A co‐occurrence matrix based masquerade detection method in in‐vehicle network
Zhang B, Xiao X, Zhang W, , Zhou Y, Liu X.
Published in Wiley
2020
Abstract
In-vehicle networks are vulnerable to masquerade attackers because of the controller local area network, and many intrusion detection systems have been proposed to address this problem. However, traditional methods consider the transition and frequency properties but lose the co-occurrence information. In this article, a novel method based on co-occurrence matrices is proposed; it makes use of the co-occurrence property of the command stream, which is often ignored. The training process has two steps. First, a relatively large number of distinct shell commands are transformed into a smaller number of unique events by hierarchically merging shell commands. Second, considering the correlation property of audit data, the method constructs a partly normalized co-occurrence matrix to profile the valid user's normal behavior. During detection, the partly normalized co-occurrence matrices of the current event sequences are generated. The distances between these matrices and the profile matrix are then calculated with sliding windows. Finally, the distances are used to determine whether the sequences are normal or not. The method is evaluated against two standard masquerade detection datasets provided by T. Lane et al and M. Schonlau et al, respectively. The results indicate that the proposed method is promising in terms of detection accuracy, which is at least 10% higher than that of four other solutions. It also has lower memory requirements, saving at most 90% relative to the compared methods, can be run in parallel, and is more suitable for real-time masquerade detection. © 2020 John Wiley & Sons, Ltd.
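The pipeline the abstract outlines (merge commands into events, build a co-occurrence profile, score sliding windows by distance) can be sketched as follows. This is an added example, not the authors' code. It assumes a flat command-to-event map in place of hierarchical merging, total-count normalization in place of the paper's "partly normalized" matrix, L1 distance, and constructed values for the scope, window, step and threshold.

```python
from collections import Counter

# Constructed command-to-event map; a flat stand-in for hierarchical merging.
EVENT_OF = {"cd": "fs", "ls": "fs", "vi": "edit", "emacs": "edit",
            "make": "build", "gcc": "build",
            "wget": "net", "nc": "net", "chmod": "perm"}

def to_events(commands):
    """Collapse many distinct commands into a few event classes."""
    return [EVENT_OF.get(c, "other") for c in commands]

def cooccurrence(events, scope=3):
    """Count ordered pairs (a, b) where b occurs within `scope` events after a."""
    counts = Counter()
    for i, a in enumerate(events):
        for b in events[i + 1:i + 1 + scope]:
            counts[(a, b)] += 1
    return counts

def normalize(counts):
    """Assumed normalization: divide each cell by the total pair count."""
    total = sum(counts.values())
    return {pair: n / total for pair, n in counts.items()} if total else {}

def distance(p, q):
    """L1 distance between two sparse matrices (0 = identical, 2 = disjoint)."""
    return sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))

def build_profile(commands, scope=3):
    """Profile matrix for the valid user's training commands."""
    return normalize(cooccurrence(to_events(commands), scope))

def detect(profile, commands, window=6, step=3, threshold=1.0, scope=3):
    """Return (start, distance, flagged) for each sliding window."""
    events = to_events(commands)
    out = []
    for start in range(0, len(events) - window + 1, step):
        m = normalize(cooccurrence(events[start:start + window], scope))
        d = distance(profile, m)
        out.append((start, round(d, 3), d > threshold))
    return out

# Constructed sample data, not taken from the Lane or Schonlau datasets.
TRAIN = ["cd", "ls", "vi", "make", "gcc", "ls", "cd", "vi", "make", "ls", "emacs", "gcc"]
INTRUDER = ["wget", "chmod", "nc", "wget", "chmod", "nc"]

if __name__ == "__main__":
    for row in detect(build_profile(TRAIN), TRAIN + INTRUDER):
        print(row)
```

Each window is scored independently against the fixed profile, so windows can be evaluated in parallel, and the profile is a single small matrix over event pairs rather than a store of command sequences.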
About the journal
Journal: Transactions on Emerging Telecommunications Technologies
Publisher: Wiley
ISSN: 2161-3915
Open Access: 0