Search papers, labs, and topics across Lattice.
This paper introduces the Mamba Intrusion Detection System (MIDS), designed to detect sophisticated masquerade and tampering attacks on the Controller Area Network (CAN) protocol, which is critical for vehicle communication. Unlike traditional systems that focus on more straightforward attack types, MIDS employs a dual-stream framework that analyzes CAN identifiers and payloads in parallel to effectively reconstruct their temporal semantics. The system achieves a remarkable F1 score of 96.94% on a dataset derived from a Tesla Model 3, significantly outperforming existing baselines while maintaining low inference latency suitable for real-time applications.
MIDS outperforms existing intrusion detection systems by over 8 percentage points in detecting stealthy masquerade attacks on vehicle networks.
The Controller Area Network (CAN) protocol is the primary communication standard for Electronic Control Units (ECUs) in modern vehicles, but its lack of encryption and authentication exposes it to a range of security threats. Existing intrusion detection systems are largely tuned to fabrication-style attacks (DoS, fuzzing, ID spoofing realised by frame injection), in which detection signals such as per-ID inter-arrival statistics are readily available. We instead address the harder \emph{masquerade} setting~\cite{b37}, in which an internal adversary substitutes a legitimate frame in-situ at its original transmission slot, preserving traffic periodicity and rendering traffic-statistic defences ineffective. We propose the Mamba Intrusion Detection System (MIDS), an innovative dual-stream framework that processes CAN identifiers and payloads in parallel and reconstructs their joint temporal semantics through bidirectional selective state-space modelling. To evaluate MIDS, we collected over 100 million CAN frames from a physical Tesla Model 3 across three driving regimes and synthesised 54 masquerade attack variants spanning ID-only, data-only, and combined modifications. MIDS attains an F1 of 96.94\% on this dataset, exceeding the strongest reproducible baseline by more than 8 percentage points, while sustaining a 1.147~ms single-window inference latency -- ample headroom for real-time onboard deployment. To verify generalisation, we further evaluate MIDS on four public benchmarks (ROAD, CrySyS, OTIDS, CT\&T) covering both masquerade and injection scenarios; MIDS attains F1 from 93.70\% to 99.61\%, outperforming the strongest of eight reproduced baselines by up to 13.94 percentage points under a unified 5-fold protocol.
