Research efforts to detect and prevent possible attacks on vehicles have led to various defense schemes that are capable of preventing attacks and/or determining the presence/absence of an attack on the in-vehicle network. However, these efforts still cannot identify which Electronic Control Unit (ECU) on the in-vehicle network actually mounted the attack. Moreover, they cannot detect attacks by an adversary that impersonates ECUs injecting in-vehicle messages aperiodically. Identifying the source of an attack is essential for efficient forensic, isolation, security patch, etc. To fill these gaps, a method is presented for detecting and identifying compromised ECUs in a vehicle network.