KaioCAN: Knowledge-augmented Autoencoder for Intrusion detection over CAN

In recent years, the automotive industry has experienced a significant evolution and expansion, leading to increasingly more complex in-vehicle architectures. Nowadays, vehicles integrate dozens of Electronic Control Units (ECUs) interconnected through the Controller Area Network (CAN) bus, which remains the de facto standard for intra-vehicular communication. However, despite its efficiency and reliability, the CAN protocol was designed without intrinsic security mechanisms such as encryption, authentication, or message integrity verification. As a consequence of this, it is inherently vulnerable to a wide range of cyberattacks, including spoofing, replay, and denial of service (DoS) attacks. These threats can produce severe damages in operational, financial, privacy and safety domains. For these reasons, it has become necessary to introduce effective countermeasures to these threats to mitigate such risks. To address these challenges, the automotive industry and regulatory bodies, including UNECE R155 and ISO/SAE 21434, increasingly emphasize the need for mitigation solutions such as encryption, authentication and integrity protection mechanisms, access control techniques or monitoring systems. Intrusion Detection Systems (IDS) represent a possible defensive measure to ensure continuous monitoring to cyber threats. This thesis presents KaioCAN (Knowledge-Augmented Autoencoder for Intrusion detection Over CAN), an intelligent intrusion detection framework specifically designed for in-vehicle networks. The system is based on deep learning techniques and aims to detect anomalies in CAN traffic, combining features of neural architectures with knowledge derived from vehicular communication dynamics. In particular, KaioCAN integrates two different models: Convolutional Neural Networks (CNNs) and Long Short-Term Memory (LSTM) networks, each addressing different aspects of temporal and structural patterns in CAN data. KaioCAN operates through a linear pipeline composed of preprocessing, training, and evaluation stages. Raw CAN messages are first normalized and converted into structured temporal windows, enabling the extraction of statistical and temporal correlation features among message identifiers and payloads. The neural models, based on autoencoder architectures, are trained on legitimate traffic and learn to reproduce normal communication patterns, allowing the detection of deviations that indicate potential intrusions. Simulations were based on publicly available standard automotive datasets to evaluate performance under multiple attack scenarios. The results confirm the effectiveness of deep learning in automotive cybersecurity and demonstrate that KaioCAN achieves strong detection performance in most cases, while maintaining consistent behaviour even for complex and hard to be detected attacks, offering a promising foundation for future research in automotive cybersecurity.