Explainable AI for Network Intrusion Detection in Modern In-Vehicle Networks - An explainability pipeline for deep learning based intrusion detection systems for in-vehicle networks

Hämtar...
Bild (thumbnail)

Publicerad

Typ

Examensarbete för masterexamen
Master's Thesis

Modellbyggare

Tidskriftstitel

ISSN

Volymtitel

Utgivare

Sammanfattning

Deep learning–based network intrusion detection systems (NIDS) have been widely adopted for detecting attacks in Controller Area Network (CAN) traffic due to their superior performance over traditional approaches. However, their black-box nature makes the underlying decision-making process difficult to interpret, limiting their suitability for safety-critical automotive environments. Existing studies on CAN NIDS have largely focused on detection performance and model design; limited work has examined shortcut learning through explanations or used explanations to improve the models. This thesis develops an explainable artificial intelligence (XAI) pipeline for DL-based CAN NIDS. Raw CAN fields are combined with explicit temporal and statistical features. Multilayer perceptron (MLP) classifiers are evaluated on the CAN-MIRGU and can-train-and-test datasets, and the autoencoder is evaluated on the CAN-MIRGU dataset. SHAP, LIME, Integrated Gradients, Trustee, and AE-p-values are used for behavior analysis, while Right for the Right Reasons (RRR) supervision and Gini-based attribution priors are applied to guide training. The MLP achieves high F1-scores on CAN-MIRGU, but its performance decreases substantially under unseen attacks and cross-vehicle tests in can-train and-test. Explanations show both meaningful use of timing-related features and reliance on dataset-specific payload patterns. For the autoencoder, p-value representations improve attack clustering over raw inputs. Moreover, p-values reveal that in the CAN-MIRGU dataset, DoS and fuzzing attacks are distinguishable, whereas spoofing and replay attacks remain difficult to separate. RRR increases the F1-score for non-zero-payload DoS attacks under distribution shift from 0 to 0.61. Gini-based regularization increases explanation sparsity while maintaining high predictive performance. These results show that explanation analysis is necessary for identifying shortcuts, assessing generalization, and developing more reliable CAN NIDS.

Beskrivning

Ämne/nyckelord

In-Vehicle Network Security, Network Intrusion Detection System (NIDS), Explainable AI (XAI), Explanation-Guided Learning (EGL)

Citation

Arkitekt (konstruktör)

Geografisk plats

Byggnad (typ)

Byggår

Modelltyp

Skala

Teknik / material

Index

Endorsement

Review

Supplemented By

Referenced By