
| | |
| | # Example frame: [CAN_ID, b0, b1, ..., b7] |
| | frame = [0x315, 0x12, 0x4F, 0xA2, 0x00, 0x00, 0x78, 0x1C, 0xAA] |
| | |
| | # Convert to the same shape as the model expects: (batch_size, seq_len, features) |
| | x_np = np.array(frame, dtype=np.float32).reshape(1, 1, 9) |
| | |
| | model = CANLSTM(input_dim=9, hidden_dim=64, num_classes=2) |
| | model.load_state_dict(torch.load("candefender_dos_final.pt")) |
| | model.eval() |
| | |
| | with torch.no_grad(): |
| | logits = model(torch.from_numpy(x_np)) |
| | pred = torch.argmax(logits, dim=1).item() |
| | print("Prediction:", "DoS" if pred == 0 else "Normal") |
| | ``` |
| |
|
| |
|
| | ## Training Configuration |
| | - Architecture: LSTM (64 hidden units) + final linear output |
| | - Optimizer: Adam, LR=1e-3 |
| | - Epochs: ~20 (stopped when performance saturated) |
| | - Dataset: 4.6 million CAN frames, including normal + DoS |
| |
|
| | ## Limitations & Next Steps |
| | - False Positives: ~28% of normal frames labeled as DoS. Might be acceptable for high security environments, but can be reduced via further tuning or additional features (time windows, frequency, etc.). |
| | - Focus on DoS: Future expansions for multi-class detection (Fuzzy, Gear, RPM) are possible. |
| | - Potential Enhancements: Weighted loss for normal class, real-time deployment with window-based sequences, or transformer-based architectures. |
| |
|
| | ## License & Contact |
| | - License: cc-by-nc-nd-4.0 |
| | - Author: Keyvan Hardani |
| | - Contact: https://www.linkedin.com/in/keyvanhardani/ |
