5.5 TrioSys for detecting location forgery attacks
5.5.2 Calibration methods to improve the detection precision
As stated above, although multi-array relative positioning can significantly help to verify a false location claim by the attack vehicle, its limited localization accuracy in urban areas raises serious concerns about detection accuracy. In fact, detection accuracy can be improved significantly by adding several measurements. Increasing the number of antenna arrays may help considerably, but it also incurs a high cost. A simpler calibration method, such as using a digital driving map, which is available on the ego vehicles, can partially reduce the cost while still offering potentially higher accuracy. With the geo-location information from centimeter-level accurate High-resolution Dynamic (HD) Maps in autonomous vehicles [114], correlating our estimated position and orientation with the map can help to reveal the behavior and consistency of the transmitter’s apparent location. Moreover, location prediction and filtering, such as the Unscented Kalman Filter (UKF) [114], can provide a plausibility check on the consistency of the vehicle’s movement.
For this case, we extend our prior work (above) to misbehavior detection based on motion prediction, in which the new location of the vehicle is calculated using a UKF model. The attack model changes slightly: it now covers misbehavior activities in a broader sense, instead of only location forgery.
A change to the attack model
Most of the attack model defined above keeps the same meaning. The only difference is that we now define a misbehaving vehicle as a vehicle that transmits erroneous data that should not be transmitted when the hardware and software behave as expected. This definition thus covers not only malicious vehicles in a cyber attack (i.e., erroneous messages with malicious intent) but also faulty vehicles (i.e., misbehavior caused by variance in damaged sensors). For the V2X application, we also focus the evaluation on platooning, a model that we believe will soon be deployed in practice.
Misbehavior detection system
To adapt to the change in the attack model, we propose a data-centric and cross-layer approach based on TrioSys to effectively detect such abnormal activities, as illustrated in Fig. 5.5.2. Note that data-centric methods are compatible with the laws and the standard.
These extensive misbehavior detection engines are distributed into two layers: MEC-based engines and global analysis at the cloud. We believe that the cross-layer architecture is a preferable approach to address multiple issues of the detection system, including performance, low latency (MEC-based engine), long-term behavior monitoring and storage optimization (cloud-based engine). As mentioned, in our case, we assume that trusting any vehicle can be questionable, i.e., the compromised one could be any vehicle; thus, placing a detection system on such vehicles is unreliable. However, it can be assumed that most of the vehicles in the platoon are not compromised so that the sensor readings from the majority of the platoon vehicles will be consistent.
[Figure: architecture diagram. Recoverable labels: Vehicle layer; Edge layer; Edge Detection; MEC; RSU; Platoon; Leader; Local detection engine; Assistive verification; Misbehavior Detection; UKF prediction; Digital Maps; High-definition Digital Maps; V2X messages Filter, Tracking; Signal-based localization; Target vehicle tracking; V2X OBU; RSSI signals from vehicles; Update; Vehicle Presence State; WAVE Service Advertisement; LIDAR or Long-range radar; Short-range radar; 360° Camera.]
Figure 5.5.2: The abstract architecture of the TrioSys-based misbehavior detection system: (1) Path prediction on vehicle (leader); (2) Platoon control plan on MEC-based system.
The goal of this new system is also to verify the messages, i.e., to check the consistency of messages from different senders, and to detect misbehavior activities, e.g., abnormal activities revealed by sensing data fusion. To limit the impact of unreliable information on real driving, the detection system is designed to keep the cruise control (including Local Dynamic Map services) free of the attacker’s misleading information and of irregular data (i.e., from faulty devices). That means the detection must pre-process the information before a V2X app and the platoon leader broadcast a platooning control plan to the vehicles. For that purpose, we integrate the detection engine directly as a fundamental feature of the driving map building function and the trajectory monitoring feature of V2X apps. To build the map, RSUs/gNBs are able to receive reports in real time from individual platoon members, not only from the leader.
In practice, a compromised attacker’s access to the network, including the platoon communication, is entirely legitimate. To defeat a false location claim, besides using relative positioning, we also propose a novel method that determines the difference between the driving plan of the leader and that of the platoon members (abnormal trajectory), along with validating the messages (data consistency). For message verification, i.e., checking that the physical movement of the vehicle is consistent with our physical calculation (above), an affordable Doppler radar and HD camera-based system on the front and adjacent vehicles can help to validate whether the report matches the physical actions of that vehicle. In the case of faulty sensors, the physical action could fit the reported information, but the trajectory is abnormal, e.g., moving out of the platoon. In the case of an attack, the attacker must steer the vehicle to match the report and the physical radar scanning to evade our detection, but doing so violates the second condition, i.e., the abnormal trajectory. For abnormal trajectory detection, we use a filter such as the Unscented Kalman Filter and an advanced motion model to estimate the state of a moving vehicle of interest from noisy sensor and radar measurements. Because we assume no trust in any vehicle, the idea is to separate the reporting procedure from the building of the driving map, instead of relying only on the leader. A difference larger than an allowed deviation (e.g., 3 m) between motion estimations in the maps can provide significant evidence of misbehavior, in addition to the message verification.
Note that UKF can run in nearly real time. The details of the mechanism are presented in the next section.
In a highway scenario, speed and position in the straight direction are usually more important for tracking than the turn rate, because highways do not often have sharp curves or turns. Any simple attack, such as reporting a location out of the driving direction, is attributed to a lying vehicle and tracked. We also define a “threat zone” around the platoon vehicles (e.g., within 100 meters each side) with the support of in-vehicle sensors and radar. If a vehicle far from the zone tries to flood messages, or a vehicle in the platoon moves to a new location without officially leaving, it is considered illegal and should be treated as suspicious. To defeat a wrong event claim or fake warning from a vehicle, such as a brake event, the data received from neighbor vehicles’ sensors, such as camera-based ADAS and infrared systems (vehicle detection and tracking), will be used to check whether there is any physical movement or presence of the vehicle as claimed.
Regarding trust in the leader, a leading vehicle is often controlled by a human driver, who is often required to obtain specific permission and pass advanced verification in the platoon-forming or re-forming stage because of the leader’s importance in keeping the whole train of vehicles safe. However, in practice, an attacker can probably defeat all of the mentioned security checks with a simple move, e.g., the driver is replaced by the attacker or the vehicle’s core system is controlled by malware. As a result, the platoon faces a high risk of following a planned trajectory set by the attacker. In this case, the cooperation between the MEC-based engine and the cloud-based engine plays a critical role in verifying the route of the platoon. The cloud-based engine can verify whether a vehicle’s path follows the scheduled route that the vehicle posted when joining the platoon. This is possible because a vehicle may be willing to join and leave a platoon at any point during the journey. If any leader does not match the scheduled route of the vehicles, a warning is sent to the members for further action, e.g., waking up the drivers to take over the steering wheel. To create a backup schedule (i.e., for when the incumbent leader is down due to DoS or is no longer trusted), a poll for the leader position, like polling in the network, can be performed among the verified vehicles in the platoon. The successor can take over control of the platoon, or the V2X app will immediately notify the platoon members to take over the steering wheel, especially in such an emergency. For fake location claims, including collusion, we have another option to evaluate the credibility of the collected information: path prediction from historical information, e.g., the last location reported by that vehicle. As vehicles have limited moving speed, the temporal and spatial differences between two adjacent reported locations also indicate the credibility of the claimed location.
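The three plausibility checks described above (speed-limited gap between adjacent reports, deviation from the predicted path, and the threat zone) can be combined as in the following added example, which is not code from the thesis. It substitutes a constant-velocity prediction for the UKF, and the `Report` layout, the speed bound and the sample values are assumptions made for illustration.

```python
import math
from dataclasses import dataclass
MAX_DEVIATION_M = 3.0   # allowed deviation; the text's example value (3 m)
THREAT_ZONE_M = 100.0   # threat-zone range; the text's example value (100 m)
MAX_SPEED_MPS = 45.0    # assumed physical speed bound, not from the text

@dataclass
class Report:           # hypothetical report layout in a local map frame
    t: float            # timestamp (s)
    x: float            # claimed position (m)
    y: float
    vx: float           # claimed velocity (m/s)
    vy: float

def predict(prev, t):
    """Constant-velocity prediction from the last report (UKF stand-in)."""
    dt = t - prev.t
    return prev.x + prev.vx * dt, prev.y + prev.vy * dt

def check_report(prev, cur, platoon_xy):
    """Return the plausibility flags raised by the newly claimed report."""
    dt = cur.t - prev.t
    if dt <= 0:
        return ["non_monotonic_timestamp"]
    flags = []
    # Temporal/spatial gap between adjacent reports vs. limited vehicle speed.
    if math.hypot(cur.x - prev.x, cur.y - prev.y) / dt > MAX_SPEED_MPS:
        flags.append("implausible_speed")
    # Claimed position vs. the position predicted from the vehicle's history.
    px, py = predict(prev, cur.t)
    if math.hypot(cur.x - px, cur.y - py) > MAX_DEVIATION_M:
        flags.append("trajectory_deviation")
    # Sender must lie inside the threat zone of at least one platoon vehicle.
    if min(math.hypot(cur.x - mx, cur.y - my) for mx, my in platoon_xy) > THREAT_ZONE_M:
        flags.append("outside_threat_zone")
    return flags

# Constructed sample data: platoon members' sensed positions at t = 1.0 s.
PLATOON = [(30.0, 0.0), (10.0, 0.0)]
PREV = Report(0.0, 0.0, 0.0, 30.0, 0.0)
SAMPLES = {
    "honest": (PREV, Report(1.0, 30.0, 0.5, 30.0, 0.0)),
    "drift": (PREV, Report(1.0, 30.0, 4.0, 30.0, 0.0)),
    "jump": (PREV, Report(1.0, 90.0, 0.0, 30.0, 0.0)),
    "far": (Report(0.0, 500.0, 0.0, 30.0, 0.0), Report(1.0, 530.0, 0.0, 30.0, 0.0)),
}
if __name__ == "__main__":
    for name, (prev, cur) in SAMPLES.items():
        print(name, check_report(prev, cur, PLATOON))
```

The "drift" sample moves at a plausible speed yet leaves the predicted path by 4 m, which corresponds to the faulty-sensor or evasive-steering case that only the trajectory check catches.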
In the following subsection, we sequentially detail the principles of such calibration methods: (1) Vehicle maneuver prediction for misbehavior detection, and (2) Assistive signal-based verification.