Abstract
The emergence of Autonomous and Connected Autonomous Vehicles (CAVs) has transformed the automotive landscape drastically over the past few years by offering enhanced features in the vehicles for drivers’ safety and convenience. These developments have introduced various features in AVs, such as lane-keeping and cruise control. These features are mainly powered by the Electronic Control Units (ECUs) that communicate using the Controller Area Network (CAN) bus protocol. The components in the AVs communicate with each other by sending and receiving messages via the CAN bus. However, with increased connectivity, these vehicles have become vulnerable to cyber attacks, as malicious actors can exploit the CAN protocol to manipulate vehicle behavior, which threatens the safety of not only the passengers but the public as well. Several Intrusion Detection Systems (IDS) have been proposed; however, these systems struggle with computational complexity, limited effectiveness against sophisticated attack types, and a lack of interpretability and transparency of detection mechanisms. To address challenges in the existing systems, this paper presents a novel hybrid Deep Learning (DL)-based IDS using DL components such as convolutional and Long Short-Term Memory (LSTM) layers to capture complex patterns in the CAN messages. The proposed IDS uses a residual connection to enhance gradient flow and training stability. The system is evaluated on four common attack types, namely RPM Spoofing, Gear Spoofing, Fuzzy, and Denial of Service (DoS), achieving a detection accuracy of 99.99%. Finally, the outcomes of the proposed IDS are visually interpreted using the Explainable AI (XAI) technique called Local Interpretable Model-agnostic Explanations (LIME) to provide transparency into the model’s decision-making process, thus increasing trust in the system’s deployment in real-world AV environments.
Citation: Kibriya H, Siddiqa A, Alahmari S, Khan WZ, Altamimi SN, Khan AuR (2026) A hybrid deep learning and residual connection-based architecture for intrusion detection in autonomous vehicles. PLoS One 21(3): e0338079. https://doi.org/10.1371/journal.pone.0338079
Editor: Ayei Egu Ibor, University of Calabar, NIGERIA
Received: May 19, 2025; Accepted: November 18, 2025; Published: March 19, 2026
Copyright: © 2026 Kibriya et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: This study exclusively uses a publicly available dataset, which is fully described in the manuscript and accessible through the referenced public repository (https://ocslab.hksecurity.net/Datasets/car-hacking-dataset).
Funding: This study was financially supported by the Deanship of Scientific Research at Northern Border University, Arar, KSA in the form of a grant provided to SA (NBU- FFR-2026-451-02).
Competing interests: The authors have declared that no competing interests exist.
Introduction
Passenger and driver safety remains a pressing global issue. In 2021 alone, almost 1.19 million people succumbed to road accidents worldwide, meaning almost 15 deaths per 0.1 million people. In 2019, road traffic injuries were ranked as the 12th leading cause of death globally, and were also a main cause of death among children and young adults aged 5–29. According to a report by the WHO, by the time one finishes reading a single page of their report, at least five people will have lost their lives in road traffic crashes. These figures highlight the critical need for advanced and responsive safety systems to reduce the risk of traffic-related fatalities [1].
The automotive industry is going through a major change with the growth of autonomous vehicles (AVs). They offer workable ways to address long-standing concerns related to road safety and traffic flow. AVs rely on advanced sensing units and real-time data processing to read and respond to changes in the driving environment more consistently than human drivers. This change has lowered the effect of human error, still the leading cause of road accidents. Reliable AV operation depends on stable intra-vehicle communication systems that collect and share data from several sensors and On-Board Units (OBUs) [2]. These data streams support timely decisions and coordinated control actions [3,4].
The CAN bus protocol manages critical communication between components of AVs by facilitating real-time data exchange among ECUs, which are responsible for essential vehicular functions such as braking, acceleration, and steering [5–7]. However, the CAN protocol lacks basic security features to detect forged packets injected with a malicious intention to manipulate the vehicle and endanger the passengers and surrounding road users [8,9].
To overcome this limitation, numerous IDSs have been proposed to enhance CAN bus security. These systems include rule-based, ML-based, and DL-based methods. Traditional rule-based IDSs depend on manual feature engineering and rule definition, which limits their adaptability and scalability as attack patterns evolve. DL-based models are hence being developed to overcome limitations in the traditional IDS. These systems automate the process of feature engineering, learning, and classification directly from the data without predefined rules or human intervention. Hence, these systems are scalable to ever-changing attack scenarios [10]. Despite considerable advancements, these systems still face several critical limitations. One major challenge is the high computational complexity of these algorithms when deploying them in AVs, as the CAN protocol is designed for lightweight, real-time communication within resource-constrained environments. Deployment of such a resource-demanding IDS may monopolize computational resources and may therefore compromise the performance of other time-critical vehicle subsystems by causing delayed responses. Such memory-intensive models can also impose significant pressure on the limited memory resources, thereby affecting the vehicle’s overall system reliability [11,12].
Many AI-based intrusion detection systems (IDSs) lack interpretability, another significant problem. Deep learning models, in particular, are sometimes referred to as black boxes since their fundamental logic is concealed. When the reasoning underlying a model’s output cannot be articulated, it gives rise to trust issues. These problems are significant, especially in autonomous driving, where every choice can have real-world consequences [7,13,14]. In order to address these deficiencies, we propose a lightweight explainable hybrid deep learning model that employs a residual connection to detect four types of cyber attacks in AV systems. The main contributions of our work are outlined below:
- We propose an intrusion detection system for CAV that combines convolutional layers with hybrid LSTM–GRU units and residual connections. The proposed hybrid design captures both temporal and spatial patterns in CAN bus traffic while keeping the parameter count to around 24K.
- Due to its lightweight design and low computational overhead, the proposed model is suitable for resource-constrained environments
- We utilized a multi-seed data splitting approach to ensure the proposed model’s reliability
- We perform extensive ablation studies to find the best architectural setup and hyperparameter settings
- Local Interpretable Model-Agnostic Explanations (LIME) visualization is incorporated
The rest of the paper is structured as follows: The Related Work section reviews existing research. The Proposed Method section provides details of the proposed IDS system. The Results and Discussion section covers experimental setup, evaluation metrics, multi-seed data splitting analysis, ablation results, and XAI visualizations. Finally, we conclude the study.
Related Work
Intrusion detection for CAN communication has evolved significantly over the last decade. Research ranges from traditional threshold-based methods to deep learning, federated learning, and explainable AI frameworks. In this section, we grouped prior work into four categories: (A) traditional and statistical IDS techniques for CAN bus security, (B) deep and transfer learning-based IDS models, (C) federated and collaborative intrusion detection frameworks, and (D) explainable and emerging intelligent IDS systems. Table 1 summarizes representative methods. While classical methods offer transparency and efficiency, deep and collaborative learning models provide stronger adaptability but often at the cost of interpretability, an issue that motivates our lightweight, explainable IDS approach.
A. Traditional and Statistical IDS
A threshold-based anomaly detection scheme is proposed by Lee et al. [15]. They introduced an Offset ratio and Time interval-based Intrusion Detection System (OTIDS). The offset ratio and time intervals between request and response messages were analyzed. Their approach effectively detected message injection and impersonation node attacks by identifying deviations from normal response patterns. OTIDS maintained a high instant reply ratio (around 100%) under normal conditions, which dropped significantly during attacks, such as DoS, to about 10–20%. The lost reply ratio increased from less than 0.1% in attack-free states to over 1% during attacks. The correlation coefficient between offsets and time intervals was near 1 in normal conditions but dropped significantly during an attack to indicate anomalies [16]. The authors implemented their prototype with a Raspberry Pi3. Lee et al. [15] released their dataset named OTIDS for intrusion detection in CAN with four attack types. Their dataset is publicly available on the website of the Hacking and Countermeasures Research Lab (HCRL).
The SIDuDTW framework for detecting malicious messages in CAN bus traffic uses Dynamic Time Warping (DTW) to compare CAN ID sequences [17]. SIDuDTW focuses on finding recurring patterns in the data. It also uses wave splitting techniques to improve detection efficiency. It was tested using publicly available Car Hacking datasets and real vehicle data. On the Car Hacking datasets, SIDuDTW achieved a detection accuracy of 96.67%, a G-mean of 97.15%, and an F1-Score of 94.88%. These results were consistent across five different types of attacks in real vehicle environments. SIDuDTW could not eliminate false positives due to the inherent noise in CAN bus traffic and due to the occasional misclassification of normal waves as attacks. It is designed to detect malicious messages in wave sequences.
B. Deep and Transfer Learning-based IDS
In this subsection, we review recent deep learning-based frameworks that are capable of capturing the nonlinear temporal-spatial dependencies in CAN traffic. For instance, CANTransfer [18] employs a deep learning approach with transfer learning to detect both known and new types of attacks. It analyzes the spatial and temporal patterns in CAN traffic. CANTransfer addresses the challenge of detecting unknown attacks with limited data by employing one-shot learning to adapt to new intrusion types. It was evaluated using datasets from the KIA Soul and Hyundai Sonata. It outperformed baseline models as it obtained an F1-score of 95.25% for known attacks and 88.47% for unknown attacks. CANTransfer demonstrated sufficient processing speed for real-time operation. It maintained low loss and improved accuracy across multiple trials. Its improved performance was due to transfer learning, which makes it a more robust and adaptive intrusion detection approach for CAN systems compared to OTIDS.
Amato et al. [7] utilized neural networks and Multi-Layer Perceptrons (MLPs) to classify CAN messages. The features used for classification are derived from the data bytes of CAN packets. It involves creating a feature vector from these data bytes to distinguish between normal and malicious messages. The method is validated using four real-world datasets, with attacks including DoS, Fuzzy attacks, Gear spoofing, and RPM spoofing. MLP models with 1 and 3 hidden layers performed best, and they achieved the highest precision up to 97.4% and recall up to 96.5% in detecting attacks. It demonstrated that the MLP model is effective in detecting four types of CAN bus attacks. The approach is tested against a limited number of attacks.
CANintelliIDS, as proposed by Javed et al. [19], integrates the advantages of feature extraction via Convolutional Neural Networks (CNN) and sequence learning through Gated Recurrent Units (GRU) enhanced by an attention mechanism. It possesses the capability to identify individual intrusion types (e.g., Denial of Service, Fuzzy, and Impersonation attacks) as well as composite intrusion scenarios wherein multiple attack types are perpetrated concurrently. The performance of CANintelliIDS was evaluated using balanced and imbalanced datasets taken from real-world car CAN bus data with a wide range of attack scenarios. The system obtained an average F1-Score of almost 94% for individual attacks and 93.79% for combined attacks. Its effectiveness could be increased by enhancing its ability to detect new, previously unknown attacks. On the other hand, Wang et al. [20] detected stealthy attacks on AV systems including Adaptive Cruise Control and Cooperative Adaptive Cruise Control. They created three types of stealthy attacks. These attacks could fool standard rule-based detection methods. The attacks threatened important system functions like collision avoidance and vehicle-following distance. To address these threats, the authors developed two deep learning models. The first is the Predictor-based model (PDT). It uses LSTM networks to predict normal behavior from time-series data. The second is the Encoder-Decoder model (EDC). It uses an LSTM-based encoder-decoder to reconstruct time-series data. The PDT model reached 97% accuracy when no attacks were present. It also showed strong detection performance, with F1-Scores between 67% and 91% across different attacks. Both models were trained without attacker-specific data. It could affect their performance on new attacks not seen during training. Alsulami et al. [21] explored transfer learning for detecting cyberattacks in autonomous vehicle cyber-physical systems (AV-CPS). 
They implemented the CAN communication protocol using Simulink’s Vehicle Network Toolbox. This protocol was integrated into an AV simulation model. They converted sensor data from the simulation into images. These images represented both normal and attack scenarios. Eight pre-trained CNNs were trained on this image dataset. Among them, GoogLeNet gave the best results. It achieved an F1 score of 99.47%. Hassan et al. [3] presented a hybrid intrusion detection system for autonomous vehicles. The system combines Recursive Feature Elimination (RFE) for selecting features with Principal Component Analysis (PCA) for reducing dimensionality. They used a Deep Neural Network (DNN) for classification. They attained an F1-score of 98.5% on a publicly available Car-Hacking dataset. They did not integrate any XAI techniques, which could limit user trust in their model in real-world deployments.
C. Federated and Collaborative IDS Frameworks
To address privacy and generalization challenges, several studies have employed federated and collaborative learning paradigms. For instance, Yu et al. [12] introduced a federated learning-based approach for intrusion detection. Their method exploits the periodicity of CAN message IDs to build a predictive model. The prediction of message IDs is used as a basis for network intrusion detection by recognizing deviations from expected patterns. Abnormalities in network messages are detected by comparing predicted message IDs against actual received IDs. The LSTM model is trained on an attack-free dataset of CAN messages from HCRL. For testing, the dataset was generated with abnormal values to mimic four types of attacks, i.e., spoofing, replay, drop, and DoS attacks. F1-Scores of 90%, 89.4%, 92.2%, and 96.9% were achieved for spoofing, replay, drop, and DoS attacks, respectively. The federated-LSTM-based intrusion detection method achieved over 90% accuracy in identifying four types of malicious network attacks. The simulation results are based on a specific dataset and generated attack models.
Hoang et al. [22] introduced CANPerFL, a framework designed to enhance the performance of in-vehicle IDS by sharing knowledge across multiple vehicles. CANPerFL employs federated learning to allow multiple vehicles to collaboratively train a global model while keeping their data local. Real CAN data was collected from three different car models: KIA, BMW, and Tesla. Data includes both normal operations and attack scenarios (fuzzy and replay attacks). The system performs well with at least 30k samples per car model with F1-Scores of above 90%. Wang et al. [11] proposed a Transfer Learning-based Self-Learning Intrusion Detection System (TLSIDS). It operates through a cascade detection approach comprising four modules. The basic detection module uses DenseNet to quickly filter known attacks. The advanced detection module employs a GAN-based model to identify unknown attacks hidden within normal traffic. The unknown attacks classification module classifies and tags these unknown attacks to generate new training data. The self learning module updates the model using transfer learning techniques to improve detection performance. It is tested on the Car Hacking dataset from HCRL, containing samples of DoS, Gear, RPM attacks, and normal traffic. Recall of 99.97%, precision of 99.90%, and F1-Score of 99.93% were reported.
D. Explainability and Emerging Intelligent IDS Models
Explainability and cross-domain intelligence are important to enhance trust and interpretability in IDS for AVs.
Wickramasinghe et al. [23] presented a ResNet autoencoder-based eXplainable Anomaly Detection System (RX-ADS). It combined interpretability with adversarial machine learning techniques. The RX-ADS framework integrates three key components. A window-based feature extraction mechanism is used to analyze CAN frame data. Autoencoder-based architecture is utilized for anomaly detection. Explanations of detected anomalies are generated using an adversarial machine learning module. The system was tested on two benchmark datasets, OTIDS and Car Hacking from HCRL. It examined various time windows for feature extraction to get the best results in terms of anomaly detection. RX-ADS showed an F1-score of 99.67% and 99.51% in detecting DoS and Fuzzy attacks, respectively.
The Intelligent Intrusion Detection System (IIDS) proposed by Anbalagan et al. [24] addressed vulnerabilities within the Internet of Vehicles (IoV) by using a modified CNN enhanced with hyperparameter optimization. It detects and categorizes malicious AVs within a 5G Vehicle-to-Everything (V2X) environment. The evaluation of IIDS is carried out through simulations using Network Simulator-2 (NS2) and Simulation of Urban Mobility (SUMO). The F1 score, precision, and recall of 98% are reported for IIDS in the simulation results. IIDS’s performance is evaluated using simulations in NS2 and SUMO. Complementary works such as SDNTruth [25] and MF2S-CID [26] extended explainable and adaptive detection mechanisms to vehicular networks. SDNTruth utilizes the centralized control of Software-Defined Networking (SDN) and entropy analysis for DDoS mitigation, while MF2S-CID provides a generalized and interpretable IDS with dynamic classifier selection for multiple attack types.
Proposed Method
This paper proposes a lightweight, AI-based IDS designed to detect cyberattacks in AVs through analysis of CAN bus messages. As illustrated in Fig 1, the proposed IDS comprises five key stages: (1) dataset acquisition and preprocessing, (2) training of the deep learning model after extensive architectural modifications, (3) prediction of potential attacks, and (4) visualization of model outputs using XAI techniques. The system is trained and evaluated using a publicly available benchmark Car Hacking dataset provided by the Hacking and Countermeasure Research Lab (HCRL), which includes four major attack categories, i.e., Denial of Service (DoS), Fuzzy, RPM Spoofing, and Gear Spoofing, alongside one normal class.
Algorithm 1 presents an overview of the steps performed in this study.
Algorithm 1 Proposed IDS for cyber attack detection on CAN bus with explainability
1: Input: Set of CAN bus attack datasets
2: Output: Prediction P for each dataset and LIME-based explanations VR
3: For each in do
4:
5:
6:
7:
8: Store predicted class label
Generate LIME explanations for prediction:
9:
10: Store LIME visualization
11: End For
12: Return: Predictions and their corresponding LIME visualizations
A. Problem Formulation
The CAN bus is a critical communication protocol in modern vehicles, enabling real-time data exchange between Electronic Control Units (ECUs). However, due to its lack of built-in security mechanisms, the CAN bus is highly susceptible to various forms of cyberattacks. This study aims to develop a lightweight and robust IDS capable of identifying malicious CAN messages using a benchmark dataset provided by the HCRL. The dataset contains different attributes for each: timestamp (t), CAN ID (ID), Data Length Code (DLC), data bytes (), and a flag (Flag) to classify between injected (
) and normal class samples (
). The injected (malicious) messages comprise four well-known attack types: Fuzzy Attack, RPM Spoofing Attack, Gear Spoofing Attack, and DoS Attack.
Let the set of CAN messages be defined as:
where each represents a single CAN message.
Given the labeled dataset , the goal is to accurately classify and assign a label
to each message
, such that:
B. Dataset Acquisition and Preprocessing
This study utilizes a state-of-the-art HCRL dataset that is acquired from the Hyundai YF Sonata by connecting a Y-cable to the vehicle’s OBD-II port located beneath the steering wheel. A Raspberry Pi 3 is then used to interface with the CAN bus, while a laptop computer is connected to the Raspberry Pi via WiFi for data acquisition [27].
The dataset contains four types of cyber-attacks targeting the CAN bus, namely: Fuzzy Attack, RPM Spoofing Attack, Gear Spoofing Attack, and DoS Attack. Each attack scenario file (in .csv format) contains both normal and malicious traffic. The details of the dataset, such as its description and number of samples/messages, are summarized in Table 2. Each CAN message in the dataset contains several key attributes: timestamp, CAN ID, Data Length Code (DLC), data payload (DATA[0]–DATA[7]), and a flag. The timestamp records the exact time in seconds when the message was captured. The CAN ID, represented in hexadecimal (e.g., 043f), identifies the type of message on the CAN bus. The DLC indicates the number of data bytes, ranging from 0 to 8. The DATA[0]–DATA[7] fields store the actual message content in byte format. The flag denotes the message type, where “T” indicates an injected (attack) message and “R” represents a regular (benign) message. The acquired dataset is preprocessed by converting hexadecimal values into their corresponding decimal format.
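The record layout and hex-to-decimal preprocessing described above, written as a strict parser (an added example, not the authors' code). The sample rows are constructed, and the handling of frames with DLC below 8 assumes such rows carry fewer data columns with the flag directly after the last data byte; `CanFrame`, `parse_row` and `load_frames` are names chosen here, and zero-padding the missing bytes is a choice made for this example.

```python
import csv
import io
import math
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample rows (not taken from the dataset), in the layout described above:
# timestamp, CAN ID (hex), DLC, DATA[0..DLC-1] (hex), flag ("T" injected, "R" regular).
SAMPLE_CSV = """\
1478198376.389427,0316,8,05,21,68,09,21,21,00,6f,R
1478198376.389636,0000,8,00,00,00,00,00,00,00,00,T
1478198376.390001,05f0,2,01,00,R
1478198376.390200,043f,8,zz,40,60,ff,58,28,08,00,R
"""

# int(x, 16) alone also accepts "0x1f", "+1f" or "1_f", so fields are matched strictly first.
HEX_BYTE = re.compile(r"[0-9a-fA-F]{1,2}")
HEX_ID = re.compile(r"[0-9a-fA-F]{1,8}")
DLC_VALUES = set("012345678")


@dataclass
class CanFrame:
    timestamp: float
    can_id: int
    dlc: int
    data: List[int]      # always 8 values; bytes beyond DLC are zero-padded
    injected: bool

    def features(self) -> List[float]:
        """Timestamp, CAN ID and DATA[0..7]: the 10 numeric inputs the model takes."""
        return [self.timestamp, float(self.can_id), *map(float, self.data)]


def parse_row(row: List[str]) -> CanFrame:
    """Validate one CSV row and convert its hexadecimal fields to decimal integers."""
    row = [cell.strip() for cell in row]
    if len(row) < 4:
        raise ValueError("too few columns")
    timestamp = float(row[0])                      # raises ValueError on junk
    if not math.isfinite(timestamp) or timestamp < 0:
        raise ValueError("bad timestamp")
    if not HEX_ID.fullmatch(row[1]) or int(row[1], 16) > 0x1FFFFFFF:
        raise ValueError("bad CAN ID")             # 29 bits is the largest CAN identifier
    if row[2] not in DLC_VALUES:
        raise ValueError("bad DLC")
    dlc = int(row[2])
    # Assumption: a frame with DLC < 8 has only DLC data columns, so the flag shifts left.
    if len(row) != 3 + dlc + 1:
        raise ValueError("column count does not match DLC")
    payload = row[3:3 + dlc]
    if not all(HEX_BYTE.fullmatch(b) for b in payload):
        raise ValueError("bad data byte")
    flag = row[3 + dlc].upper()
    if flag not in ("T", "R"):
        raise ValueError("bad flag")
    data = [int(b, 16) for b in payload] + [0] * (8 - dlc)
    return CanFrame(timestamp, int(row[1], 16), dlc, data, flag == "T")


def load_frames(text: str) -> Tuple[List[CanFrame], List[Tuple[int, str]]]:
    """Parse CSV text; return accepted frames and (line number, reason) for rejects."""
    frames, rejected = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        try:
            frames.append(parse_row(row))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return frames, rejected


if __name__ == "__main__":
    frames, rejected = load_frames(SAMPLE_CSV)
    for frame in frames:
        print(frame.features(), "attack" if frame.injected else "normal")
    print("rejected:", rejected)
```

Rejected rows are reported with their line number rather than silently dropped, so a malformed capture cannot shift labels onto the wrong frames without being noticed.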
C. Proposed Deep Learning Architecture
In this subsection, the details of our proposed IDS are presented. The proposed IDS architecture consists of four blocks. Each block is optimized for efficient feature learning and classification. The input data after preprocessing is passed into the first block of the proposed model, as illustrated in Fig 2. The first block includes a convolutional layer activated by the GeLU function, followed by pooling layers to reduce spatial dimensions and enhance generalization. The second and third blocks are composed of three LSTM layers and three GRU layers, respectively, to capture temporal dependencies in sequential CAN data. A residual connection is employed between the second and fourth blocks to improve gradient flow and training stability. The fourth block performs classification using addition, normalization, flattening, and two fully connected (dense) layers.
The proposed IDS takes an input of 10 features, including the Time Stamp, CAN ID, and DATA fields . These input features encapsulate the temporal, identifier, and payload characteristics of each CAN message. The feature vector can be mathematically represented as: (4):
where represent each feature in the database.
The input feature vector is initially passed through a one-dimensional (1D) Convolutional layer to extract both spatial and temporal patterns from the sequential CAN bus data. This layer comprises 64 filters, each with a kernel size of 3, that slide over the input sequence to compute dot products between the filter weights and local input regions. The Convolutional layer employs the GeLU activation function [28], which introduces non-linearity by modulating input values based on the cumulative distribution function (CDF) of a standard normal distribution. This probabilistic activation function enhances model training by smoothing the transition between positive and negative activations to improve convergence and performance. The activation of the j-th neuron in the Convolutional layer is computed as:
where denotes the weight of the i-th element of the convolutional filter,
is the bias term,
represents the kernel size, and
corresponds to the input elements covered by the filter at position j. The resulting activation
is then forwarded to the next layers for further feature extraction.
Next, the features acquired from the Conv1D layer are passed to the Max Pool 1D layer that reduces the dimensionality and computational complexity by selecting the maximum value from a sliding window of size 2. By keeping only the maximum value of each window of size 2, this operation helps in reducing the number of parameters while retaining the necessary features. The max pooling operation can be described using Eq. (6):
where represents the activation after pooling.
Afterwards, the data is passed to an LSTM layer to extract spatial and temporal dependencies between the data. These layers are beneficial as they can retain long-range dependencies captured within the data. The LSTM cell contains four gates, i.e., forget gate, input gate, cell gate (also called candidate gate), and output gate. These gates are responsible for storing important information while discarding unnecessary information from the cell. The study deploys a stack of three LSTM layers. The output obtained from the final LSTM layer is then passed to GRU layers. This study uses three GRU layers with 32, 16, and 8 neurons, respectively. GRUs operate like LSTMs, but are simpler in terms of architecture and parameters. This makes them computationally efficient while still effective at capturing dependencies in the data.
The proposed IDS incorporates a residual connection between the final LSTM layer and the output of the last GRU layer that bypasses the intermediate layers. This connection (depicted as a dotted red arrow) helps in better gradient flow and enhances the learning process of the DL model. Residual connections are known for maintaining long-range dependencies in the data and aid the model during training by preserving important information and minimizing the vanishing gradients problem, or the risk of important information loss. Mathematically, the residual connection is defined as:
Here, is the input from layer l,
represents the transformation applied across n intermediate layers, and
is the final output. The addition of
to
allows the network to retain earlier information and simplifies learning by enabling identity mappings when needed. We applied a Normalization layer to standardize the output across the feature dimensions, which enhances the model’s stability and convergence during the training phase. The normalization process is defined by Eq. (8):
Here, μ represents the mean, is the variance, and ε is a small constant introduced to ensure numerical stability. It adjusts each feature to have a zero mean and unit variance, which improves the efficiency and reliability of the training process.
The normalized output is passed through a Flatten layer (containing 40 neurons) to reshape the data into a one-dimensional vector. Next, a Dense layer with 8 neurons is employed that applies a linear transformation, as defined in Eq. (9):
Here, W is the weight matrix, x is the input, and b is the bias. A GELU activation function is applied to introduce non-linearity.
The output layer (Dense) contains 2 neurons that correspond to the two classes, i.e., normal message and attack message. A softmax activation function is applied to transform the raw outputs into probabilities. The softmax function is defined in Eq. (10) as:
Here, represents the probability of the input belonging to class i, and
is the raw score (logit) for class i. The class with the highest probability is selected as the predicted output. Detailed configuration of the proposed IDS in terms of layer configuration and number of parameters is depicted in Table 3. The proposed IDS contains only 24,026 learnable parameters; hence, it is very lightweight. Moreover, the residual connection used in this study enhances the model’s learning capability and helps manage gradient flow effectively.
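An added example (not the authors' code) that tallies output shapes and trainable parameters for the layer stack described above, as a check on the 24,026 figure. The LSTM widths (32, 16, 8), "same" convolution padding, a layer-normalization layer with one scale and one offset per feature, and Keras-style GRU biases are assumptions, since the page does not state them; under these assumptions the total comes to exactly 24,026 and the Flatten width to 40.

```python
# Values stated on the page.
INPUT_STEPS = 10                      # 10 input features, read as a length-10, 1-channel sequence
CONV_FILTERS, CONV_KERNEL, POOL = 64, 3, 2
GRU_UNITS = (32, 16, 8)
DENSE_UNITS, N_CLASSES = 8, 2
# ASSUMPTION: LSTM widths are not given on the page; the last one must be 8 so the
# residual addition with the 8-unit GRU output is shape-compatible.
LSTM_UNITS = (32, 16, 8)


def conv1d_params(kernel, in_channels, filters):
    return kernel * in_channels * filters + filters


def lstm_params(in_dim, units):
    # Four gates, each with input weights, recurrent weights and a bias vector.
    return 4 * ((in_dim + units) * units + units)


def gru_params(in_dim, units):
    # Three gates; ASSUMPTION: separate input and recurrent bias vectors
    # (the Keras default, reset_after=True), hence 2 * units per gate.
    return 3 * ((in_dim + units) * units + 2 * units)


def dense_params(in_dim, units):
    return in_dim * units + units


def summarize(lstm_units=LSTM_UNITS, gru_units=GRU_UNITS, padding="same"):
    """Return [(layer name, output shape, trainable parameters)] for the stack."""
    rows = []
    steps, width = INPUT_STEPS, 1

    rows_params = conv1d_params(CONV_KERNEL, width, CONV_FILTERS)
    steps = steps if padding == "same" else steps - CONV_KERNEL + 1
    width = CONV_FILTERS
    rows.append(("Conv1D+GeLU", (steps, width), rows_params))

    steps //= POOL
    rows.append(("MaxPool1D", (steps, width), 0))

    for i, units in enumerate(lstm_units, start=1):   # every layer returns sequences
        rows.append((f"LSTM_{i}", (steps, units), lstm_params(width, units)))
        width = units
    skip_shape = (steps, width)                       # source of the residual connection

    for i, units in enumerate(gru_units, start=1):
        rows.append((f"GRU_{i}", (steps, units), gru_params(width, units)))
        width = units

    if (steps, width) != skip_shape:
        raise ValueError(f"residual add needs equal shapes: {skip_shape} vs {(steps, width)}")
    rows.append(("Add", (steps, width), 0))
    rows.append(("LayerNorm", (steps, width), 2 * width))   # ASSUMPTION: layer normalization

    flat = steps * width
    rows.append(("Flatten", (flat,), 0))
    rows.append(("Dense+GeLU", (DENSE_UNITS,), dense_params(flat, DENSE_UNITS)))
    rows.append(("Dense+softmax", (N_CLASSES,), dense_params(DENSE_UNITS, N_CLASSES)))
    return rows


def total_params(rows):
    return sum(params for _, _, params in rows)


def float32_weight_bytes(rows):
    """Storage for the weights alone at 4 bytes per parameter (no activations)."""
    return 4 * total_params(rows)


if __name__ == "__main__":
    table = summarize()
    for name, shape, params in table:
        print(f"{name:<14}{str(shape):<10}{params:>7}")
    print("total parameters:", total_params(table))
    print("float32 weights :", float32_weight_bytes(table), "bytes")
```

With "valid" padding the Flatten width becomes 32 rather than the 40 stated on the page, which is why "same" padding is assumed here.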
Results and discussion
This section presents a detailed discussion of the results obtained from the proposed IDS. Moreover, this section also includes a comprehensive comparison with existing systems and an evaluation using XAI techniques.
A. Experimental Setup and Evaluation Metrics
All experiments reported in this section are conducted on the Kaggle platform with a P100 GPU. The car hacking dataset mentioned in Table 2 is used for training, validation, and testing of the proposed system. We used 70% of the dataset for training the models, whereas 20% of the dataset was used for validation purposes and 10% for testing. For statistical analysis on data splitting, we conducted experiments using three random seed points, i.e., 11, 42, and 99. Ablation analysis is also performed for optimization of the proposed architecture and hyperparameters.
The proposed IDS is evaluated on accuracy, precision, recall, and F1-Score. Accuracy measures the performance of the proposed model in terms of correct predictions. A higher accuracy indicates the model’s ability to distinguish between positive and negative classes. The accuracy can be calculated by using Eq. (11).
The True Negative Rate measures the ability of the model to detect benign or attack-free packets. A low False Negative Rate (FNR) shows that few malicious packets were missed by the model, or possibly none at all. The False Positive Rate (FPR), however, indicates how often the model wrongly classified attack-free packets as malicious. A robust classification model is expected to have a low FPR.
However, accuracy alone is insufficient to evaluate automated systems; hence, we employed precision, recall, and the F1-score to assess the performance of the proposed IDS. Precision evaluates the effectiveness of a model in correctly identifying positive predictions by representing the proportion of true positives out of all predicted positives. Precision is measured as the ratio of TPattack predictions to the sum of true positive and FPattack predictions. The metric is calculated in Eq. (12).
Recall is a widely recognized performance metric used in classification tasks to evaluate a model’s ability to correctly identify all positive cases in a dataset. It is also known as sensitivity or the true positive rate. It is calculated as the ratio of TPattack predictions to the sum of TPattack and FNnormal predictions. Recall is calculated in Eq. (13).
F1-Score is a performance metric that combines both precision and recall into a single metric, thus achieving a balance between the two. The F1-Score is defined as the harmonic mean of precision and recall, with values ranging between 0 and 1, where 1 is the highest attainable score, denoting perfect recall and precision. F1-score is calculated in Eq. (14).
B. Performance of the Proposed Method
This subsection presents the results obtained from the proposed IDS. The IDS was trained and validated using a publicly available dataset comprising four well-known automotive cyberattack types: DoS, Fuzzy, RPM Spoofing, and Gear Spoofing attacks.
Fig 3 displays the confusion matrices for each class, which are used to assess the performance of the proposed trained models by showcasing their ability to differentiate between positive and negative class samples. The four quadrants of a confusion matrix correspond to true negatives (correctly predicted negatives), false positives (negatives misclassified as positives), false negatives (positives misclassified as negatives), and true positives (correctly predicted positives). It compares the actual class labels in the dataset with the model’s predictions. The first confusion matrix depicts the performance of the proposed IDS on the DoS class, which shows that the model correctly identified 309,730 instances as true negatives and 58,647 instances as true positives. There are no false positives or false negatives, meaning that the model did not make any mistakes in either predicting negative cases as positive or positive cases as negative, indicating a 100% accuracy. It is observed from the confusion matrix obtained from the Fuzzy class that the proposed model correctly identified 334,786 instances as true negatives and 49,080 instances as true positives. However, 10 false positive and 10 false negative cases were also observed, meaning the model misclassified 10 negative instances as positive and 10 positive instances as negative. Considering the large dataset size, these small errors are minimal, and the overall performance remains strong. The confusion matrix for the RPM Spoofing class shows that the model performs extremely well, as it correctly predicted 400,000 instances as true negatives and 61,132 instances as true positives. There is only one false positive, meaning that the model incorrectly classified one negative instance as positive. There are no false negatives in this matrix, indicating that all positive instances were correctly identified. Our proposed model is reliable due to its high detection accuracy. 
It is observed by the confusion matrix of the Gear Spoofing class that the proposed model correctly classified 384,414 instances as true negatives and 60,000 instances as true positives with no false positives or false negatives. These results are proof of the proposed framework’s exceptional detection performance.
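As an added example (not code from the paper), the confusion-matrix counts quoted above for Fig 3 can be turned into the metrics of subsection A using the standard definitions of accuracy, precision, recall, F1, FPR and FNR. The class and function names are assumptions, and the pooled row simply sums the four matrices.

```python
from dataclasses import dataclass
from typing import Dict, Iterable


def _ratio(num: int, den: int) -> float:
    # An empty denominator means the rate is undefined; return NaN instead of guessing.
    return num / den if den else float("nan")


@dataclass(frozen=True)
class Confusion:
    tn: int
    fp: int
    fn: int
    tp: int

    @property
    def total(self) -> int:
        return self.tn + self.fp + self.fn + self.tp

    def metrics(self) -> Dict[str, float]:
        return {
            "accuracy": _ratio(self.tp + self.tn, self.total),
            "precision": _ratio(self.tp, self.tp + self.fp),
            "recall": _ratio(self.tp, self.tp + self.fn),
            # F1 written on counts: 2TP / (2TP + FP + FN)
            "f1": _ratio(2 * self.tp, 2 * self.tp + self.fp + self.fn),
            "fpr": _ratio(self.fp, self.fp + self.tn),
            "fnr": _ratio(self.fn, self.fn + self.tp),
        }


# Counts exactly as quoted in the text for Fig 3.
FIG3 = {
    "DoS": Confusion(tn=309_730, fp=0, fn=0, tp=58_647),
    "Fuzzy": Confusion(tn=334_786, fp=10, fn=10, tp=49_080),
    "RPM Spoofing": Confusion(tn=400_000, fp=1, fn=0, tp=61_132),
    "Gear Spoofing": Confusion(tn=384_414, fp=0, fn=0, tp=60_000),
}


def pooled(matrices: Iterable[Confusion]) -> Confusion:
    """Sum the cells of all per-attack matrices (micro-average view)."""
    tn = fp = fn = tp = 0
    for cm in matrices:
        tn, fp, fn, tp = tn + cm.tn, fp + cm.fp, fn + cm.fn, tp + cm.tp
    return Confusion(tn=tn, fp=fp, fn=fn, tp=tp)


def report() -> Dict[str, Dict[str, float]]:
    rows = {name: cm.metrics() for name, cm in FIG3.items()}
    rows["pooled"] = pooled(FIG3.values()).metrics()
    return rows


if __name__ == "__main__":
    for name, m in report().items():
        print(f"{name:14s} " + " ".join(f"{k}={v:.6f}" for k, v in m.items()))
```

Reporting FPR and FNR next to accuracy matters here because the normal class outnumbers the attack class in every matrix, so a handful of errors barely moves accuracy.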
The performance of the proposed IDS can be seen in terms of precision, recall, F1-Score, and accuracy against DoS, Fuzzy, RPM Spoofing, and Gear Spoofing attacks in Fig 4. The observed results show that the proposed model obtained a perfect F1-score, Recall, and Precision of 1.0 in detecting DoS, RPM Spoofing, and Gear Spoofing attacks. It indicates that all the instances were correctly detected. The proposed model attained an F1-score, Precision, and Recall of 0.99 against the Fuzzy attack. It indicates that the proposed model made only a small number of errors. These results suggest that the model’s performance remains strong and reliable, with only slight deviations from optimal performance. These observed results reflect that the proposed model performed exceptionally in detecting four attack types, and its performance was consistent (Fig 5).
Fig 6 shows four ROC (Receiver Operating Characteristic) curves corresponding to different attack classes: DoS, Fuzzy, Gear Spoofing, and RPM Spoofing. Each subplot contains two ROC curves, one for Class 0 (normal class) and one for Class 1 (attack class), and they evaluate the performance of a binary classification model for each type of attack. The ROC curve plots the true positive rate (sensitivity or recall) against the false positive rate at various threshold settings. A perfect classifier will have an ROC curve that touches the top-left corner of the plot, representing a high true positive rate with a low false positive rate. The area under the ROC curve (AUC) quantifies the overall ability of the model to discriminate between positive and negative classes, with an AUC of 1.0 indicating perfect classification. The ROC curves for all the attack categories, i.e., DoS, Fuzzy, Gear Spoofing, and RPM Spoofing, are perfect for both Class 0 and Class 1, with an AUC of 1.0. The curves are represented as horizontal lines at the top of the plot, indicating that the model perfectly distinguishes between the two classes without making any false positive or false negative errors. The true positive rate reaches 1.0 immediately, and the false positive rate remains at 0. The results show the efficacy and robustness of the proposed IDS for the task of cyber attack detection in the CAN bus of AVs.
Table 4 presents the accuracy and loss values of the proposed IDS on four distinct attack types, evaluated during both training and testing phases. The proposed IDS obtained an accuracy of 0.99% on the RPM Spoofing and Fuzzy attack classes during both training and evaluation phases, whereas the DoS and Gear Spoofing classes attained a perfect accuracy of 1.0, which indicates flawless classification performance.
Table 5 shows the performance of the proposed IDS on the validation set. The system attained perfect precision, recall, and F1-scores across all classes, depicting a robust performance on unseen samples.
C. Analysis of Data Splitting and Multi-Seed Reproducibility
We utilized multiple seed points to see the effect of dataset splitting on the performance of our proposed model. For each seed point, we created separate train, validation, and test splits for each attack file using the HCRL Car-Hacking dataset. The dataset provides separate CSV files for each attack type (DoS, Fuzzy, RPM Spoofing, Gear Spoofing). Each file was sorted by timestamp to keep the natural temporal order of CAN messages. Then, we applied a deterministic stratified splitting method that allocated 70% of the data to training, 20% to validation, and 10% to testing. Table 6 summarizes the dataset composition for each seed and split. The attack-to-normal ratio stays consistently between 10% and 20% across all seeds, confirming that the stratified, time-ordered splits maintain class balance and dataset size. We used three random seeds (11, 42, and 99) which resulted in twelve independent model trainings (four attack types multiplied by three seeds).
For each seed, we trained the models from scratch and tested on the corresponding test splits. Table 7 presents the aggregated test results as mean ± standard deviation, including accuracy, precision, recall, F1-score, and ROC-AUC for each attack. The minimal variability between seeds shows that the proposed lightweight IDS delivers consistent performance regardless of random initialization or data split differences. We utilized an early stopping strategy during training so that the performance of the proposed model converges without overfitting. The confusion matrices in Fig 7, corresponding to the test splits in Table 6, remain strongly diagonal across seeds, which shows that the model generalizes well to unseen CAN frames.
Although the dataset is synthetically generated under controlled in-vehicle conditions, the stable multi-seed results demonstrate that our model’s performance reflects true separation between normal and attack traffic rather than data leakage artifacts.
D. Robustness and Statistical Validation
To assess the stability and statistical reliability of the proposed IDS, additional robustness checks were performed beyond the multi-seed reproducibility analysis.
Input perturbation (time and CAN jitter): To mimic real-world sensor or timing noise, controlled Gaussian perturbations were added to the Timestamp and CAN ID fields, while individual DATA bytes were jittered by ±1 within the [0,255] range. Table 8 shows that deviations in accuracy and F1-score were negligible (<0.001), confirming the robustness of the IDS to input-level disturbances.
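The following added example (not the authors' code) implements the perturbation described above and measures how far F1 moves for a detector under it, using the seeds 11, 42 and 99 for the noise. The noise scales, the constructed frames and the two rule-based stand-in detectors are assumptions; the paper's model and the Table 8 values are not reproduced.

```python
import random
from dataclasses import dataclass, replace
from typing import Callable, List, Sequence, Tuple


@dataclass(frozen=True)
class Frame:
    ts: float               # seconds since capture start
    can_id: int             # 11-bit arbitration ID
    data: Tuple[int, ...]   # payload bytes DATA[0..7]
    label: int              # 1 = injected frame, 0 = normal


def make_frames(n: int = 200) -> List[Frame]:
    """Constructed sample traffic (not from the dataset): every 5th frame is injected."""
    normal_ids = (0x316, 0x43F, 0x545)
    frames = []
    for i in range(n):
        if i % 5 == 0:
            frames.append(Frame(i * 1e-3, 0x000, (0,) * 8, 1))
        else:
            payload = tuple((i * 37 + k * 85) % 256 for k in range(8))
            frames.append(Frame(i * 1e-3, normal_ids[i % 3], payload, 0))
    return frames


def perturb(f: Frame, rng: random.Random,
            ts_sigma: float = 1e-4, id_sigma: float = 0.5) -> Frame:
    """Gaussian noise on Timestamp and CAN ID, +/-1 on each DATA byte, clamped to valid ranges."""
    ts = max(0.0, f.ts + rng.gauss(0.0, ts_sigma))
    can_id = min(0x7FF, max(0, round(f.can_id + rng.gauss(0.0, id_sigma))))
    data = tuple(min(255, max(0, b + rng.choice((-1, 1)))) for b in f.data)
    return replace(f, ts=ts, can_id=can_id, data=data)


def f1_score(labels: Sequence[int], preds: Sequence[int]) -> float:
    tp = sum(1 for y, p in zip(labels, preds) if y == 1 and p == 1)
    fp = sum(1 for y, p in zip(labels, preds) if y == 0 and p == 1)
    fn = sum(1 for y, p in zip(labels, preds) if y == 1 and p == 0)
    den = 2 * tp + fp + fn
    return 2 * tp / den if den else float("nan")


# Hypothetical stand-in detectors, used only to exercise the harness.
def range_detector(f: Frame) -> int:
    return int(f.can_id < 0x010)      # tolerates small ID noise


def exact_detector(f: Frame) -> int:
    return int(f.can_id == 0x000)     # brittle: any ID shift is a miss


def robustness(frames: Sequence[Frame], detector: Callable[[Frame], int],
               seeds: Sequence[int] = (11, 42, 99)) -> Tuple[float, float]:
    """Return (clean F1, worst F1 over the perturbed copies)."""
    labels = [f.label for f in frames]
    clean = f1_score(labels, [detector(f) for f in frames])
    worst = clean
    for seed in seeds:
        rng = random.Random(seed)
        noisy = [perturb(f, rng) for f in frames]
        worst = min(worst, f1_score(labels, [detector(f) for f in noisy]))
    return clean, worst


if __name__ == "__main__":
    frames = make_frames()
    for det in (range_detector, exact_detector):
        clean, worst = robustness(frames, det)
        print(f"{det.__name__:15s} clean F1={clean:.4f} worst perturbed F1={worst:.4f}")
```

Swapping a trained model's predict function in for the stand-in detectors gives the clean-versus-perturbed comparison; the contrast between the two toy rules shows why noise on an identifier field such as CAN ID deserves its own row in such a table.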
Bootstrap confidence intervals: To quantify statistical uncertainty on the test set, we computed non-parametric 95% bootstrap Confidence Intervals (CIs) (B = 1000 resamples) for F1 (computed from hard labels vs. hard predictions) and ROC-AUC (labels vs. soft probabilities) using seed 11. Results were extremely tight across all attacks as shown in Table 9. These intervals corroborate the stability of the observed near-perfect performance on the held-out test splits.
E. Ablation Analysis and Parameter Optimization
In this work, we also conducted ablation analysis in order to assess the contribution of each component of our proposed architecture. The analysis involved four distinct architectural configurations, designated as four experiments, which can be observed in Table 10. In each experiment, we removed or added specific layers to assess their effect on detection performance. Each row in the table corresponds to a different experiment conducted on the Fuzzy Attack dataset, where certain layers or components of the model are either included (indicated by a checkmark) or omitted (indicated by a cross). The final column displays the resulting model accuracy for each configuration.
In the first experiment, all components of the IDS architecture are included, including Conv1D, Max Pooling, three LSTM layers, three GRU layers, Residual Connection, and Dense layer. With all components present, the proposed IDS achieved an accuracy of 99.99%. In the second experiment, removal of the third LSTM and GRU layers resulted in 99.96% accuracy. In the third experiment, removal of Conv1D and Max Pooling layers resulted in 99.95% accuracy. In the fourth experiment, when all the components were included except for the residual connection, the model attained a 99.91% overall accuracy. The ablation experiments show that, when all the components were included, the proposed IDS attained the highest performance, thus proving the usability of the components in the accurate classification of cyber attacks in AVs.
Along with the ablation study, extensive hyperparameter tuning is performed to find the optimal training parameters for the architecture. A random selection strategy was used to find and finalize the parameters. These parameters include learning rate, batch size, and number of layers, activation functions, etc. Table 11 depicts a detailed set of hyperparameters and their respective values that were evaluated during the optimization process for training a machine learning model. Bold text indicates the final values used for the model. During this parameter tuning process, we evaluated the performance of the proposed IDS by varying the values of epochs, batch size, learning rates, optimization function, no. of convolutional layers, neurons in LSTM/GRU layers, and the total number of LSTM, GRU, Convolutional layer, and Max Pooling layer. Furthermore, different optimization and activation functions were also tested to find the optimal set.
F. Comparative Evaluation Against Existing Approaches
Table 12 provides a comparative analysis of the proposed IDS against existing systems in terms of F1-Score. The results demonstrate that the proposed IDS achieved an F1-score of 100% for DoS, Gear Spoofing, and RPM attacks, respectively, and 99.99% in the Fuzzy attacks database. In comparison, Amato et al. [7] obtained an F1-Score of 98.2%, 99.6%, and 100% on DoS, Fuzzy, Gear, and RPM Spoofing, respectively. Wang et al. [11] reported more than 99% F1-Score on different attacks, but their IDS did not cover Fuzzy attacks, whereas the proposed IDS detects four attacks with a remarkable performance. On the other hand, Sun et al. [17] reported very low F1-Scores on DoS and Fuzzy attack types. In comparison, the proposed IDS detects four well-known CAN bus attacks with remarkable performance compared to existing systems. The proposed IDS not only achieved phenomenal detection performance but is also very lightweight and robust due to a limited number of parameters.
A comparison of the proposed IDS with existing IDS systems in terms of parameters is shown in Table 13. The CAN protocol is built for real-time communication in environments with limited resources, and it is unsuitable for handling computationally heavy or overly complex IDS. Given the constrained processing power and memory of automotive ECUs, an effective CAN-based IDS must be both lightweight and efficient, minimizing latency and resource consumption while still achieving high detection accuracy.
Computationally expensive IDSs are not suitable for deployment in AVs, as they might consume a lot of resources that might be required for other critical car functions, thus leading to accidents. Hence, the proposed IDS is very lightweight and robust to accurately and swiftly flag any malicious message. The results showcase the applicability of the proposed IDS in the evolving landscape of cyber threats in the automotive domain. Hence, the proposed IDS is reliable, robust, and lightweight for the task.
G. Insights into Proposed Model Behavior through Explainable AI
LIME is utilized to interpret the predictions of the proposed deep approach for the detection of different types of attacks on the CAN bus. LIME generates local explanations by perturbing the input data and observing how the predictions change. This helps in identifying which features are most influential in making a particular prediction. By analyzing these perturbations, LIME can provide insights into the importance of each feature for a specific prediction, helping identify which aspects of the CAN bus data (e.g., message IDs, data length, data values, timestamp) contribute most to classifying a message as an attack or normal behavior.
The proposed model identifies anomalies in the CAN ID and DATA fields to make its predictions. LIME explanations for instances where attacks were detected (Class 1) are observed in Fig 8. The detailed explanation of the features driving the proposed model’s decision to classify these instances as attacks can be seen clearly. LIME visualizations show features contributing to the attack classification highlighted in orange. For the DoS attack instance observed in Fig 8a, multiple DATA fields (like DATA [3], DATA [5], and others) show abnormal values, which suggest traffic congestion or high volume, typical characteristics of a DoS attack. In the case of Fuzzy attacks, certain DATA fields exhibit unusual, possibly random, values indicative of manipulated or corrupted data (Fig 8b). For the RPM attack, the CAN ID and other fields contribute to the detection, which indicates remote manipulation of the bus data (Fig 8c). Gear Spoofing attacks involve abnormal values in the DATA fields related to gear control, where the manipulation of these fields leads to the detection of the attack (Fig 8d). LIME explanations show that certain fields, like CAN ID and specific DATA fields, are key indicators of attack activity. This highlights the proposed model’s capacity to capture subtle deviations in the CAN bus messages caused by different attack vectors.
It can be observed from these visualizations that the model relies on the stability of key data attributes such as the CAN ID and DATA field to classify instances as normal/attack-free.
LIME explanations for instances when no attacks were detected, i.e., Class 0, are observed in Fig 9. It shows four subplots, each representing a distinct form of attack: DoS, Fuzzy, RPM, and Gear Spoofing. Each of these LIME subplots shows how the proposed model predicts no attack (Class 0) using CAN bus data properties. The blue bars represent characteristics that help predict normal behavior. It is observed from these visualizations that our proposed model relies on the consistency of specific data (such as the CAN ID and DATA fields) to classify situations as non-attacked.
LIME’s perturbation mechanism inherently enables ‘what-if’ sensitivity analysis by systematically modifying CAN message attributes and observing shifts in our proposed model predictions. Future work may extend this toward an interactive dashboard in order to allow practitioners to simulate and visualize system behavior under varying network or sensor conditions. It would support real-time diagnostic insights in AVs.
H. Strengths and Limitations of the Proposed IDS
From the reported results, it is clear that the proposed IDS has key strengths. Our proposed IDS combines convolutional layers with LSTM and GRU units. We combined the hybrid models with the intention of improving the detection of intricate and sequential attack behaviors that are typical in AV communications. Adding a residual connection between the recurrent layers was a deliberate choice to make training more stable and efficient. We can say that our system performed quite well based on the reported results, as it achieves an accuracy of around 99.99% across four attack types, namely DoS, Fuzzy, RPM Spoofing, and Gear Spoofing. We also incorporated an explainability technique to give us insights into how the model makes its decisions. It is important for trust and transparency in AVs. It is worth considering that despite our model’s relatively small size (about 24K parameters or 94 KB), deploying it within a CAV will introduce challenges related to inference latency, memory usage, and the realities of distributed embedded environments. We plan to investigate compression techniques, such as quantization and pruning, to further minimize resource demands. Exploring federated learning strategies could enable collaboration between ECUs without compromising raw CAN data privacy. These efforts aim to ensure the IDS can be practically deployed on automotive microcontrollers and gateway units, which face strict requirements for both latency and safety.
Conclusion and Future Work
Our proposed lightweight explainable IDS performs the detection of four types of cyber attacks in AVs with high detection accuracy. The proposed hybrid architecture is composed of convolutional layers with GeLU activation, followed by LSTM and GRU layers to effectively capture dependencies in the data. A residual connection is introduced between the LSTM and GRU blocks to improve gradient flow and training stability. We finalized this design after exhaustive hyperparameter tuning and ablation studies. The proposed IDS achieved 99.99% accuracy on a publicly available benchmark Car Hacking dataset containing well-known attacks, i.e., DoS, Fuzzy, and Spoofing. It is observed that the proposed IDS has significantly lower computational complexity compared to existing methods. The importance of integrating LSTM and GRU layers with residual connections can be observed from the results in improving the performance of the proposed model. Finally, the use of the XAI technique called LIME has increased the proposed model’s transparency and trustworthiness in its decision-making. Future work may involve extending this framework to include emerging attack types to better adapt to the evolving and dynamic threat landscape in AVs.
References
- 1. World Health Organization. Global Status Report on Road Safety 2023. 2023. https://www.who.int/publications/i/item/9789240086517
- 2. Fu Y, Li C, Yu FR, Luan TH, Zhang Y. A Survey of Driving Safety With Sensing, Vehicular Communications, and Artificial Intelligence-Based Collision Avoidance. IEEE Trans Intell Transport Syst. 2022;23(7):6142–63.
- 3. Hassan F, Syed ZS, Memon AA, Alqahtany SS, Ahmed N, Reshan MSA, et al. A hybrid approach for intrusion detection in vehicular networks using feature selection and dimensionality reduction with optimized deep learning. PLoS One. 2025;20(2):e0312752. pmid:39913503
- 4. Elassy M, Al-Hattab M, Takruri M, Badawi S. Intelligent transportation systems for sustainable smart cities. Transportation Engineering. 2024;16:100252.
- 5. Buscemi A, Turcanu I, Castignani G, Panchenko A, Engel T, Shin KG. A Survey on Controller Area Network Reverse Engineering. IEEE Commun Surv Tutorials. 2023;25(3):1445–81.
- 6. Hoang T-N, Kim D. Supervised contrastive ResNet and transfer learning for the in-vehicle intrusion detection system. Expert Systems with Applications. 2024;238:122181.
- 7. Amato F, Coppolino L, Mercaldo F, Moscato F, Nardone R, Santone A. CAN-Bus Attack Detection With Deep Learning. IEEE Trans Intell Transport Syst. 2021;22(8):5081–90.
- 8. Ryan M. The Future of Transportation: Ethical, Legal, Social and Economic Impacts of Self-driving Vehicles in the Year 2025. Sci Eng Ethics. 2020;26(3):1185–208. pmid:31482471
- 9. Saravanan S, Balasubramanian UM. An Adaptive Scalable Data Pipeline for Multiclass Attack Classification in Large-Scale IoT Networks. Big Data Min Anal. 2024;7(2):500–11.
- 10. Ashraf J, Bakhshi AD, Moustafa N, Khurshid H, Javed A, Beheshti A. Novel Deep Learning-Enabled LSTM Autoencoder Architecture for Discovering Anomalous Events From Intelligent Transportation Systems. IEEE Trans Intell Transport Syst. 2021;22(7):4507–18.
- 11. Wang Y, Lai Y, Chen Y, Wei J, Zhang Z. Transfer learning-based self-learning intrusion detection system for in-vehicle networks. Neural Comput & Applic. 2023;35(14):10257–73.
- 12. Yu T, Hua G, Wang H, Yang J, Hu J. Federated-LSTM based Network Intrusion Detection Method for Intelligent Connected Vehicles. In: ICC 2022 - IEEE International Conference on Communications, 2022. 4324–9. https://doi.org/10.1109/icc45855.2022.9838655
- 13. Rai R, Grover J, Sharma P, Pareek A. Securing the CAN bus using deep learning for intrusion detection in vehicles. Sci Rep. 2025;15(1):13820. pmid:40258975
- 14. Wang K, Sun Z, Wang B, Fan Q, Li M, Zhang H. ATHENA: An In-vehicle CAN Intrusion Detection Framework Based on Physical Characteristics of Vehicle Systems. 2025.
- 15. Lee H, Jeong SH, Kim HK. OTIDS: A Novel Intrusion Detection System for In-vehicle Network by Using Remote Frame. In: 2017 15th Annual Conference on Privacy, Security and Trust (PST), 2017. 57–5709. https://doi.org/10.1109/pst.2017.00017
- 16. Amin J, Anjum MA, Ibrar K, Sharif M, Kadry S, Crespo RG. Detection of anomaly in surveillance videos using quantum convolutional neural networks. Image and Vision Computing. 2023;135:104710.
- 17. Sun H, Sun M, Weng J, Liu Z. Analysis of ID Sequences Similarity Using DTW in Intrusion Detection for CAN Bus. IEEE Trans Veh Technol. 2022;71(10):10426–41.
- 18. Tariq S, Lee S, Woo SS. CANTransfer: Transfer learning based intrusion detection on a controller area network using convolutional LSTM network. In: Proceedings of the 35th annual ACM symposium on applied computing, 2020. 1048–55.
- 19. Javed AR, Rehman S ur, Khan MU, Alazab M, G TR. CANintelliIDS: Detecting In-Vehicle Intrusion Attacks on a Controller Area Network Using CNN and Attention-Based GRU. IEEE Trans Netw Sci Eng. 2021;8(2):1456–66.
- 20. Wang S-L, Wu S-Y, Lin C-C, Boddupalli S, Chang P-J, Lin C-W, et al. Deep-Learning-Based Intrusion Detection for Autonomous Vehicle-Following Systems. In: 2021 IEEE International Intelligent Transportation Systems Conference (ITSC), 2021. 865–72. https://doi.org/10.1109/itsc48978.2021.9564677
- 21. Alsulami AA, Al-Haija QA, Alturki B, Alqahtani A, Alsini R. Security strategy for autonomous vehicle cyber-physical systems using transfer learning. J Cloud Comp. 2023;12(1).
- 22. Hoang T-N, Islam MR, Yim K, Kim D. CANPerFL: Improve In-Vehicle Intrusion Detection Performance by Sharing Knowledge. Applied Sciences. 2023;13(11):6369.
- 23. Wickramasinghe CS, Marino DL, Mavikumbure HS, Cobilean V, Pennington TD, Varghese BJ, et al. RX-ADS: Interpretable Anomaly Detection Using Adversarial ML for Electric Vehicle CAN Data. IEEE Trans Intell Transport Syst. 2023;24(12):14051–63.
- 24. Anbalagan S, Raja G, Gurumoorthy S, Suresh RD, Dev K. IIDS: Intelligent Intrusion Detection System for Sustainable Development in Autonomous Vehicles. IEEE Trans Intell Transport Syst. 2023;24(12):15866–75.
- 25. Linhares T, Patel A, Barros AL, Fernandez M. SDNTruth: Innovative DDoS Detection Scheme for Software-Defined Networks (SDN). J Netw Syst Manage. 2023;31(3).
- 26. Farhat S, Patel A, Barros ALB, Bamhdi AM. MF2S-CID: A dynamic multi-model framework for scalable and interpretable intrusion detection. Int J Inf Secur. 2025;24(4).
- 27. Seo E, Song HM, Kim HK. GIDS: GAN based intrusion detection system for in-vehicle network. In: 2018 16th annual conference on privacy, security and trust (PST), 2018. 1–6.
- 28. Hendrycks D, Gimpel K. Gaussian error linear units (gelus). In: 2016. https://arxiv.org/abs/1606.08415