AdverSec
Hardening neural IDS against FGSM and PGD attacks on the CAN bus.
Modern vehicles run on the Controller Area Network (CAN) bus — a protocol built for reliability, not security, with no native encryption or authentication. Deep-learning intrusion detection is the leading defence, but it inherits two crippling weaknesses. It is fragile under adversarial attack: imperceptible noise added to network traffic can flip a malicious packet to "benign". And it is data-hungry — recent work showed that once the CICIoV2024 benchmark is stripped of its ~99.75% duplicate records to reflect realistic forensic conditions, a 1D-CNN collapses to F1 < 0.55 while a lightweight Random Forest stays stable.
AdverSec asks a contrarian question: can the very technique used to attack these models be repurposed to fix them? The hypothesis is that adversarial training — folding FGSM- and PGD-crafted examples back into the training set — acts as a targeted data-augmentation strategy, manufacturing the "hard" unique examples that strict de-duplication removes, and finally letting a deep model outperform the Random Forest baseline in realistic, data-scarce conditions.
The pipeline processes CICIoV2024 with strict de-duplication, trains a 1D-CNN against a Random Forest baseline, and stress-tests both with FGSM and PGD evasion attacks generated through the Adversarial Robustness Toolbox (ART). A Multi-Strategy Adversarial Training regime is then evaluated across attack budgets on four axes — clean accuracy, adversarial accuracy, false-positive rate, and computational cost — with stratified K-fold cross-validation to keep rare attack classes represented.
Beyond vehicles, a positive result offers a blueprint for deep learning in any data-sensitive domain where privacy law forces strict de-duplication, such as medical and financial forensics, and it speaks to automotive standards like UN Regulation No. 155. The work forms the basis of my MSc dissertation; the code and findings are to be open-sourced and submitted to peer-reviewed venues.
What it involved
- Strict data hygiene — de-duplicate CICIoV2024 down to unique CAN-bus attack signatures, recreating the realistic, data-scarce regime where deep models are known to fail (F1 < 0.55)
- Baselines — quantify how far a 1D-CNN degrades against a Random Forest once denied redundant training data
- Adversarial stress tests — generate FGSM and PGD evasion attacks with the Adversarial Robustness Toolbox (ART)
- Adversarial augmentation — a Multi-Strategy Adversarial Training framework that reuses the attacks as "hard" training examples
- Robustness & superiority — measure clean accuracy, adversarial accuracy, false-positive rate and compute cost to test whether the defence restores deep learning's edge