Keywords

1 Introduction

With ever increasing population in urban areas, traffic congestion management became one of the major issues in the big cities. Intelligent Traffic Systems (ITS) uses adaptive traffic control system to improve the way of managing traffic on road. ITS aims to introduce different innovative traffic management services to make road safe for the commuters, use the existing transport network efficiently and make the Traffic Management System (TMS) more coordinated by providing real-time and better dissemination of traffic information. Innovative technologies surrounding ITS are on the rise, valuing the Global ITS market at US$ 21,481.4 M in 2017, and projected to reach US$ 70,798.4 M by 2027, indicating a compound annual growth rate of 12.7% [1]. In ITS, different wireless communication methods (e.g., Dedicated Short Range Communication (DSRC) or cellular network) are being used to make the communication between vehicles and the road infrastructure. These wireless communication methods are vulnerable to different cyber-attacks. There are mainly four components in ITS: (a) On Board Unit (OBU), (b) Road Side Unit (RSU), (c) Vehicle Detector (VD), and (d) Signal Controller (SC). These components use wireless technologies in some point to communicate with each other. In last few years research on cyber-security of transportation systems was mainly focused on inter-vehicle communications. A number of security breaches have already been reported. An Argentinian security expert intruded into New York City’s wireless vehicle detection system and showed that control of the devices (e.g., RSU, OBU, VD, and SC) can be compromised. It also showed that attackers can also send malicious or corrupted data [2,3,4,5,6].

Existing and future ITSs have huge risk of cyber-attacks. Attacks on automated vehicles and ITSs will have huge economic impact and even risk of loss of human life. These presents a pressing need to develop an IDS for ITS. This has been compounded by the fact that traffic control systems will be need to interact and manage many robotic systems (e.g., driverless cars) in the future. Vehicle-to-vehicle and infrastructure communication is based on wireless communication and ad-hoc in nature. Since wireless technologies are vulnerable to many attacks, consequently, future ITS will be very susceptible to various types of attacks including cyber-attacks. For this reason, to minimise the impact of the attack and study the cybersecurity of traffic infrastructure, the National Cooperative Highway Research Program (NCHRP) proposed few new projects to introduce some steps to mitigate the impacts cyber-attacks on TMS [7, 8].

Though reported attacks on ITS currently are limited to attacks on computers in the traffic controller, safety cameras installed in the RSU, and processing units installed in the signals of the intersection, undoubtedly such attacks will be on the rise in future [9]. Up to our knowledge, there is no Instruction Detection System (IDS) available in the current literature to detect attacks on traffic signal units and ITS in general. In this paper, for first time we have proposed an IDS for ITS. Our proposed system can detect the attacks in the road sensors, traffic signals and local traffic controller. We have theoretically modelled our proposed system using the DS decision theory considering the evidential observations of vehicle flow rate at intersections and the phase time of traffic signal changes and their historical data recorded by transportation authorities. For the verification and validation of our IDS, we developed a simulation based on the traffic simulator called SUMO [10] using many real scenarios and the data collected by the Victorian Transportation Authority, Australia called VicRoads. Simulated results show our proposed system can successfully detect overall 91.92% of original (non-intruded) and 91% of intruded traffic signals. Therefore, our proposed IDS can successfully detect most attacks on the traffic signals with a very number of false alarms.

2 Intelligent Traffic Systems

ITS uses different types of detectors to detect number of vehicles, speed of the vehicle, and type of the vehicle. There are mainly two types of detectors named strategic detectors and tactical detectors. Strategic detectors are used to gather vehicle data to effectively use the signal phase time and tactical detectors gathers vehicle data to assist ITS make decision to set different state of the phase of any intersection, set the variable speed limit and cycle time of a traffic signal. Several driver assistance sensor systems installed in modern smart vehicles can communicate with the RSU to receive and provide information to increase road safety and smart traffic management. Communication technologies like the IEEE 802.11p standard is available in ITSs for V2V, V2I, I2I I2X and V2X communication [11, 12]. Different types of Adaptive traffic control systems (ATCSs) e.g., Sydney Coordinated Adaptive Traffic System (SCATS), OPAC, RHODES, ACS Lite and InSync [11, 13] have been developed to reduce travel time and congestion, In our study we have selected SCATS, as this one of the best ATCSs and used in approximately 37,000 intersections in 27 countries. A SCATS- compatible Traffic Signal Controller (TSC) collects vehicle information from many different methods. These methods are (i) Triangulation method, (ii) Vehicle re-identification, (iii) GPS based methods and (iv) Smartphone based rich monitoring. SCATS has different operation modes. They are (i) Master Link, (ii) Flexi Link, (iii) Isolated, (iv) Hurry Call and (iv) Manual Operation. Depending on the traffic condition and demand, SCATS can operate on any of these operation modes [13].

2.1 Attacks in ITS

In ITS, different signal controller units are used to communicate between the signals in adjacent intersections, maintain the phase time, cycle time, and the operational status provided by the central traffic controller. Road side sensor systems and different driver assistance sensor systems installed in the modern vehicles can communicate with the RSU to receive and provide information to increase road safety and smart traffic management. Communication standards like the IEEE 802.11p is available in ITSs for V2V, V2I, I2I I2X and V2X communication. Different types of Adaptive traffic control systems (ATCSs) e.g., Sydney Coordinated Adaptive Traffic System (SCATS), OPAC, RHODES, ACS Lite and InSync [11] use real time traffic data to optimize the cycle time of the traffic signals to reduce travel time and congestion [11, 12]. These systems are at risk of going under different types of cyber-attack based on their communication methods.

Researchers at the University of Michigan [13] shown that traffic control systems uses unencrypted wireless signals and default username and password to manage the traffic signals and traffic controller that controls the lights and walk signs. These can make the traffic signal and traffic controller system easy target for the hackers. Denial of Service attack Distributed Denial of Service attack on Vehicular Ad-hoc Network (VANET), ITS and TMS is possible by jamming communication channel, network overloading, and packets dropping [14, 15]. Fake data insertion, ransomware attack, rail network disruption and malware attacks in different ITS units were reported in different cities in the world [2, 17, 18]. These attacks cause huge traffic jam, financial loss, disruption to transport ticketing system and cyber threats to transport authority. Attacker can also use Sybil attack to provide misleading information to nearby vehicles or the road side traffic infrastructure [16]. GPS hacking can effect navigation of driverless cars, drones and automated emergency vehicles to send the vehicle to different location or provide false data to traffic controller. Data spoofing attack on even single vehicle can increase the total delay by as high as 68.1% which completely reverses the benefit of using the Intelligent Traffic Signal System (I-SIG) system (26.6% decrease) by U.S. Department of transportation and cause the mobility to be even 23.4% worse than that without using the I-SIG system [17, 22].

3 Proposed Intrusion Detection Method

3.1 Overview of the Proposed IDS

Our proposed model mainly monitors the status of current traffic signal, which is statistically determined considering the flow rate and the density of vehicles, and the signal phase time of that traffic signal.

To assess the whether the traffic signal is behaving as normal or unusual, the current status is compared and contrasted with the relevant status of that traffic signal derived from the corresponding historical data recorded by its TMS. The basic operating principle of the proposed model is shown in Fig. 1. To reduce the false alarms in detection, firstly, the proposed model checks whether there is any software or hardware malfunction. If the deployed mechanism signals no software or hardware malfunction, the model then further verifies whether the MAC address is registered in the system. If the MAC address is not registered, it sends a message to the controller system that the data is coming from an unauthorized sensor. Otherwise, our system checks whether the current observation data sufficiently deviates from the corresponding historical observation pattern. If it sufficiently deviates, it confirms that there is an intrusion in that traffic signal. However, there may be special events (e.g., sports, festival) occurring seasonally and/or periodically throughout the year, which may affect the signal. To reduce the impact of those special events, the relevant historical data for the similar time that were affected by those events are chosen in our proposed model. Our proposed model consists of mainly two parts – (i) monitoring the status of the traffic signal and (ii) evaluating the traffic signal to detect intrusion. Those components are described below.

Fig. 1.
figure 1

An overview of the proposed intrusion detection system. SW = Software and HW = Hardware

Full size image

3.2 Monitoring the Status of the Traffic Signal

The traffic signal is monitored in two phases. In the first phase, we use the MAC address of the sensors. People (e.g., hackers) can use external devices equipped with sensors to connect with the TMS network through wireless communication infrastructure to exploit the system vulnerability and alter traffic data. Therefore, in the first stage, we can verify whether the MAC address of a particular sensor belongs to the list of registered MAC addresses. This verification process ensures to detect where any unregistered sensor is attempting to send signal data raising suspicion. In the second phase, our proposed approach determines whether a registered sensor have been compromised. For this, we can exploit historical traffic pattern probability mass function that has not been manipulated by intruder at a particular time within a particular time window (e.g., from 08:00 am to 09:00 am on Monday).

In this project, since we aim to use historical data to monitor the status of a current traffic signal at a particular time, we collected all required and relevant data from Vic Road’s traffic data [19]. How the probability mass function of these data for a particular time window can be approximated, is detailed later.

For detecting the intrusion in this phase, we need to calculate continuous observed values of some signal attributes. For this project, we have chosen the observed value of the flow rate and phase time of a signal. This is because flow rate and phase time can be used to obtain additional green time for creating traffic signal disruptions or having illegal benefits. Other attributes (e.g., vehicle type, velocity, pedestrian count) are not significant as they are not so effective like flow rate and phase time to make major change in signal timing. Here, we need to use an inferencing method to assess the status (e.g., Normal or Abnormal) of a traffic signal. There are many methods available in the literature for inferencing such as Bayesian theory, rule based inferencing system and Dempster Shafer (DS) decision theory. We have chosen the DS decision theory because it is based on generalized Bayesian theory and provides distributing support for different propositions using temporal data. For our proposed model, the frame of discernment is defined as,

$$ {\text{H = }}\left\{ {{\text{N,}}\,{\text{A}}} \right\} $$
(1)

where, N and A represent the proposition of the current observation being Normal and Abnormal, respectively.

Since the flow rate and phase time are measured by respective individual sensor data, the belief function contributing over a particular preposition needs to be statistically measured for each sensor.

Let \( R_{il\tau } \) be the id of a sensor placed in Lane l of intersection \( i \) having sensor type \( \tau \), where, \( \tau = 1\,and\,\tau = 2 \) represent flow rate and phase time, respectively. Since we observe events such as flow rate and phase time of a particular intersection over time (e.g., the observed event in this case \( E_{\tau } \left( t \right) \) at time t at a particular day), we observe the data in a time window (e.g., 08:00 am–09:00 am) of a day considering working and non-working days, we need to use the probability mass function of the historical data corresponding to that time window of that day to find out the probability of a particular observation being normal. Therefore, the belief over proposition N using the DS theory can be defined as,

$$ Belief_{{R_{il\tau } \left( N \right)}} = \sum\nolimits_{{E_{\tau } \left( t \right) \subseteq {\text{N}}}} {m_{{R_{il\tau } }} \left( {E_{\tau } \left( t \right)} \right)} $$
(2)

where, \( R_{il\tau } , N,\,and\,E_{\tau } \left( t \right) \) are as defined before and \( m_{{R_{il\tau } }} \) is the probability mass function of sensor \( R_{il\tau } \). Note, Eq. (2) represents the lower bound of a confidence interval for estimating the status of proposition being N.

The upper bound of the confidence interval can be defined as,

$$ Plausibily_{{R_{il\tau } \left( N \right)}} = 1 - \sum\nolimits_{{E_{\tau } \left( t \right) \cap {\text{N}} = \emptyset }} {m_{{R_{il\tau } }} \left( {E_{\tau } \left( t \right)} \right)} $$
(3)

We have two types of evidences being continuously observed over time such as \( E_{F} \left( t \right) \) = flow rate and \( E_{P} \left( t \right) \) = phase time at time t. So for proposition N, the observation of both evidences can be fused based on the DS theory in the following way,

$$ \left( {m_{{R_{{il{\text{F}}}} }} \oplus m_{{R_{{il{\text{P}}}} }} } \right)\left( N \right) = \frac{{\mathop \sum \nolimits_{{E_{\text{F}} \left( t \right) \cap E_{\text{P}} \left( t \right) = {\text{N}}}} m_{{R_{{il{\text{F}}}} }} (E_{F} \left( t \right) m_{{R_{{il{\text{P}}}} }} \left( {E_{P} \left( t \right)} \right)}}{{1 - \mathop \sum \nolimits_{{E_{\text{F}} \left( t \right) \cap E_{\text{P}} \left( t \right) = \emptyset }} m_{{R_{{il{\text{F}}}} }} (E_{F} \left( t \right)m_{{R_{{il{\text{P}}}} }} \left( {E_{P} \left( t \right)} \right)}} $$
(4)

Either or both of the sensors can be compromised by the hackers. As mentioned before, to determine whether they have been attacked, individually or both, we can compare and contrast their observed values with their corresponding and authentic (e.g., not attacked or forged) historical values. This accentuates the development of probability mass function \( m_{{R_{il\tau } }} \) used in the DS theory based fusion approach defined in (4). The development of \( m_{{R_{il\tau } }} \) using the VicRoads’s historical traffic signal data uploaded Victoria’s state government website [19] is described in the following section.

3.3 Development of the Probability Mass Function

Special event usually happens in a particular period of a year. The occurrence of a special event can increase the likelihood of having unusual historical data than normal data during that specific timeframe. This implies that we need to use historical traffic signal data with and without the occurrence of events for both evidences. We calculated histograms and their corresponding best fit normal distribution curves of the historical data for both flow rate and phase time as below.

Without any event occurring, the histogram of the flow rate per hour and phase time on working Mondays from 08:00 am–09:00 am in 2017 and their corresponding best fit normal distribution curves of five different intersections are shown in Figs. 2(a)–(e) and 3(a)–(e), respectively. All of the figures for both flow rate and the phase time show that all probability mass functions are approximately normally distributed. This is vindicated by their corresponding well fitted normal probability mass functions for all curves as shown in the labels where μ and σ represent the mean and standard deviation of the respective best fit normal curve. Using the probability mass functions developed from the historical data, we need to calculate the probability of observed evidences (flow rate and phase time) which is described below.

Fig. 2.
figure 2

Histogram and the corresponding fitting normal curves of different flow rates of five different intersections (a) Intersection 1, (b) Intersection 2, (c) Intersection 3, (d) Intersection 4, (e) Intersection 5.

Full size image
Fig. 3.
figure 3

Histogram and the corresponding fitting normal curves of different phase time of five different intersections (a) Intersection 1, (b) Intersection 2, (c) Intersection 3, (d) Intersection 4, (e) Intersection 5.

Full size image

3.4 Calculating Probabilities of the Observed Evidences

In this section, we need to calculate the probabilities of the observed evidences for both flow rate and phase time, respectively. Since, as explained before, the probability mass functions are normally distributed, the probability of an evidence can be calculated as,

$$ m_{{R_{il\tau } \left( x \right)}} = \left\{ {\begin{array}{*{20}c} {1 - \mathop \int \limits_{0}^{z} \frac{1}{{\sqrt {2\pi } }}e^{{ - \frac{{x^{2} }}{2}}} dx} & { z \ge 0} \\ {1 - \mathop \int \limits_{z}^{0} \frac{1}{{\sqrt {2\pi } }}e^{{ - \frac{{x^{2} }}{2}}} dx} & {Otherwise} \\ \end{array} } \right. $$
(5)

where, z = (x−μ)/σ, \( x = E_{\tau } \left( t \right) \) for \( \tau = F\,or\,P \), and μ and σ are the mean and standard deviation of the probability mass function, respectively. Once the probability of a particular evidence is calculated, we use this to evaluate the status of the traffic signal which is described in the next section.

3.5 Evaluating the Traffic Signal to Detect Intrusion

To detect an intrusion in the traffic signal, we need to evaluate the status of the traffic signals. This status is used in our model to determine the normal behavior of a traffic signal based on the historical data. If we know the value of current events (e.g., \( E_{F} \left( t \right) \) and \( E_{P} \left( t \right), \) we can calculate their probabilities as \( m_{{R_{{il{\text{F}}}} (E_{F} \left( t \right))}} \) and \( m_{{R_{{il{\text{P}}}} (E_{P} \left( t \right))}} \) using (5) and the μ and σ of their corresponding probability mass functions. Then next, the probability of \( \left( {m_{{R_{{il{\text{F}}}} }} \oplus m_{{R_{{il{\text{P}}}} }} } \right) \) being N. If \( \left( {m_{{R_{{il{\text{F}}}} }} \oplus m_{{R_{{il{\text{P}}}} }} } \right) \ge {\O } \), the traffic signal is assumed to be normal, otherwise, it is intruded. The sensitivity and accuracy of our proposed depend on the value of Ø. However, in average case, Ø can be considered 0.5.

4 Performance Evaluation

4.1 Simulation Environment

We instigated our model on the Simulation of Urban Mobility (SUMO) and simulated using real road map on SUMO to weigh the intrusion detection performance of our model. The following parameters were considered while setting up the simulation environment.

Map:

We used the road map of Melbourne CBD and VicRoads’s real traffic data available in [19]. We have used five different intersections in Melbourne CBD.

Density and flow rate:

We selected the peak-time density and flow rate in our simulation using the traffic data from 08:00 am to 09:00 am Monday at five busy corners of Melbourne CBD. The density and flow rate of an intersection at time \( t \) were calculated in the simulation using a popular microscopic traffic model presented in [21].

Vehicle type and traffic distribution:

We considered mixed vehicle types where 65% vehicles were passenger vehicles, 20% delivery vans, 15% bus (both public and free shuttle services), 5% tram and some random pedestrians.

Car following model:

We used the Krauss car following model in our simulation. Krauss car following model considers that car follow gradual deceleration while braking [22].

Normal and intrusion scenarios:

For normal condition, the flow rate and phase time of an intersection for a particular scenario were derived for the simulation model (SUMO). In the simulation model, traffic distributions were initiated with the respective and non-compromised historical information of VicRoads online data [19]. For simulating intrusions to the traffic signals, flow rate of an intersection for a particular scenario was changed by intuitive induced phase time and vice versa. Either the flow rate or phase time was induced in such a way so that it remains within 68% to 95% confidence intervals in some scenarios and outside of 95% confidence intervals of the relevant historical data for the other scenarios.

4.2 Performance Metrics

We evaluated our intrusion detection results for all scenarios using the standard performance metrics widely used in event detection, such as specificity, sensitivity, F-score and overall accuracy.

4.3 Simulation Results and Analysis

We have tested 40, 41, 39, 42 and 44 scenarios for Intersection 1 to 5, respectively. As a representative sample, Table 2 shows the probabilities of signals being normal for 4 scenarios having various flow rates and phase time for each intersection. Since the initial and instantaneous traffic distributions were induced in the simulation from the corresponding historical data, our proposed method is able to successfully determine most of normal cases correctly with the exception of a few cases. Where in the simulation SUMO created normal traffic condition that deviates largely from historical value, our model detected those scenarios as false negative. This happened because if the traffic condition deviates highly from historical data, it can make disruption in normal traffic management.

If the induced flow rate/phase time is taken within 68% to 95% confidence intervals, for the short time (e.g., 1 or 2 cycles) attacks, our proposed IDS fails to detect intrusion. This is because since the induced flow rate/phase time is within 68% to 95% confidence intervals, the probability of a signal being normal becomes high (e.g., 0.525), which is greater than the threshold Ø = 0.5 used in making decision whether a signal is normal. This is not a major issue as short time intrusion cannot create considerable disruption in the traffic signals. However, in this case, if the intrusions prevail over a long time (e.g., longer than 2 cycles), our proposed method can successfully detect them. The reason is that long time intrusions can create disruption among all adjacent intersections, which has been clearly reflected in our simulation. This eventually reduces the probability value of signal being normal considerably. Our proposed method can successful detect all intrusions if the induced flow rate/phase time is taken outside of 95% confidence interval. Because of the higher value, it can create considerable disruption among all closed by intersections, yielding the low value of the probability of a signal being normal (e.g., 0.024). Our proposed system produced 18, 18, 17, 19 and 19 true positives (TPs), 19, 20, 19, 20 and 20 true negatives (TNs), 2, 1, 1, 1 and 3 false positives (FPs) and 1, 2, 2, 2 and 2 false negatives (FNs) for Intersections 1 to 5, respectively (Table 1).

Table 1. Probabilities of signal being normal
Full size table
Table 2. Performance metrics
Full size table

For Intersection 5, the number of FPs (3) is slightly higher than that of the other intersections because for this intersection, the historical data used to generate traffic in SUMO for the specific time period (08:00 am to 09:00 am, Monday) during which an event occurred. This created more deviations compared with other intersections for the flow rate and phase time obtained from SUMO from their corresponding historical data distributions for the same events occurred in that time period throughout a year. Here, TN refers to a normal condition is detected as normal, FN represents a normal condition is detected as intrusion, TP means an intrusion is detected as intrusion and FP indicates an intrusion detected as normal. The specificity, sensitivity, F-score and accuracy of our proposed IDS for all intersections are shown in Table 3. These TP, TN, FP and FN are used to calculated sensitivity (true positive rate) and specificity (true negative rate). Our simulation result shows that we have high accuracy (91.74%) of detecting hacking even though some of the attacking data were for very small period of time.

5 Conclusion

In this paper, we have introduced a model to detect an intrusion in ITSs for the first time. Our proposed IDS can detect any anomaly of traffic flow or signal phase time that can make considerable disruption in traffic system. Our model is based on the estimation of probability mass functions of traffic flow and phase time from the historical data collected from an ITS and fusion of those variable using DS theory. To test the efficacy of the system, we developed a simulation model considering the real traffic flow rate, density and signal phase time using the real map of Melbourne CBD and the historical data provided by VicRoads. The simulation model is built on SUMO, a known road traffic simulator, and we created various traffic signal scenarios including induced intrusions by making either flow rate or phase time or both intentionally shorter or longer than their designed permissible durations. We assessed the performance of the IDS using the standard performance metrics such as specificity, sensitivity, F-Score and accuracy. Our proposed system can achieve detection accuracy of 91.03% and 92.58% for intruded and normal traffic conditions, respectively. Currently our system misses intrusion when the intrusion duration is very short, i.e., 1 or 2 cycles time. The reason being, such short interruption does not have any noticeable impact on the traffic system and hence on the collected traffic data to show sufficient deviation from normal signal. Future ITSs will have driverless vehicles, smart road infrastructure and various sensors wirelessly connected to TMS, which will attract researchers to work on detecting the vulnerability of future ITSs.