In-vehicle networks are generally used for computerized control and for connecting information technology devices in cars. However, increasing connectivity also increases security risks. “Spoofing attacks”, in which an adversary infiltrates the controller area network (CAN) with malicious data and makes the car behave abnormally, have been reported. Therefore, countermeasures against this type of attack are needed.

Modifying legacy electronic control units (ECUs) will affect development costs and reliability because in-vehicle networks have already been developed for most vehicles. Current countermeasures, such as authentication, require modification of legacy ECUs. On the other hand, anomaly detection methods may result in misdetection due to the difficulty in setting an appropriate threshold. Evaluating the reception cycle of data is a simple way to detect spoofing attacks. However, this may result in false detection due to fluctuation in the data reception cycle in the CAN.

We propose the “delayed-decision cycle detection” method, which improves on the conventional cycle detection method: it does not require modification of legacy ECUs, detects intrusions with a low misdetection rate, and prevents intrusions. We evaluated this method in a simulated environment of an actual car. The processing load of the method was sufficiently low. In some specific cases, the method resulted in misdetection. Therefore, we further improved the proposed detection method.

Security architecture for in-vehicle networks should be constructed of multi-layer countermeasures to prevent single points of attack. The proposed method can be easily applied as one layer of a security architecture because it has several advantages, such as a low processing load, and does not require the modification of legacy ECUs.
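The conventional cycle detection described above, and its sensitivity to reception-cycle fluctuation, can be seen in a short added example (not code from the paper, and not the delayed-decision method itself, whose details are not given here). The CAN ID `0x123`, the 10 ms period, the tolerance values and the trace are all constructed assumptions.

```python
# Conventional reception-cycle check for periodic CAN frames (added example).
# A frame is flagged when it arrives sooner after the previous frame with the
# same CAN ID than (nominal period - tolerance).

NOMINAL_PERIOD_MS = {0x123: 10}  # assumed: ID 0x123 is sent every 10 ms

# Constructed trace: (timestamp_ms, can_id, note).
# The legitimate frame due at 30 ms is delayed to 33 ms (bus arbitration),
# so the on-schedule frame at 40 ms shows an interval of only 7 ms.
# One forged frame is injected at 54 ms.
TRACE = [
    (0, 0x123, "legit"), (10, 0x123, "legit"), (20, 0x123, "legit"),
    (33, 0x123, "legit, delayed"), (40, 0x123, "legit"),
    (50, 0x123, "legit"), (54, 0x123, "injected"),
    (60, 0x123, "legit"), (70, 0x123, "legit"),
]


def cycle_alerts(trace, tolerance_ms, periods=NOMINAL_PERIOD_MS):
    """Return timestamps of frames whose reception interval is too short."""
    last_seen = {}
    alerts = []
    for ts, can_id, _note in trace:
        prev = last_seen.get(can_id)
        if can_id in periods and prev is not None:
            if ts - prev < periods[can_id] - tolerance_ms:
                alerts.append(ts)
        last_seen[can_id] = ts
    return alerts


def sweep(trace, tolerances=(1, 4, 6)):
    """Run the same trace through several tolerances to show the trade-off."""
    return {tol: cycle_alerts(trace, tol) for tol in tolerances}


if __name__ == "__main__":
    for tol, alerts in sweep(TRACE).items():
        print(f"tolerance {tol} ms -> alerts at {alerts} ms")
    # tolerance 1: the jittered legitimate frame at 40 ms is a false alarm,
    #              and the legitimate frame at 60 ms is flagged as well
    # tolerance 4: only the injected frame at 54 ms is flagged
    # tolerance 6: the injected frame is missed entirely
```

An alert marks an interval violation only; the check by itself cannot tell which of the two frames bounding that interval was forged.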