Explainable AI for Network Intrusion Detection in Modern In-Vehicle Networks - An explainability pipeline for deep learning based intrusion detection systems for in-vehicle networks
Hämtar...
Ladda ner
Publicerad
Författare
Typ
Examensarbete för masterexamen
Master's Thesis
Master's Thesis
Modellbyggare
Tidskriftstitel
ISSN
Volymtitel
Utgivare
Sammanfattning
Deep learning–based network intrusion detection systems (NIDS) have been widely
adopted for detecting attacks in Controller Area Network (CAN) traffic due to their
superior performance over traditional approaches. However, their black-box nature
makes the underlying decision-making process difficult to interpret, limiting their
suitability for safety-critical automotive environments. Existing studies on CAN
NIDS have largely focused on detection performance and model design; limited
work has examined shortcut learning through explanations or used explanations to
improve the models. This thesis develops an explainable artificial intelligence (XAI)
pipeline for DL-based CAN NIDS. Raw CAN fields are combined with explicit temporal and statistical features. Multilayer perceptron (MLP) classifiers are evaluated on the CAN-MIRGU and can-train-and-test datasets, and the autoencoder
is evaluated on the CAN-MIRGU dataset. SHAP, LIME, Integrated Gradients,
Trustee, and AE-p-values are used for behavior analysis, while Right for the Right
Reasons (RRR) supervision and Gini-based attribution priors are applied to guide
training. The MLP achieves high F1-scores on CAN-MIRGU, but its performance
decreases substantially under unseen attacks and cross-vehicle tests in can-train
and-test. Explanations show both meaningful use of timing-related features and
reliance on dataset-specific payload patterns. For the autoencoder, p-value representations improve attack clustering over raw inputs. Moreover, p-values reveal that
in the CAN-MIRGU dataset, DoS and fuzzing attacks are distinguishable, whereas
spoofing and replay attacks remain difficult to separate. RRR increases the F1-score
for non-zero-payload DoS attacks under distribution shift from 0 to 0.61. Gini-based
regularization increases explanation sparsity while maintaining high predictive performance. These results show that explanation analysis is necessary for identifying
shortcuts, assessing generalization, and developing more reliable CAN NIDS.
Beskrivning
Ämne/nyckelord
In-Vehicle Network Security, Network Intrusion Detection System (NIDS), Explainable AI (XAI), Explanation-Guided Learning (EGL)
