pith. sign in

arxiv: 2606.23236 · v1 · pith:LD6SMXS6new · submitted 2026-06-22 · 💻 cs.CR · cs.SY· eess.SY

A Hybrid Intrusion Detection System for Electric Vehicle Charging Infrastructure

Charukeshi Joglekar , Chijioke Eze , Danni Xiang , Antonello Monti This is my paper

Pith reviewed 2026-06-26 07:53 UTC · model grok-4.3

classification 💻 cs.CR cs.SYeess.SY
keywords intrusion detection systemelectric vehicle charging stationhybrid IDSNIDSHIDSfalse data injection attacksmart grid cybersecurityEVCS security
0
0 comments X

The pith

A hybrid intrusion detection system combining network and host monitoring detects cyberattacks on electric vehicle charging stations with 99.99% and 83.47% accuracy.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes a hybrid IDS for EV charging infrastructure that integrates network-based and host-based detection to cover both cyber and physical layers. It applies multiclass classification to the CICEVSE2024 dataset covering false data injection, denial of service, reconnaissance, backdoor, and cryptojacking attacks. The dual-layer method is shown to outperform prior single-source detectors in the reported experiments. A sympathetic reader would care because EVCS integration with the smart grid expands the attack surface, and better detection could limit disruptions to power systems and vehicles.

Core claim

The proposed hybrid IDS utilizes a dual-layer integration method combining NIDS and HIDS for comprehensive monitoring, performs multiclass classification on the CICEVSE2024 dataset across FDIAs, reconnaissance, DoS, backdoor, and cryptojacking attacks, and achieves 99.99% accuracy in the NIDS component for network-based attacks while the HIDS component reaches 83.47% accuracy on FDIA, cryptojacking, backdoor, all DoS, and all Recon except Slowloris Scan attacks, significantly outperforming single-source detection approaches.

What carries the argument

The dual-layer integration method that combines network-based IDS (NIDS) and host-based IDS (HIDS) to monitor network traffic and host-level activities in EVCS ecosystems.

If this is right

  • The hybrid approach enables multiclass classification across FDIAs, reconnaissance, denial of service, backdoor, and cryptojacking attacks.
  • NIDS provides near-perfect detection for network-based attacks while HIDS adds coverage for host-level threats.
  • The dual-layer design addresses gaps in existing single-source EVCS IDS methods.
  • Comprehensive monitoring of both cyber and physical layers becomes feasible within interconnected EVCS ecosystems.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the accuracies generalize, operators could integrate the system into smart-grid control centers to limit the spread of attacks from compromised chargers to the broader power network.
  • The method could be extended to other distributed energy resources that share similar network-host attack surfaces.
  • Real-time retraining mechanisms would be needed if novel attack variants emerge after deployment.

Load-bearing premise

The CICEVSE2024 dataset and the selected attack types are representative of real-world EVCS threats so that the reported accuracies will hold in live systems.

What would settle it

Deploying the system on an operational EVCS network and measuring a substantial drop in accuracy when facing attack variants absent from the CICEVSE2024 dataset would falsify the generalization of the reported detection rates.

Figures

Figures reproduced from arXiv: 2606.23236 by Antonello Monti, Charukeshi Joglekar, Chijioke Eze, Danni Xiang.

Figure 1
Figure 1. Figure 1: EV Charging ecosystems The two primary actors in this ecosystem are: Charging Point Operators (CPOs), who own and operate the charging stations; and EV drivers, who use the charging services. These components and actors interact through various communica￾tion protocols. The communication between the CSMS, which is managed by CPO and the EVCS uses the Open Charge Point Protocol (OCPP), whereas the communica… view at source ↗
Figure 2
Figure 2. Figure 2: The Conceptual Hybrid IDS Architecture This coordinated approach enables comprehensive detection at both the network and host levels, effectively addressing threats towards the cyber-physical system. This is particularly important, as attacks such as denial of service attacks at the network layer can result in abnormal activities at the host level, for example, interruption of charging and ultimately power… view at source ↗
Figure 3
Figure 3. Figure 3: Confusion Matrix for Network-based Detection using [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
read the original abstract

The integration of Electric Vehicle Charging Stations (EVCSs) into the smart grid necessitates sophisticated digital infrastructure for their management and coordination, which expands the attack surface and makes both the power grid and EVCSs vulnerable to cyberattacks. This research addresses critical gaps in existing EVCS Intrusion Detection Systems (IDS) by proposing a hybrid IDS that integrates attack detection on both the cyber and physical layer of the EVCS ecosystem. The proposed hybrid IDS utilizes a dual-layer integration method, which combines network-based IDS (NIDS) and host-based IDS (HIDS). This approach facilitates for comprehensive monitoring of both network traffic through the NIDS and host-level activities via the HIDS, effectively addressing the unique challenges posed by the interconnected nature of EVCS ecosystems. Utilizing the recent CICEVSE2024 dataset, the IDS presented in this work performs multiclass classification across various attack types, including False Data Injection Attacks (FDIAs), reconnaissance, denial of service, backdoor, and cryptojacking attacks. Experimental results demonstrate that our approach achieves excellent detection accuracy, with the NIDS component reaching 99.99\% accuracy for network-based attacks and the HIDS component achieving 83.47\% accuracy on FDIA, cryptojacking, backdoor, all DoS, all Recon except Slowloris Scan attacks. This dual-layer detection significantly outperforms single-source detection approaches previously presented in literature.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes a hybrid intrusion detection system for electric vehicle charging infrastructure that integrates network-based (NIDS) and host-based (HIDS) detection using the CICEVSE2024 dataset. It performs multiclass classification on attacks such as false data injection, reconnaissance, denial of service, backdoor, and cryptojacking, reporting 99.99% accuracy for the NIDS component on network-based attacks and 83.47% accuracy for the HIDS component on FDIA, cryptojacking, backdoor, all DoS, and all Recon except Slowloris Scan attacks, claiming to outperform previous single-source methods.

Significance. If the results are supported by rigorous methodology and the dataset is representative, this work could be significant for enhancing security in EV charging systems by addressing both cyber and physical layers. The use of a recent dataset is a positive element, but the lack of detailed experimental setup limits the ability to gauge its contribution to the field.

major comments (2)
  1. Abstract: The abstract states high accuracies but provides no information on model architectures, training procedures, cross-validation, baseline comparisons, or error analysis. This omission is load-bearing for the central claim that the approach achieves excellent detection accuracy and outperforms prior methods.
  2. Results section: The manuscript does not describe the provenance of the CICEVSE2024 dataset, whether attacks are synthetic or real, presence of realistic background traffic, class balance, or any temporal aspects that would support testing for concept drift. These details are necessary to substantiate the generalizability of the reported accuracies to live systems.
minor comments (2)
  1. Abstract: The sentence 'This approach facilitates for comprehensive monitoring' contains a grammatical issue; it should be 'facilitates comprehensive monitoring'.
  2. Abstract: The description of HIDS accuracy ('on FDIA, cryptojacking, backdoor, all DoS, all Recon except Slowloris Scan attacks') is ambiguous and should be clarified for precision.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. We address the major comments point by point below, agreeing where additional details will strengthen the work and outlining the planned revisions.

read point-by-point responses

  1. Referee: Abstract: The abstract states high accuracies but provides no information on model architectures, training procedures, cross-validation, baseline comparisons, or error analysis. This omission is load-bearing for the central claim that the approach achieves excellent detection accuracy and outperforms prior methods.

    Authors: We agree the abstract is concise and omits these specifics. The full manuscript details the NIDS and HIDS model architectures (including the specific classifiers employed), the use of cross-validation, and direct comparisons to single-source baselines from prior literature. Error analysis appears in the results. We will revise the abstract to concisely reference the hybrid methodology, cross-validation approach, and outperformance of baselines while preserving length limits. revision: yes

  2. Referee: Results section: The manuscript does not describe the provenance of the CICEVSE2024 dataset, whether attacks are synthetic or real, presence of realistic background traffic, class balance, or any temporal aspects that would support testing for concept drift. These details are necessary to substantiate the generalizability of the reported accuracies to live systems.

    Authors: The manuscript cites the CICEVSE2024 source paper for provenance and notes that the dataset derives from a real EVCS testbed with emulated attacks and background traffic. Class balance is handled via the experimental protocol described. We will add an explicit subsection in the results to summarize dataset characteristics, attack generation (synthetic and emulated), traffic realism, class distributions, and a limitations discussion noting the lack of concept-drift experiments as an area for future work. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical accuracies reported from dataset experiments, no derivations or self-referential reductions

full rationale

The paper's central claims consist of experimental classification accuracies (99.99% NIDS, 83.47% HIDS) obtained by applying standard ML techniques to the CICEVSE2024 dataset for listed attack types. No equations, parameter-fitting steps, uniqueness theorems, or ansatzes appear in the provided text. The results are presented as direct experimental outcomes rather than quantities derived from or equivalent to the inputs by construction. No self-citation chains or renamings of known results are load-bearing for the accuracy figures. This is the expected non-finding for an applied ML evaluation paper.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review; no explicit free parameters, axioms, or invented entities are stated. The approach implicitly assumes standard supervised ML classification on the cited dataset without detailing any custom modeling choices.

pith-pipeline@v0.9.1-grok · 5791 in / 1061 out tokens · 21062 ms · 2026-06-26T07:53:45.708628+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

21 extracted references · 4 canonical work pages

  1. [1]

    Global stock of public charging points by speed, 2018-2024,

    International Energy Agency, “Global stock of public charging points by speed, 2018-2024,” https://www.iea.org/data-and-statistics/charts/ global-stock-of-public-charging-points-by-speed-2018-2024, 2025

    2018

  2. [2]

    MaDEVIoT: Cyberattacks on EV charging can disrupt power grid operation,

    S. Acharya, H. A. U. Khan, R. Karri, and Y . Dvorkin, “MaDEVIoT: Cyberattacks on EV charging can disrupt power grid operation,” in 2024 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT), 2024, pp. 1–5

    2024

  3. [3]

    Artificial intelligence- augmented smart grid architecture for cyber intrusion detection and mitigation in electric vehicle charging infrastructure,

    A. Sharma, S. Rani, and M. Shabaz, “Artificial intelligence- augmented smart grid architecture for cyber intrusion detection and mitigation in electric vehicle charging infrastructure,”Scientific Reports, vol. 15, p. 21653, 2025. [Online]. Available: https: //doi.org/10.1038/s41598-025-04984-4

    work page doi:10.1038/s41598-025-04984-4 2025

  4. [4]

    A machine learning-based intrusion detection system for iot electric vehicle charging stations (evcss),

    M. ElKashlan, M. S. Elsayed, A. D. Jurcut, and M. Azer, “A machine learning-based intrusion detection system for iot electric vehicle charging stations (evcss),”Electronics, vol. 12, no. 4, 2023. [Online]. Available: https://www.mdpi.com/2079-9292/12/4/1044

    2023

  5. [5]

    Deep learning-based intrusion detection system for electric vehicle charging station,

    M. Basnet and M. Hasan Ali, “Deep learning-based intrusion detection system for electric vehicle charging station,” in2020 2nd International Conference on Smart Power & Internet Energy Systems (SPIES), 2020, pp. 408–413

    2020

  6. [6]

    Detection of anomalies in electric vehicle charging sessions,

    D. Kern, C. Krauß, and M. Hollick, “Detection of anomalies in electric vehicle charging sessions,” inProceedings of the 39th Annual Computer Security Applications Conference, ser. ACSAC ’23. New York, NY , USA: Association for Computing Machinery, 2023, p. 298–309. [Online]. Available: https://doi.org/10.1145/3627106.3627127

    work page doi:10.1145/3627106.3627127 2023

  7. [7]

    Hidden markov models- based anomaly correlations for the cyber-physical security of ev charging stations,

    M. Girdhar, J. Hong, H. Lee, and T.-J. Song, “Hidden markov models- based anomaly correlations for the cyber-physical security of ev charging stations,”IEEE Transactions on Smart Grid, vol. 13, no. 5, pp. 3903– 3914, 2022

    2022

  8. [8]

    Multi-view graph contrastive represen- tative learning for intrusion detection in ev charging station,

    Y . Li, G. Chen, and Z. Dong, “Multi-view graph contrastive represen- tative learning for intrusion detection in ev charging station,”Applied Energy, vol. 385, p. 125439, 2025

    2025

  9. [9]

    Advanced temporal convolutional network framework for intrusion detection in electric vehicle charging stations,

    I. Benfarhat, V . T. Goh, C. L. Siow, I. E. Lee, M. Sheraz, E. E. Ngu, and T. C. Chuah, “Advanced temporal convolutional network framework for intrusion detection in electric vehicle charging stations,”IEEE Open Journal of Vehicular Technology, 2025

    2025

  10. [10]

    En- hancing ev charging station security using a multi-dimensional dataset: Cicevse2024,

    E. D. Buedi, A. A. Ghorbani, S. Dadkhah, and R. L. Ferreira, “En- hancing ev charging station security using a multi-dimensional dataset: Cicevse2024,” inData and Applications Security and Privacy XXXVIII, A. L. Ferrara and R. Krishnan, Eds. Cham: Springer Nature Switzer- land, 2024, pp. 171–190

    2024

  11. [11]

    Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains,

    E. M. Hutchins, M. J. Cloppert, R. M. Aminet al., “Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains,”Leading Issues in Information Warfare & Security Research, vol. 1, no. 1, p. 80, 2011

    2011

  12. [12]

    Local power grids at risk – an experimental and simulation-based analysis of attacks on vehicle-to-grid communication,

    M. Zhdanova, J. Urbansky, A. Hagemeier, D. Zelle, I. Herrmann, and D. H ¨offner, “Local power grids at risk – an experimental and simulation-based analysis of attacks on vehicle-to-grid communication,” inProceedings of the 38th Annual Computer Security Applications Conference, ser. ACSAC ’22. New York, NY , USA: Association for Computing Machinery, 2022, ...

    work page doi:10.1145/3564625.3568136 2022

  13. [13]

    Impact of cyber-attacks on ev charging coordination: The case of single point of failure,

    E. Gumrukcu, A. Arsalan, G. Muriithi, C. Joglekar, A. Aboulebdeh, M. Alparslan Zehir, B. Papari, and A. Monti, “Impact of cyber-attacks on ev charging coordination: The case of single point of failure,” in2022 4th Global Power, Energy and Communication Conference (GPECOM), 2022, pp. 506–511

    2022

  14. [14]

    Dynamic capacity sharing for cyber–physical resilience of EV charging,

    E. G ¨umr¨ukc¨u, C. Joglekar, G. Muriithi, A. Arsalan, A. Aboulebdeh, B. Papari, A. Zehir, F. Ponci, and A. Monti, “Dynamic capacity sharing for cyber–physical resilience of EV charging,”Energies, vol. 17, no. 24, p. 6277, 2024

    2024

  15. [15]

    Early detection of cyber–physical attacks on fast charging stations using machine learning considering vehicle-to-grid operation in microgrids,

    Z. Warraich and W. Morsi, “Early detection of cyber–physical attacks on fast charging stations using machine learning considering vehicle-to-grid operation in microgrids,”Sustainable Energy, Grids and Networks, vol. 34, p. 101027, 2023. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S2352467723000358

    2023

  16. [16]

    IoT-23: A labeled dataset with malicious and benign IoT network traffic,

    S. Garcia, A. Parmisano, and M. J. Erquiaga, “IoT-23: A labeled dataset with malicious and benign IoT network traffic (Version 1.0.0),” https: //doi.org/10.5281/zenodo.4743746, 2020, zenodo. [Data set]

    work page doi:10.5281/zenodo.4743746 2020

  17. [17]

    A knowledge distillation enhanced semi-supervised federated learning framework for intrusion detection in ev charging networks,

    L. Jiang, Q. li, X. Che, and X. Chen, “A knowledge distillation enhanced semi-supervised federated learning framework for intrusion detection in ev charging networks,”IEEE Internet of Things Journal, vol. 12, no. 16, pp. 34 360–34 373, 2025

    2025

  18. [18]

    ACN-Data: Analysis and Applications of an Open EV Charging Dataset,

    Z. J. Lee, T. Li, and S. H. Low, “ACN-Data: Analysis and Applications of an Open EV Charging Dataset,” inProceedings of the Tenth Inter- national Conference on Future Energy Systems, ser. e-Energy ’19, Jun. 2019

    2019

  19. [19]

    ElaadNL Open EV Charging Transactions,

    ElaadNL, “ElaadNL Open EV Charging Transactions,” https://platform. elaad.io/download-data/, 2019, accessed: 2025-07-16. [Data set]

    2019

  20. [20]

    Enhancing ev charging station security: A multi-stage approach,

    E. D. Buedi, “Enhancing ev charging station security: A multi-stage approach,” 2024, master’s thesis

    2024

  21. [21]

    Fl-evcs: Federated learning based anomaly detection for ev charging ecosystem,

    S. Purohit and M. Govindarasu, “Fl-evcs: Federated learning based anomaly detection for ev charging ecosystem,” in2024 33rd Interna- tional Conference on Computer Communications and Networks (IC- CCN), 2024, pp. 1–9

    2024