PFMeta-IDS: Personalized Federated Meta-Learning Automotive Intrusion Detection System with Collaboratively Adaptive and Learnable

1. Introduction

The Internet of Vehicles (IoV) is increasingly recognized as a vital component of Intelligent Transportation Systems (ITS), driving advancements in efficiency and intelligence [1]. At the core of IoV are in-vehicle networks (IVNs), which comprise numerous Electronic Control Units (ECUs) that communicate through the Controller Area Network (CAN). The CAN protocol, widely adopted for its broadcast capabilities, efficient data transmission, and cost-effectiveness, forms the backbone of these networks. However, despite its widespread use, the CAN protocol is frequently criticized for its inherent lack of security mechanisms, such as authentication, encryption, and segmentation. These limitations expose it to significant vulnerabilities, making it a prime target for cyberattacks [2]. Attackers can exploit various interfaces, including USB ports, Bluetooth connections, and onboard diagnostic (OBD)-II ports, to gain unauthorized access to IVNs. Once an entry point is compromised, they can inject malicious messages into the network, facilitating a range of attacks that threaten both vehicle safety and user privacy [3].

Intrusion detection systems (IDSs) have demonstrated their effectiveness in addressing these challenges [4]. While traditional IDSs rely heavily on regular updates to databases of known attacks, a limitation that is well recognized, recent research has increasingly shifted towards machine learning-based IDSs. These systems offer high accuracy and adaptability to a wide range of attack types [5,6]. However, most existing works fail to address the need for rapid adaptability across diverse attack scenarios. They typically rely on models trained on large, static datasets, which hinders their ability to adapt quickly to new or evolving attack environments [7,8].

Quickly adapting to various attack scenarios for intrusion detection can be framed as a few-shot learning problem. Meta-learning has emerged as an effective approach to address it [9]. Among the various meta-learning frameworks, Model-Agnostic Meta-Learning (MAML), introduced by Finn et al., is an optimization-based method that has been successfully applied to classification, regression, and other tasks in few-shot scenarios [10]. MAML aims to learn an optimal set of initial model parameters (meta-parameters), which enables rapid adaptation to new tasks through a dual optimization process involving inner-level and outer-level updates [15]. To mitigate the high computational and memory overhead associated with the second-order gradient calculations in MAML, we employ First-Order MAML in this work.

While meta-learning provides a promising approach for enabling IDSs to quickly adapt to various attack scenarios, it faces limitations when applied across data from different vehicle manufacturers, potentially hindering its generalization to more complex attack scenarios. Beyond business considerations, manufacturers may be reluctant to share their data due to stringent data protection regulations such as the General Data Protection Regulation (GDPR), introduced in 2017. These regulations impose strict constraints on data aggregation and usage [12]. Specifically, as vehicle owner information collected by manufacturers may include sensitive details, aggregating communication traffic data raises significant privacy concerns, often resulting in data silos. Additionally, differences in vehicle configurations and communication protocols across manufacturers can lead to non-independent and identically distributed (Non-IID) data, further complicating the application of traditional meta-learning techniques [13].

To address these challenges, we propose the Personalized Federated Meta-Learning Intrusion Detection System (PFMeta-IDS). At the core of this system is a novel personalized federated meta-learning algorithm, PFMetaSWR, which employs a similarity-weighted aggregation mechanism. This algorithm aggregates personalized global meta-parameters for each manufacturer by weighting updates uploaded by manufacturers to a central aggregator. Within this framework, the aggregator orchestrates the process, while each manufacturer functions as a client, updating its local meta-parameters using First-Order Model-Agnostic Meta-Learning. A regularized loss function is introduced to enable the local models, to partially learn from the personalized global model and its corresponding global meta-parameters. This design effectively balances personalization and generalization. Additionally, each local model is capable of rapidly adapting to diverse attack scenarios through few-shot learning on training datasets tailored to those scenarios. Beyond addressing the challenge of quick adaptation to various attack scenarios in IDSs for IVNs, PFMeta-IDS further enhances the generalization capabilities of IDSs while maintaining data privacy across different manufacturers. The main contributions of our work are summarized as follows:

1)

We propose a Personalized Federated Meta-Learning Intrusion Detection System (PFMeta-IDS) designed to rapidly adapt to diverse attack scenarios and accurately detect intrusions, all while preserving data privacy across different manufacturers.

2)

We introduce a novel Personalized Federated Meta-Learning algorithm, FedSWR, which enables the central aggregator to aggregate personalized global models for each client and facilitates the training of personalized local models at each client. These local models learn partially from the personalized global models, ensuring a balance between generalization and personalization.

3)

We propose a novel feature engineering method, KMCS-IG, which integrates k-means-based cluster sampling (KMCS) with the Information Gain (IG) method to enhance feature selection and representation.

4)

We evaluate the performance of PFMeta-IDS using a novel fundamental model that we constructed, LDwCBN, conducting experiments on the state-of-the-art dataset, Car-Hacking dataset. The results demonstrate its quick adaptability to various attack scenarios, achieving high accuracy and F1-score compared with existing works.

The remainder of this paper is organized as follows: Section 2 reviews the related work. Section 3 presents the detailed design of PFMeta-IDS, Section 4 shows experimental results, followed by conclusions in Section 5.

2. Related Works

The field of IDS for automotive has seen significant advancements in recent years. This section aims to provide a comprehensive overview of the key areas related to our research. We first review the state-of-the-art works in machine learning-based intrusion detection systems tailored for automotive networks. Next, we explore the application of federated learning within Intelligent Transportation Systems (ITS). Finally, we discuss the role of meta-learning in enabling rapid adaptation to diverse scenarios and summarize its limitations.

2.1. Machine Learning-Based IDSs for Automotive

With the advancements in Machine Learning (ML) techniques, research on ML-based Intrusion Detection Systems (IDSs) has seen significant growth in recent years due to their remarkable performance [16]. ML-based IDSs can generally be categorized into traditional ML-based IDSs and Deep Learning (DL)-based IDSs.

Traditional ML-based IDSs often employ fundamental algorithms such as support vector machines (SVMs), tree-based models, gradient boosting, and probabilistic classifiers like Naive Bayes. Al-Saud et al. [17] proposed an OCSVM-based Anomaly Detection Model (ADM), which optimizes the parameter settings for SVM and uses ID frequencies as features for detection. Kalkan et al. [18] demonstrated the excellent performance of a Decision Tree (DT)-based model on the Car-Hacking dataset. Similarly, Anjum et al. [19] employed Extreme Gradient Boosting (XGBoost) to classify unexpected events in CAN data payloads, achieving high accuracy across different attack scenarios. Islam et al. [20] introduced the Graph-Based Gaussian Naive Bayes (GGNB) algorithm, which incorporates graph properties and PageRank-related features to identify a wide range of attack types. Nair et al. [21] utilized blockchain to store traffic data in a decentralized manner while employing the Gaussian Naive Bayes algorithm to analyze CAN traffic properties, classifying communication windows as normal or abnormal.

Deep Learning (DL)-based IDSs have shown significant potential to achieve superior performance compared to traditional methods. Baldini et al. [22] employed a bag-of-words methodology to identify intrusions in in-vehicle networks (IVNs), leveraging the sequential patterns of CAN data to detect atypical behavior. Song et al. [5] introduced a Deep Convolutional Neural Network (DCNN)-based IDS, which utilized specific properties to protect the CAN bus against cyber threats. Their results demonstrated that the DCNN model outperformed baseline methods across all attack types. Boumiza et al. [23] proposed an IDS using Deep Neural Networks (DNNs) with Rectified Linear Units (ReLU) activation functions. This approach avoids saturation and promotes better gradient flow, enhancing the model’s learning capabilities. Their evaluation showed superior performance compared to existing algorithms. Fenzl et al. [24] presented a continuous field classification algorithm to detect misaligned payload values, followed by a DL methodology to identify atypical fields. Their work highlighted the effectiveness of genetic programming for capturing complex relationships between sensor values, which are critical for classifying targeted attacks. Additionally, Kang et al. [25] proposed the NaDS framework, which combines Long Short-Term Memory (LSTM) networks with Generative Adversarial Networks (GANs). Synthetic frames generated by the GAN were used to train the LSTM. Their experimental results demonstrate that NaDS significantly enhances abnormal message detection accuracy compared to existing methods.

2.2. Federated Learning in ITS

The development of Intelligent Transportation Systems (ITS) has significantly enhanced urban traffic information, improving daily convenience, road efficiency, and sustainable urban living. However, many existing ITS applications rely on a centralized training approach that requires a cloud server with substantial computing power for management and centralized training [26]. This centralized framework faces several limitations, including poor real-time performance, data silos, and challenges in ensuring data privacy.

To address these issues, federated learning (FL) has emerged as a promising alternative, gaining widespread attention due to its strong privacy-preserving capabilities and scalability. Jallepalli et al. [27] demonstrated through simulations that the FL architecture can identify detection targets that are unrecognizable through local training on a single vehicle. Zhou et al. applied the hierarchical structure of FL within ITS to achieve superior training results in vehicle object recognition scenarios supported by 6G technology. Liu et al. [28] utilized FL for power line image detection tasks using the YOLO v5 model, showing that FL training across multiple power companies produces models with higher detection accuracy compared to locally trained models. Additionally, Gao et al. [29] proposed an FL-based method for vehicle position inference in closed areas, leveraging GPS data trained in open environments. Zou et al. [30] introduced a novel approach for urban UAV charging services by integrating FL with LSTM and stochastic game theory. Their findings highlight the superiority of this combined method, which achieved the lowest mean squared error and the highest energy satisfaction compared to benchmark approaches.

2.3. Application of Meta-Learning

Traditional AI learning methods often require large volumes of data to solve specific tasks, which can be impractical in scenarios where quick adaptation is crucial. To address these challenges, approaches like meta-learning and transfer learning have emerged as promising solutions. However, as demonstrated by Howard et al. [31], transfer learning via fine-tuning may not always be effective, especially when the target task dataset is very small or significantly different from the source tasks. In contrast, meta-learning offers the ability to learn a set of meta-parameters that enable efficient adaptation to new tasks with limited data by leveraging prior knowledge from related tasks [32].

Meta-learning has been applied successfully across diverse domains. Ruswurm et al. [33] implemented few-shot land cover classification using the Model-Agnostic Meta-Learning (MAML) algorithm on classification and segmentation tasks with globally and regionally distributed datasets. Their findings demonstrated that few-shot model adaptation outperforms standard pre-training with gradient descent and fine-tuning, particularly when the source and target domains differ. Wu et al. [34] proposed PROTOTRANSFORMER, where a meta-learner provides feedback to student code on new programming questions with only a few annotated examples. Nguyen et al. [35] explored the transferability of graph neural network (GNN) initializations learned via meta-learning for chemical property and activity prediction tasks. Their results showed that meta-learned initializations performed comparably to or better than multi-task pre-training baselines across most in-distribution tasks and all out-of-distribution tasks. In another application, Yu et al. [36] utilized a meta-learning algorithm to develop a highly transferable driving speed prediction model based on the visual road environment. Their experimental results demonstrated significantly high prediction accuracy, even with small sample sizes or when applied to new scenarios. However, the meta-learning methods used in existing works lack collaborative learning and data privacy protection.

Although existing Intrusion Detection Systems (IDSs) for vehicular networks have demonstrated high detection accuracy, they predominantly rely on learning methods trained on large datasets. This reliance limits their ability to quickly adapt to dynamic and evolving attack scenarios. To address these limitations, we proposed PFMeta-IDS, a system that integrates meta-learning with FL to enable rapid adaptation to various attack scenarios while maintaining strong generalization and ensuring data privacy across manufacturers.

3. Proposed PFMeta-IDS Framework

This section introduces the PFMeta-IDS framework, starting with an overview of its system architecture, followed by the FedSWR algorithm, data preprocessing, and the LDwCBN network. At its core, PFMeta-IDS relies on meta-models, defined by meta-parameters optimized for rapid adaptation across diverse tasks. Both global and local models are trained and updated based on these meta-parameters.

3.1. System Architechture

The proposed PFMeta-IDS architecture, illustrated in Figure 1, comprises three interconnected layers: the central aggregator layer, the manufacturer client layer, and the vehicle layer. This multi-layered design facilitates collaborative learning while ensuring data privacy and adaptability in intrusion detection.

At the Aggregator layer, the central aggregator layer serves as the coordination hub for the federated meta-learning process. Using the FedSWR algorithm, the aggregator performs similarity-weighted aggregation of meta-model updates received from manufacturer clients. The resulting personalized global meta-models are then distributed back to the clients, enabling them to enhance their local training processes. This layer promotes cross-client knowledge sharing while preserving data privacy, thereby improving the generalization capability of the models.

The Manufacturer Client layer represents manufacturers such as Tesla, Audi, and BMW. Each client retains its local data and computational resources, conducting local meta-training on task sets derived from its Non-IID dataset. These local meta-models partially learn from the personalized global meta-model, creating personalized local meta-models specific to the unique vehicular scenarios of each manufacturer. This personalized approach addresses the diversity in vehicular communication protocols and attack patterns across manufacturers.

The vehicle layer represents individual vehicles operating in diverse environments, including highways, urban traffic, and extreme weather conditions. Vehicles employ the updated local meta-models for scenario-specific intrusion detection, adapting rapidly to various attack scenarios through few-shot learning on relevant datasets. This layer ensures that intrusion detection systems remain effective in dynamic and evolving real-world contexts.

3.2. FedSWR Algorithm

The Federated Similarity-Weighted Regularization (FedSWR) algorithm is a core component of the proposed PFMeta-IDS framework. It integrates principles of federated learning with a similarity-based weighting mechanism to balance personalization and generalization. The iterative process of the algorithm is outlined in Algorithm 1, executed collaboratively by a central aggregator and multiple distributed clients. This approach ensures data privacy while facilitating effective model updates.

Algorithm 1 PFMetaSWR

1: Server Executes: 2: for $t=1,2,\dots ,T$ do 3:    for each client $k\in K$ do 4:       $\Delta {({\theta }_g)}_k^t,{({\theta }_p)}_k^{t+1}\leftarrow \mathrm{ClientUpdate}({({\theta }_g)}_k^t,{({\theta }_p)}_k^t)$ 5:    end for 6:    $S\leftarrow$ compute similarity-based weighting matrix according to Eqs. (6), (7), (8) 7:    for each client $k\in K$ do 8:       ${({\theta }_g)}_k^{t+1}\leftarrow {({\theta }_g)}_k^t-\beta *{\sum }_{j=1}^K{(m_{\theta })}_{k,j}·{(\Delta {\theta }_g)}_k^t$ 9:       The server aggregates the personalized models $\{{({\theta }_g)}_k^{t+1}\}$ based on the similarity weights and distributes them to client k 10:    end for 11: end for 12: ______________________________________________________________________________________________________________ 13: ClientUpdate $({({\theta }_g)}_k^t,{({\theta }_p)}_k^t):$ 14: ${\mathcal{L}}_g(f_{{({\theta }_g)}_k^t};b)\leftarrow {\displaystyle \frac{1}{|b|}}{\sum }_{(x,y)\in b}l(f_{{({\theta }_g)}_k^t};x,y)$ 15: ${\mathcal{L}}_p(f_{{({\theta }_p)}_k^t};b)\leftarrow {\displaystyle \frac{1}{|b|}}{\sum }_{(x,y)\in b}l(f_{{({\theta }_p)}_k^t};x,y)+{\displaystyle \frac{\lambda }{2}}{\parallel f_{{({\theta }_p)}_k^t}-f_{{({\theta }_g)}_k^t}\parallel }_2^2$ 16: for epoch $i=1,2,\dots ,E$ do 17:    for each batch of tasks $\mathcal{B}=\{{\tau }_1,\dots ,{\tau }_J\}$ from task distribution $\mathcal{P}(\mathcal{T})$ do 18:      for each task ${\tau }_j\in \mathcal{B}$ do 19:         Split data for task ${\tau }_j$ into support set ${\mathcal{S}}_{{\tau }_j}$ and query set ${\mathcal{Q}}_{{\tau }_j}$ 20:         Evaluate task-specific loss on support set ${\mathcal{L}}_g(f_{{({\theta }_g)}_k^t};{\mathcal{S}}_{{\tau }_j})$ 21:         Compute gradients on support set ${\nabla }_{{({\theta }_g)}_k^t}{\mathcal{L}}_g(f_{{({\theta }_g)}_k^t},{\mathcal{S}}_{{\tau }_j})$ 22:         Update task-specific parameters: ${({\theta }_g^{\prime })}_k^t\leftarrow {({\theta }_g)}_k^t-\alpha {\nabla }_{{({\theta }_g)}_k^t}{\mathcal{L}}_g(f_{{({\theta }_g)}_k^t},{\mathcal{S}}_{{\tau }_j})$ 23:         Evaluate task-specific loss on query set ${\mathcal{L}}_g(f_{{({\theta }_g^{\prime })}_k^t},{\mathcal{Q}}_{{\tau }_j})$ 24:         Compute gradients w.r.t. parameters on the query set ${\nabla }_{{({\theta }_g)}_k^t}{\mathcal{L}}_g(f_{{({\theta }_g^{\prime })}_k^t},{\mathcal{Q}}_{{\tau }_j})$ 25:         Sum batch gradients: $\Delta {({\theta }_g)}_k^t\leftarrow \Delta {({\theta }_g)}_k^t+{\nabla }_{{({\theta }_g^{\prime })}_k^t}{\mathcal{L}}_g(f_{{({\theta }_g^{\prime })}_k^t},{\mathcal{Q}}_{{\tau }_j})$ 26:      end for 27:      Update meta-parameters using total batch gradients: 28:      ${({\theta }_g)}_k^{t+1}\leftarrow {({\theta }_g)}_k^t-\beta \Delta {({\theta }_g)}_k^t$ 29:      for each task ${\tau }_j\in \mathcal{B}$ do 30:         Split data for task ${\tau }_j$ into support set ${\mathcal{S}}_{{\tau }_j}$ and query set ${\mathcal{Q}}_{{\tau }_j}$ 31:         Evaluate task-specific loss on support set ${\mathcal{L}}_p(f_{{({\theta }_p)}_k^t};{\mathcal{S}}_{{\tau }_j})$ 32:         Compute gradients on support set ${\nabla }_{{({\theta }_p)}_k^t}{\mathcal{L}}_p(f_{{({\theta }_p)}_k^t},{\mathcal{S}}_{{\tau }_j})$ 33:         Update task-specific parameters: ${({\theta }_p^{\prime })}_k^t\leftarrow {({\theta }_p)}_k^t-\alpha {\nabla }_{{({\theta }_p)}_k^t}{\mathcal{L}}_p(f_{{({\theta }_p)}_k^t},{\mathcal{S}}_{{\tau }_j})$ 34:         Evaluate task-specific loss on query set ${\mathcal{L}}_p(f_{{({\theta }_p^{\prime })}_k^t},{\mathcal{Q}}_{{\tau }_j})$ 35:         Compute gradients w.r.t. parameters on the query set ${\nabla }_{{({\theta }_p^{\prime })}_k^t}{\mathcal{L}}_p(f_{{({\theta }_p^{\prime })}_k^t},{\mathcal{Q}}_{{\tau }_j})$ 36:         Sum batch gradients: $\Delta {({\theta }_p)}_k^t\leftarrow \Delta {({\theta }_p)}_k^t+{\nabla }_{{({\theta }_p^{\prime })}_k^t}{\mathcal{L}}_p(f_{{({\theta }_p^{\prime })}_k^t},{\mathcal{Q}}_{{\tau }_j})$ 37:      end for 38:      Update meta-parameters using total batch gradients: 39:      ${({\theta }_p)}_k^{t+1}\leftarrow {({\theta }_p)}_k^t-\beta \Delta {({\theta }_p)}_k^t$ 40:    end for 41: end for 42: ${(\Delta {\theta }_g)}_k^t\leftarrow {({\theta }_g)}_k^{t+1}-{({\theta }_g)}_k^t$ 43: return ${(\Delta {\theta }_g)}_k^t,{({\theta }_p)}_k^{t+1}$

$$si{m}_{\theta }(k,j)={\displaystyle \frac{\Delta {\theta }_k^t·\Delta {\theta }_j^t}{|\Delta {\theta }_k^t|\times |\Delta {\theta }_j^t|}},j=1,\dots ,K$$

(1)

$${(m_{\theta })}_{k,j}={\displaystyle \frac{exp(si{m}_{\theta }(k,j))}{{\sum }_{i=1}^{K}exp(si{m}_{\theta }(k,i))}},j=1,\dots ,K$$

(2)

$$\mathit{S}=\left(\begin{array}{cccc}{m}_{1,1}& m_{1,2}& \cdots & m_{1,k}\\ m_{2,1}& m_{2,2}& \cdots & m_{2,k}\\ ⋮& ⋮& \ddots & ⋮\\ m_{k,1}& m_{k,2}& \cdots & m_{k,k}\end{array}\right)$$

(3)

At each communication round, the central aggregator receives updates from all clients and aggregates them using a similarity-weighted matrix S, computed with Equations 1, 2, 3. The matrix quantifies the similarity between client updates using cosine similarity, which measures the alignment of update directions. These similarity scores are normalized into weights ${(m_{\theta })}_{kj}$, determining each client’s contribution to the personalized global meta-model parameters. The central server applies these weights to update the global meta-parameters, as described by Equation 4, where $\beta$ (is set to 0.01) represents the learning rate. Once updated, the personalized global meta-models are distributed back to the clients to enhance their local training processes.

$${({\theta }_g)}_k^{t+1}={({\theta }_g)}_k^t-\beta \sum _{j=1}^K{(m_{\theta })}_{k,j}·\Delta {({\theta }_g)}_j^t$$

(4)

Each client performs local training using its private dataset, which is typically Non-IID. The training involves a bi-level optimization process:

1)

Global Meta-Model Update: The global meta-parameters ${({\theta }_p)}_k^t$ are optimized using the loss function ${\mathcal{L}}_g$ defined in Equation 5. This process enables task-specific learning from a global perspective.

2)

Personalized Local Meta-Model Update: Clients update their local meta-parameters ${({\theta }_p)}_k^t$ using the loss function ${\mathcal{L}}_p$, defined in Equation 6. This function includes a regularization term controlled by $\lambda$, which dictates the extent to which the local meta-model learns from the global meta-model.

$${\mathcal{L}}_g(f_{{({\theta }_g)}_k^t};b)={\displaystyle \frac{1}{|b|}}\sum _{(\mathit{x},y)\in b}l(f_{{({\theta }_g)}_k^t};\mathit{x},y)$$

(5)

$${\mathcal{L}}_p(f_{{({\theta }_p)}_k^t};b)={\displaystyle \frac{1}{|b|}}\sum _{(\mathit{x},y)\in b}l(f_{{({\theta }_p)}_k^t};\mathit{x},y)+{\displaystyle \frac{\lambda }{2}}{\parallel f_{{({\theta }_p)}_k^t}-f_{{({\theta }_g)}_k^t}\parallel }_2^2$$

(6)

After completing local training, clients compute the updates for global meta-parameters ${(\Delta {\theta }_g)}_k^t$ and personalized local meta-parameters ${({\theta }_p)}_k^{t+1}$. These updates are then sent back to the aggregator for the next communication round.

The personalized local meta-models are deployed to vehicles, enabling rapid adaptation to diverse attack scenarios through few-shot learning on small datasets. This ensures efficient and dynamic intrusion detection tailored to specific vehicular environments.

3.3. Data Preprocessing

Effective data preprocessing is essential for the success of intrusion detection systems in automotive networks. As shown in Figure 2, each CAN message in the dataset consists of four fields: Timestamp, CAN ID, DLC, and Data Payload. The CAN ID determines the priority of the message, where smaller values represent higher priority. The DLC field indicates the length (in bytes) of the Data Payload, which contains the actual information exchanged between nodes.

This section outlines the preprocessing methods employed to optimize the raw CAN messages for intrusion detection tasks. Specifically, we describe the Frame Converting approach used to transform raw data into an analyzable format and the Feature Engineering techniques designed to extract and select meaningful features for improved detection performance.

3.3.1. Frame Converting

The conversion process for each CAN message in the dataset is illustrated in Figure 3. The raw data is preprocessed to remove biases and inconsistencies, ensuring its suitability for intrusion detection tasks. This process involves the following steps:

1)

Timestamp Transformation: To eliminate the potential bias introduced by the strong correlation between the timestamp and the attack cycle, each message’s timestamp is replaced with the time interval between the current and the previous message. This transformation focuses on relative timing rather than absolute values, enhancing the robustness of the detection model.

2)

CAN ID Conversion: The CAN ID, which determines the priority of the message (with smaller IDs having higher priority), is converted from hexadecimal to decimal format. This conversion simplifies numerical computations and ensures consistency across the dataset.

3)

Data Payload Processing: The Data Payload, containing the transmitted information, undergoes two critical preprocessing steps:

• Base conversion: The hexadecimal data is transformed into decimal format to standardize numerical representation.
• Zero filling: Missing payloads are filled using the widely adopted zero-filling method, as recommended by prior studies [36,37]. This step ensures that all payloads have consistent lengths, allowing for uniform feature extraction.

4)

Z-score Normalization: Finally, all features of each message in the dataset are normalized using the Z-score method. Normalization plays a critical role in standardizing the dataset, ensuring that features are on a consistent scale. By rescaling data to have a mean of 0 and a standard deviation of 1, normalization reduces the influence of varying feature scales on model performance and accelerates the convergence of learning algorithms. The normalization formula is given by Equation 7:.

$$x_n={\displaystyle \frac{x-\mu }{\sigma }}$$

(7)

where $\mu$ denotes the original feature value, $\mu$ is the mean of the feature values, and $\sigma$ is their standard deviation.

3.3.2. Feature Engineering

Effective feature engineering plays a critical role in improving the quality of datasets, enabling more accurate and efficient model learning. To achieve this, the proposed system employs a comprehensive feature engineering method, KMCS-IG, which combines K-Means Clustering Sampling (KMCS) and Information Gain (IG). This approach eliminates irrelevant, redundant, and noisy features while retaining the most important ones.

Analyzing large-scale network traffic data is often impractical due to the computational cost, especially during hyperparameter tuning, which involves processing multiple large datasets from diverse attack scenarios [38]. To enhance efficiency, data sampling is applied to reduce the dataset’s size without losing critical information.

The proposed system employs a k-means-based cluster sampling (KMCS) method to obtain a highly representative subset of the original dataset. Cluster sampling groups data points into clusters, and a proportion of data is sampled from each cluster to form a subset. Unlike random sampling, which selects samples with equal probability, cluster sampling focuses on retaining diverse and representative data points, discarding mostly redundant ones. Among clustering algorithms, k-means is widely used due to its simplicity and computational efficiency [39].

In k-means clustering, data points are grouped into k clusters based on distance metrics such as Euclidean, Manhattan, or Mahalanobis distance. The algorithm minimizes the sum of squared distances between data points and their cluster centroids, as shown in Equation 8:

$$\sum _{i=0}^{n_k}mi{n}_{u_j\in C_k}{\left(x_i-u_j\right)}^2$$

(8)

where $({\mathbf{x}}_1,\dots ,{\mathbf{x}}_n)$ is the data matrix, $u_j$ is the centroid of cluster $C_k$, and $n_k$ is the total number of points in $C_k$.

After clustering, random sampling is applied to each cluster, selecting 10% of the data as the representative subset. This percentage can be adjusted based on the dataset’s scale and resource constraints.

To refine the dataset further, the Information Gain (IG) method is used to select the most important features. IG quantifies the amount of information a feature contributes to predicting the target variable by measuring the change in entropy [41]. IG is computationally efficient, with a complexity of $O(n)$, making it suitable for large datasets. The IG value for a feature X with respect to the target variable T is calculated as:

$$IG(T\mid X)=H(T)-H(T\mid X)$$

(9)

where $H(T)$ is the entropy of the target T, and $H(T\mid X)$ is the conditional entropy of T given X.

The IG value represents the importance of feature X in predicting T. A feature X is considered more important than another feature Y if $IG(T\mid X)>IG(T\mid Y)$.

To implement the IG-based feature selection:

1)

The importance of each feature is calculated using Equation 9.

2)

The importance values are normalized to sum to 1.0, representing their relative significance.

3)

Features are ranked by their importance, and the top features are selected until their cumulative importance reaches a correlation threshold $\alpha$, set to 0.9 in this work.

4)

Features with a total importance less than $1-\alpha$ are discarded as less relevant.

By combining KMCS and IG, the KMCS-IG method ensures that the feature-reduced dataset remains both representative and informative, enabling efficient and accurate meta-model training.

3.3.3. Class Balancing in Task

Class imbalance is a common issue in network traffic data, as normal samples often significantly outnumber attack samples in real-world scenarios. This imbalance can result in biased models and poor accuracy when detecting minority class samples [43]. To address this, the Synthetic Minority Oversampling Technique (SMOTE) is employed, as it is widely regarded as an effective method for handling class imbalance [44,45]. SMOTE generates high-quality synthetic instances based on the k-nearest neighbors (KNN) of existing minority class samples.

In the proposed IDS, SMOTE is applied to handle class imbalance for every client at two levels:

1)

Across the entire dataset for each training task.

2)

Within the training dataset for each test task.

For a minority class instance $\mathit{X}$, SMOTE generates a new synthetic instance ${\mathit{X}}_{\mathit{n}}$ by selecting a sample ${\mathit{X}}_{\mathit{i}}$ randomly from the k-nearest neighbors of $\mathit{X}$. The new instance ${\mathit{X}}_{\mathit{n}}$ is calculated using Equation 10:

$${\mathit{X}}_{\mathit{n}}=\mathit{X}+rand(0,1)({\mathit{X}}_{\mathit{i}}-\mathit{X}),i=1,2,\dots ,k$$

(10)

3.4. LDwCBN Network Structure

The Lightweight Depthwise Convolutional Bottleneck Network (LDwCBN) is a 1D deep learning architecture derived from the LW-CNN structure [42], designed to process preprocessed 1D data frames for anomaly detection tasks. While preserving the lightweight nature of LW-CNN, LDwCBN incorporates key enhancements, such as Batch Normalization (BN) and ReLU6 activation layers, to improve training stability and generalization without significantly increasing computational complexity. These design considerations were driven by the need to deploy the model in automotive environments, where computational and storage resources are highly constrained.

As illustrated in Figure 4, the LDwCBN network backbone consists of a standard 1D convolutional layer, two depthwise convolutional layers, and two bottleneck structures with residual connections. These residual connections enhance trainability and mitigate the degradation problem commonly encountered in deep networks.

To ensure consistency and efficiency, all computational units produce an output with 32 channels. The network starts with a 1D standard convolutional layer, which expands the channel dimension to 32. Depthwise convolution with a stride of 2 is used to reduce feature dimensions. The first depthwise convolutional layer (dwconv1) is enhanced with BN and ReLU6 layers, stabilizing training and accelerating convergence. Subsequent bottleneck structures consist of two pointwise convolutions and one depthwise convolution, interleaved with BN and activation layers. These bottleneck structures handle channel dimension transitions, specifically from 64 to 32 and from 128 to 32.

ReLU6 activation is used throughout the network due to its limited output range, making it particularly well-suited for resource-constrained embedded platforms. Additionally, global average pooling (GAP) replaces fully connected layers, efficiently summarizing feature information by computing the global average of each channel. GAP significantly reduces the number of parameters and computational overhead, making it ideal for real-time classification tasks. Finally, the network employs a Sigmoid function for binary classification to detect attacks.

4. Performance Evaluation

4.1. Experimental Settings and Datasets

To implement the proposed PFMeta-IDS framework, data processing and meta-learning algorithms were developed using the Pandas [46], Scikit-learn [47], and PyTorch [48] libraries in Python. 1 The experiments were conducted on a server equipped with an AMD EPYC 7542 (32-Core, 2.90 GHz) CPU, 256 GB of memory, and an NVIDIA GeForce RTX 3090 GPU.

The experiments utilized the established Car-Hacking dataset [5], a benchmark dataset in vehicular network security. This dataset, extensively used in automotive security research, includes four types of attacks: DoS, Fuzzy, RPM Spoofing, and Gear Spoofing [49]. The dataset is based on real-world traffic data, offering practical insights and enabling direct comparison with existing works using the same dataset.

Each CAN message in the dataset contains valuable attributes: Timestamp, CAN ID, DLC, Data Payload, and a flag indicating whether the message is normal or an attack. The features used (Timestamp, CAN ID, DLC, Data Payload) are described in Section 3.3. Table 1 summarizes the statistics for each traffic type.

4.2. Partitioning of Non-IID Data

To experiment in a cross-manufacturer environment with Non-IID data distribution, the Dirichlet distribution was employed, following the approach in previous works [50]. Specifically, $p_m\sim Di{r}_N(\alpha )$ was sampled to allocate $p_{m,i}$ proportion of the instances of class m to device i.

The concentration parameter $\alpha$ was set to $100,10,1$ for every attack type:

1)

$\alpha =100$: Represents a nearly IID context.

2)

$\alpha =10$: Represents a moderately Non-IID context.

3)

$\alpha =1$: Represents a significantly Non-IID context.

Figure 5, Figure 6, Figure 7, and Figure 8 illustrate the resulting data distributions among 20 clients for each attack type.

4.3. Evaluation Metrics

The performance of PFMeta-IDS was evaluated using standard metrics: accuracy, recall, precision, and F1-score. These metrics were calculated based on true positive (TP), true negative (TN), false positive (FP), and false negative (FN) values, as defined below:

$$Accuracy={\displaystyle \frac{TP+TN}{TP+TN+FP+FN}}$$

(11)

$$Recall={\displaystyle \frac{TP}{TP+FN}}$$

(12)

$$Precision={\displaystyle \frac{TP}{TP+FP}}$$

(13)

$$F1-score=2\times {\displaystyle \frac{precision\times recall}{precision+recall}}$$

(14)

4.4. The Performance of PFMeta-IDS

4.4.1. Convergence Performance

In the initial experiment, we evaluated the convergence performance of PFMeta-IDS by training and testing it under varying $\lambda$ and $\alpha$ settings. Figure 9, Figure 10, Figure 11 and Figure 12 illustrate the results with $\lambda =\{2.0,1.0,0.1,0.01\}$ and $\alpha =\{100.0,10.0,1.0\}$.

The results show distinct convergence patterns under varying levels of data heterogeneity:

1)

DoS Attack: For $\alpha =100.0$, convergence stabilizes after 51 rounds at the optimal F1-score ($\lambda =2.0$). When $\alpha =10.0$, stabilization occurs after 151 rounds ($\lambda =0.1$). For $\alpha =1.0$, stabilization is observed after fewer rounds ($\lambda =2.0$).

2)

Fuzzy Attack: With $\alpha =100.0$, performance stabilizes after 88 rounds ($\lambda =0.1$). For $\alpha =10.0$, stabilization takes 172 rounds ($\lambda =2.0$). In the highly Non-IID context ($\alpha =1.0$), stabilization occurs after 66 rounds ($\lambda =2.0$).

3)

Gear Spoofing Attack: Convergence stabilizes as early as 44 rounds for both $\alpha =100.0$ ($\lambda =1.0$) and $\alpha =10.0$ ($\lambda =0.1$). For $\alpha =1.0$, stabilization occurs after 43 rounds ($\lambda =0.01$).

4)

RPM Spoofing Attack: For $\alpha =100.0$, convergence is reached after 48 rounds ($\lambda =0.01$). For $\alpha =10.0$, stabilization occurs after 44 rounds ($\lambda =0.01$), while for $\alpha =1.0$, it takes 46 rounds ($\lambda =0.01$).

These findings confirm the robustness and adaptability of PFMeta-IDS across varying levels of data heterogeneity and attack scenarios, with convergence influenced by both $\lambda$ and $\alpha$. However, for the RPM Spoofing attack,the convergence performance remains stable across different $\alpha$ values. This may be because the features affected by RPM Spoofing attacks are relatively consistent across different clients. In such scenarios, the impact of $\alpha$ on the convergence process diminishes, as the model can efficiently aggregate gradients without significant conflicts, resulting in stable performance regardless of the $\alpha$ value. Furthermore, RPM Spoofing attacks might primarily target a narrower range of network behaviors or message types, simplifying the task of model adaptation and convergence.

4.4.2. Effect of Personalization

To evaluate the effect of personalization on the performance of PFMeta-IDS, we conducted experiments under varying values of $\lambda$ and $\alpha$. Here, $\lambda$ controls the degree to which the local meta-model learns from the global meta-model, influencing the level of personalization, while $\alpha$ defines the level of data heterogeneity across clients. The experimental results are summarized in Figure 13, which illustrates the F1-scores for different attack scenarios, including DoS, fuzzy, Gear Spoofing, and RPM Spoofing attacks.

The results indicate the following trends:

1)

DoS Attacks: PFMeta-IDS achieves the highest F1-scores with $\lambda =2.0$ for most $\alpha$ settings, suggesting that higher levels of global knowledge transfer are beneficial for detecting DoS attacks. For $\alpha =100.0$ and $1.0$, the performance stabilizes at over 0.98, demonstrating robustness in both high and low data heterogeneity. In contrast, at $\alpha =10.0$, the F1-score varies more, indicating a stronger dependence on personalization under moderate heterogeneity.

2)

Fuzzy Attacks: The performance exhibits significant variations with changing $\lambda$, suggesting that fuzzy attacks, being more context-dependent, benefit from fine-tuned personalization.

3)

Gear Spoofing Attacks: The highest F1-scores are achieved under $\lambda \le 1.0$ for both high and low heterogeneity ($\alpha =100.0$ and $1.0$). Even in moderate heterogeneity ($\alpha =10.0$), the F1-score remains relatively high at $\lambda =0.1$. This suggests that the patterns of Gear Spoofing attacks tend to be more personalized, making lower levels of global knowledge transfer more effective.

4)

RPM Spoofing Attacks: PFMeta-IDS achieves the highest F1-scores with $\lambda =0.01$ across all $\alpha$ settings, indicating that the patterns of RPM Spoofing attacks are highly personalized.

These findings demonstrate the importance of balancing global knowledge transfer and personalization in PFMeta-IDS, with the optimal $\lambda$ varying depending on the type of attack and level of data heterogeneity.

4.5. Comparison with Existing Works

To evaluate the effectiveness of PFMeta-IDS, we compare it with several state-of-the-art IDS for vehicular networks. The comparison focuses on three four aspects:

1)

Training Data Volume: We categorize the training datasets used in each work as low $(\le 300)$, medium $(300<size\le 1000)$, or high $(>1000)$ based on the number of samples.

2)

Data Privacy Measures: We examine whether the methods provide mechanisms to preserve the privacy of training data during the learning process.

3)

Collaborative Learning: We evaluate whether the methods utilize collaborative learning approaches to leverage data from multiple parties.

4)

Performance (F1-Score): We analyze the detection performance under different attack types to highlight the adaptability and robustness of each approach.

As shown in Table 2 and Table 3, PFMeta-IDS demonstrates clear advantages over existing works. Table 2 compares PFMeta-IDS with other IDSs based on training data volume, data privacy measures, and collaborative learning. Most existing works rely on large datasets (high training data volume) to achieve high detection performance, which limits their applicability in scenarios with restricted data availability or need quick adaptability. Additionally, none of these methods incorporate data privacy measures or collaborative learning mechanisms, leaving sensitive data exposed during the training process. In contrast, PFMeta-IDS operates effectively with low training data volumes due to its meta-learning framework, which facilitates rapid adaptation to new scenarios. It also ensures data privacy through federated learning, where raw data remains local to participants. Furthermore, PFMeta-IDS employs a collaborative learning approach, enabling it to leverage multi-party data while maintaining privacy. As shown in Table 3, PFMeta-IDS achieves competitive F1-scores compared to existing works. For DoS attacks, its score of 0.9846 is comparable to the highest score (0.9926) but surpasses other methods like CNN (0.9471). In fuzzy attacks, it achieves 0.9368, outperforming most methods except Anjum et al. (0.9963). For Gear Spoofing attacks, PFMeta-IDS delivers 0.9780, significantly higher than others. Notably, in RPM Spoofing attacks, PFMeta-IDS achieves a perfect score of 1.0000, outperforming all other works. These results demonstrate its exceptional adaptability and robustness with privacy-preserving capabilities.

5. Conclusions

In this work, we proposed PFMeta-IDS, a personalized federated meta-learning IDS tailored for vehicular networks. By integrating meta-learning with federated learning, PFMeta-IDS addresses the challenges of rapid adaptability, data heterogeneity, and data privacy. It proposed the FedSWR algorithm for balancing personalization and generalization, the lightweight LDwCBN network optimized for resource-constrained environments, and novel preprocessing techniques, KMC-IG, to enhance data processing. Experimental results on the Car-Hacking dataset demonstrate PFMeta-IDS’s superior performance across various attack scenarios, achieving high F1-scores while preserving data privacy and enabling collaborative learning across multiple parties. These findings highlight PFMeta-IDS as a scalable and secure solution for real-world applications. However, this work is limited by its evaluation in environments with relatively moderate heterogeneity, fixed client numbers, and static client participation. Future work will focus on exploring PFMeta-IDS’s effectiveness under more heterogeneous data distributions, larger and dynamically changing client populations, further enhancing its scalability and robustness in real-world applications.