Relational Modeling for Automotive Cybersecurity: Structural Transition and Graph Topology-Based CAN Intrusion Detection

Abstract

Many controller area network (CAN) intrusion detection systems rely on statistical traffic descriptors such as message timing patterns, identifier distribution, and payload statistics. Although such statistical methods have achieved high detection rates in controlled evaluation environments with similar types of attacks, little is known about how well they perform in more complex cross-attack situations. To assess whether capturing relational dependencies between CAN messages improves the robustness of intrusion detection relative to mere statistical aggregation, we developed a lightweight intrusion detection system that combines statistical traffic descriptors, structural identifier transition features, and graph topology representations computed over CAN communication windows. Our experimental assessment using the HCRL Car-Hacking and ROAD datasets shows that while statistical features are highly effective in detecting DoS attacks, they are nearly useless in detecting spoofing attacks such as RPM manipulation when the training data was based on DoS attacks and the detector is transferred to those spoofing attacks. In contrast, structural transition features and graph topology representations provide consistently high levels of detection effectiveness across all types of attacks tested. Finally, our additional experiments demonstrate that the hybrid representation of statistical, structural, and graph-based features provides the best average level of detection effectiveness among the different representations tested. Furthermore, the increased detection effectiveness was consistent across multiple machine learning classifiers, including logistic regression, support vector machines, random forests, gradient boosting, decision trees, and k-nearest neighbors, although decision tree classifiers exhibited instability when combined with hybrid feature representations.
These findings suggest that the primary source of the performance improvement is the proposed relational feature representations rather than any specific classifier. The findings therefore demonstrate the need for modeling relational communication when developing robust and deployable automotive intrusion detection systems that can generalize across multiple types of attack behavior.
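
To make the contrast between statistical aggregation and relational features concrete, the following Python example is added here and is not code from the preprint, whose exact feature definitions the abstract does not give. It assumes one plausible form of identifier-transition and graph-topology features (edge count, density, transition entropy, edges unseen in a baseline); the function names, CAN IDs, and both windows are constructed for illustration.

```python
import math
from collections import Counter

def transitions(ids):
    """Count directed ID-to-ID transitions (graph edges) in one window."""
    return Counter(zip(ids, ids[1:]))

def window_features(ids):
    """Statistical and graph-topology features for one window of CAN IDs."""
    edges = transitions(ids)
    total = sum(edges.values())
    n_nodes = len(set(ids))
    # Shannon entropy (bits) of the observed transition distribution.
    entropy = -sum((c / total) * math.log2(c / total)
                   for c in edges.values()) if total else 0.0
    return {
        # Statistical aggregates: blind to message ordering.
        "n_frames": len(ids),
        "n_unique_ids": n_nodes,
        # Relational features: depend on which ID follows which.
        "n_edges": len(edges),
        "density": len(edges) / (n_nodes ** 2) if n_nodes else 0.0,
        "transition_entropy": entropy,
    }

def unseen_edges(ids, baseline_edges):
    """Transitions in this window that never occur in the benign baseline."""
    return set(transitions(ids)) - set(baseline_edges)

# Constructed windows (assumption): four periodic IDs in a fixed order,
# then the same window size with extra frames of an existing ID (0x300)
# appearing out of sequence, as injected spoofed frames would.
BENIGN = [0x100, 0x200, 0x300, 0x400] * 5
SPOOFED = [0x100, 0x300, 0x200, 0x300, 0x400] * 4

if __name__ == "__main__":
    baseline = transitions(BENIGN)
    for name, window in (("benign", BENIGN), ("spoofed", SPOOFED)):
        feats = window_features(window)
        new = sorted((hex(a), hex(b)) for a, b in unseen_edges(window, baseline))
        print(name, feats, "unseen edges:", new)
```

In these constructed windows the frame count and the set of identifiers are identical, so those two aggregates cannot separate them, while the transition graph gains two edges that the benign baseline never contains.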
