---
license: cc-by-nc-nd-4.0
language:
- en
- de
metrics:
- accuracy
- code_eval
tags:
- '1.0'
---

# CANDefender – DoS Detection Model

**Model Summary**

This model detects **DoS attacks** on the CAN bus. It was trained on approximately **4.6 million** real CAN frames (both normal traffic and DoS data). The core is an **LSTM** architecture that processes the CAN ID and the 8-byte payload to classify each frame as either “DoS” or “Normal.”

---

## Performance

**Test Accuracy**: ~94.06%

**Confusion Matrix** (DoS vs. Normal):

| True \ Pred | DoS (pred) | Normal (pred) |
|:-----------:|:----------:|:-------------:|
| **DoS** | 3,632,463 | 2,120 |
| **Normal** | 272,327 | 716,544 |

- **Recall (DoS)**: ~99.94%
- **Recall (Normal)**: ~72%

_Interpretation:_ Almost no DoS frames are missed, but ~28% of normal traffic is misclassified as DoS (higher false alarms).

---

## Intended Use

- **Goal**: Real-time DoS detection on CAN bus data.
- **Limitations**:
  - Focus on DoS only (other attack types like Fuzzy, Gear, RPM not covered).
  - Tends to over-classify normal frames as DoS (False Positives around 28%).

---

## How to Use

```python
import torch
import numpy as np
from can_defender_dos import CANLSTM  # replace with your actual import

# Example frame: [CAN_ID, b0, b1, ..., b7]
frame = [0x315, 0x12, 0x4F, 0xA2, 0x00, 0x00, 0x78, 0x1C, 0xAA]

# Convert to the shape the model expects: (batch_size, seq_len, features)
x_np = np.array(frame, dtype=np.float32).reshape(1, 1, 9)

model = CANLSTM(input_dim=9, hidden_dim=64, num_classes=2)
# weights_only=True restricts the unpickler to tensors and primitive types
# instead of arbitrary Python objects stored in the checkpoint file.
state = torch.load("candefender_dos_final.pt", map_location="cpu", weights_only=True)
model.load_state_dict(state)
model.eval()

with torch.no_grad():
    logits = model(torch.from_numpy(x_np))
    pred = torch.argmax(logits, dim=1).item()

# Class index 0 is DoS, 1 is Normal
print("Prediction:", "DoS" if pred == 0 else "Normal")
```

## Training Configuration

- Architecture: LSTM (64 hidden units) + final linear output
- Optimizer: Adam, LR=1e-3
- Epochs: ~20 (stopped when performance saturated)
- Dataset: 4.6 million CAN frames, including normal + DoS

## Limitations & Next Steps

- False Positives: ~28% of normal frames labeled as DoS. Might be acceptable for high-security environments, but can be reduced via further tuning or additional features (time windows, frequency, etc.).
- Focus on DoS: Future expansions for multi-class detection (Fuzzy, Gear, RPM) are possible.
- Potential Enhancements: Weighted loss for normal class, real-time deployment with window-based sequences, or transformer-based architectures.
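
The time-window idea from the list above, as an added example that is not part of the original model card or the author's code: per-frame predictions are aggregated with a k-of-n vote so that isolated false positives on normal frames do not raise an alert. The window size (50), the threshold (30 hits), the function names and the sample stream are assumptions made for illustration, and the tail probability assumes per-frame errors are independent.

```python
from collections import deque
from math import comb

DOS, NORMAL = 0, 1  # label mapping from the page's snippet (0 = DoS)

# Per-frame rates taken from the confusion matrix on this page.
FP_RATE = 272_327 / (272_327 + 716_544)    # normal frames flagged as DoS (~27.5%)
TP_RATE = 3_632_463 / (3_632_463 + 2_120)  # DoS frames flagged as DoS (~99.94%)

def first_alarm_index(preds, window=50, min_hits=30):
    """Index of the first frame at which at least `min_hits` of the last
    `window` per-frame predictions are DoS, or None if that never happens."""
    recent = deque(maxlen=window)
    hits = 0
    for i, pred in enumerate(preds):
        if len(recent) == window and recent[0] == DOS:
            hits -= 1  # oldest prediction is about to fall out of the window
        recent.append(pred)
        if pred == DOS:
            hits += 1
        if hits >= min_hits:
            return i
    return None

def window_alarm_prob(p_flag, window=50, min_hits=30):
    """P(at least min_hits of window frames are flagged) when each frame is
    flagged independently with probability p_flag (binomial tail).
    Independence is an assumption; real per-frame errors may be correlated."""
    return sum(comb(window, k) * p_flag**k * (1 - p_flag)**(window - k)
               for k in range(min_hits, window + 1))

def constructed_stream():
    """Constructed per-frame predictions: 200 normal frames with every 4th one
    misflagged as DoS (25% false positives), then a 100-frame DoS burst."""
    normal = [DOS if i % 4 == 0 else NORMAL for i in range(200)]
    return normal + [DOS] * 100

if __name__ == "__main__":
    stream = constructed_stream()
    print("per-frame false alerts in normal part:", stream[:200].count(DOS))
    print("windowed alarm fires at frame:", first_alarm_index(stream))
    print("P(false window alarm):", window_alarm_prob(FP_RATE))
    print("P(window alarm during DoS):", window_alarm_prob(TP_RATE))
```

On the constructed stream the windowed alarm never fires on the normal part, where per-frame alerting would have raised 50 false alerts, and it fires 24 frames into the burst. That delay is the price of the vote, so the window and threshold have to be chosen against the detection latency the deployment can tolerate.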

## License & Contact

- License: cc-by-nc-nd-4.0
- Author: Keyvan Hardani
- Contact: https://www.linkedin.com/in/keyvanhardani/