TY - GEN
T1 - CANalyze-AI
T2 - 21st International Conference on Information Security and Cryptology, Inscrypt 2025
AU - Bilal, Awais
AU - Zhu, Liehuang
AU - Sharif, Kashif
AU - Li, Fan
AU - Bukhari, Sadaf
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2026.
PY - 2026
Y1 - 2026
N2 - Modern Controller Area Network (CAN) buses lack native security, leaving vehicles exposed to spoofing, replay, and injection attacks, especially zero-day or unseen variants that evade traditional IDSs. We present CANalyze-AI, an edge-optimized hybrid IDS combining Random Forest and XGBoost with a 4-bit, LoRA-adapted GPT-2 to add semantic reasoning under strict resource budgets. Upon flagging anomalous 50-frame windows, the LLM produces concise, human-readable rationales and drafts Sigma rules that pass schema checks before use. On a composite CAN dataset, CANalyze-AI completes detection-plus-explanation in under 100 ms per window, fits within a ≤4 GB RAM envelope, and improves F1 by +0.9% over XGBoost and +2.2% over Random Forest. Under evasion, true-positive rate degrades by 7.1%, as compared to ≥12% for the baselines. Ablations show adaptive routing and LoRA adapters are key to performance and interpretability. We discuss practical guardrails against prompt-level attacks and limits arising from synthetic “zero-day” generation, and outline paths to real-fleet validation.
AB - Modern Controller Area Network (CAN) buses lack native security, leaving vehicles exposed to spoofing, replay, and injection attacks, especially zero-day or unseen variants that evade traditional IDSs. We present CANalyze-AI, an edge-optimized hybrid IDS combining Random Forest and XGBoost with a 4-bit, LoRA-adapted GPT-2 to add semantic reasoning under strict resource budgets. Upon flagging anomalous 50-frame windows, the LLM produces concise, human-readable rationales and drafts Sigma rules that pass schema checks before use. On a composite CAN dataset, CANalyze-AI completes detection-plus-explanation in under 100 ms per window, fits within a ≤4 GB RAM envelope, and improves F1 by +0.9% over XGBoost and +2.2% over Random Forest. Under evasion, true-positive rate degrades by 7.1%, as compared to ≥12% for the baselines. Ablations show adaptive routing and LoRA adapters are key to performance and interpretability. We discuss practical guardrails against prompt-level attacks and limits arising from synthetic “zero-day” generation, and outline paths to real-fleet validation.
KW - Controller area network
KW - Edge-optimized
KW - Hybrid IDS
UR - https://www.scopus.com/pages/publications/105028275783
U2 - 10.1007/978-981-95-6209-1_19
DO - 10.1007/978-981-95-6209-1_19
M3 - Conference contribution
AN - SCOPUS:105028275783
SN - 9789819562084
T3 - Lecture Notes in Computer Science
SP - 349
EP - 368
BT - Information Security and Cryptology - 21st International Conference, Inscrypt 2025, Revised Selected Papers
A2 - Chen, Rongmao
A2 - Deng, Robert H.
A2 - Yung, Moti
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 19 October 2025 through 22 October 2025
ER -