Benchmarking Unsupervised Online IDS for Masquerade Attacks in CAN

📅 2024-06-19
🏛️ arXiv.org
📈 Citations: 2
Influential: 0
🤖 AI Summary
This work addresses the challenge of detecting stealthy spoofing attacks on in-vehicle CAN buses, where existing approaches predominantly rely on offline simulation logs—violating real-time operational constraints. To bridge this gap, we propose the first unsupervised, online intrusion detection system (IDS) benchmark framework supporting real-time streaming processing, built upon the ROAD dataset and systematically evaluating four non-deep-learning IDS variants under sliding-window settings. Our key innovations include a streaming-data-aware conditional control mechanism and a hierarchical time-series clustering method for structural change detection—departing fundamentally from conventional offline evaluation paradigms. Experimental results demonstrate that our approach achieves significantly higher detection rates than the three baseline methods. Although it incurs higher computational overhead, it provides a practical, deployable pathway for online IDS in real-world automotive environments.

📝 Abstract
Vehicular controller area networks (CANs) are susceptible to masquerade attacks by malicious adversaries. In masquerade attacks, adversaries silence a targeted ID and then send malicious frames with forged content at the expected timing of benign frames. As masquerade attacks could seriously harm vehicle functionality and are the stealthiest attacks to detect in CAN, recent work has devoted attention to comparing frameworks for detecting masquerade attacks in CAN. However, most existing works report offline evaluations using CAN logs already collected using simulations that do not comply with the domain's real-time constraints. Here we contribute to advancing the state of the art by introducing a benchmark study of four different non-deep learning (DL)-based unsupervised online intrusion detection systems (IDS) for masquerade attacks in CAN. Our approach differs from existing benchmarks in that we analyze the effect of controlling streaming data conditions in a sliding window setting. In doing so, we use realistic masquerade attacks being replayed from the ROAD dataset. We show that although benchmarked IDS are not effective at detecting every attack type, the method that relies on detecting changes in the hierarchical structure of clusters of time series produces the best results at the expense of higher computational overhead. We discuss limitations, open challenges, and how the benchmarked methods can be used for practical unsupervised online CAN IDS for masquerade attacks.

Problem

Research questions and friction points this paper is trying to address.

Evaluating unsupervised online IDS for CAN masquerade attacks
Comparing non-DL methods under real-time streaming conditions
Assessing detection effectiveness and computational overhead trade-offs

Innovation

Methods, ideas, or system contributions that make the work stand out.

Benchmarks non-DL unsupervised online IDS
Uses sliding window for streaming data analysis
Evaluates with realistic ROAD dataset attacks
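
An added illustration (not code from the paper or its authors) of the idea the abstract credits with the best results: comparing the hierarchical cluster structure of signal time series across sliding windows. Assumptions: signals are already decoded from CAN frames, clustering is single-linkage on 1 - |Pearson r|, the threshold is fixed, and the four-signal stream and its names are constructed.

```python
import math

def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy) if sxx > 0 and syy > 0 else 0.0

def cophenetic(window):
    """Single-linkage merge heights between every pair of signals in one window."""
    names = sorted(window)
    k = len(names)
    d = [[0.0 if a == b else 1 - abs(pearson(window[a], window[b]))
          for b in names] for a in names]
    # Minimax-path closure: d[i][j] becomes the dendrogram height
    # at which signals i and j first fall into the same cluster.
    for m in range(k):
        for i in range(k):
            for j in range(k):
                d[i][j] = min(d[i][j], max(d[i][m], d[m][j]))
    return d

def structure_shift(base, cur):
    """Mean absolute change in merge height over all signal pairs."""
    k = len(base)
    pairs = [(i, j) for i in range(k) for j in range(i + 1, k)]
    return sum(abs(base[i][j] - cur[i][j]) for i, j in pairs) / len(pairs)

def detect(stream, width, step, threshold):
    """Return start indices of windows whose cluster hierarchy left the baseline."""
    n = len(next(iter(stream.values())))
    cut = lambda s: {name: v[s:s + width] for name, v in stream.items()}
    base = cophenetic(cut(0))  # assumption: the first window is attack-free
    return [s for s in range(0, n - width + 1, step)
            if structure_shift(base, cophenetic(cut(s))) > threshold]

def constructed_stream(n=600, attack=range(300, 400)):
    """Constructed sample data: three speed-coupled signals and one independent."""
    w = 2 * math.pi / 100
    out = {"wheel_fl": [], "wheel_fr": [], "rpm": [], "steer": []}
    for t in range(n):
        speed = 20 * math.sin(2 * w * t)
        out["wheel_fl"].append(50 + speed + 0.5 * math.sin(7 * w * t))
        # Masquerade: forged wheel_fr frames keep their timing but stop tracking speed.
        out["wheel_fr"].append(50 + (0 if t in attack else speed) + 0.5 * math.sin(11 * w * t))
        out["rpm"].append(1500 + 30 * speed + 20 * math.sin(13 * w * t))
        out["steer"].append(10 * math.sin(5 * w * t))
    return out

FLAGGED = detect(constructed_stream(), width=100, step=50, threshold=0.05)
```

Frame timing is untouched in the constructed attack, so a detector that only checks timing has nothing to key on; the flag comes from the forged signal leaving the cluster it normally shares with the other speed-coupled signals.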
P. Moriano
Computer Science and Mathematics Division; Cyber Resilience and Intelligence Division, Oak Ridge National Laboratory, Oak Ridge, TN 37830, USA
Steven Hespeler
Computer Science and Mathematics Division; Cyber Resilience and Intelligence Division, Oak Ridge National Laboratory, Oak Ridge, TN 37830, USA
Mingyan Li
Cyber Resilience and Intelligence Division, Oak Ridge National Laboratory, Oak Ridge, TN 37830, USA
Robert A. Bridges
Mathematician & Innovation Leader, AI Sweden
differentially private machine learning, control theory for system stability