Abstract: "As vehicles grow increasingly automated and connected, the security of their internal communication networks has become a pressing concern. The Controller Area Network (CAN) bus, the backbone of in-vehicle communication, was designed decades ago for reliability and speed, not security. It lacks authentication and encryption by design, leaving modern Connected and Automated Vehicles (CAVs) exposed to attacks such as Denial-of-Service, spoofing, and unauthorized data injection. While this challenge has received growing attention, most proposed solutions assume access to cloud infrastructure, GPUs, or dense urban connectivity, resources that are simply not available in rural environments, where CAV deployment is arguably most transformative and least studied.

This work addresses that gap. We introduce HCCL-EDAD (Hybrid Clustering and Classification Learning with Enhanced Data-Centric Anomaly Detection), a lightweight, on-device intrusion detection system built specifically around the realities of rural CAV deployment. Rather than scanning the entire CAN bus through a single global model, HCCL-EDAD assigns each CAN identifier its own dedicated detection profile, a design choice that keeps inference fast, memory footprint small, and computational demands well within embedded hardware limits. The result is faster inference, faster training, and lower memory usage compared to the CLA-DADA baseline, with end-to-end low latency ms per message and no GPU or cloud dependency.

Detection quality matches the efficiency gains. Evaluated on two independent datasets, the real-world GEM-CAN dataset collected from a GEM e6 autonomous electric vehicle and the established SONATA benchmark, HCCL-EDAD achieves 99.82% accuracy, 88.7% fewer false positives, and 100% recall across three of four attack scenarios, with consistent results across both datasets.

Looking ahead, we plan to extend the framework to cover replay, masquerade, and spoofing attacks, and to explore federated learning for privacy-preserving model updates across vehicle fleets. Ultimately, this line of work aims toward a Dual-Domain Hybrid IDS (DD-HIDS) that unifies CAN bus monitoring with V2X network security, offering a more complete picture of what end-to-end cybersecurity for rural CAVs could look like."