The introduction of modern connected vehicles has led to increased safety and comfort. It also introduces new attack surfaces that could be exploited by malicious actors during an attack targeting the electronic control units (ECU) in the vehicle. The ECUs control safety-critical components in the vehicle, and a successful attack could lead to catastrophic consequences. The most common network type for inter-ECU communication is CAN-bus, which is a reliable and lightweight protocol, but it was never intended to withstand cyber security threats.This master thesis explores different approaches to CAN-bus intrusion detection systems (IDS) and evaluates them in terms of capability to detect previously unknown attacks (zero-day), real-time performance and implementation feasibility on a typical embedded device. To the best of our knowledge, these requirements have not been evaluated together in previous research. High-level features are created and evaluated in order to include as many aspects of the data as possible. The different approaches are evaluated by exposing them to attacks commonly used in previous research, as well as a data-altering attack introduced in the thesis.The experiments show that the best-performing approach is to model the behaviour of every single ECU on the network with a separate support vector machine (SVM) and a set of high-level features that capture the timing and data payload aspects of CAN-bus traffic. This approach achieves a detection rate of more than 99% and a false positive rate during normal operation below 0.01% in the majority of cases. More long-term features are also explored, but they do not conform to the real-time requirements.