SecCAN: An Extended CAN Controller with Embedded Intrusion Detection

📅 2025-05-20
🤖 AI Summary
To address the high latency and computational overhead of machine learning–based intrusion detection systems (IDS) in automotive CAN networks—stemming from software-based execution on ECUs—this paper proposes the first hardware-level IDS architecture deeply embedded within the CAN controller’s data path. Our approach tightly couples a custom, quantized, lightweight ML accelerator to the CAN receiver path, leveraging protocol-aware pipelining and overlapping inference across reception windows to fully conceal attack detection within the CAN frame reception process: achieving zero software overhead, zero added detection latency, and ultra-low energy consumption of 73.7 μJ per frame. Implemented on an AMD XCZU7EV FPGA, the design consumes <30% LUTs and <1% FFs—meeting stringent automotive-grade constraints. Evaluated on diverse attack datasets, it achieves state-of-the-art detection accuracy across all frame lengths, while significantly outperforming existing solutions in real-time capability and energy efficiency.

📝 Abstract
Recent research has highlighted the vulnerability of in-vehicle network protocols such as controller area networks (CAN) and proposed machine learning-based intrusion detection systems (IDSs) as an effective mitigation technique. However, their efficient integration into vehicular architecture is non-trivial, with existing methods relying on electronic control units (ECUs)-coupled IDS accelerators or dedicated ECUs as IDS accelerators. Here, initiating IDS requires complete reception of a CAN message from the controller, incurring data movement and software overheads. In this paper, we present SecCAN, a novel CAN controller architecture that embeds IDS capability within the datapath of the controller. This integration allows IDS to tap messages directly from within the CAN controller as they are received from the bus, removing overheads incurred by existing ML-based IDSs. A custom-quantised machine-learning accelerator is developed as the IDS engine and embedded into SecCAN's receive data path, with optimisations to overlap the IDS inference with the protocol's reception window. We implement SecCAN on AMD XCZU7EV FPGA to quantify its performance and benefits in hardware, using multiple attack datasets. We show that SecCAN can completely hide the IDS latency within the CAN reception window for all CAN packet sizes and detect multiple attacks with state-of-the-art accuracy with zero software overheads on the ECU and low energy overhead (73.7 μJ per message) for IDS inference. Also, SecCAN incurs limited resource overhead compared to a standard CAN controller (<30% LUT, <1% FF), making it ideally suited for automotive deployment.

Problem

Research questions and friction points this paper is trying to address.

Embedding intrusion detection in CAN controller datapath
Reducing overheads of ML-based IDS in vehicles
Achieving real-time attack detection with low energy

Innovation

Methods, ideas, or system contributions that make the work stand out.

Embedded IDS within CAN controller datapath
Custom-quantised ML accelerator for IDS
Overlaps IDS inference with CAN reception window