Explainable AI for Network Intrusion Detection in Modern In-Vehicle Networks - An explainability pipeline for deep learning based intrusion detection systems for in-vehicle networks

dc.contributor.authorTian, Wenjun
dc.contributor.authorWang, Yexiao
dc.contributor.departmentChalmers tekniska högskola / Institutionen för data och informationstekniksv
dc.contributor.departmentChalmers University of Technology / Department of Computer Science and Engineeringen
dc.contributor.examinerAlmgren, Magnus
dc.contributor.supervisorHashim Changrampadi, Mohamed
dc.date.accessioned2026-07-07T11:44:05Z
dc.date.issued2026
dc.date.submitted
dc.description.abstractDeep learning–based network intrusion detection systems (NIDS) have been widely adopted for detecting attacks in Controller Area Network (CAN) traffic due to their superior performance over traditional approaches. However, their black-box nature makes the underlying decision-making process difficult to interpret, limiting their suitability for safety-critical automotive environments. Existing studies on CAN NIDS have largely focused on detection performance and model design; limited work has examined shortcut learning through explanations or used explanations to improve the models. This thesis develops an explainable artificial intelligence (XAI) pipeline for DL-based CAN NIDS. Raw CAN fields are combined with explicit temporal and statistical features. Multilayer perceptron (MLP) classifiers are evaluated on the CAN-MIRGU and can-train-and-test datasets, and the autoencoder is evaluated on the CAN-MIRGU dataset. SHAP, LIME, Integrated Gradients, Trustee, and AE-p-values are used for behavior analysis, while Right for the Right Reasons (RRR) supervision and Gini-based attribution priors are applied to guide training. The MLP achieves high F1-scores on CAN-MIRGU, but its performance decreases substantially under unseen attacks and cross-vehicle tests in can-train and-test. Explanations show both meaningful use of timing-related features and reliance on dataset-specific payload patterns. For the autoencoder, p-value representations improve attack clustering over raw inputs. Moreover, p-values reveal that in the CAN-MIRGU dataset, DoS and fuzzing attacks are distinguishable, whereas spoofing and replay attacks remain difficult to separate. RRR increases the F1-score for non-zero-payload DoS attacks under distribution shift from 0 to 0.61. Gini-based regularization increases explanation sparsity while maintaining high predictive performance. These results show that explanation analysis is necessary for identifying shortcuts, assessing generalization, and developing more reliable CAN NIDS.
dc.identifier.urihttps://hdl.handle.net/20.500.12380/311913
dc.language.isoeng
dc.setspec.uppsokTechnology
dc.subjectIn-Vehicle Network Security, Network Intrusion Detection System (NIDS), Explainable AI (XAI), Explanation-Guided Learning (EGL)
dc.titleExplainable AI for Network Intrusion Detection in Modern In-Vehicle Networks - An explainability pipeline for deep learning based intrusion detection systems for in-vehicle networks
dc.type.degreeExamensarbete för masterexamensv
dc.type.degreeMaster's Thesisen
dc.type.uppsokH
local.programmeComputer systems and networks (MPCSN), MSc

Ladda ner

Original bundle

Visar 1 - 1 av 1
Hämtar...
Bild (thumbnail)
Namn:
CSE 26-67 WT YW.pdf
Size:
5.33 MB
Format:
Adobe Portable Document Format

License bundle

Visar 1 - 1 av 1
Hämtar...
Bild (thumbnail)
Namn:
license.txt
Size:
2.35 KB
Format:
Item-specific license agreed upon to submission
Description: