This study proposes a two-stage Intrusion Detection System (IDS) for Controller Area Networks (CAN) that leverages protocol-specific timing characteristics. Modern vehicular networks are vulnerable to injection attacks due to the CAN protocol’s lack of built-in authentication. Our methodology transforms raw CAN traffic into a structured feature space consisting of CAN IDs, message offsets, and inter-message intervals derived from the CAN Remote Frame request–response mechanism. The first stage applies unsupervised z-score statistical thresholding, requiring no labeled attack data. The second stage employs three independent binary Random Forest (RF) classifiers for precise characterization. Individual classifiers achieve F1-scores of 0.96 (Fuzzy), 0.77 (DoS), and 0.79 (Impersonation). In the integrated end-to-end pipeline, while the system effectively filters 97% of legitimate traffic, a performance stratification is observed: high detection is maintained for timing-disruptive attacks (Fuzzy), whereas timing-preserving attacks (DoS, Impersonation) exhibit lower recall due to the restrictive nature of the timing-only first-stage gating mechanism. Hardware profiling confirmed an inference latency of ∼0.018 ms and footprint of 8.8–19.2 MB, offering a deployable, computationally efficient defense for legacy automotive environments.
Ferreira et al. (Fri,) studied this question.