Real-Time, Reconfigurable CAN Intrusion Detection for EV Powertrain Networks via Specification-Driven Timing and Integrity Constraints

The Controller Area Network (CAN) remains the backbone of in-vehicle communication, but its lack of built-in security exposes safety-critical systems to cyberattacks. This paper presents a real-time, reconfigurable, specification-driven intrusion detection system (IDS) implemented on a custom test bench that emulates an EV powertrain. The CAN traffic captured from the four-ECU setup formed the dataset used in this study. The IDS enforces a compact, reconfigurable ruleset covering timing bounds, jitter envelopes, identifier whitelists, frame format, data length code (DLC) compliance, bus-load thresholds, application-level CRC, and alive-counter verification. The IDS achieves detection times below 2 ms with false positive rates under 1% for injection, denial of service (DoS), and fuzzy attacks, even at CAN bus loads up to 70%, while microcontroller resource usage remains within the constraints of automotive-grade devices, supporting deployment in embedded environments. The main contributions of this study are as follows: (i) a validated and reproducible EV powertrain test bench with millisecond-level timing, (ii) a deployable and easily reconfigurable ruleset with deterministic runtime, and (iii) a latency-oriented evaluation framework that is portable across automotive microcontroller platforms. The EV powertrain dataset v1.0 was released in a public GitHub repository to facilitate reproducible research and enable future benchmarking studies.