ATHENA: An In-vehicle CAN Intrusion Detection Framework Based on Physical Characteristics of Vehicle Systems

📅 2025-03-21
🤖 AI Summary
Resource-constrained in-vehicle CAN buses face a fundamental trade-off between detection accuracy and real-time performance for intrusion detection. Method: This paper proposes a cloud-vehicle collaborative lightweight intrusion detection framework. In the cloud, multi-distribution hybrid clustering and deep data mining are integrated with vehicle physical mechanism modeling to generate a high-confidence payload rule library offline. On-board, only lightweight LSTM-based temporal feature extraction is performed to assist rule generation; detection relies solely on efficient rule matching—eliminating complex model inference at the edge. Contribution/Results: This paradigm strictly confines computationally intensive operations to offline rule generation, achieving both detection lightweighting and mechanistic interpretability. Evaluated on the real-world ROAD dataset, the framework significantly outperforms state-of-the-art methods in detecting highly stealthy, camouflaged attacks, while exhibiting ultra-low detection latency and negligible on-device inference overhead.

📝 Abstract
With the growing interconnection between In-Vehicle Networks (IVNs) and external environments, intelligent vehicles are increasingly vulnerable to sophisticated external network attacks. This paper proposes ATHENA, the first IVN intrusion detection framework that adopts a vehicle-cloud integrated architecture to achieve better security performance for the resource-constrained vehicular environment. Specifically, in the cloud, where resources are sufficient, ATHENA uses a multi-distribution mixture model clustering method combined with deep data mining technology to generate the raw Payload Rule Bank of IVN CAN messages, and then improves the rule quality by exploiting first-principles physical knowledge of the vehicle system, after which the payload rules are periodically sent to the vehicle terminal. At the vehicle terminal, a simple LSTM component is used to generate the Time Rule Bank, which represents the long-term time series dependencies and the periodic characteristics of CAN messages. Unlike in traditional usage scenarios, the LSTM is not used for any detection task; only the generated time rules are candidates for further IVN intrusion detection tasks. Based on both the payload rules and the time rules, generated in the cloud and at the vehicle terminal respectively, ATHENA achieves efficient intrusion detection through simple rule-based matching operations rather than the complex black-box reasoning of resource-intensive neural network models, which in our framework are used only in the rule logic generation phase and not in the actual intrusion detection phase. Comparative experimental results on the ROAD dataset, which is currently the most outstanding real-world in-vehicle CAN dataset covering new instances of sophisticated and stealthy masquerade attacks, demonstrate that ATHENA significantly outperforms the state-of-the-art IVN intrusion detection methods in detecting complex attacks.

Problem

Research questions and friction points this paper is trying to address.

Detects CAN network intrusions using vehicle-cloud architecture
Generates intrusion rules via cloud-based data mining and physical knowledge
Uses lightweight terminal rules for efficient in-vehicle detection

Innovation

Methods, ideas, or system contributions that make the work stand out.

Vehicle-cloud integrated architecture for security
Multi-distribution mixture model for rule generation
LSTM-based time rule bank for dependencies

Kai Wang
School of Computer Science and Technology, Harbin Institute of Technology, Weihai, China, and also with Shandong Key Laboratory of Industrial Network Security, China

Zhen Sun
DSA Thrust, HKUST(GZ)
LLM security

Bailing Wang
School of Computer Science and Technology, Harbin Institute of Technology, Weihai, China, and also with Shandong Key Laboratory of Industrial Network Security, China

Qilin Fan
Chongqing University
Anomaly Detection, Edge Caching, Network Function Virtualization

Ming Li
Jinan Key Laboratory of Distributed Databases, Shandong Inspur Database Technology Co., Ltd, Jinan, China

Hongke Zhang
School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China