---
license: cc-by-nc-nd-4.0
language:
- en
- de
metrics:
- accuracy
- code_eval
tags:
- '1.0'
---
# CANDefender – DoS Detection Model

**Model Summary**  
This model detects **DoS attacks** on the CAN bus. It was trained on approximately **4.6 million** real CAN frames (both normal traffic and DoS data). The core is an **LSTM** architecture that processes the CAN ID and the 8-byte payload to classify each frame as either “DoS” or “Normal.”

---

## Performance

**Test Accuracy**: ~94.06%  
**Confusion Matrix** (DoS vs. Normal):

| True \ Pred | DoS (pred) | Normal (pred) |
|:-----------:|:----------:|:-------------:|
| **DoS**     | 3,632,463  | 2,120         |
| **Normal**  | 272,327    | 716,544       |

- **Recall (DoS)**: ~99.94%  
- **Recall (Normal)**: ~72%  

_Interpretation:_ Almost no DoS frames are missed, but ~28% of normal traffic is misclassified as DoS (higher false alarms).

---

## Intended Use

- **Goal**: Real-time DoS detection on CAN bus data.  
- **Limitations**:  
  - Focus on DoS only (other attack types like Fuzzy, Gear, RPM not covered).  
  - Tends to over-classify normal frames as DoS (False Positives around 28%).  

---

## How to Use

```python
import torch
import numpy as np
from can_defender_dos import CANLSTM  # replace with your actual import

# Example frame: [CAN_ID, b0, b1, ..., b7]
frame = [0x315, 0x12, 0x4F, 0xA2, 0x00, 0x00, 0x78, 0x1C, 0xAA]

# Convert to the same shape as the model expects: (batch_size, seq_len, features)
x_np = np.array(frame, dtype=np.float32).reshape(1, 1, 9)

model = CANLSTM(input_dim=9, hidden_dim=64, num_classes=2)
model.load_state_dict(torch.load("candefender_dos_final.pt"))
model.eval()

with torch.no_grad():
    logits = model(torch.from_numpy(x_np))
    pred = torch.argmax(logits, dim=1).item()
    print("Prediction:", "DoS" if pred == 0 else "Normal")
```


## Training Configuration
 - Architecture: LSTM (64 hidden units) + final linear output
 - Optimizer: Adam, LR=1e-3
 - Epochs: ~20 (stopped when performance saturated)
 - Dataset: 4.6 million CAN frames, including normal + DoS

## Limitations & Next Steps
- False Positives: ~28% of normal frames labeled as DoS. Might be acceptable for high security environments, but can be reduced via further tuning or additional features (time windows, frequency, etc.).
- Focus on DoS: Future expansions for multi-class detection (Fuzzy, Gear, RPM) are possible.
- Potential Enhancements: Weighted loss for normal class, real-time deployment with window-based sequences, or transformer-based architectures.

## License & Contact
- License: cc-by-nc-nd-4.0
- Author: Keyvan Hardani
- Contact: https://www.linkedin.com/in/keyvanhardani/