PhD Researcher (M/F) - PhD: Federated Graph Neural Networks for Intrusion Detection in electric vehicle networks

  • On-site
    • Lingolsheim, Grand Est, France
  • Research

Job description

Abstract

Securing the connected vehicle is no longer optional; it is a prerequisite for safe, trustworthy mobility in the era of electric and autonomous transportation.

Keywords: Sustainable City, Electric Mobility, Intrusion Detection, Federated Graph Neural Networks, Centrality measures

The rapid growth of electric vehicles is accompanied by an increasing interconnection between vehicles, charging stations, digital platforms, supervision systems, and energy management devices. This evolution fosters the emergence of interoperable and data-driven smart mobility services, but it also exposes the entire ecosystem to growing cyber risks. In these distributed environments, where multiple stakeholders cooperate, security, resilience, and trust become essential prerequisites for the large-scale deployment of connected electric mobility.

In complement to the eTruckCharge project, which aims to develop a federated charging network and associated intelligent services, this doctoral project addresses a closely related scientific challenge: the collaborative detection of attacks and anomalies in connected electric mobility ecosystems. The objective is to design mechanisms capable of coping with a wide variety of threats, particularly distributed, coordinated, or emerging attacks that are difficult to identify using traditional signature-based approaches.

Although deep learning approaches have shown strong potential for intrusion detection, their centralized training raises significant limitations in terms of data privacy, data governance, robustness, and scalability. This thesis therefore proposes a distributed detection framework based on federated learning and Graph Neural Networks (GNNs), capable of modeling structural dependencies between the different components of an electric mobility system while keeping data locally at the level of the relevant stakeholders. Local models will be trained at the level of charging stations, vehicles, or edge nodes, and then aggregated collaboratively without any direct exchange of raw data.

The originality of this work lies in the combined use of federated learning, GNNs, and centrality measures from complex network theory to improve anomaly detection, enhance robustness in heterogeneous environments, and increase generalization to unseen or weakly represented attacks in the training data. Particular attention will be paid to detecting new attack patterns without explicit signatures, by analyzing topological dependencies, relational behaviors, and structural disruptions in interaction graphs.

Finally, in collaboration with ChargeMap, an innovative company based in Strasbourg and specialized in digital services for electric mobility, the approach will be evaluated through realistic scenarios related to charging infrastructures and associated services. The ambition is to propose a generic, distributed, and privacy-preserving methodological framework to strengthen the cybersecurity and resilience of future connected electric mobility systems.

Research Work

Scientific context  

The rapid growth of connected and electric vehicles is accompanied by an increasing interconnection between embedded cyber-physical systems, external communication interfaces, digital platforms, and energy management devices. While this evolution enables the emergence of new intelligent and interoperable mobility services, it also significantly expands the cyber attack surface of the entire automotive ecosystem [1,2]. In such distributed environments, where multiple stakeholders collaborate without necessarily sharing their data or infrastructures, security, resilience, and trust become critical enablers for the large-scale deployment of connected electric mobility.

Network Intrusion Detection Systems (NIDS) have emerged as an essential countermeasure for monitoring CPS traffic and detecting malicious activity [3]. Although deep learning-based NIDS have demonstrated promising detection performance, their centralized training raises significant concerns regarding data privacy, governance, robustness, and scalability that are incompatible with real-world automotive fleet deployments [4]. This thesis therefore addresses a closely related scientific challenge: the collaborative detection of attacks and anomalies in connected electric vehicle ecosystems. The objective is to design detection mechanisms capable of handling a wide range of threats, particularly distributed, coordinated, or emerging attacks that are difficult to identify using traditional signature-based approaches. Federated Learning (FL) has been proposed as a solution, enabling each node to train a model locally and share only model weights with a central aggregator, keeping sensitive data on-device while enabling collaborative learning at scale [5].

The originality of this work lies in the combined use of federated learning, GNNs, and centrality measures from complex network theory to enhance intrusion detection, improve robustness in heterogeneous environments, and increase generalization to unseen or weakly represented attacks [6-9]. A key limitation of conventional federated approaches is their inability to capture the graph-structured topology inherent to electric vehicle CPS networks, where components and their interactions form complex relational graphs. GNNs address this gap by explicitly modeling nodes and their dependencies, while centrality measures identify critical system components and structural disruptions within interaction graphs. This combined framework aims to deliver a more performant, distributed, and privacy-preserving intrusion detection solution, capable of strengthening the cybersecurity, resilience, and reliability of future connected electric mobility systems.

Subject

This thesis proposes the design, implementation, and evaluation of a federated GNN-based intrusion detection framework for connected electric vehicle cyber-physical systems. Its originality lies in the combination of three complementary dimensions: (i) federated learning specifically adapted to the constraints and heterogeneity of distributed electric mobility ecosystems, (ii) graph neural network architectures tailored to the topology of inter-component communication systems within electric vehicles and charging infrastructures, and (iii) the exploitation of complex network properties to enhance detection performance and generalization across heterogeneous environments. To support this objective, the work begins with a comprehensive state of the art on GNN-based federated intrusion detection systems for connected electric mobility cyber-physical systems, building on existing approaches in IoT and CPS while identifying key limitations and research opportunities specific to the eTruckCharge project and broader connected electric mobility environments.

A core contribution of the thesis will be the modelling of electric vehicle CPS networks as graph-structured systems, where components are represented as nodes and communication channels as edges. This includes extracting structural features such as centrality metrics and constructing realistic datasets that capture a wide spectrum of attack scenarios, including injection, spoofing, denial-of-service, and anomalies related to electric vehicle charging infrastructures. Building upon the dataset generation methodology introduced in [10], these datasets will be enriched with diverse complex network properties to ensure robustness and representativeness. In parallel, the thesis will focus on the design of a federated GNN aggregation method adapted to connected electric mobility ecosystems by extending architectures such as FedGATSage [11,12]. The proposed approach will address a critical limitation of prior work, namely the loss of structural information during parameter aggregation, by preserving both spatial (topological) and temporal (traffic sequence) dependencies across vehicles, charging stations, and edge nodes.
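An added illustration (not code from the project or the cited papers) of the graph modelling described above: constructed flow records between hypothetical components become an undirected interaction graph, from which degree and betweenness centrality (Brandes' algorithm) are extracted as per-node structural features. All node names and flows are constructed, and comparing two windows by degree-centrality shift is an assumption made for the example.

```python
from collections import defaultdict, deque

# Constructed baseline flows (src, dst); every name here is hypothetical.
FLOWS = [
    ("ev-01", "cs-A"), ("ev-02", "cs-A"), ("ev-03", "cs-B"),
    ("cs-A", "csms"), ("cs-B", "csms"), ("csms", "billing"),
    ("ev-01", "cs-A"),  # repeated flow maps to the same edge
]
# Constructed later window: an unknown node talks to many components.
WINDOW = FLOWS + [("ev-99", "cs-A"), ("ev-99", "cs-B"),
                  ("ev-99", "csms"), ("ev-99", "billing")]

def build_graph(flows):
    """Components become nodes, communication channels become edges."""
    adj = defaultdict(set)
    for src, dst in flows:
        if src != dst:
            adj[src].add(dst)
            adj[dst].add(src)
    return dict(adj)

def degree_centrality(adj):
    n = len(adj)
    return {v: len(nb) / (n - 1) if n > 1 else 0.0 for v, nb in adj.items()}

def betweenness_centrality(adj):
    """Brandes' algorithm for an unweighted, undirected graph, normalised."""
    bc = dict.fromkeys(adj, 0.0)
    for s in adj:
        stack, preds = [], {v: [] for v in adj}
        sigma = dict.fromkeys(adj, 0)   # number of shortest paths from s
        sigma[s] = 1
        dist = {s: 0}
        queue = deque([s])
        while queue:                    # BFS from s
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        while stack:                    # accumulate dependencies backwards
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    n = len(adj)
    scale = 1 / ((n - 1) * (n - 2)) if n > 2 else 0.0
    return {v: b * scale for v, b in bc.items()}

def node_features(flows):
    """Per-node (degree, betweenness) features for one traffic window."""
    adj = build_graph(flows)
    deg, btw = degree_centrality(adj), betweenness_centrality(adj)
    return {v: (round(deg[v], 3), round(btw[v], 3)) for v in adj}

def largest_shift(baseline, window):
    """Node whose degree centrality rose most relative to the baseline."""
    base, cur = node_features(baseline), node_features(window)
    return max(cur, key=lambda v: cur[v][0] - base.get(v, (0.0, 0.0))[0])
```

In a federated setting such feature vectors would be computed locally by each client on its own subgraph, so only model parameters, not flows, leave the site.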

Finally, the thesis will investigate how complex network properties (such as centralities, community structure, and backbone extraction [13-15]) can be leveraged to improve detection accuracy and inference speed, which is essential for resource-constrained embedded environments within large-scale electric mobility deployments. In collaboration with the company ChargeMap, with which a partnership agreement is already established, the proposed framework will be extensively evaluated through experimental benchmarking against state-of-the-art methods, using both public datasets and datasets generated in the context of realistic charging infrastructure scenarios. Performance will be assessed across multiple dimensions, including detection accuracy under diverse attack scenarios, privacy preservation, and communication efficiency within federated learning settings. The goal is to deliver a validated, distributed, and privacy-preserving intrusion detection building block contributing to the cybersecurity and resilience of the eTruckCharge federated charging network and future connected electric mobility systems.

Prior works in the laboratory

The contributions of this thesis project build directly on the research conducted by the CESI LINEACT team in collaboration with the Lebanese University through the joint supervision theses of Mortada Termos and Fouad Al Tfaily. Termos et al. introduced the GDLC framework, which integrates graph deep learning with centrality measures for intrusion detection in IoT networks [6], and subsequently extended this approach with an enhanced GraphSAGE embedding algorithm that further exploits centrality for node representation [8]. These contributions demonstrated that modelling network traffic as graphs and leveraging topological properties significantly outperforms classical deep learning methods for NIDS. More recently, Termos et al. showed that integrating centrality measures into FL-based NIDS substantially improves generalisation in heterogeneous federated environments [7-9], establishing the methodological foundation on which this thesis will build.

At the federated learning level, Al Tfaily et al. proposed FedGATSage, a federated architecture combining client-side Graph Attention Networks with server-side GraphSAGE through community abstraction, achieving near-centralized accuracy on NF-ToN-IoT and CIC-ToN-IoT benchmarks while preserving full data privacy [11,12]. Arbaoui et al. (a PhD student under the supervision of M. Amine Brahmia) provided a comprehensive multi-level taxonomy of FL aggregation techniques [5], while Brahmia et al. demonstrated adaptive attack prediction for CPS using ensemble machine learning [1]. The team has also investigated dataset diversity, showing that generating datasets with varied complex network properties is essential for reliable IDS evaluation. All these works converge naturally toward the automotive domain, which constitutes a new frontier for the team and the core application of this doctoral project.

Expected scientific/technical production

Phase 1 deliverable:

  • A benchmark dataset for connected electric mobility CPS intrusion detection, generated from realistic electric vehicle and charging infrastructure scenarios in collaboration with ChargeMap, intended for public release to the research community.

  • At least one conference paper at a venue such as IEEE WCNC, IEEE DASC, or IoTBDS.

Phase 2-3 deliverable:

  • An open-source implementation of the federated GNN-based IDS framework for connected electric mobility ecosystems.

  • At least two journal articles in IEEE Transactions on Vehicular Technology, IEEE Internet of Things Journal, or Computers & Security, covering (i) the federated GNN architecture for connected electric vehicle CPS and (ii) the centrality-enhanced intrusion detection method.

The work will provide mobility operators, charging infrastructure providers, and service stakeholders with a privacy-preserving, scalable, and deployable IDS solution adapted to next-generation connected electric mobility platforms, contributing directly to the cybersecurity, resilience, and trustworthiness of the eTruckCharge federated charging network and broader connected electric mobility ecosystems.

Context

Lab presentation

CESI LINEACT (UR 7527), Laboratory for Digital Innovation for Businesses and Learning to Support the Competitiveness of Territories, anticipates and accompanies the technological mutations of sectors and services related to industry and construction. The historical proximity of CESI with companies is a determining element for our research activities. It has led us to focus our efforts on applied research close to companies and in partnership with them. A human-centered approach coupled with the use of technologies, as well as territorial networking and links with training, have enabled the construction of cross-cutting research; it puts humans, their needs and their uses, at the center of its issues and addresses the technological angle through these contributions.

Its research is organized according to two interdisciplinary scientific teams and several application areas.

  • Team 1 "Learning and Innovating" mainly concerns Cognitive Sciences, Social Sciences and Management Sciences, Training Techniques and those of Innovation. The main scientific objectives are the understanding of the effects of the environment, and more particularly of situations instrumented by technical objects (platforms, prototyping workshops, immersive systems...) on learning, creativity and innovation processes.

  • Team 2 "Engineering and Digital Tools" mainly concerns Digital Sciences and Engineering. The main scientific objectives focus on modeling, simulation, optimization and data analysis of cyber physical systems. Research work also focuses on decision support tools and on the study of human-system interactions in particular through digital twins coupled with virtual or augmented environments.

 

These two teams develop and cross their research in application areas such as

  • Industry 5.0,

  • Construction 4.0 and Sustainable City,

  • Digital Services.

These areas are supported by research platforms, mainly the one in Rouen dedicated to Factory 5.0 and those in Nanterre dedicated to Factory 5.0 and Construction 4.0.

 

Links to the research axes of the research team involved

This doctoral project is fully aligned with the scientific research axes of the Engineering and Digital Tools team at the CESI LINEACT laboratory, and more specifically with the “Resilient and Secure Systems” research theme. This theme focuses on designing systems capable of ensuring reliable, secure, and robust operation in complex, distributed, and uncertain environments, addressing the challenges of the cities of the future.

 

In this context, the proposed PhD topic directly contributes to these objectives by addressing the cybersecurity of connected electric mobility ecosystems, which constitute highly critical distributed cyber-physical systems. By leveraging federated learning and Graph Neural Networks (GNN) approaches, the research aims to develop intrusion detection mechanisms capable of operating in heterogeneous, decentralized, and resource-constrained environments, while ensuring data privacy and robustness against advanced attacks.

 

Furthermore, the proposed work builds upon ongoing research within this theme, particularly in the areas of federated learning optimization and anomaly detection, by incorporating key aspects such as security, privacy, and adaptation to infrastructure heterogeneity. It also extends previous work conducted by the laboratory in collaboration with the Lebanese University, whose promising results open up significant research opportunities, especially in improving distributed learning approaches, detecting emerging attacks, and exploiting structural relationships within connected systems.

 

Finally, this project is fully consistent with the mission of CESI LINEACT to develop applied research at the interface between digital and physical systems, addressing major industrial and territorial challenges, particularly in the fields of sustainable cities, digital services, and intelligent systems. By contributing to enhancing the security and resilience of electric mobility infrastructures, this research actively supports the digital and environmental transformations promoted by the laboratory.

Job requirements

Skills

Scientific and technical skills: AI (deep learning, GNNs, federated learning), cybersecurity of distributed systems and networks (intrusion detection, anomaly detection, cyber-physical systems security), Python programming (PyTorch, TensorFlow, PyG), and scientific writing. Knowledge of vehicular networks will be particularly appreciated.

Soft skills: Scientific rigor, autonomy, teamwork, critical thinking, project management, communication, and the ability to work in an interdisciplinary research environment.

Organization

Funding: Interreg Rhin Supérieur project “Etruckcharge”

Location: Strasbourg

Starting date: 01/09/2026

Duration: 36 months

 

Supervisor(s):

Amine Brahmia, Lecturer-researcher (HDR), Thesis Director

Mourad Zghal, Lecturer-researcher (HDR), Thesis Co-Director

Zakariya Ghalmane, Lecturer-researcher, Supervisor

Bibliography:

[1] R. Abreu, F. Branco, M. J. C. S. Reis and C. Serôdio, "Cybersecurity in Connected and Autonomous Vehicles: A Systematic Review of Automotive Security," in IEEE Access, vol. 13, pp. 116818-116855, 2025, doi: 10.1109/ACCESS.2025.3584649.

[2] Tawfiq Aljohani, Abdulaziz Almutairi, A comprehensive survey of cyberattacks on EVs: Research domains, attacks, defensive mechanisms, and verification methods, Defence Technology, Volume 42, 2024, Pages 31-58.

[3] Chouikhi, S., & Khoukhi, L. (2025, December). A Stackelberg Game Security Model Against Botnets in Electric Vehicle Systems. In GLOBECOM 2025-2025 IEEE Global Communications Conference (pp. 770-774). IEEE.

[4] Baahmed, A. R., Dollinger, J. F., Brahmia, M.-E.-A., & Zghal, M. (2026). HiFEL-OCKT: Hierarchical Federated Edge Learning with Objective Congruence and Multi-Level Knowledge Transfer for IoT Ecosystems. Internet of Things, 101868.

[5] Arbaoui, M., Brahmia, M.-E.-A., Rahmoun, A. & Zghal, M. Federated learning survey: A multi-level taxonomy of aggregation techniques, experimental insights, and future frontiers. ACM Transactions on Intelligent Systems and Technology 15, 1–69 (2024).

[6] Termos, M., Ghalmane, Z., Brahmia, M.-E.-A., Fadlallah, A., Jaber, A. & Zghal, M. GDLC: A new graph deep learning framework based on centrality measures for intrusion detection in IoT networks. Internet of Things 26, 101214 (2024).

[7] Jianping, W., Guangqiu, Q., Chunming, W., Weiwei, J., & Jiahe, J. (2024). Federated learning for network attack detection using attention-based graph neural networks. Scientific Reports, 14(1), 19088.

[8] Termos, M., Ghalmane, Z., Brahmia, M.-E.-A., Fadlallah, A., Jaber, A., & Zghal, M. (2026). ADAP-GNN: Adaptive property-aware graph neural network for intrusion detection in IoT networks. Computers and Electrical Engineering, 133, 111051.

[9] Termos, M., Ghalmane, Z., Brahmia, M.-E.-A., Fadlallah, A., Jaber, A. & Zghal, M. Intrusion detection system for IoT based on complex networks and machine learning. In 2023 IEEE DASC/PiCom/CBDCom/CyberSciTech, 471–477. IEEE (2023).

[10] Tihanyi, N., Ferrag, M. A., Jain, R., Bisztray, T., & Debbah, M. (2024, September). Cybermetric: A benchmark dataset based on retrieval-augmented generation for evaluating llms in cybersecurity knowledge. In 2024 IEEE International Conference on Cyber Security and Resilience (CSR) (pp. 296-302). IEEE.

[11] Al Tfaily, F., Ghalmane, Z., Brahmia, M.-E.-A., Hazimeh, H., Jaber, A. & Zghal, M. Graph-based federated learning approach for intrusion detection in IoT networks. Scientific Reports 15, 41264 (2025). https://doi.org/10.1038/s41598-025-25175-1

[12] Al Tfaily, F., Ghalmane, Z., Brahmia, M. E. A., Hazimeh, H., Jaber, A., & Zghal, M. (2026). Community-based Vulnerability Prediction Framework for IoT Intrusion Detection using only Network Topology. Future Generation Computer Systems, 108493.

[13] Ghalmane, Z., Cherifi, C., Cherifi, H. & El Hassouni, M. Centrality in complex networks with overlapping community structure. Scientific Reports 9, 10133 (2019).

[14] Ghalmane, Z., Cherifi, C., Cherifi, H. & El Hassouni, M. Extracting backbones in weighted modular complex networks. Scientific Reports 10, 15539 (2020).

[15] Yassin, A., Haidar, A., Cherifi, H., Seba, H., & Togni, O. (2023). An evaluation tool for backbone extraction techniques in weighted complex networks. Scientific Reports, 13(1), 17000.
