TinyML-Based Intrusion Detection System for In-Vehicle Networks

The TinyML-based intrusion detection system leverages convolutional neural networks to enhance security in in-vehicle networks, specifically targeting controller area network (CAN) communications. Designed for resource-constrained embedded devices, this model efficiently detects malicious messages while maintaining low computational demands. The system utilizes feature extraction from CAN ID sequences and data fields, achieving high detection performance with minimal resource usage. Ideal for automotive cybersecurity applications, this research provides a robust solution for preventing vehicle cyberattacks.

Key Points

  • Proposes a low-complexity CNN-based intrusion detection system for CAN communications in vehicles.
  • Utilizes feature extraction from CAN ID sequences and data fields for effective attack detection.
  • Demonstrates superior detection performance with significantly lower computational load compared to existing models.
  • Successfully deployed on an nRF52840 microcontroller, showcasing its applicability in resource-constrained environments.
IEEE EMBEDDED SYSTEMS LETTERS, VOL. 17, NO. 2, APRIL 2025 67
TinyML-Based Intrusion Detection System for
In-Vehicle Network Using Convolutional Neural
Network on Embedded Devices
Hyungchul Im, Graduate Student Member, IEEE, and Seongsoo Lee, Member, IEEE
Abstract—This letter proposes a novel model for effectively detecting malicious messages in controller area network (CAN) communication, which is widely used in automotive networks. Because in-vehicle networks operate in resource-constrained environments, an intrusion detection system (IDS) must simultaneously provide a low computational load and excellent detection performance. However, existing models are unsuitable for deployment on low-power embedded devices owing to their high computational requirements. This letter presents a low-complexity convolutional neural network (CNN)-based IDS for deployment on embedded edge devices. The proposed model applies CNN operations separately to the CAN ID sequence and the data field of the CAN frame to extract features and concatenate them for feature fusion. Experimental results demonstrate that this approach requires considerably less computational load and provides superior detection performance. Furthermore, the proposed model is deployed on a resource-constrained nRF52840 microcontroller using TensorFlow Lite for Microcontrollers with 20.44-kB flash memory and 26.44-kB RAM without quantization.
Index Terms—Controller area network (CAN), convolutional
neural network (CNN), edge devices, intrusion detection system
(IDS), tiny machine learning (TinyML).
I. INTRODUCTION
Recently, electronic control device applications have increased in the automotive industry, and vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) technologies are developing, increasing the potential for vehicle cyberattacks [1]. Controller area network (CAN) communication is the most widely used method because it efficiently manages data transmission between electronic control units (ECUs) and offers flexibility through its multimaster structure, allowing any node to initiate data transmission. However, CAN communication lacks security mechanisms, such as message encryption and authentication, making it vulnerable to attacks. Therefore, attackers can easily inject manipulated messages from inside and outside a vehicle, giving them control over the vehicle regardless of the driver’s intention [2], [3]. Such vulnerabilities in CAN communication can lead to extremely dangerous situations while driving, making it essential to monitor the internal systems of vehicles and detect attacks.

Received 21 August 2024; revised 13 September 2024; accepted 30 September 2024. Date of publication 7 October 2024; date of current version 18 April 2025. This work was supported in part by the Research and Development Program of the Ministry of Trade, Industry, and Energy (MOTIE) and Korea Evaluation Institute of Industrial Technology (KEIT) under Grant RS-2022-00155731 and Grant RS-2022-00154973, and in part by the Korea Institute for Advancement of Technology (KIAT) Grant funded by the Korea Government (MOTIE) under Grant P0012451. This manuscript was recommended for publication by C. Yang. (Corresponding author: Seongsoo Lee.)
The authors are with the Department of Intelligent Semiconductors, Soongsil University, Seoul 06978, Republic of Korea (e-mail: tory@soongsil.ac.kr; sslee@ssu.ac.kr).
Digital Object Identifier 10.1109/LES.2024.3475470

Various approaches for ML-based intrusion detection systems (IDSs) have been proposed, leveraging their capability to process substantial data volumes without necessitating domain-specific expertise. Among them, the deep convolutional neural network (DCNN) IDS proposed by Song et al. [4] is a prominent convolutional neural network (CNN)-based IDS. The DCNN effectively simplifies the inception-ResNet model. Similarly, Desta et al. [5] proposed the Rec-CNN model that generates data by combining recurrent plots to add temporal dependencies of sequences to the input data. Furthermore, the HyDL-IDS model was proposed, which combines a CNN and an LSTM to learn spatial and temporal sequences in CAN traffic [6]. Seo et al. [7] proposed a generative adversarial network (GAN)-based model that can detect new attacks that have not been used in training. Agrawal et al. [8] developed the NovelADS model to address the typically lower detection performance of unsupervised learning-based IDS than that of supervised learning-based IDS. Owing to the limited computing resources of automotive devices, CanNet was designed as a lightweight detection method [9]. However, CanNet still requires a high computational load, which is not suitable for deployment on edge devices.
The main contributions of this letter are summarized as
follows.
1) We propose a low-complexity intrusion detection system
(LC-IDS) for deployment on resource-constrained
devices as a tiny machine learning (TinyML) solution.
The floating-point operations (FLOPs) demonstrate that
the complexity of this model is significantly lower than
that of existing models.
2) Based on experimental results, the proposed LC-IDS
model performs significantly well in attack detection.
Additionally, it detects attacks on a per-frame basis.
3) We investigate the LC-IDS in terms of RAM and
flash usage, as well as energy consumption, for its
applicability in deployment on low-power platforms.
II. PROPOSED INTRUSION DETECTION SYSTEM
A. Feature Extraction
To train the LC-IDS, the appearance patterns of CAN IDs occurring on the CAN bus and the data field of the “last frame” are used as features, as shown in Fig. 1. The term “last frame” denotes the most recent CAN frame that occurred on the CAN bus. Hence, the LC-IDS is designed to assess the normality or anomalies based on the sequence of CAN IDs and the data field of the most recent frame within this sequence. For frame-by-frame attack detection, the ID patterns and data fields of the last frame are extracted using a sliding window method. Consider a dataset where $n$ represents the number of CAN frames. The features of the first training input consist of an ID sequence $\mathrm{Feature}_{1,1} = (\mathrm{ID}_1, \mathrm{ID}_2, \mathrm{ID}_3, \ldots, \mathrm{ID}_n)$ and $\mathrm{Feature}_{2,1} = \mathrm{DATA}_n$, with the corresponding label based on the $n$th CAN frame. Similarly, the features of the second training input consist of an ID sequence $\mathrm{Feature}_{1,2} = (\mathrm{ID}_2, \mathrm{ID}_3, \mathrm{ID}_4, \ldots, \mathrm{ID}_{n+1})$ and $\mathrm{Feature}_{2,2} = \mathrm{DATA}_{n+1}$, with the label based on the $(n+1)$th CAN frame. The ID sequence $\mathrm{Feature}_1$ is converted into a binary image of size $n \times 29 \times 1$, considering that the maximum number of ID bits in a CAN frame can be 29. If the ID is less than 29 bits, the remaining bits are filled with 0. Likewise, as the data area in a CAN frame can be up to 64 bits, $\mathrm{Feature}_2$ is converted into an $8 \times 8 \times 1$ binary image, and if it is less than 64 bits, the remaining bits are filled with 0.

1943-0671 © 2024 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.

Fig. 1. Feature extraction method for low-complexity IDS.
Fig. 2. Architecture of the proposed LC-IDS network.
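
The sliding-window feature extraction described above, sketched in Python as an added example (not the authors' code). The MSB-first bit order, the placement of the zero padding at the end of each row, the one-byte-per-row data layout and the sample frames are assumptions; the page states only the image sizes and that unused bits are filled with 0.

```python
# Added illustration, not the authors' code. Bit order and padding side are
# assumptions; the page only fixes the image sizes (n x 29 and 8 x 8).
from typing import Iterator, List, Sequence, Tuple

ID_BITS = 29      # maximum CAN identifier width (extended frame)
DATA_BYTES = 8    # data field of up to 64 bits
WINDOW = 7        # ID sequence length n chosen in the experiments
Frame = Tuple[int, int, bytes, int]  # (can_id, id_len, payload, label)


def id_to_bits(can_id: int, id_len: int) -> List[int]:
    """Identifier bits MSB-first, then zeros up to 29 columns (assumed layout)."""
    if id_len not in (11, 29) or not 0 <= can_id < (1 << id_len):
        raise ValueError("identifier does not fit an 11- or 29-bit CAN ID")
    bits = [(can_id >> (id_len - 1 - i)) & 1 for i in range(id_len)]
    return bits + [0] * (ID_BITS - id_len)


def data_to_image(payload: bytes) -> List[List[int]]:
    """8 x 8 image: one row per payload byte, missing bytes become zero rows."""
    if len(payload) > DATA_BYTES:
        raise ValueError("data field is at most 8 bytes")
    padded = payload + bytes(DATA_BYTES - len(payload))
    return [[(b >> (7 - i)) & 1 for i in range(8)] for b in padded]


def sliding_windows(
    frames: Sequence[Frame], n: int = WINDOW
) -> Iterator[Tuple[List[List[int]], List[List[int]], int]]:
    """Yield (Feature_1, Feature_2, label) for every frame that closes a window.

    Feature_1 is the n x 29 image of the last n identifiers, Feature_2 the
    8 x 8 image of the last frame's data field; the label is the last frame's.
    """
    for end in range(n, len(frames) + 1):
        window = frames[end - n:end]
        feature1 = [id_to_bits(f[0], f[1]) for f in window]
        _, _, payload, label = window[-1]
        yield feature1, data_to_image(payload), label


# Constructed sample traffic (not taken from the dataset): seven benign
# frames, then one frame labelled 1 (attack) carrying a high-priority ID.
SAMPLE: List[Frame] = [
    (0x316, 11, bytes.fromhex("0521680921210000"), 0),
    (0x18F, 11, bytes.fromhex("fe5b0000003c0000"), 0),
    (0x260, 11, bytes.fromhex("1921223030ff8f00"), 0),
    (0x2A0, 11, bytes.fromhex("6400"), 0),
    (0x329, 11, bytes.fromhex("40bb7f1411200014"), 0),
    (0x545, 11, bytes.fromhex("d800008a"), 0),
    (0x316, 11, bytes.fromhex("0521680921210000"), 0),
    (0x000, 11, bytes(8), 1),
]

if __name__ == "__main__":
    for f1, f2, label in sliding_windows(SAMPLE):
        print(f"Feature_1 {len(f1)}x{len(f1[0])}, Feature_2 8x8, label {label}")
```

Each new frame produces exactly one input pair, which is what allows detection on a per-frame basis once the first n frames have been seen.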
B. Low-Complexity Intrusion Detection System
This letter proposes a lightweight structure for LC-IDS, as shown in Fig. 2. CNN operations are performed separately on the CAN ID sequences and the data field of the last frame. The output of the MaxPooling layer is flattened and connected to the fully connected (FC) layers, which are then combined through concatenation. This method efficiently extracts and links important information from the CAN ID sequence and data field of the last CAN frame. This model can be considered a function that takes two binary images as inputs and outputs the class label. The function can be expressed as follows:

$$y = f(X_1, X_2) \tag{1}$$

where $y$ denotes the output label, which indicates whether it is a normal message or an attack, $X_1$ and $X_2$ represent $\mathrm{Feature}_1$ and $\mathrm{Feature}_2$, respectively, $\theta$ represents the model parameters, and the function $f$ denotes the LC-IDS model.
C. FLOPs Calculation Mechanism
Calculating FLOPs is crucial for assessing model complexity [10]. FLOPs help evaluate the computational efficiency of a model and the scale of computing resources required. Therefore, FLOPs are important for determining whether a model is suitable for real-time applications or can effectively operate on resource-constrained hardware.

FLOPs in the CNN layers can be calculated by considering various factors, such as the filter size $k_h \times k_w$ and dimensions of the output feature map $O_h \times O_w$, which are determined as follows:

$$\mathrm{FLOPs}_{\mathrm{CNN}} = k_h \times k_w \times C_{\mathrm{in}} \times C_{\mathrm{out}} \times O_h \times O_w \tag{2}$$

where $C_{\mathrm{in}}$ and $C_{\mathrm{out}}$ denote the number of input and output channels and filters, respectively. Although bias considerations are important for accurate calculations, they are often omitted because of their relatively minor proportion of the overall operations. Typically, CNN operations significantly influence the complexity of models [11]. Therefore, to minimize the computational demand, the output dimensions $O_h \times O_w$ resulting from the CNN operations must be kept as small as possible. When the input size is $I_h \times I_w$, $O_h$ and $O_w$ are determined using (3) and (4), respectively

$$O_h = \frac{I_h + 2p_h - k_h}{s} + 1 \tag{3}$$

$$O_w = \frac{I_w + 2p_w - k_w}{s} + 1 \tag{4}$$

where $p_h$ and $p_w$ denote the amount of zero padding on the borders of the input feature map and $s$ denotes the stride.

To evaluate the overall complexity of a model, FLOPs in the FC layers need to be calculated. In FC layers, all neurons are interconnected between their inputs and outputs, and their operations mainly rely on the dot product of their weight and input vectors. Therefore, FLOPs in FC layers can be calculated by considering the input and output sizes, which are determined as follows:

$$\mathrm{FLOPs}_{\mathrm{FC}} = U_{\mathrm{in}} \times U_{\mathrm{out}} \tag{5}$$

where $U_{\mathrm{in}}$ and $U_{\mathrm{out}}$ denote the FC layer’s input and output sizes, respectively. Finally, the MaxPooling layer and activation functions were omitted from the calculation of FLOPs since they occupy a small proportion of all network operations.
III. EXPERIMENTAL RESULTS AND ANALYSIS
A. Dataset and Existing Models
In this study, we used the publicly available Car Hacking dataset [12], which is widely used in vehicle security research. The dataset includes the CAN traffic recorded through the OBD-II port of actual vehicles and four types of attacks: 1) denial of service (DoS); 2) fuzzing; 3) RPM spoofing; and 4) gear spoofing. DoS attacks disrupt the transmission of CAN frames with lower-priority message IDs by occupying the CAN bus and sending CAN frames with high-priority message IDs. Fuzzing attacks occupy the bus or cause ECU malfunctions. Spoofing attacks inject CAN frames with IDs related to specific devices, such as engine RPM or drive gears, to cause malfunctions.

TABLE I: MODEL PERFORMANCE BASED ON DIFFERENT TRAINING FEATURES
TABLE II: SUMMARY OF THE PROPOSED LC-IDS AND EXISTING IDS MODELS

Note that the performance metrics of the existing models
were directly taken from the original papers, as they were
evaluated on the same dataset that we used. We attempted
to accurately replicate the CanNet model based on the
descriptions provided in this letter since it only reported
detection performance in DoS attack scenarios. To achieve
optimal performance in other attack scenarios, we set the
hyperparameters according to the original paper.
B. Experimental Setup
The filter size in (2) was set to 2 × 2 to reduce complexity.
According to (3) and (4), the stride was set to one without
padding. Increasing the stride size can reduce the output
size, which decreases FLOPs. According to (2), output size
significantly affects FLOPs. Because the input size determines
the output size, choosing an appropriate length for the CAN
ID sequence is important.
If the length of the ID sequence is even, the output shape following CNN operations will be odd × even, which could degrade performance because the last row is omitted during the MaxPooling operation. A notable difference in performance between odd and even sequence lengths was observed, indicating the significance of the information in the last row in the output following CNN operations because of labeling based on the last frame during training. The detection accuracy for all types of attacks increased as the ID sequence length increased to seven. Therefore, the ID sequence length $n$ was set to seven. During the training of $\mathrm{Feature}_2$, the CNN operation was performed using a 3 × 3 filter size, as opposed to the training of $\mathrm{Feature}_1$. This is related to the fixed 8 × 8 input shape of $\mathrm{Feature}_2$. Using a 2 × 2 filter size would result in a 7 × 7 output size, and subsequently applying 2 × 2 MaxPooling would lead to data loss.
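
Equations (2) to (5) and the shape arguments of this subsection, worked through in Python as an added example (not the authors' code). It assumes one convolution per branch followed by 2 × 2 MaxPooling with stride 2, a flatten and one FC layer; the filter count and FC width are hypothetical, since the page does not report them.

```python
# Added illustration, not the authors' code: Eqs. (2)-(5) applied to the
# input shapes on this page. C_OUT and FC_UNITS are hypothetical values.
from typing import Dict, Tuple

Shape = Tuple[int, int]


def conv_output(inp: Shape, kernel: Shape, stride: int = 1,
                pad: Shape = (0, 0)) -> Shape:
    """Eqs. (3) and (4); integer division covers a non-divisible stride."""
    return tuple((i + 2 * p - k) // stride + 1
                 for i, p, k in zip(inp, pad, kernel))


def conv_flops(kernel: Shape, c_in: int, c_out: int, out: Shape) -> int:
    """Eq. (2): k_h * k_w * C_in * C_out * O_h * O_w (bias omitted)."""
    return kernel[0] * kernel[1] * c_in * c_out * out[0] * out[1]


def fc_flops(u_in: int, u_out: int) -> int:
    """Eq. (5): U_in * U_out."""
    return u_in * u_out


def maxpool(inp: Shape, pool: int = 2) -> Tuple[Shape, Shape]:
    """Return (pooled shape, rows/cols discarded), assuming stride == pool."""
    pooled = (inp[0] // pool, inp[1] // pool)
    return pooled, (inp[0] - pooled[0] * pool, inp[1] - pooled[1] * pool)


def branch_report(inp: Shape, kernel: Shape, c_out: int,
                  fc_units: int) -> Dict[str, object]:
    """Shapes and FLOPs for one conv -> MaxPooling -> flatten -> FC branch."""
    out = conv_output(inp, kernel)
    pooled, dropped = maxpool(out)
    flat = pooled[0] * pooled[1] * c_out
    flops = conv_flops(kernel, 1, c_out, out) + fc_flops(flat, fc_units)
    return {"conv_out": out, "pooled": pooled, "dropped": dropped,
            "flops": flops}


C_OUT, FC_UNITS = 8, 16   # hypothetical sizes, not reported on this page

CASES = {
    "ID sequence n=7, 2x2 filter": ((7, 29), (2, 2)),
    "ID sequence n=6, 2x2 filter": ((6, 29), (2, 2)),  # even n: odd x even
    "DATA field, 3x3 filter": ((8, 8), (3, 3)),
    "DATA field, 2x2 filter": ((8, 8), (2, 2)),        # 7 x 7 before pooling
}

if __name__ == "__main__":
    for name, (inp, kernel) in CASES.items():
        print(name, branch_report(inp, kernel, C_OUT, FC_UNITS))
```

The `dropped` field is the point of the comparison: with n = 6 the pooling discards the last row of the ID branch, which is the row that covers the labelled last frame, and a 2 × 2 filter on the data field discards one row and one column.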
In the experiments, other hyperparameters, such as the number of CNN filters and units in the FC layers, were carefully adjusted to ensure that the LC-IDS model achieved optimal performance. Furthermore, an early stopping mechanism was applied during training to prevent overfitting, and the network structure was simplified as much as possible.

TABLE III: PERFORMANCE COMPARISON OF LC-IDS WITH EXISTING IDS MODELS

C. Experimental Results
Table I demonstrates that each model’s performance, when trained separately on ID sequences ($\mathrm{Feature}_1$) or the DATA field ($\mathrm{Feature}_2$), exhibited certain limitations. Conversely, the proposed LC-IDS, which combines both features, achieved approximately 100% detection performance. Table II summarizes the existing IDS models, and Table III compares the detection performance of LC-IDS with that of existing IDS models.
Applying the DCNN [4] and NovelADS [8] models in
resource-constrained environments is challenging owing to
their relatively high FLOPs and parameters. These complex
models require the use of powerful devices, such as GPUs.
Compared to HyDL-IDS [6], the proposed LC-IDS requires
approximately 8.8% of the FLOPs and 3.3% of the parameters.
CanNet [9] offers low memory usage because of its lightweight
design. However, it exhibits higher FLOPs and parameters

FAQs of TinyML-Based Intrusion Detection System for In-Vehicle Networks

What is the main purpose of the TinyML-based intrusion detection system?
The main purpose of the TinyML-based intrusion detection system is to enhance the security of in-vehicle networks by effectively detecting malicious messages within controller area network (CAN) communications. The system addresses vulnerabilities in CAN communication, which lacks built-in security mechanisms, making it susceptible to cyberattacks. By utilizing convolutional neural networks, the model can process data efficiently while operating on low-power embedded devices, ensuring real-time monitoring and protection against potential threats.
How does the proposed system extract features for detection?
The proposed system extracts features by analyzing the sequence of CAN IDs and the data fields of the most recent CAN frames. This involves converting the ID sequences into binary images and applying convolutional neural network operations to identify patterns indicative of normal or anomalous behavior. The model assesses the data field of the last frame in conjunction with the ID sequence to enhance detection accuracy, allowing it to identify various types of attacks effectively.
What are the advantages of using a low-complexity CNN for intrusion detection?
Using a low-complexity convolutional neural network (CNN) for intrusion detection offers several advantages, particularly in resource-constrained environments like automotive systems. The model significantly reduces computational load while maintaining high detection performance, making it suitable for deployment on embedded devices. This efficiency allows for real-time monitoring without the need for powerful hardware, which is often a limitation in traditional machine learning models. Additionally, the lightweight design ensures lower energy consumption, making it ideal for automotive applications.
What types of attacks can the system detect?
The system is designed to detect various types of attacks that target in-vehicle networks, including denial of service (DoS), fuzzing, RPM spoofing, and gear spoofing. Each of these attack types poses unique threats to vehicle functionality and safety. By analyzing CAN traffic patterns, the intrusion detection system can identify anomalies that suggest malicious activity, thereby enabling timely responses to prevent potential vehicle control issues.
What hardware is the intrusion detection system deployed on?
The intrusion detection system is deployed on the nRF52840 microcontroller, which features 256 kB of RAM and 1 MB of flash memory. This microcontroller is part of the Arduino Nano 33 BLE Sense platform, providing a suitable environment for running the low-complexity model. The deployment on such a resource-constrained device demonstrates the system's efficiency and effectiveness in real-world automotive applications, ensuring that it can operate within the limitations of embedded systems.
