Presentation Date: Feb 14, 2026
AGSA Abstract
On today’s roads, modern vehicles (autonomous vehicles) rely on the Controller Area Network (CAN) to communicate safety-critical functions among a distributed network of electronic control units (ECUs). However, CAN provides no message authentication, encryption, or integrity protection, which makes it susceptible to spoofing, replay, and denial-of-service attacks. Although machine-learning-based intrusion detection systems (IDS) have shown promise for securing CAN, most prior work remains limited to offline evaluation on public datasets and does not demonstrate that real-time deployment is practical on embedded automotive hardware. This project presents an unsupervised CAN intrusion detection system designed for live deployment on the Resistant Automotive Miniature Network (RAMN), an open-source hardware platform that emulates in-vehicle networks. We integrate RAMN with the CARLA autonomous driving simulator to form a hybrid cyber-physical testbed, enabling reproducible attack injection and closed-loop evaluation of IDS behavior under realistic driving scenarios. The proposed system employs a 100 ms sliding-window feature extraction pipeline combined with a multi-detector ensemble comprising statistical (PCA) and rate-based anomaly detectors. We first train and tune the detectors on benign CAN traffic, then evaluate them across five attack types (DoS, Flooding, Fuzzing, Injection, Replay) captured from the physical can0 interface, which is connected to the RAMN hardware and reflects the CARLA simulation. The ensemble achieves a 100% detection rate with a 0% false positive rate on 3,361 feature windows (1,126 attack, 2,235 normal), with end-to-end detection latency under 100 ms, satisfying a 400 ms real-time requirement. The results demonstrate that unsupervised anomaly detection, combined with carefully engineered features and a multi-detector design, can provide practical and reproducible CAN IDS capabilities on low-cost automotive hardware.
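A minimal sketch of the rate-based half of such a pipeline, added here as an illustration and not taken from the project's code: it learns per-ID frame counts per 100 ms window from benign traffic, then flags windows whose counts exceed the learned bound or that contain IDs never seen in training. The function names, the per-ID count feature, the `k` and `slack` thresholds, the use of non-overlapping windows (step equal to window length), and the sample traffic are all assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

WINDOW_MS = 100  # window length stated in the abstract

def window_counts(frames, window_ms=WINDOW_MS):
    """Bucket (timestamp_ms, can_id) frames into per-window ID counts."""
    windows = defaultdict(Counter)
    for ts_ms, can_id in frames:
        windows[ts_ms // window_ms][can_id] += 1
    return dict(windows)

def fit_rate_baseline(benign_frames, k=3.0, slack=2):
    """Learn an upper bound on frames per window for each ID seen in benign traffic."""
    windows = list(window_counts(benign_frames).values())
    limits = {}
    for can_id in set().union(*windows):
        counts = [w[can_id] for w in windows]  # Counter yields 0 when the ID is absent
        limits[can_id] = mean(counts) + max(k * pstdev(counts), slack)
    return limits

def detect(frames, limits):
    """Return {window_index: [reasons]} for windows that violate the baseline."""
    alerts = {}
    for idx, counts in sorted(window_counts(frames).items()):
        reasons = []
        for can_id, n in sorted(counts.items()):
            if can_id not in limits:
                reasons.append(f"unknown id 0x{can_id:03X}")
            elif n > limits[can_id]:
                reasons.append(f"rate 0x{can_id:03X}: {n} > {limits[can_id]:.1f}")
        if reasons:
            alerts[idx] = reasons
    return alerts

def periodic(can_id, period_ms, start_ms, end_ms):
    """Constructed traffic helper: one frame every period_ms."""
    return [(t, can_id) for t in range(start_ms, end_ms, period_ms)]

# Constructed sample traffic (hypothetical IDs and periods, not the project's captures).
BENIGN = periodic(0x100, 10, 0, 1000) + periodic(0x200, 20, 0, 1000)
LIVE = (periodic(0x100, 10, 0, 300) + periodic(0x200, 20, 0, 300)
        + periodic(0x100, 2, 100, 200)   # extra frames on a known ID, window 1
        + [(250, 0x7FF)])                # ID absent from training, window 2

if __name__ == "__main__":
    limits = fit_rate_baseline(BENIGN)
    for idx, reasons in detect(LIVE, limits).items():
        print(f"window {idx} (starts at {idx * WINDOW_MS} ms): {', '.join(reasons)}")
```

A count-only detector like this cannot see a replay that preserves message timing, which is one reason to pair it with a second detector as the abstract's ensemble does.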