Multi-Stage Knowledge-Distilled VGAE and GAT for Robust Controller-Area-Network Intrusion Detection
This work addresses cybersecurity vulnerabilities in in-vehicle communication systems, offering a robust solution for detecting attacks on CAN protocols, though it is incremental as it builds on existing graph learning and knowledge distillation techniques.
The paper tackles intrusion detection in automotive Controller Area Networks (CAN) by proposing a multi-stage framework that combines a Variational Graph Autoencoder for anomaly detection and a Knowledge-Distilled Graph Attention Network for classification, achieving an average 16.2% improvement in F1-score over existing methods.
The Controller Area Network (CAN) protocol is a standard for in-vehicle communication but remains susceptible to cyber-attacks due to its lack of built-in security. This paper presents a multi-stage intrusion detection framework leveraging unsupervised anomaly detection and supervised graph learning tailored for automotive CAN traffic. Our architecture combines a Variational Graph Autoencoder (VGAE) for structural anomaly detection with a Knowledge-Distilled Graph Attention Network (KD-GAT) for robust attack classification. CAN bus activity is encoded as graph sequences to model temporal and relational dependencies. The pipeline applies VGAE-based selective undersampling to address class imbalance, followed by GAT classification with optional score-level fusion. The compact student GAT achieves 96% parameter reduction compared to the teacher model while maintaining strong predictive performance. Experiments on six public CAN intrusion datasets (Car-Hacking, Car-Survival, and can-train-and-test) demonstrate competitive accuracy and efficiency, with average improvements of 16.2% in F1-score over existing methods, particularly excelling on highly imbalanced datasets with up to 55% F1-score improvements.
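The abstract says CAN bus activity is encoded as graph sequences but does not give the construction. The sketch below is an added example, not the paper's code. It assumes a fixed-size window, one node per arbitration ID, and one directed edge per pair of consecutive IDs; the frames, the IDs, and the self_loop_ratio helper are constructed for illustration.

```python
from collections import Counter

def frames_to_graphs(frames, window=8, stride=8):
    """Turn a stream of (timestamp, arbitration_id, payload) frames into window graphs.

    Assumed encoding (not taken from the paper): nodes are the IDs seen in the
    window, edges are consecutive-ID transitions weighted by occurrence count.
    """
    graphs = []
    for start in range(0, len(frames) - window + 1, stride):
        chunk = frames[start:start + window]
        ids = [arb_id for _, arb_id, _ in chunk]
        counts = Counter(ids)
        byte_mean_sum = Counter()
        for _, arb_id, data in chunk:
            byte_mean_sum[arb_id] += sum(data) / max(len(data), 1)
        # Node features: frame count and mean payload byte value per ID.
        nodes = {i: {"count": counts[i], "mean_byte": byte_mean_sum[i] / counts[i]}
                 for i in counts}
        edges = dict(Counter(zip(ids, ids[1:])))
        graphs.append({"nodes": nodes, "edges": edges})
    return graphs

def self_loop_ratio(graph):
    """Hypothetical structural feature: share of transitions where an ID follows itself."""
    total = sum(graph["edges"].values())
    loops = sum(w for (src, dst), w in graph["edges"].items() if src == dst)
    return loops / total if total else 0.0

def build_sample():
    """Constructed traffic: one window of periodic IDs, then a window with a repeated-ID burst."""
    cycle = [0x130, 0x131, 0x140, 0x2C0]
    frames = [(i * 0.001, cycle[i % 4], bytes([i] * 8)) for i in range(8)]
    frames += [(0.008 + i * 0.0003, 0x100, bytes(8)) for i in range(6)]
    frames += [(0.010, 0x130, bytes([1] * 8)), (0.011, 0x131, bytes([2] * 8))]
    return frames

if __name__ == "__main__":
    for n, g in enumerate(frames_to_graphs(build_sample())):
        print(n, len(g["nodes"]), "nodes,", len(g["edges"]), "edge types,",
              "self-loop ratio", round(self_loop_ratio(g), 2))
```

The periodic window yields a cycle-shaped graph with no self-loops, while the burst window collapses onto one heavily weighted self-loop, which is the kind of structural difference a graph autoencoder's reconstruction error can pick up.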