Automotive CAN networks face highly stealthy spoofing attacks, yet existing detection methods only support coarse-grained, window-level analysis, failing to achieve precise single-frame localization. This paper proposes a dual-perspective statistical graph modeling framework—comprising a Temporal Correlation Graph (TCG) and a Coupling Relationship Graph (CRG)—integrated with a lightweight shallow Graph Convolutional Network (GCN), enabling, for the first time, fine-grained, message-level intrusion detection. Key contributions include: (1) multi-perspective modeling of intrinsic temporal dependencies and inter-message coupling patterns in CAN traffic; (2) systematic evaluation on real-world datasets against four novel spoofing attack types; and (3) an end-to-end trainable architecture jointly optimizing temporal modeling and contextual similarity measurement. Evaluated on two real automotive CAN datasets, our method achieves a significant F1-score improvement over state-of-the-art approaches, with 98.7% detection accuracy for the new spoofing attacks.

As an important component of internet of vehicles (IoV), intelligent connected vehicles (ICVs) have to communicate with external networks frequently. In this case, the resource-constrained in-vehicle network (IVN) is facing a wide variety of complex and changing external cyber-attacks, especially the masquerade attack with high difficulty of detection while serious damaging effects that few counter measures can identify successfully. Moreover, only coarse-grained recognition can be achieved in current mainstream intrusion detection mechanisms, i.e., whether a whole data flow observation window contains attack labels rather than fine-grained recognition on every single data item within this window. In this paper, we propose StatGraph: an Effective Multi-view Statistical Graph Learning Intrusion Detection to implement the fine-grained intrusion detection. Specifically, StatGraph generates two statistical graphs, timing correlation graph (TCG) and coupling relationship graph (CRG), based on data streams. In given message observation windows, edge attributes in TCGs represent temporal correlation between different message IDs, while edge attributes in CRGs denote the neighbour relationship and contextual similarity. Besides, a lightweight shallow layered GCN network is trained based graph property of TCGs and CRGs, which can learn the universal laws of various patterns more effectively and further enhance the performance of detection. To address the problem of insufficient attack types in previous intrusion detection, we select two real in-vehicle CAN datasets that cover four new attacks never investigated before. Experimental result shows StatGraph improves both detection granularity and detection performance over state-of-the-art intrusion detection methods.