This work investigates the adversarial robustness of in-vehicle CAN bus intrusion detection systems (IDS), focusing on the feasibility and efficacy of gradient-based evasion attacks under white-box, gray-box, and black-box knowledge assumptions. We propose a pre-computed escape payload injection method tailored to real-time bus timing constraints, integrating CAN traffic modeling, adversarial perturbation optimization, and evaluation across multiple IDS benchmarks using standard metrics (e.g., AUC, F1-score). To our knowledge, this is the first systematic comparison of evasion success across all three knowledge settings against state-of-the-art CAN IDS. Experimental results demonstrate that attack success critically depends on dataset quality, IDS architecture, and attacker prior knowledge: even under strict black-box conditions, high-fidelity training data enables >70% detection evasion while preserving real-time injectability.

The security of modern vehicles has become increasingly important, with the controller area network (CAN) bus serving as a critical communication backbone for various Electronic Control Units (ECUs). The absence of robust security measures in CAN, coupled with the increasing connectivity of vehicles, makes them susceptible to cyberattacks. While intrusion detection systems (IDSs) have been developed to counter such threats, they are not foolproof. Adversarial attacks, particularly evasion attacks, can manipulate inputs to bypass detection by IDSs. This paper extends our previous work by investigating the feasibility and impact of gradient-based adversarial attacks performed with different degrees of knowledge against automotive IDSs. We consider three scenarios: white-box (attacker with full system knowledge), grey-box (partial system knowledge), and – the more realistic – black-box (no knowledge of the IDS’ internal workings or data). We evaluate the effectiveness of the proposed attacks against state-of-the-art IDSs on two publicly available datasets. Additionally, we study effect of the adversarial perturbation on the attack impact and evaluate real-time feasibility by precomputing evasive payloads for timed injection based on bus traffic. Our results demonstrate that, besides attacks being challenging due to the automotive domain constraints, their effectiveness is strongly dependent on the dataset quality, the target IDS, and the attacker’s degree of knowledge.