Modern Controller Area Network (CAN) buses lack native security, leaving vehicles exposed to spoofing, replay, and injection attacks, especially zero-day or unseen variants that evade traditional IDSs. We present CANalyze-AI, an edge-optimized hybrid IDS combining Random Forest and XGBoost with a 4-bit, LoRA-adapted GPT-2 to add semantic reasoning under strict resource budgets. Upon flagging anomalous 50-frame windows, the LLM produces concise, human-readable rationales and drafts Sigma rules that pass schema checks before use. On a composite CAN dataset, CANalyze-AI completes detection-plus-explanation in under 100 ms per window, fits within a \(\le \) 4 GB RAM envelope, and improves \(F_1\) by +0.9% over XGBoost and +2.2% over Random Forest. Under evasion, true-positive rate degrades by 7.1%, as compared to \(\ge \) 12% for the baselines. Ablations show adaptive routing and LoRA adapters are key to performance and interpretability. We discuss practical guardrails against prompt-level attacks and limits arising from synthetic “zero-day” generation, and outline paths to real-fleet validation.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

CANalyze-AI: Semantic Zero-Day Detection and Rule Synthesis via LoRA-Fine-Tuned LLM for CAN Security

  • Awais Bilal,
  • Liehuang Zhu,
  • Kashif Sharif,
  • Fan Li,
  • Sadaf Bukhari

摘要

Modern Controller Area Network (CAN) buses lack native security, leaving vehicles exposed to spoofing, replay, and injection attacks, especially zero-day or unseen variants that evade traditional IDSs. We present CANalyze-AI, an edge-optimized hybrid IDS combining Random Forest and XGBoost with a 4-bit, LoRA-adapted GPT-2 to add semantic reasoning under strict resource budgets. Upon flagging anomalous 50-frame windows, the LLM produces concise, human-readable rationales and drafts Sigma rules that pass schema checks before use. On a composite CAN dataset, CANalyze-AI completes detection-plus-explanation in under 100 ms per window, fits within a \(\le \) 4 GB RAM envelope, and improves \(F_1\) by +0.9% over XGBoost and +2.2% over Random Forest. Under evasion, true-positive rate degrades by 7.1%, as compared to \(\ge \) 12% for the baselines. Ablations show adaptive routing and LoRA adapters are key to performance and interpretability. We discuss practical guardrails against prompt-level attacks and limits arising from synthetic “zero-day” generation, and outline paths to real-fleet validation.