GUARD-CAN: Graph-Understanding and Recurrent Architecture for CAN Anomaly Detection

TL;DR

GUARD-CAN is a novel framework that combines graph learning and recurrent neural networks to detect various CAN bus cyber-attacks effectively without complex feature engineering.

Contribution

It introduces a graph-based, time-aware anomaly detection method for CAN networks using autoencoders, GCNs, and GRUs, with multi-level evaluation.

Findings

Detects four types of CAN attacks effectively

Operates without complex feature engineering

Analyzes window size importance via Shannon entropy

Abstract

Modern in-vehicle networks face various cyber threats due to the lack of encryption and authentication in the Controller Area Network (CAN). To address this security issue, this paper presents GUARD-CAN, an anomaly detection framework that combines graph-based representation learning with time-series modeling. GUARD-CAN splits CAN messages into fixed-length windows and converts each window into a graph that preserves message order. To detect anomalies in the timeaware and structure-aware context at the same window, GUARD-CAN takes advantage of the overcomplete Autoencoder (AE) and Graph Convolutional Network (GCN) to generate graph embedding vectors. The model groups these vectors into sequences and feeds them into the Gated Recurrent Unit (GRU) to detect temporal anomaly patterns across the graphs. GUARD-CAN performs anomaly detection at both the sequence level and the window level, and this allows multi-perspective performance evaluation. The model also verifies the importance of window size selection through an analysis based on Shannon entropy. As a result, GUARD-CAN shows that the proposed model detects four types of CAN attacks (flooding, fuzzing, replay and spoofing attacks) effectively without relying on complex feature engineering.