Controller Area Network (CAN) is an essential communication protocol through which Electronic Control Units (ECUs) interact in the vehicular network. However, CAN faces stringent security challenges due to its innate security risks. Intrusion detection systems (IDSs) are a crucial safety component for remediating vulnerabilities in vehicular electronics and systems. However, existing IDSs fail to identify complex attacks and suffer from higher false alarm rates owing to capability bottlenecks. In this paper, we propose a self-supervised multi-knowledge fused anomaly detection model, called MKF-ADS. Specifically, the method designs an integration framework that includes a spatial-temporal correlation with attention mechanism (STcAM) module and a patch sparse-transformer (PatchST) module. The STcAM with fine-pruning uses one-dimensional convolution (Conv1D) to extract spatial features and then uses Bidirectional Long Short-Term Memory (Bi-LSTM) to extract temporal features, with the attention mechanism focusing on the important time steps. Meanwhile, PatchST captures the combined contextual features from independent univariate time series. Finally, the proposed method uses knowledge distillation, with STcAM as the student model that learns intrinsic knowledge and acquires the ability to mimic PatchST. We conduct extensive experiments on six simulated attack scenarios across various CAN IDs and time steps, and on two real attack scenarios, which show competitive prediction and detection performance. Compared with the baseline in the same paradigm, the error rate and false alarm rate (FAR) are 2.62% and 2.41%, and the model achieves a promising F1-score of 97.3%.