As a new type of attack, the CAN (Controller Area Network) bus-off attack can force the node to generate communication errors continuously and disconnect from the CAN bus through the error handling mechanism of the CAN bus communication. Aiming at the security problem of in-vehicle CAN bus communication caused by the bus-off attack, an intrusion detection algorithm for the in-vehicle CAN bus-off attack was proposed. Firstly, the conditions and characteristics of the CAN bus-off attack were summarized. It was pointed out that the synchronous transmission of normal message and malicious message is the difficulty of realizing the bus-off attack. And the front-end message satisfying the condition of synchronous transmission was used to realize the bus-off attack. Secondly, the characteristics of the CAN bus-off attack were extracted. By accumulating the transmission number of error frames and according to the change of message transmission frequency, the detection of the CAN bus-off attack was realized. Finally, the CAN communication node based on STM32F407ZGT6 was used to simulate the Electronic Control Unit (ECU) in the vehicle, and the synchronous transmission of the malicious message and the attacked message was realized. The experiment of CAN bus-off attack and the verification of intrusion detection algorithm were carried out. Experimental results show that the detection rate of the algorithm for high priority malicious messages is more than 95%, so the algorithm can effectively protect the security of the in-vehicle CAN bus communication network.