The Controller Area Network (CAN) has been widely used in the automotive and industrial automation for over two decades. However, due to the lack of security mechanisms, CAN is vulnerable to attacks. In this paper, we propose a novel protection scheme called CANeleon. It can defend CAN against a smart attacker who might inject malicious frames with legitimate frame IDs, which cannot be mitigated by existing countermeasures. Inspired by the idea of moving target defense technologies, CANeleon equips each legitimate CAN node with the ability to shift the spoofed frame ID. In this way, the IDs of malicious frames are exposed and can be further filtered by legitimate nodes. Moreover, CANeleon neither inserts new information to the frame, nor requires any modification to the CAN protocol, so it is in compliance with the existing standards. CANeleon is a decentralized mechanism guaranteeing that the protection could be done simultaneously without additional communication. Experiments on a CAN bus prototype and a real self-driving vehicle prove the effectiveness of CANeleon.