Controller area network (CAN) is a widely used communication protocol for in-vehicle networks. With the up-gradation of traditional vehicle ad-hoc networks (VANETs) to the internet of vehicles (IoV), the connectivity is incremental between the vehicular network and the outside world, making cyber-security become a stringent problem. Although existing machine learning-based methods for automotive intrusion detection are powerful, there are still limitations in detection performance and resistance attack types during the unsupervised learning process that lacks massive amounts of labels. Therefore, this paper proposes an in-vehicle intrusion detection system that incorporates a combination of sparse regularization convolutional auto-encoder (SRCAE) and streams clustering to construct a deep evolving stream clustering model, namely DESC-IDS. Specifically, the method encodes continuous messages as 2-D data frames, which are fed into the SRCAE built by the temporal convolutional network (TCN) to obtain a low-dimensional non-linear spatial–temporal mapping of the high-dimensional data. Thereafter, the stream clustering model can describe a contour baseline of normal communication messages by the spatial–temporal features. Based on this baseline, DESC-IDS can detect any abnormal changes in vehicular communication. In particular, this paper exploits the SRCAE to reconstruct message matrices, which are considered as variants of known attacks due to reconstruction deviation. The extensive evaluation results illustrate that the proposed model provides enough performance and real-time competitiveness in anomaly detection, with 96.44% accuracy on the HCRL intrusion dataset and 98.80% accuracy on the ORNL intrusion dataset. For the mixed attack of fabrication and masquerade, the proposed model achieves stable F1-scores of 93.48% and 86.99%, respectively. Moreover, the performance in unknown attacks is righteous with 98.43% accuracy and 97.15% F1-scores.

控制器局域网 (CAN) 是一种广泛用于车载网络的通信协议。随着传统车辆自组织网络（VANET）向车联网（IoV）的升级，车辆网络与外界之间的连接不断增加，网络安全成为一个严峻的问题。尽管现有的基于机器学习的汽车入侵检测方法功能强大，但在缺乏大量标签的无监督学习过程中，在检测性能和抵抗攻击类型方面仍然存在局限性。因此，本文提出了一种车载入侵检测系统，该系统结合了稀疏正则化卷积自动编码器（SRCAE）和流聚类来构建深度演化流聚类模型，即DESC-IDS。具体来说，该方法将连续消息编码为二维数据帧，将其输入到由时间卷积网络 (TCN) 构建的 SRCAE 中，以获得高维数据的低维非线性时空映射。此后，流聚类模型可以通过时空特征描述正常通信消息的轮廓基线。基于此基线，DESC-IDS 可以检测车辆通信中的任何异常变化。特别是，本文利用 SRCAE 来重构消息矩阵，由于重构偏差，这些消息矩阵被认为是已知攻击的变体。广泛的评估结果表明，所提出的模型在异常检测方面提供了足够的性能和实时竞争力，在 HCRL 入侵数据集上的准确率为 96.44%，98. ORNL 入侵数据集的准确率为 80%。对于制造和伪装的混合攻击，所提出的模型分别实现了 93.48% 和 86.99% 的稳定 F1 分数。此外，在未知攻击中的表现是正确的，准确率为 98.43%，F1 分数为 97.15%。