GDT-IDS: graph-based decision tree intrusion detection system for controller area network

With the rapid development of automotive technology, the security of in-vehicle networks (IVN) has received increasing attention. The controller area network (CAN), widely used for in-vehicle communication, faces significant security risks due to its inherent vulnerabilities. These risks can lead to attacks, data leakage, and abnormal functioning of vehicle systems. Currently, the mainstream security approach is the intrusion detection system (IDS). Graph-based IDSs have been widely studied for their ability to represent the relationships between CAN messages through nodes and edges, providing an intuitive and structured analysis that enables effective detection of various types of attacks. However, existing graph-based methods rely on basic features, such as the number of nodes, edges, and the maximum degree, which are insufficient for capturing the complex characteristics of spoofing and replay attacks, resulting in suboptimal detection accuracy. To address this, we propose a graph-based decision tree IDS, named GDT-IDS, specifically tailored to the characteristics of spoofing and replay attacks. By analyzing these attack types, we introduce three novel graph-based features-time difference, betweenness centrality, and graph density-that significantly enhance detection accuracy. Moreover, our method can perform multi-class classification, effectively handling mixed attack scenarios. The use of a decision tree model ensures the process remains lightweight and interpretable, making it suitable for resource-constrained systems like vehicles.