Detecting Masquerade Attacks in Controller Area Networks Using Graph Machine Learning

📅 2024-08-10
🏛️ IEEE Transactions on Information Forensics and Security
📈 Citations: 4
Influential: 1
🤖 AI Summary
Stealthy spoofing attacks on in-vehicle CAN buses—such as forged periodic messages inducing unintended acceleration or brake failure—remain challenging to detect due to their low observability and resemblance to legitimate traffic.

Method: This paper proposes a graph machine learning–based intrusion detection framework that jointly leverages shallow graph embedding and fine-grained temporal statistical features. It models CAN messages as attributed message sequence graphs (MSGs), uniquely coupling node-level graph topology with time-domain features—including inter-message intervals, periodicity distributions, and entropy—at the per-node level. Node2Vec embeddings are integrated with non-parametric statistical tests (Mann–Whitney U and Kolmogorov–Smirnov) to enhance detection robustness against multi-modal spoofing.

Contribution/Results: The approach overcomes the detection blind spot of conventional IDSs for periodic spoofed traffic. Evaluated on the ROAD dataset, it achieves statistically significant improvements in detection rate over pure graph-based baselines (p < 0.05), exhibits strong generalization, low false-positive rate, and real-time deployment feasibility.

📝 Abstract
Modern vehicles rely on a myriad of electronic control units (ECUs) interconnected via controller area networks (CANs) for critical operations. Despite their ubiquitous use and reliability, CANs are susceptible to sophisticated cyberattacks, particularly masquerade attacks, which inject false data that mimic legitimate messages at the expected frequency. These attacks pose severe risks such as unintended acceleration, brake deactivation, and rogue steering. Traditional intrusion detection systems (IDS) often struggle to detect these subtle intrusions due to their seamless integration into normal traffic. This paper introduces a novel framework for detecting masquerade attacks in the CAN bus using graph machine learning (ML). We hypothesize that the integration of shallow graph embeddings with time series features derived from CAN frames enhances the detection of masquerade attacks. We show that by representing CAN bus frames as message sequence graphs (MSGs) and enriching each node with contextual statistical attributes from time series, we can enhance detection capabilities across various attack patterns compared to using only graph-based features. Our method ensures a comprehensive and dynamic analysis of CAN frame interactions, improving robustness and efficiency. Extensive experiments on the ROAD dataset validate the effectiveness of our approach, demonstrating statistically significant improvements in the detection rates of masquerade attacks compared to a baseline that uses only graph-based features, as confirmed by Mann-Whitney U and Kolmogorov-Smirnov tests (p<0.05).

Problem

Research questions and friction points this paper is trying to address.

Detects masquerade attacks in CAN bus using graph machine learning
Enhances detection by combining graph embeddings with time series features
Improves robustness over methods using only graph-based features

Innovation

Methods, ideas, or system contributions that make the work stand out.

Graph machine learning detects masquerade attacks
Message sequence graphs represent CAN bus frames
Time series features enhance graph embeddings
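
The message sequence graph with per-node timing attributes that the abstract describes, as an added example that is not the paper's code. It assumes nodes are arbitration IDs, a directed edge counts each pair of consecutive frames, and the node attributes are degree plus inter-arrival mean and standard deviation; the frames are constructed, and the embedding step is not shown.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample window: (timestamp in seconds, arbitration ID).
# These values are illustrative and are not taken from the ROAD dataset.
FRAMES = [
    (0.000, 0x0C0), (0.002, 0x1A4), (0.005, 0x2F1),
    (0.010, 0x0C0), (0.012, 0x1A4),
    (0.020, 0x0C0), (0.022, 0x1A4), (0.025, 0x2F1),
    (0.030, 0x0C0), (0.032, 0x1A4),
]

def build_msg(frames):
    """Build an attributed message sequence graph for one window of frames.

    Returns (edges, nodes):
      edges: {(src_id, dst_id): count} over consecutive frame pairs.
      nodes: {arb_id: attributes} with degrees and inter-arrival statistics.
    The graph definition and attribute choice are assumptions of this example.
    """
    frames = sorted(frames)  # order by timestamp before pairing neighbours
    edges = Counter((a[1], b[1]) for a, b in zip(frames, frames[1:]))

    stamps = defaultdict(list)
    for ts, arb_id in frames:
        stamps[arb_id].append(ts)

    nodes = {}
    for arb_id, ts_list in stamps.items():
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        nodes[arb_id] = {
            "frames": len(ts_list),
            # Topology: number of distinct successors and predecessors.
            "out_degree": sum(1 for src, _ in edges if src == arb_id),
            "in_degree": sum(1 for _, dst in edges if dst == arb_id),
            # Timing: an ID seen once has no interval, so report None, not 0.
            "mean_gap": mean(gaps) if gaps else None,
            "std_gap": pstdev(gaps) if gaps else None,
        }
    return edges, nodes

if __name__ == "__main__":
    edges, nodes = build_msg(FRAMES)
    for (src, dst), count in sorted(edges.items()):
        print(f"{src:#05x} -> {dst:#05x}: {count}")
    for arb_id, attrs in sorted(nodes.items()):
        print(f"{arb_id:#05x}", attrs)
```
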