Systems and methods are provided for detecting anomalous messages on a multipoint serial communications bus by extracting features from a first and a second message, including a time delay between the first and the second messages and, for each message, a sender address, a recipient address, a bus number, and a word count. A message transition pattern including the extracted features is generated. A probability of occurrence of the message transition pattern is determined by comparing the message transition pattern to a pattern dictionary, and the second message is determined to be anomalous when the probability is less than a predetermined threshold.