CANDefender – DoS Detection Model
Model Summary
This model detects DoS attacks on the CAN bus. It was trained on approximately 4.6 million real CAN frames (both normal traffic and DoS data). The core is an LSTM architecture that processes the CAN ID and the 8-byte payload to classify each frame as either “DoS” or “Normal.”
Performance
Test Accuracy: ~94.06%
Confusion Matrix (DoS vs. Normal):
True \ Pred | DoS (pred) | Normal (pred) |
---|---|---|
DoS | 3,632,463 | 2,120 |
Normal | 272,327 | 716,544 |
- Recall (DoS): ~99.94%
- Recall (Normal): ~72%
Interpretation: Almost no DoS frames are missed, but ~28% of normal traffic is misclassified as DoS (higher false alarms).
Intended Use
- Goal: Real-time DoS detection on CAN bus data.
- Limitations:
- Focus on DoS only (other attack types like Fuzzy, Gear, RPM not covered).
- Tends to over-classify normal frames as DoS (False Positives around 28%).
How to Use
import torch
import numpy as np
from can_defender_dos import CANLSTM # replace with your actual import
# Example frame: [CAN_ID, b0, b1, ..., b7]
frame = [0x315, 0x12, 0x4F, 0xA2, 0x00, 0x00, 0x78, 0x1C, 0xAA]
# Convert to the same shape as the model expects: (batch_size, seq_len, features)
x_np = np.array(frame, dtype=np.float32).reshape(1, 1, 9)
model = CANLSTM(input_dim=9, hidden_dim=64, num_classes=2)
model.load_state_dict(torch.load("candefender_dos_final.pt"))
model.eval()
with torch.no_grad():
logits = model(torch.from_numpy(x_np))
pred = torch.argmax(logits, dim=1).item()
print("Prediction:", "DoS" if pred == 0 else "Normal")
Training Configuration
- Architecture: LSTM (64 hidden units) + final linear output
- Optimizer: Adam, LR=1e-3
- Epochs: ~20 (stopped when performance saturated)
- Dataset: 4.6 million CAN frames, including normal + DoS
Limitations & Next Steps
- False Positives: ~28% of normal frames labeled as DoS. Might be acceptable for high security environments, but can be reduced via further tuning or additional features (time windows, frequency, etc.).
- Focus on DoS: Future expansions for multi-class detection (Fuzzy, Gear, RPM) are possible.
- Potential Enhancements: Weighted loss for normal class, real-time deployment with window-based sequences, or transformer-based architectures.
License & Contact
- License: cc-by-nc-nd-4.0
- Author: Keyvan Hardani
- Contact: https://www.linkedin.com/in/keyvanhardani/
Inference Providers
NEW
This model is not currently available via any of the supported Inference Providers.
The model cannot be deployed to the HF Inference API:
The model has no library tag.