README.md

---
license: cc-by-nc-nd-4.0
language:
- en
- de
tags:
- automotive
- IDS
- CAN
- CANIDS
- AutomotiveSecurity
- Cybersecurity
---

# CANDefender – Fuzzy Attack Detection Model

**Model Summary**  
This model detects **Fuzzy attacks** on the CAN bus. It was trained on **4.73 million** real CAN frames, including normal data and Fuzzy-labeled data. The model uses an LSTM architecture that processes the CAN ID and 8-byte payload to classify each frame as either “Fuzzy” or “Normal.”

---

## Performance

**Test Accuracy**: ~94.09%  
**Confusion Matrix** (Fuzzy vs. Normal):

| True \ Pred | Fuzzy (pred)  | Normal (pred) |
|:-----------:|:-------------:|:-------------:|
| **Fuzzy**   | 3,737,645     | 13,379        |
| **Normal**  | 266,808       | 722,063       |

- **Recall (Fuzzy)**: ~99.6% (very few Fuzzy frames missed)  
- **Recall (Normal)**: ~73% (about 27% false positives on Normal)

---

## Intended Use

- **Goal**: Real-time detection of **Fuzzy attacks** on the CAN bus.  
- **Limitations**:  
  - Focused on Fuzzy vs. Normal classification only (other attacks handled in separate models).  
  - Tends to misclassify ~27% of normal frames as Fuzzy (relatively high false alarms).

---

## How to Use

```python
import torch
import numpy as np
from can_defender_fuzzy import CANLSTM  # Adjust import name

# Example frame => [CAN_ID, b0..b7]
frame = [0x315, 0x12, 0x4F, 0xA2, 0x00, 0x00, 0x78, 0x1C, 0xAA]

x_np = np.array(frame, dtype=np.float32).reshape(1,1,9)

model = CANLSTM(input_dim=9, hidden_dim=64, num_classes=2)
model.load_state_dict(torch.load("can_lstm_model_final.pt"))
model.eval()

with torch.no_grad():
    logits = model(torch.from_numpy(x_np))
    pred = torch.argmax(logits, dim=1).item()
    print("Prediction:", "Fuzzy" if pred == 0 else "Normal")
```

## Training Configuration
- Architecture: LSTM (64 hidden units), final linear layer → 2 classes (Fuzzy vs. Normal)
- Optimizer: Adam (lr=1e-3)
- Epochs: ~30 (stopped once performance stabilized)
- Dataset: 4.73 million CAN frames
## Limitations & Next Steps
- False Positives: ~27% of normal frames get labeled as Fuzzy. Acceptable for high-sensitivity scenarios, but can be improved (weighted loss, time-window approach, etc.).
- Scope: Only focuses on Fuzzy detection. Other attacks (DoS, Gear, RPM) are separate.
# Potential Enhancements:
 - Weighted training or additional features (delta-time, frequency)
 - Window-based LSTM or transformers for sequence data

## License & Contact
- License: cc-by-nc-nd-4.0
- Author: Keyvan Hardani
- Contact: https://www.linkedin.com/in/keyvanhardani/