Connected Vehicle (CV) technologies are under rapid deployment across the globe and will soon reshape our transportation systems, bringing benefits to mobility, safety, environment, etc. Meanwhile, such technologies also attract attention from cyberattacks. Recent work shows that CV-based Intelligent Traffic Signal Control Systems are vulnerable to data spoofing attacks, which can cause severe congestion effects in intersections. In this work, we explore a general detection strategy for infrastructure-side CV applications by estimating the trustworthiness of CVs based on readily-available infrastructure-side sensors. We implement our detector for the CV-based traffic signal control and evaluate it against two representative congestion attacks. Our evaluation in the industrial-grade traffic simulator shows that the detector can detect attacks with at least 95% true positive rates while keeping false positive rate below 7% and is robust to sensor noises.
Although infrastructure-side sensors can provide accurate detection of the CVs to validate their reported states, their detection ranges are often much more constrained than the CV communication ranges. For example, the effective detection ranges of traffic cameras are usually at ~100 meters, while CV communication channels (e.g., DSRC and C-V2X) can cover much larger ranges (typically >300 meters).Â
This is a fundamental limitation of sensors compared to cyber-layer communication--extending the sensing range (e.g., installing and synchronizing with additional sensors) is often much more costly and difficult than extending cyber-layer communication ranges (e.g., using signal relay devices or opting to longer range communication protocols such as C-V2X). Because of this fundamental limitation, two defense challenges need to be addressed in order to leverage the infrastructure-side sensors for effective data spoofing detection in the CV context.
Challenge 1: How to systematically propagate the trust from the sensor range to the CV communication range?
Challenge 2: How to infer the RV states outside the sensor range?
In our design, we define the trust of a CV based on its integrity, i.e., CVs that report a state far away from its ground truth state will be assigned with lower trust (or higher suspicion). Our detector measures the trust of each CV in a traffic snapshot (i.e., the received CV states that a CV application is used for decision-making) and pinpoint the ones that have the lowest trust and the largest impact on the CV application performance. The detector takes the CV snapshot and the corresponding sensor detection results as input and outputs the suspicious CVs that are likely to be spoofers for further handling. The detection process involves two major steps: Trust Assignment and Remove-and-Rerun.
In this step, we start from our physical root-of-trust, i.e., sensor detection results, to assign suspicious scores to the CVs in the sensor range by comparing their reported states with the detection results. Next, we propagate the trust out to the CV range in the order of CVs' reported distances to the sensor range. Since there is no direct way to measure the physical states of CVs out of the sensor range (Challenge 1), we estimate the CV states based on our traffic invariants, i.e., the traffic models, which are empirically derived mathematical equations describing the vehicle driving behaviors under various traffic conditions. For example, the car-following models can be used to estimate a vehicle's spacing and velocity based on its leading vehicle. We then use the estimated state as a proxy to the CV's ground truth state to calculate the suspicious score.
We re-execute the CV application with and without a suspicious CV to confirm its impact on the attack objective. The intuition behind this is that the attacker's goal is to disrupt the CV application to cause adverse effects on some CV application metrics, which can often be quantified in the application itself. For example, the congestion attacks on I-SIG are designed to increase the total delay of the vehicles in the intersection, which is exactly what I-SIG is optimized for. Such an attack objective driven approach can effectively distinguish attack CVs from benign ones among the most suspicious CVs.
Defense design overview
[IV'23] Detecting Data Spoofing in Connected Vehicle based Intelligent Traffic Signal Control using Infrastructure-Side Sensors and Traffic Invariants
Junjie Shen, Ziwen Wan, Yunpeng Luo, Yiheng Feng, Z. Morley Mao, Qi Alfred Chen
Appeared in the IEEE Intelligent Vehicles Symposium (IV) 2023.
[paper]
Junjie Shen, Ph.D. student, CS, University of California, Irvine
Ziwen Wan, Ph.D. student, CS, University of California, Irvine
Yunpeng Luo, Ph.D. student, CS, University of California, Irvine
Yiheng Feng, Assistant Professor, CE, Purdue University
Z. Morley Mao, Professor, EECS, University of Michigan
Qi Alfred Chen, Assistant Professor, CS, University of California, Irvine