CAN bus networks are vulnerable to flooding, fuzzing, replay, and spoofing attacks due to the absence of encryption and authentication. To address this, this paper proposes a lightweight anomaly detection framework integrating graph-structured learning with time-series modeling. Specifically, CAN message sliding windows are innovatively modeled as dynamic graphs that preserve temporal relationships—enabling the first structured representation of CAN protocol semantics. A joint architecture combining graph convolutional networks (GCNs) and overcomplete autoencoders generates structure-aware graph embeddings, while gated recurrent units (GRUs) capture inter-window temporal dependencies. Optimal window size is determined via Shannon entropy analysis, eliminating manual feature engineering. Evaluated on real-world in-vehicle datasets, the method achieves significant improvements in detection accuracy and robustness, effectively identifying all four canonical CAN attack types.

Modern in-vehicle networks face various cyber threats due to the lack of encryption and authentication in the Controller Area Network (CAN). To address this security issue, this paper presents GUARD-CAN, an anomaly detection framework that combines graph-based representation learning with time-series modeling. GUARD-CAN splits CAN messages into fixed-length windows and converts each window into a graph that preserves message order. To detect anomalies in the timeaware and structure-aware context at the same window, GUARD-CAN takes advantage of the overcomplete Autoencoder (AE) and Graph Convolutional Network (GCN) to generate graph embedding vectors. The model groups these vectors into sequences and feeds them into the Gated Recurrent Unit (GRU) to detect temporal anomaly patterns across the graphs. GUARD-CAN performs anomaly detection at both the sequence level and the window level, and this allows multi-perspective performance evaluation. The model also verifies the importance of window size selection through an analysis based on Shannon entropy. As a result, GUARD-CAN shows that the proposed model detects four types of CAN attacks (flooding, fuzzing, replay and spoofing attacks) effectively without relying on complex feature engineering.