With the maturity of automotive intelligent network technology, the number of ECUs loaded on vehicles by different car manufacturers is increasing year by year. Anyone can access the inside of CAN bus through OBD-II, Bluetooth and other vehicle peripheral devices and cloud network to get ECU data or even forged data. The current attack detection and defense technology is mainly established in the offline intrusion detection method and post-event defense system, which is difficult to meet the real-time and security of the car driving.

For the real-time detection and defense mechanism of CAN bus, we propose a data-based anomaly detection algorithm to identify anomalous information and attack types. A real-time intrusion detection model is established according to different attack types to propose suitable encryption and authentication methods for CAN bus to achieve the purpose of active defense. The network environment of real vehicle CAN bus is simulated in CANoe software. It is able to detect the intrusion of five different attack types such as Replay and Flood. According to the attack model, the data anomalies are found in real time to eliminate unnecessary hidden dangers and meet the requirements of real-time defense in the vehicle driving.The joint experimental results of the CANoe software and the STM32F407 show that the type of attack can be effectively detected and a 99.8% defense rate is achieved out of 10,000 messages tested. The time required to perform one detection and defense is 2.25ms, which is much smaller than the time required to send and receive messages on the CAN bus (10ms). Therefore, it meets the requirements of CAN bus for real time, etc.