Towards Practical Automotive Intrusion Detection Systems: An Adaptive Rule-Based Approach

Lucien Kiven Tamo; Brooke Kidmose; Weizhi Meng; Thanassis Giannetsos

doi:10.1007/978-981-95-6419-4_14

Towards Practical Automotive Intrusion Detection Systems: An Adaptive Rule-Based Approach

Lucien Kiven Tamo
, Brooke Kidmose
, Weizhi Meng
, Thanassis Giannetsos

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

Abstract

As modern vehicles become increasingly connected and software-driven, securing their in-vehicle networks (IVNs)—especially the ubiquitous, vulnerable Controller Area Network (CAN)—has become paramount. However, contemporary automotive intrusion detection systems (IDSs) suffer from elevated false positive rates that significantly impact their practical effectiveness. This work aims to address these limitations by developing an enhanced rule-based IDS that incorporates adaptive pattern recognition mechanisms. We propose two novel detection rules that leverage attack-free traffic analysis to establish baseline behavioral patterns for the CAN bus. More specifically, Rule #1 analyzes message data field lengths against “normal” patterns derived from attack-free network traffic, and Rule #2 employs field classification to categorize message types for each arbitration ID, distinguishing between constant values, counters, multi-values, and sensor data. Our experimental evaluation demonstrates that the proposed detection rules achieve superior accuracy metrics while significantly reducing false positive rates compared to conventional approaches.

Original language	English
Title of host publication	19th International Conference on Network and System Security, NSS 2025
Volume	16326
Publication date	2026
Pages	231-252
ISBN (Print)	978-981-95-6418-7
ISBN (Electronic)	978-981-95-6419-4
DOIs	https://doi.org/10.1007/978-981-95-6419-4_14
Publication status	Published - 2026
Event	19th International Conference on Network and System Security - Wuhan, China Duration: 5 Dec 2025 → 7 Dec 2025

Conference

Conference	19th International Conference on Network and System Security
Country/Territory	China
City	Wuhan
Period	05/12/2025 → 07/12/2025

Keywords

Controller Area Network
False Positive
In-Vehicle Network
Intrusion Detection System
Modern Automobile
Rule-based

Access to Document

10.1007/978-981-95-6419-4_14

OpenUrl availability

Full text

Cite this

@inproceedings{6f888282d27d41829f2f0526bfc74261,

title = "Towards Practical Automotive Intrusion Detection Systems: An Adaptive Rule-Based Approach",

abstract = "As modern vehicles become increasingly connected and software-driven, securing their in-vehicle networks (IVNs)—especially the ubiquitous, vulnerable Controller Area Network (CAN)—has become paramount. However, contemporary automotive intrusion detection systems (IDSs) suffer from elevated false positive rates that significantly impact their practical effectiveness. This work aims to address these limitations by developing an enhanced rule-based IDS that incorporates adaptive pattern recognition mechanisms. We propose two novel detection rules that leverage attack-free traffic analysis to establish baseline behavioral patterns for the CAN bus. More specifically, Rule \#1 analyzes message data field lengths against “normal” patterns derived from attack-free network traffic, and Rule \#2 employs field classification to categorize message types for each arbitration ID, distinguishing between constant values, counters, multi-values, and sensor data. Our experimental evaluation demonstrates that the proposed detection rules achieve superior accuracy metrics while significantly reducing false positive rates compared to conventional approaches.",

keywords = "Controller Area Network, False Positive, In-Vehicle Network, Intrusion Detection System, Modern Automobile, Rule-based",

author = "Tamo, \{Lucien Kiven\} and Brooke Kidmose and Weizhi Meng and Thanassis Giannetsos",

year = "2026",

doi = "10.1007/978-981-95-6419-4\_14",

language = "English",

isbn = "978-981-95-6418-7",

volume = "16326",

pages = "231--252",

booktitle = "19th International Conference on Network and System Security, NSS 2025",

note = "19th International Conference on Network and System Security, NSS ; Conference date: 05-12-2025 Through 07-12-2025",

}

Tamo, LK, Kidmose, B, Meng, W & Giannetsos, T 2026, Towards Practical Automotive Intrusion Detection Systems: An Adaptive Rule-Based Approach. in 19th International Conference on Network and System Security, NSS 2025 . vol. 16326, pp. 231-252, 19th International Conference on Network and System Security, Wuhan, China, 05/12/2025. https://doi.org/10.1007/978-981-95-6419-4_14

TY - GEN

T1 - Towards Practical Automotive Intrusion Detection Systems: An Adaptive Rule-Based Approach

AU - Tamo, Lucien Kiven

AU - Kidmose, Brooke

AU - Meng, Weizhi

AU - Giannetsos, Thanassis

PY - 2026

Y1 - 2026

N2 - As modern vehicles become increasingly connected and software-driven, securing their in-vehicle networks (IVNs)—especially the ubiquitous, vulnerable Controller Area Network (CAN)—has become paramount. However, contemporary automotive intrusion detection systems (IDSs) suffer from elevated false positive rates that significantly impact their practical effectiveness. This work aims to address these limitations by developing an enhanced rule-based IDS that incorporates adaptive pattern recognition mechanisms. We propose two novel detection rules that leverage attack-free traffic analysis to establish baseline behavioral patterns for the CAN bus. More specifically, Rule #1 analyzes message data field lengths against “normal” patterns derived from attack-free network traffic, and Rule #2 employs field classification to categorize message types for each arbitration ID, distinguishing between constant values, counters, multi-values, and sensor data. Our experimental evaluation demonstrates that the proposed detection rules achieve superior accuracy metrics while significantly reducing false positive rates compared to conventional approaches.

AB - As modern vehicles become increasingly connected and software-driven, securing their in-vehicle networks (IVNs)—especially the ubiquitous, vulnerable Controller Area Network (CAN)—has become paramount. However, contemporary automotive intrusion detection systems (IDSs) suffer from elevated false positive rates that significantly impact their practical effectiveness. This work aims to address these limitations by developing an enhanced rule-based IDS that incorporates adaptive pattern recognition mechanisms. We propose two novel detection rules that leverage attack-free traffic analysis to establish baseline behavioral patterns for the CAN bus. More specifically, Rule #1 analyzes message data field lengths against “normal” patterns derived from attack-free network traffic, and Rule #2 employs field classification to categorize message types for each arbitration ID, distinguishing between constant values, counters, multi-values, and sensor data. Our experimental evaluation demonstrates that the proposed detection rules achieve superior accuracy metrics while significantly reducing false positive rates compared to conventional approaches.

KW - Controller Area Network

KW - False Positive

KW - In-Vehicle Network

KW - Intrusion Detection System

KW - Modern Automobile

KW - Rule-based

U2 - 10.1007/978-981-95-6419-4_14

DO - 10.1007/978-981-95-6419-4_14

M3 - Article in proceedings

SN - 978-981-95-6418-7

VL - 16326

SP - 231

EP - 252

BT - 19th International Conference on Network and System Security, NSS 2025

T2 - 19th International Conference on Network and System Security

Y2 - 5 December 2025 through 7 December 2025

ER -

Towards Practical Automotive Intrusion Detection Systems: An Adaptive Rule-Based Approach

Abstract

Conference

Keywords

Access to Document

OpenUrl availability

Fingerprint

Cite this