MIDS: Detecting Stealthy Masquerade and Tampering Attacks on CAN Bus via Bidirectional Mamba

📅 2026-06-16
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the challenge that existing CAN intrusion detection methods based on traffic statistics struggle to detect stealthy attacks that replace legitimate frames in situ while preserving message periodicity. To overcome this limitation, we propose MIDS, a dual-stream framework that introduces the bidirectional selective state space model (Mamba) into automotive security for the first time. MIDS concurrently models long-range dependencies and dynamic interactions between CAN identifiers and payloads to reconstruct their joint temporal semantics, enabling effective detection of both spoofing and tampering attacks. Evaluated on real-world data from a Tesla Model 3, our method achieves an F1 score of 96.94%, surpassing the strongest reproducible baseline by over 8 percentage points. Across four public benchmarks, it attains F1 scores ranging from 93.70% to 99.61%, with an inference latency of only 1.147 ms, meeting the stringent requirements for real-time deployment.
📝 Abstract
The Controller Area Network (CAN) protocol is the primary communication standard for Electronic Control Units (ECUs) in modern vehicles, but its lack of encryption and authentication exposes it to a range of security threats. Existing intrusion detection systems are largely tuned to fabrication-style attacks (DoS, fuzzing, ID spoofing realised by frame injection), in which detection signals such as per-ID inter-arrival statistics are readily available. We instead address the harder \emph{masquerade} setting~\cite{b37}, in which an internal adversary substitutes a legitimate frame in-situ at its original transmission slot, preserving traffic periodicity and rendering traffic-statistic defences ineffective. We propose the Mamba Intrusion Detection System (MIDS), an innovative dual-stream framework that processes CAN identifiers and payloads in parallel and reconstructs their joint temporal semantics through bidirectional selective state-space modelling. To evaluate MIDS, we collected over 100 million CAN frames from a physical Tesla Model 3 across three driving regimes and synthesised 54 masquerade attack variants spanning ID-only, data-only, and combined modifications. MIDS attains an F1 of 96.94\% on this dataset, exceeding the strongest reproducible baseline by more than 8 percentage points, while sustaining a 1.147~ms single-window inference latency -- ample headroom for real-time onboard deployment. To verify generalisation, we further evaluate MIDS on four public benchmarks (ROAD, CrySyS, OTIDS, CT\&T) covering both masquerade and injection scenarios; MIDS attains F1 from 93.70\% to 99.61\%, outperforming the strongest of eight reproduced baselines by up to 13.94 percentage points under a unified 5-fold protocol.
Problem

Research questions and friction points this paper is trying to address.

masquerade attack
CAN bus security
intrusion detection
stealthy attack
automotive cybersecurity
Innovation

Methods, ideas, or system contributions that make the work stand out.

masquerade attack
CAN bus security
bidirectional Mamba
state-space model
intrusion detection system
🔎 Similar Papers
2024-08-10IEEE Transactions on Information Forensics and SecurityCitations: 4
Q
Qiqi Liu
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
R
Runhan Song
Zhongguancun Laboratory, Beijing, China
L
Lei Cui
Zhongguancun Laboratory, Beijing, China
H
Heng Zhang
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Y
Yuyan Sun
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
Limin Sun
Limin Sun
University of Chinese Academy of Sciences