Introduction

Sustainable cyber-physical systems (CPS) have transformed modern industries by delivering smart, connected solutions across transportation, healthcare, and industrial automation. Sustainable CPS is designed to incorporate the functionality of computers, sensors, and electronic systems to efficiently monitor and regulate multiple processes in real time1. In Vehicular Ad Hoc Networks (VANETs), CPS provides intelligent interfaces for transportation systems to enable real-time spatial communication and internet connectivity2. Through Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) connectivity, VANETs support autonomous driving, improve traffic management, and enhance road safety3. However, as VANETs increasingly depend on communication and connectivity technologies, they also support a novel and disruptive range of cybersecurity vulnerabilities, including data poisoning, Sybil, and Distributed Denial of Service (DDoS) attacks4. An additional security aspect is monitoring for instabilities and hostile actions. This type of real-time monitoring is part of the anomaly detection systems that VANETs deploy for operational security5. The standard systems for anomaly detection, especially the rule-based and signature systems, are less able to cope with the fast, dynamic, and unpredictable cyber threat landscape that characterises VANETs6. These systems are also poorly designed for detecting advanced and novel cyberattacks, poorly scalable, and generate high false-positive rates.

Communication within VANETs must be reliable, efficient, and sustainable to support the future of intelligent transportation systems. Research on intelligent transportation systems based on machine learning and anomaly detection highlights scalability, energy efficiency, and false-positive rates associated with preemptive anomaly control7,8. This work proposes using energy-aware multi-criteria routing in conjunction with machine-learning-integrated anomaly detection to mitigate these challenges. This will enhance real-time threat response, support energy-efficient computing, and promote sustainable cyber-physical VANET computing. With Artificial Intelligence (AI), VANET systems will learn and adapt anomaly detection systems to new threats, improving detection systems’ precision and operational efficiency9. Nonetheless, many recent AI solutions are ill-suited for real-time implementation in vehicle networks due to excessive computational requirements10. Thus, protecting VANETs with appropriate network performance will require scalable, low-latency anomaly-detection systems.

The framework improves detection efficiency while minimising computational burden by combining feature selection, clustering, and classification. Through continuous network traffic supervision, AD-MLA automatically lowers active security threats by resolving real-time deviations. In terms of computing efficiency, false-positive reduction, and detection precision, the experimental results demonstrate that AD-MLA outperforms all other active anomaly detection systems. Unlike other systems, AD-MLA is scalable to cyber threat ecosystems while addressing the high false-positive problem that dominates anomaly detection in VANETs. The primary research contributions are outlined below.

  • Developed a sustainable AD-MLA framework, integral in advancing VANET security and facilitating intelligent, clean transportation systems. AD-MLA improves detection accuracy, enables real-time adaptation, and enhances the efficiency and sustainability of VANET operations.

  • Integrated Random Forest with feature selection, grouping, and classification algorithms can enhance the utilisation of computational resources in vehicular networks.

  • Optimisation of routing decisions based on energy consumption, link stability, and mobility is necessary for safety-critical applications in dynamic urban VANET environments.

The manuscript is structured as follows: Section "Related works" presents the related work on anomaly detection in VANETs. In Section "Materials and methods", the proposed AD-MLA methodology is explained. In section "Results and discussions", the efficiency of AD-MLA is discussed and analysed, followed by a discussion of the deployment platforms. Finally, in section "Model development and deployment", the research concludes with a discussion and a section on future work.

Related works

The contribution of AI-driven methods in improving security across many transportation and network systems is investigated in this collection of publications. Aiming to improve safety, privacy, and system efficiency in modern intelligent transportation networks, these studies examine anomaly detection, predictive maintenance, and cyberattack prevention using advanced methods, including LSTM, CNN-GAN, and machine learning from autonomous vehicles and IoT to VANETs and EnFVs. It presents an ensemble of Long Short-Term Memory (LSTM) networks and a deep learning-based Intrusion Detection System (IDS) for ICTS11. This approach tracks V2V, In-Vehicle Networks (IVN), and V2I connections to identify harmful behaviour. The system’s effectiveness in detecting cyber threats within autonomous vehicle networks is evaluated using the UNSW-NB15 and automobile-hacking datasets. Their method maximises data flow, strengthens security, and increases smart network efficiency through intelligent transportation. Researchers examine Artificial Intelligence (AI)-based anomaly detection techniques in the Controller Area Network (CAN) systems of advanced vehicles12. With a focus on methods such as Machine Learning (ML), Deep Learning (DL), and Federated Learning (FL) for anomaly detection, the authors examine how AI could improve IoT security13. Practical solutions for identifying and managing security risks in IoT devices are developed using artificial intelligence techniques, which also improve attack detection and predictive analysis, thereby reducing human involvement. Recent work in14 investigates how AI could help VANETs; to avoid dangerous circumstances, AI methods are explored for tasks such as data collection, routing, driver awareness, and mobility prediction.

Recent reviews of AI-based techniques for vehicle network security problems. It starts by providing a general overview of vehicle networks and their weaknesses, then evaluates the principles of artificial intelligence and how they affect vehicle security15. The proposed framework focuses on assessing the integration of AI technologies to address security challenges in these networks. It suggests a novel taxonomy for identifying and benchmarking several AI-driven approaches. Saud et al.16 specifically analyse the impact of AI, the Internet of Things (IoT), and 5G/6G technologies in VANETs to enhance traffic safety, convenience, and economic efficiency. Besides analysing the improvements in connectivity that the IoT and 5G/6G technologies bring, the study also focuses on AI for routing, driver-automation awareness, and mobility prediction. For network anomaly detection, Rao et al.17 propose a hybrid architecture that integrates Convolutional Neural Networks (CNNs) and Generative Adversarial Networks (GANs). In the context of real-time IIoT environments, Himanshu et al.18 propose an adaptive CNN-GRU deep learning model that achieved 99.75% accuracy, 99.75% precision, and 99.74% recall on the N-BaIoT dataset, for reliable IIoT security. Alqahtani et al.19 explore the application of machine learning (ML) to enhance the security of electric and flying vehicles (EnFVs). To increase safety and save downtime, it emphasises predictive maintenance, cyberattack detection, and intelligent decision-making. The paper, which covers Explainable AI, real-time algorithms for resource-constrained settings, and privacy-preserving strategies, offers an overview of ML applications, identifies key problems, and outlines future research directions. Akinola et al.20 introduce the Urban Adaptive Location-based Routing Protocol (UALRP), an adaptive machine-learning-based location-routing protocol for urban WSNs that utilises real-time data analytics to enhance routing performance. By analysing traffic and environmental data, it improves routing accuracy, network performance, and scalability, adjusting to dynamic urban environments.

As shown in Table 1, existing AI- and ML-based intrusion detection systems achieve higher accuracy and threat coverage than traditional rule-based methods but still face significant limitations, including high false-positive rates, limited scalability, and high computational cost. Artificial intelligence techniques include CNN-GAN, machine learning, and ensemble LSTM-based IDS, which provide effective solutions for anomaly recognition and enhanced security in car networks, IoT, and smart transportation systems. These approaches address significant concerns, including predictive maintenance, privacy, and cyberattacks.

Table 1 The comparison of existing methods.
Full size table

The results in Table 2 show that the AD-MLA framework outperforms standard blockchain and hybrid deep learning IDS models. While blockchain models secure data transactions, they do so at the expense of high latency and high energy costs. While deep learning models like LSTM and CNN-GAN achieve high accuracy, they require large training datasets and heavy computational costs. In contrast, the proposed Random-Forest-driven AD-MLA merges feature selection and energy-aware multi-criteria routing, dynamically adjusting accuracy, efficiency, and detection sustainability. This framework achieves 95.33% accuracy, 96.09% recall, 15.22% FPR, 94.25% computational efficiency, 91.45% resource-usage efficiency, demonstrating the real-time edge applicability of the proposed framework to VANET and CPS. AD-MLA offers the best balance of performance and energy-efficient operation, allowing us to grade it as a sustained, practical IDS architecture for intelligent transport system CPS. Overall, AD-MLA offers the best balance of performance and energy-efficient operation. All of these contribute to the practical application of next-generation intelligent transport systems as a sustained, practical IDS architecture.

Table 2 Comparative analysis of the proposed AD-MLA with blockchain-based and hybrid deep-learning IDS frameworks.
Full size table

The results of the experiments validate that the proposed AD-MLA approach meets the research goal of designing a lightweight, adaptive, and energy-efficient intrusion detection system for VANET and CPS environments. Combining Random-Forest-based anomaly detection with a multi-criteria routing strategy allows the framework to reduce latency and power usage while preserving detection accuracy. With 95.33% accuracy, 96.09% recall, and 94.25% computational efficiency, these results represent a meaningful advancement over existing blockchain-based and hybrid deep-learning IDSs. This demonstrates that AD-MLA can efficiently operate on edge or vehicular nodes without the GPU-heavy computation or consensus communication typically required. AD-MLA’s sustainable design contributes to green, scalable vehicular communication ecosystems that support adaptive, innovative, eco-friendly transport systems.

Materials and methods

Cyber-physical systems improve intelligent decision-making and automation by aggregating computer, networking, and physical components. By spotting abnormalities in EV data, suspicious activities, and unusual traffic patterns, machine learning-enabled anomaly detection in VANETs enhances security, efficiency, and safety.

Method 1: Development of the AD-MLA framework for anomaly detection

It proposed an AD-MLA architecture that leverages RF to reliably and efficiently categorise abnormalities in VANETs. Figure 1 illustrates the integration between computational and physical components within Cyber-Physical Systems, highlighting their dynamic interactions. The physical layer comprises actual components such as autonomous automobiles that use sensors and actuators to track and respond to their surroundings, as well as power plants. Above this is the network layer, which links physical and computational devices via wireless (LTE, 5G) and wired (DNP3, IEC61850) protocols for real-time data exchange and control feedback loops. The application layer handles traffic monitoring, electricity demand projections, and geolocation services to provide intelligent decision-making. Control systems made available by a central computer system that analyses incoming data help achieve optimal performance in energy efficiency, routing mechanisms, and sustainability. Due to CPS technology’s ability to integrate various physical systems over a robust network, automation is accelerated, smart infrastructure is improved, and intelligent services can be expanded across many sectors.

Fig. 1
figure 1

Cyber-physical systems: the interplay of computation and physical dynamics.

Full size image

To further improve performance, energy-saving measures are adopted for path optimisation based on latency, power usage, and network utilisation. Such strategies minimise costs and environmental degradation by reducing power consumption, minimising real-time data transmission, and controlling energy waste.

$${md}_{e}\ll i-s{n}^{{^{\prime}}{^{\prime}}}\gg :\to Vs\left[kia-es{a}^{{^{\prime}}{^{\prime}}}\right]+ Va\left[ds-t{w}^{{^{\prime}}{^{\prime}}}\right]$$
(1)

Integrating intelligent sensing (\({md}_{e}\)), vehicle status analysis (\(i-s{n}^{{^{\prime}}{^{\prime}}}\gg :\to\)), and adaptive decision methods (\(Vs\left[kia-es{a}^{{^{\prime}}{^{\prime}}}\right]\)) in dynamic VANET settings is represented by Eq. (1), which also shows entropy (\(Va[ds - tw^{{\prime \prime }} ]\)) and these three variables. Modifying classification parameters dynamically based on evolving VANET conditions ensures low-latency, high-accuracy detection.

$${f}_{f}s\left[lo-a{n}^{{^{\prime}}{^{\prime}}}\right]:\to Vs\left[lo-a{n}^{{^{\prime}}{^{\prime}}}\right]+Va\left[e-su{y}^{{^{\prime}}{^{\prime}}}\right]$$
(2)

The feature selection (\({f}_{f}s\)), localised anomaly detection (\(\left[lo-a{n}^{{^{\prime}}{^{\prime}}}\right]\)), and enhanced safety patches (\(Vs\left[lo-a{n}^{{^{\prime}}{^{\prime}}}\right]\)) in VANETs \(Va\left[e-su{y}^{{^{\prime}}{^{\prime}}}\right]\) are all represented by Eq. (2). It optimises computing efficiency for intelligent, secure VANET operations and ensures adaptive, real-time anomaly detection.

$${U}_{vd}\ll u-s{n}^{{^{\prime}}{^{\prime}}}\gg :\to Vx\left[a-8b{q}^{{^{\prime}}{^{\prime}}}\right]+ Ba\left[ki-s{n}^{{^{\prime}}{^{\prime}}}\right]$$
(3)

Equation (3) shows how VANETs can improve anomaly identification (\({U}_{vd}\)) and knowledge integration (\(Vx\left[a-8b{q}^{{^{\prime}}{^{\prime}}}\right]\)) by using vehicular data (\(\ll u-s{n}^{{^{\prime}}{^{\prime}}}\gg :\to\)) via unified sensing (\(Ba\left[ki-s{n}^{{^{\prime}}{^{\prime}}}\right]\)). By effectively mitigating cyber risks and dynamically analysing vehicle communication patterns, it provides strong, real-time protection.

$${f}_{g}e\left[k-a{l}^{{^{\prime}}{^{\prime}}}\right]:\to Bx\left[s-9v{w}^{{^{\prime}}{^{\prime}}}\right]+CVa\left[ko-ap{w}^{{^{\prime}}{^{\prime}}}\right]$$
(4)

To improve anomaly identification (\({f}_{g}e\)) and context-aware validating (\(\left[k-a{l}^{{^{\prime}}{^{\prime}}}\right]\)) in VANETs, Eq. (4) shows the integration of feature generation (\(Bx\left[s-9v{w}^{{^{\prime}}{^{\prime}}}\right]\)) and adaptive knowledge allocation (\(CVa\left[ko-ap{w}^{{^{\prime}}{^{\prime}}}\right]\)). It makes sure that anomaly detection systems are smart and flexible, such that in dynamic VANET settings, real-time threat mitigation is maintained while false positives are reduced

$${O}_{s}s\left[a-n{j}^{{^{\prime}}{^{\prime}}}\right]:\to Ns\left[w-9b{w}^{{^{\prime}}{^{\prime}}}\right]+Va\left[kl-sj{e}^{{^{\prime}}{^{\prime}}}\right]$$
(5)

In VANETs, the optimisation of security sense (\({O}_{s}s\)) is represented by Eq. (5) together with \(Va\left[kl-sj{e}^{{^{\prime}}{^{\prime}}}\right]\) anomaly surveillance of networks (\(a-n{j}^{{^{\prime}}{^{\prime}}}\)) and adaptation validation (\(Ns\left[w-9b{w}^{{^{\prime}}{^{\prime}}}\right]\)). It makes VANETs more resilient by reducing the number of false positives, improving detection precision, and ensuring effective threat mitigation.

Figure 2 describes how an ML-based intrusion detection system identifies malicious activity on a network. It starts with network traffic monitoring, where tools used for packet sniffing capture, decode and analyse data in the packet decode stage. The data being captured is used to create a feature set and undergo data pre-processing, including feature transformation, reduction, and normalisation. Post-preprocessing, the data is routed to the classifier system, where random forests, an ML technique, analyse it. A detector and recogniser determine whether the behaviour is malicious; if so, the activity is classified as an attack.

Fig. 2
figure 2

Flow of intrusion detection in network traffic using machine learning.

Full size image

To enable protection, energy-conserving multi-criteria routing mechanisms maximise data transfer without overburdening specific network segments. This not only conserves energy but also increases the lifetime of network devices. Such integration of sustainable computing concepts enhances cybersecurity while fostering green technology initiatives.

$${l}_{c}d:\to Ms\left[ko-{n}^{{^{\prime}}{^{\prime}}}\right]+Vs\left[k-aj{{e}^{{^{\prime}}}}^{{^{\prime}}{^{\prime}}}\right]*Vx\left[s-{k}^{{^{\prime}}{^{\prime}}}\right]$$
(6)

Equation (6) depicts the learning-based association of continually changing information (\({l}_{c}d\)) with VANET anomaly classification (\(Ms\left[ko-{n}^{{^{\prime}}{^{\prime}}}\right]\)), vehicular health assessment (\(Vs\left[k-aj{{e}^{{^{\prime}}}}^{{^{\prime}}{^{\prime}}}\right]\)), and multi-source knowledge optimisation (\(Vx\left[s-{k}^{{^{\prime}}{^{\prime}}}\right]\)). It optimises computing efficiency in dynamic vehicle networks while ensuring adaptive, high-accuracy security monitoring.

$${\forall }_{hs}s\left[k-a{n}^{{^{\prime}}{^{\prime}}}\right]:\to Ls\left[ki-a{n}^{{^{\prime}}{^{\prime}}}\right]+Xa\left[s-i{u}^{{^{\prime}}{^{\prime}}}\right]$$
(7)

In VANETs, \(Xa\left[s-i{u}^{{^{\prime}}{^{\prime}}}\right]\) the localised security learning (\(\left[k-a{n}^{{^{\prime}}{^{\prime}}}\right]\)) and extended anomalies analysis (Xa[s-iu]) contribute to the universal sensitivity perception (\({\forall }_{hs}s\)) of known abnormalities (\(Ls\left[ki-a{n}^{{^{\prime}}{^{\prime}}}\right]\)), which is given in Eq. (7). Improving VANET security through real-time threat assessment and mitigation it guarantees an adaptable and scalable method to anomaly detection.

$${l}_{e}s\left[lu-a{n}^{{^{\prime}}{^{\prime}}}\right]:\to Cs\left[w-9{u}^{{^{\prime}}{^{\prime}}}\right]+mVa\left[ki-s{n}^{{^{\prime}}{^{\prime}}}\right]$$
(8)

Based on contextual security analysis (\({l}_{e}s\left[lu-a{n}^{{^{\prime}}{^{\prime}}}\right]\)) and modular validator adaptation (\(mVa\left[ki-s{n}^{{^{\prime}}{^{\prime}}}\right]\)), the learning-based retrieval of unusual patterns (\(Cs\left[w-9{u}^{{^{\prime}}{^{\prime}}}\right]\)) in VANETs is represented by Eq. (8). This improves security measures in real time by leveraging feature selection, groupings, and classification to enhance anomaly detection.

$${l}_{d}e\left[x-zn{a}^{{^{\prime}}{^{\prime}}}\right]:\to Bs\left[ki-sn{e}^{{^{\prime}}{^{\prime}}}\right]+Va\left[ki-s{e}^{{^{\prime}}{^{\prime}}}\right]$$
(9)

In VANETs, the adaptive validation (\({l}_{d}e\) and behavioural security assessment (x-zna′′) allows for the learning-driven extractionVaki -se′′ from complicated anomaly patterns (Bski -sne′′), which is given in Eq. 9. It guarantees a smart, adaptable security system that monitors emerging cyber threats and takes action.

$${V}_{c}s\left[x-znb{a}^{{^{\prime}}{^{\prime}}}\right]:\to Ks\left[ki-an{e}^{{^{\prime}}{^{\prime}}}\right]+Vs\left[ji-sn{e}^{{^{\prime}}{^{\prime}}}\right]$$
(10)

Equation (10) expresses the cybersecurity sensing in vehicular area networks (VANETs) as a function of knowledge-based anomaly evaluation (\({V}_{c}s\left[x-znb{a}^{{^{\prime}}{^{\prime}}}\right]\)) and vehicular security state analysis (\(Ks\left[ki-an{e}^{{^{\prime}}{^{\prime}}}\right]\)). Through ongoing analysis of network behaviours, the reduction of false positives, and improvements in VANET endurance against cyberattacks, it guarantees strong, adaptive security.

Method 2: Enhanced detection accuracy and computational efficiency

Integrated feature selection, clustering, and classification algorithms to enhance detection performance, lower false-positive rates, and cut computation costs, making it suitable for real-time deployment. Figure 3 shows a general architecture for anomaly detection in VANETs driven by artificial intelligence. Once noise reduction and feature extraction are performed, the system aggregates real-time data gathering from Road Side Units (RSUs) and vehicle sensors. Using machine learning methods helps one find anomalies, including traffic accidents, network outages, or hostile conduct. Once an anomaly is discovered, alerts are fired off and routed across V2I and V2V, therefore enabling rapid responses. With cloud or edge computing, we can achieve continuous system monitoring, model retraining, and data storage. By predicting and managing unexpected events, AI algorithms help the overall system improve traffic safety, efficiency, and reliability. The adoption of sustainable computing principles ensures that the VANET architecture is environmentally friendly while maintaining high performance.

Fig. 3
figure 3

AI-Driven anomaly detection in VANETs for smart transportation.

Full size image
$$Evf\left[x-sn{a}^{{^{\prime}}{^{\prime}}}\right]:\to Sv\left[\sigma {\tau }^{{^{\prime}}}+an\right]-Vas\left[\theta \epsilon -u{w}^{{^{\prime}}{^{\prime}}}\right]$$
(11)

Anomaly suppression strategies (\(Evf\left[x-sn{a}^{{^{\prime}}{^{\prime}}}\right]\)) and security validation (\(Sv\left[\sigma {\tau }^{{^{\prime}}}+an\right]\)) in VANETs are represented by Eq. (11), which evaluates feature variations (\(Vas\left[\theta \epsilon -u{w}^{{^{\prime}}{^{\prime}}}\right]\)). Optimising computing performance, avoiding false positives, and reacting to real-time network circumstances strengthen VANET security.

$${n}_{d}m[ki-cz{^{\prime}}{^{\prime}}]":\to Sp[ju-sq{^{\prime}}{^{\prime}}]+ Xa[s-8b{^{\prime}}{^{\prime}}]*Hs{^{\prime}}{^{\prime}}v$$
(12)

In Eq. (12),\(({n}_{d}m\)) depicts the VANET network detection method \(Hs{^{\prime}}{^{\prime}}v\) for anomaly identification using specialised pattern recognition (\([ki-cz{^{\prime}}{^{\prime}}]":\to\)), extended anomaly analysis (\(Sp[ju-sq{^{\prime}}{^{\prime}}]\)), and hybrid security validation (\(Xa[s-8b{^{\prime}}{^{\prime}}]*\)). It guarantees adaptive coverage in dynamic VANET situations, optimises network performance, and improves real-time security.

$${l}_{f}r\left[yt-s{n}^{{^{\prime}}{^{\prime}}}\right]:\to Hs\left[ji-a{n}^{{^{\prime}}{^{\prime}}}\right]+Xs\left[q-9av{r}^{{^{\prime}}{^{\prime}}}\right]$$
(13)

The learning-driven \(\left[yt-s{n}^{{^{\prime}}{^{\prime}}}\right]\) component refinement \({l}_{f}r\) in VANETs is represented by Eq. (13), which \(Xs\left[q-9av{r}^{{^{\prime}}{^{\prime}}}\right]\) uses hybrid security sensing \(Hs\left[ji-a{n}^{{^{\prime}}{^{\prime}}}\right]\) and extended anomaly detection. It continually improves detection models, reduces errors in detection, and effectively mitigates developing threats in VANET systems, ensuring real-time adaptive security.

$$v{g}_{g}j\left[ki-s{m}^{{^{\prime}}{^{\prime}}}\right]:\to Ms\left[ji-a{n}^{{^{\prime}}{^{\prime}}}\right]+Vs\left[ki-sn{e}^{{^{\prime}}{^{\prime}}}\right]$$
(14)

Vehicular anomaly detection (\(v{g}_{g}j\)), multi-source knowledge validation (\(\left[ki-s{m}^{{^{\prime}}{^{\prime}}}\right]\)), and vehicular state assessment (\(Ms\left[ji-a{n}^{{^{\prime}}{^{\prime}}}\right]\)) are all integrated in \(Vs\left[ki-sn{e}^{{^{\prime}}{^{\prime}}}\right]\) VANETs according to Eq. (14). It optimises computational performance, minimises false positives, and guarantees high-accuracy, real-time threat recognition in dynamic VANET systems.

$${p}_{f}r\left[ku-s{n}^{{^{\prime}}{^{\prime}}}\right]:\to Xs\left[w-9{u}^{{^{\prime}}{^{\prime}}}\right]+Sz\left[po-iw{q}^{{^{\prime}}{^{\prime}}}\right]$$
(15)

With the help of VANET security \(Sz\left[po-iw{q}^{{^{\prime}}{^{\prime}}}\right]\) zone analysis (\({p}_{f}r\)) and extended anomaly detection (\(Xs\left[w-9{u}^{{^{\prime}}{^{\prime}}}\right]\)), the feature improvement process (\(\left[ku-s{n}^{{^{\prime}}{^{\prime}}}\right]\)) may be represented by Eq. (15). It maintains high classification accuracy in dynamic vehicular networks and ensures efficient, low-latency threat mitigation.

Figure 4 shows an anomaly detection system for the monitoring data for electric vehicles. The technique is initiated by normalising the seen statistics from the alert messages for Electric Vehicles. Training sequences are then derived from the tagged data using ML models. Features are extracted, and anomalies are detected to separate the usual data from outliers. A weight optimiser polishes the model to maximum accuracy; anomalies are detected through a thresholding mechanism. An anomaly above the threshold is defined as something that needs to be known. The discovered anomalies create alarm-generating events. Dashboards, analytical and visualisation reporting tools are also part of the system. This technology enables efficient predictive maintenance and EV monitoring by improving real-time anomaly detection.

Fig. 4
figure 4

Intelligent anomaly detection for EV data monitoring.

Full size image
$$\partial \forall \left[i-s{n}^{{^{\prime}}{^{\prime}}}\right]:\to Vs\left[w-9{h}^{{^{\prime}}{^{\prime}}}\right]+Sc-i{u}^{{^{\prime}}{^{\prime}}}\left[ak*4s{q}^{{^{\prime}}{^{\prime}}}\right]$$
(16)

In vehicular state, monitoring (\(\partial \forall \left[i-s{n}^{{^{\prime}}{^{\prime}}}\right]\)) and security context assessment (\(Vs\left[w-9{h}^{{^{\prime}}{^{\prime}}}\right]\)) in VANETs, Eq. (16) reflects \(\left[ak*4s{q}^{{^{\prime}}{^{\prime}}}\right]\) the dynamic adjustment of the detection of anomaly features \(Sc-i{u}^{{^{\prime}}{^{\prime}}}\). To optimise security performance, minimise false positives, and preserve computing efficiency, it guarantees adaptive anomaly detection.

$${v}_{f}rs\left[lo-s{n}^{{^{\prime}}{^{\prime}}}\right]:\to Vs\left[w-8v{f}^{{^{\prime}}{^{\prime}}}\right]+Vs\left[v-z{n}^{{^{\prime}}{^{\prime}}}\right]$$
(17)

By keeping tabs on vehicle status (\({v}_{f}rs\)) and identifying security threats (\(\left[lo-s{n}^{{^{\prime}}{^{\prime}}}\right]\)) in VANETs, Eq. (17) depicts the improvement of anomaly detection \(Vs\left[v-z{n}^{{^{\prime}}{^{\prime}}}\right]\) via the analysis of system state features \(Vs\left[w-8v{f}^{{^{\prime}}{^{\prime}}}\right]\). By boosting classification accuracy and reducing false positives, it enables efficient, real-time risk identification and mitigation, thereby improving VANET security. Figure 5 explains the performance response evaluation framework, which systematically assesses the influence of various network factors.

Fig. 5
figure 5

Performance response evaluation framework for network factors.

Full size image
$${V}_{d}rs\left[ki-a{n}^{{^{\prime}}{^{\prime}}}\right]:\to Js\left[f-8{b}^{{^{\prime}}{^{\prime}}}\right]+Xs\left[ew-8{b}^{{^{\prime}}{^{\prime}}}\right]$$
(18)

The joint security analysis (\({V}_{d}rs\)) and extended extracted feature \(\left[ki-a{n}^{{^{\prime}}{^{\prime}}}\right]\) methods are used in Eq. (18), \(Xs\left[ew-8{b}^{{^{\prime}}{^{\prime}}}\right]\) to identify irregularities in VANETs (\(Js\left[f-8{b}^{{^{\prime}}{^{\prime}}}\right]\)). As a result, real-time anomaly detection is guaranteed to achieve low false-positive rates and high accuracy, thereby improving network security in dynamic vehicle environments.

$${l}_{r}f\left[\ll ki-sn{^{\prime}}{^{\prime}}\gg \right]:\to Ms\left[w-8b{f}^{{^{\prime}}{^{\prime}}}\right]*Vs\left[w-iu{y}^{{^{\prime}}{^{\prime}}}\right]$$
(19)

Equation (19) depicts the procedure for improving features (\({l}_{r}f\)) to identify abnormalities in VANETs by combining \(Vs\left[w-iu{y}^{{^{\prime}}{^{\prime}}}\right]\) multi-source threat assessment \(\left[\ll ki-sn{^{\prime}}{^{\prime}}\gg \right]\) with vehicular state evaluation (\(Ms\left[w-8b{f}^{{^{\prime}}{^{\prime}}}\right]\)). For better VANET security and real-time threat mitigation, it enables the identification of complex cyber threats at lower computational cost and with fewer false positives.

$${U}_{d}e\left[ki-s{n}^{{^{\prime}}{^{\prime}}}\right]:\to Vs\left[w-u{y}^{{^{\prime}}{^{\prime}}}\right]+Vs\left[ju-sj{e}^{{^{\prime}}{^{\prime}}}\right]$$
(20)

The assessment of identified anomalies (\({U}_{d}e\)) in VANETs is represented by Eq. (20), which analyses vehicular status at many levels (\(\left[ki-s{n}^{{^{\prime}}{^{\prime}}}\right]:\to\) and \(Vs\left[ju-sj{e}^{{^{\prime}}{^{\prime}}}\right]\). Improving security by decreasing false positives, optimising network efficiency, and ensuring real-time threat detection are all benefits.

Method 3: Comprehensive evaluation and benchmarking

Figure 6 shows an ML-based multi-layered approach for anomaly detection in VANETs. Starting from roadside device and automobile sensor data collection, which may involve GPS, LIDAR, OBD, and cameras, the system gathers the data before pre-processing that data with aggregation and filtering to feed into the anomaly detection module that is machine learning-based, the main steps involved in the key procedures of the module are feature extraction, selection, and classification of anomalies by using ML models such as RF. It produces alerts and analyses dangers, and roadside units provide communication with the vehicle. That is why edge computing enables fast inference and ensures model updates from cloud storage, increasing real-time processing. With this complex technology, traffic safety, vehicle communication, and proactive risk management are improved in networks of connected automobiles. Energy-efficient multi-criteria routing protocols are incorporated to reconcile performance with minimal power consumption under certain circumstances.

Fig. 6
figure 6

AI-driven anomaly detection in vehicular networks.

Full size image
Algorithm 1
figure a

AD-MLA: anomaly detection using machine learning approximation

Full size image

Algorithm 2 simulates feature extraction and classification using a basic threshold-based approach. The classification logic uses a Random Forest classifier trained on real-world VANET data to improve accuracy in energy efficiency, routing mechanisms, and sustainability. This paper presents frameworks for identifying abnormalities in CPS, VANET, and EV data using artificial intelligence and machine learning models, such as Random Forest.

Algorithm 2
figure b

Energy-efficient multi-criteria routing in VANET

Full size image

The energy-efficient multi-criteria routing algorithm in VANETs selects optimal next-hop vehicles based on residual energy, signal strength, hop count, and link stability, as explained in Algorithm 2. Using if-else conditions, it filters for neighbours that meet the threshold criteria, ensuring low-latency, energy-efficient, and reliable data transmission in dynamic vehicular environments while maintaining network performance and security.

Results and discussions

By integrating intelligence into transportation systems, cyber-physical systems enhance vehicle ad hoc networks. VANETs are highly susceptible to cyberattacks; hence, anomaly detection driven by artificial intelligence is required. This work proposes AD-MLA, a Random Forest-based architecture that reduces false positives, improves detection accuracy, and optimises computational efficiency, thereby guaranteeing real-time security and reliability in VANET systems.

Dataset description

Rising cyber threats, increasing digitisation, and stringent regulatory requirements are driving market growth22. Key regions consist of North America, Europe, and the rapidly developing Asia Pacific. The market comprises software (largest share), hardware, and services, and is driven by demand for advanced AI-based threat detection and security solutions23. The Kaggle VANET dataset24 is a simulated collection of vehicular network traffic under false information attacks. It records VANET message flows, both legitimate and malicious, capturing a variety of benign and malicious message flows. It contains message-id, timestamp, position, speed, direction, signal strength, hop count, attack type, and other attributes for supervised learning of anomaly detection models. The diverse scenarios and variations in attack strength in the data make it ideal for training and validating systems such as AD-MLA to differentiate benign and malicious behaviour across a collection of network conditions. The dataset also contains a well-balanced mixture of normal and attack samples, which promotes meaningful evaluation and benchmarking, and the models trained on this dataset will apply to real-world VANET environments because it is a realistic simulation. Ashmiyalenin25 provided the VANET Dataset, a synthetically generated dataset for studying network behaviours in vehicular ad hoc networks. It contains features relevant to vehicle communications, such as message metadata, signal parameters, node IDs, mobility attributes, and possibly connectivity/hop information. It is structured to support experiments in anomaly detection, traffic modelling, or routing optimisation.

Analysis of false positives

The proposed AD-MLA framework significantly reduces false positives, as evidenced by the 15.22% false-positive rate in Fig. 7. This improvement assures that authorised network actions are not falsely recorded as anomalies, hence reducing unnecessary warnings. Random Forest classification, when combined with feature selection, lowers misclassification and increases accuracy.

Fig. 7
figure 7

Comparison of false positive ratios across different network architectures for varying sample sizes.

Full size image

In VANETs, a lower false-positive rate is crucial to prevent wasteful security operations and maintain efficient vehicle communication free of interruptions.

$${XZ}_{f}r\left[ki-s{n}^{{^{\prime}}{^{\prime}}}\right]:\to Js\left[ko-s{n}^{{^{\prime}}{^{\prime}}}\right]+BVs\left[ko-sn{e}^{{^{\prime}}{^{\prime}}}\right]$$
(21)

Joint security analysis (\({XZ}_{f}r\left[ki-s{n}^{{^{\prime}}{^{\prime}}}\right]\)) and improved vehicular state evaluation (\(BVs\left[ko-sn{e}^{{^{\prime}}{^{\prime}}}\right]\)) in VANETs improve anomaly detection features (\(Js\left[ko-s{n}^{{^{\prime}}{^{\prime}}}\right]\)), as shown in Eq. (21). In ever-changing network settings, it guarantees accurate anomaly detection with minimal false positives, without sacrificing analysis performance.

Analysis of detection accuracy

Compared with other conventional methods of anomaly detection classification, the AD-MLA framework achieved a high detection accuracy of 95.33%, as shown in Fig. 8. The framework focuses least on identifying risky behaviours using feature selection, clustering, and other machine learning approaches. Given the high detection accuracy within the Security of Cyber-Enabled VANETs framework, one can confidently state that it will consistently meet the security needs of Cyber-Enabled VANETs without disrupting the VANET’s seamless operations.

Fig. 8
figure 8

Comparison of detection accuracy ratios across different models with respect to sample size. The AD-MLA model achieves the highest performance improvement over ICTS, VANET, and CNN-GAN.

Full size image

In the context of the implementation of the framework in real-time applications of secured vehicular networks, the framework’s operational security can be commended.

$${l}_{f}r\left[p-s{n}^{{^{\prime}}{^{\prime}}}\right]:\to Vs\left[w-8v{f}^{{^{\prime}}{^{\prime}}}\right]+Vaw\left[w-8h{e}^{{^{\prime}}{^{\prime}}}\right]$$
(22)

An anomaly detection method \(Vaw\left[w-8h{e}^{{^{\prime}}{^{\prime}}}\right]\) in the vehicular state, analysis (\({l}_{f}r\)) and wireless connection assessments (\(\left[p-s{n}^{{^{\prime}}{^{\prime}}}\right]\)) in VANETs is represented by the feature enhancement process (\(Vs\left[w-8v{f}^{{^{\prime}}{^{\prime}}}\right]\)) in Eq. 22. It improves VANET security by real-time pattern identification of false positives through analysis of detection accuracy.

Analysis of optimising computational efficiency

The framework achieved an optimal computational efficiency of 94.25%, effectively maintaining a balance between processing speed and detection accuracy. Random Forest with feature selection avoids pointless calculations, therefore saving processing time even as security is maintained. This efficiency guarantees that anomaly detection does not overburden vehicle resources, so the technique is viable for real-time use in VANETs.

Figure 9 illustrates the operating computational efficiency (%) with respect to the number of samples for ICTS, VANET, CNN-GAN, and AD-MLA models, demonstrating comparative performance trends. Reduced processing costs enable flawless interaction with current vehicle communication systems without performance loss.

Fig. 9
figure 9

Operating computational efficiency (%) as a function of the number of samples for ICTS, VANET, CNN-GAN, and AD-MLA models.

Full size image
$${v}_{y}r\left[ki-s{n}^{{^{\prime}}{^{\prime}}}\right]:\to Ls\left[ju-sn{w}^{{^{\prime}}{^{\prime}}}\right]+vs\left[f-9h{e}^{{^{\prime}}{^{\prime}}}\right]$$
(23)

By integrating VANET network status analysis (\({v}_{y}r\)) with vehicular state monitoring (\(\left[ki-s{n}^{{^{\prime}}{^{\prime}}}\right]\)), Eq. (23), vsf − 9e′′ depicts the improvement of recognising anomalies and features (\(Ls\left[ju-sn{w}^{{^{\prime}}{^{\prime}}}\right]\)). It optimises current safety and network efficiency while ensuring effective detection of digital dangers, with few false positives, and analysis of optimising computational efficiency.

Analysis of recall

The proposed AD-MLA system attained a 96.09% recall rate, as evidenced in Fig. 9, which denotes its ability to acknowledge and identify the genuine anomalies in the network. Having placed this within the context of Cyber-Enabled VANETs, it can be appreciated that having recall levels of this magnitude minimises the chances of a security breach going unaddressed. This is of utmost importance in the dynamic environment of automobiles, where unrecognised anomalies can trigger serious security risks. Doing this, the framework amplifies the system’s dependability and actionable safety of secured networked automobiles.

The Fig. 10 demonstrate that AD-MLA and CNN-GAN achieve higher recall performance as the sample size increases, reflecting better sensitivity in detecting positive cases compared to ICTS and VANET.

Fig. 10
figure 10

Recall ratio (%) plotted against the number of samples for ICTS, VANET, CNN-GAN, and AD-MLA models.

Full size image

Analysis of resource usage

The proposed AD-MLA architecture efficiently manages memory and computational resources in VANET systems, achieving a resource utilisation efficiency of 91.45%, as illustrated in Fig. 11. Although strong detection performance is maintained, efficient classification techniques together lower the processing unit load via feature selection. This ensures that the anomaly detection system operates without creating delays or too high power consumption, thus making it suitable for real-time, resource-limited vehicle networks.

Fig. 11
figure 11

Resource usage ratio (%) plotted against the number of samples for ICTS, VANET, CNN-GAN, and AD-MLA.

Full size image

The process of anomaly detection in VANETs \(Bs\left[ji-ne{a}^{{^{\prime}}{^{\prime}}}\right]\), as represented by Eq. 24, involves evaluating the vehicular status (\({J}_{d}r\left[lo-s{n}^{{^{\prime}}{^{\prime}}}\right]\)) and doing a multi-source security analysis (\(Vs\left[w-sy{e}^{{^{\prime}}{^{\prime}}}\right]\)). It improves VANET security by minimising false positives and making the most of threat mitigation in ever-changing contexts, and it efficiently detects complicated cyber threats through analysis of recall.

$${J}_{d}r\left[lo-s{n}^{{^{\prime}}{^{\prime}}}\right]:\to Vs\left[w-sy{e}^{{^{\prime}}{^{\prime}}}\right]+Bs\left[ji-ne{a}^{{^{\prime}}{^{\prime}}}\right]$$
(24)
$${\tau }_{f}r\left[\rho {\sigma }^{{^{\prime}}}-6v{d}^{{^{\prime}}{^{\prime}}}\right]:\to Vs\left[w-8{y}^{{^{\prime}}{^{\prime}}}\right]+Bs\left[nji-s{n}^{{^{\prime}}{^{\prime}}}\right]$$
(25)

The improvement of anomaly identification features \(Vs\left[w-8{y}^{{^{\prime}}{^{\prime}}}\right]\) in VANETs is shown by Eq. (25), which takes \(Bs\left[nji-s{n}^{{^{\prime}}{^{\prime}}}\right]\) into account, the analysis of vehicle status (\({\tau }_{f}r\)) and the integration of multi-source security information (\(\left[\rho {\sigma }^{{^{\prime}}}-6v{d}^{{^{\prime}}{^{\prime}}}\right]\)). Improving real-time threat detection and decreasing false positives are the main goals of Eq. (25) on the analysis of resource usage.

The results in Fig. 11 demonstrate that, as the sample size increases, AD-MLA and CNN-GAN exhibit more efficient resource utilisation scaling than ICTS and VANET, indicating improved computational adaptability.

This research presents AD-MLA, a VANET anomaly detection system powered by AI and using Random Forest to improve performance, precision, and safety. As shown in Table 3, the proposed method outperforms existing approaches. Results show that the current methods are highly effective, with a recall of 96.09%, an accuracy of 95.33%, and a false-positive rate of 15.22%. For adjusted deployment, the concept improves computational efficiency by 94.25% and energy conservation by 91.45%. It also provides real-time, low-latency detection, strengthening VANET security.

Table 3 Comparison of the existing method and the proposed method.
Full size table

Model development and deployment

To assess the real-time applicability of the proposed AD-MLA framework in edge-intelligent settings, we measured execution performance, memory efficiency, and deployment level on the NVIDIA Jetson Nano and Jetson TX2. This research focuses on integrating feature selection into the RF-based detection pipeline while accounting for the hardware limitations of CUDA-enabled GPUs. Each stage of the AD-MLA processing pipeline (data acquisition, feature extraction, classification, and routing) was exhaustively measured, and latency metrics were established. Inference latencies were recorded to be below 250 ms on the Nano and close to 150 ms on the TX2, thus meeting real-time requirements for vehicular and industrial CPS. The model also exhibited a memory footprint of less than 150 MB, moderate GPU utilisation, and a consistent throughput of 4 to 7 inference cycles within a power range of 5 to 7 W, with a latency of 5 to 7 W. This observed sustained resource consumption confirms the model’s high-accuracy intrusion detection capabilities on embedded hardware with limited resources.

As shown in Table 4, its modular design facilitates containerised deployment and, combined with JetPack, enables over-the-air updates and federated retraining across multiple distributed edge nodes using Docker. The AD-MLA framework efficiently balances computational load, power consumption, and system size, making it a sustainable edge-intelligent intrusion detection system for real-time deployment in VANET, IoT, and cyber-physical environments.

Table 4 Execution-time performance of the developed model on Jetson Nano / TX2.
Full size table

With the AD-MLA framework, the balancing act between the extremes of real-time operations and the performance of the security module, in a cryptographic context, is optimised in edge-based IoT and Industrial IoT (IIoT) deployments. The system utilises AES-256 symmetric key cryptography to enable secure inter-node communication. It is supplemented with SHA-256 hashing to provide real-time integrity checks, hence, authentication, and overall system data integrity without undue computational burden. While elliptic curve cryptography, lattice-based cryptography, and even homomorphic encryption were considered, none met the cost-effective computational constraints of the Jetson Nano and TX2 (sub 5–10 W) implementations, given 4 GB RAM and the need to stay within a 5–10 W boundary. The lightweight cryptography provides encryption and verification under 20 ms, ensuring the system as a whole responds within the real-time limits of 150–250 ms. Since vehicular and CPS sessions are periodically refreshed and short-lived, the system’s strategic positioning meets the minimum requirements to combat basic replay and network attacks; hence, the system’s scaffolding provides the best efficiency. Future work with lightweight ECC and lattice-based systems will still meet the edge security requirements of evolving systems.

The information in Table 5 undoubtedly supports the choice of AES-256 + SHA-256, as implemented in the AD-MLA framework, as the optimal solution for balancing security and efficiency in real-time applications for vehicles and IIoT. Although ECC provides a slight improvement in cryptographic strength, it is an order of magnitude slower (≈ 3 times slower than AES). It can therefore cause significant delays in authenticating packets for real-time applications in VANET. For lattice-based PQC schemes such as Kyber-512 or NTRU-HRSS, while guaranteeing safety against quantum attacks, they currently exceed the processing power of Jetson-class devices, which results in ≈ 100 ms of additional encryption delay. For powerful privacy-preserving analytics, homomorphic encryption remains an unrealistic option for embedded or mobile systems due to high memory and energy costs.

Table 5 Comparison of Cryptographic Schemes and Their Suitability for Real-Time AD-MLA Deployment on Jetson TX2.
Full size table

Conclusion

This research proposes an AD-MLA model to enhance the security and reliability of VANET. The model uses Random Forests to dynamically identify and mitigate cyber vulnerabilities via feature selection, clustering, and classification. With 95.33% detection accuracy, 96.09% recall, and a significantly low false positive rate of 15.22%, the empirical results underscore the model’s superiority over current approaches to anomaly detection. The framework’s suitability for dynamic VANET environments also demonstrates optimal resource control (91.45%) and peak computational efficiency (94.25%). The model shows the potential of machine learning techniques to protect automotive networks from rising cyber threats. In addition to improving threat detection capabilities, the proposed system guarantees low-latency processing needed for real-time systems. The AD-MLA model for VANET security addresses significant challenges in developing intelligent and safe transport systems, including unsatisfactory detection methods, high false-positive rates, and scalability limitations. Enhanced multi-criteria energy-efficient routing within the model provides substantial advantages for safety–critical scenarios, where communication must be timely and reliable. Deep learning techniques will be employed in future work to enhance AD-MLA further, thereby improving the model’s anomaly-detection accuracy. Furthermore, this research will investigate the practical implementation and operational deployment in large-scale VANET ecosystems. For seamless integration into self-driving cars, further advancements in resource management and processing efficiency will be necessary. For the following, we plan to use dedicated Explainable AI methods, namely, Shapley Additive exPlanations and Local Interpretable Model-agnostic Explanations, to delineate the instance-specific decision factors and justify each detection in a manner understandable to the user. This will enhance the practical applicability of AD-MLA to network analysts and cybersecurity practitioners by connecting operational perspectives to the model’s decisions, while preserving the architecture’s low overhead and real-time nature.