Indirect Exposure Training for Robust Time-Series Can Bus Intrusion Detection

초록

Controller Area Network (CAN) lacks built-in authentication, encryption, and integrity protection, which motivates data-driven anomaly detection techniques that learn nominal behavior and flag deviations. In this paper, we propose an anomaly detection framework for CAN traffic under a normal-only training setting, based on a center identifier (ID) prediction objective. Specifically, given a sliding-window context that excludes the center message, the model predicts the center ID, and an event is classified as anomalous when the ground-truth ID is not among the model's top-k hypotheses. We systematically compare two-dimensional message-window representations and one-dimensional flattened sequences across four input feature configurations: Full, Payload-only, ID-only, and Hybrid. Under an indirect-exposure setting, windows are constructed from the full stream while training uses only samples whose centers are normal, allowing the model to indirectly observe abnormal context without directly learning from attack labels, thereby stabilizing the decision boundary and reducing false positives. Consequently, experiments on three public datasets, Sonata, Soul, and Spark, demonstrate that a one-dimensional Transformer with Hybrid inputs, combined with a top-5 decision rule, achieves the best overall performance.

키워드