Cybersecurity Threats in Connected and Automated Vehicles based Federated Learning Systems
Ranwa Al Mallah, Godwin Badu-Marfo, Bilal Farooq

Abstract — Federated learning (FL) is a machine learning technique that aims at training an algorithm across decentralized entities holding their local data private. Wireless mobile networks allow users to communicate with other fixed or mobile users. The road traffic network represents an infrastructure-based configuration of a wireless mobile network where the Connected and Automated Vehicles (CAV) represent the communicating entities. Applying FL in a wireless mobile network setting gives rise to a new threat in the mobile environment that is very different from the traditional fixed networks. The threat is due to the intrinsic characteristics of the wireless medium and is caused by the characteristics of the vehicular networks such as high node-mobility and rapidly changing topology. Most cyber defense techniques depend on highly reliable and connected networks. This paper explores falsified information attacks, which target the FL process that is ongoing at the RSU. We identified a number of attack strategies conducted by the malicious CAVs to disrupt the training of the global model in vehicular networks. We show that the attacks were able to increase the convergence time and decrease the accuracy of the model. We demonstrate that our attacks bypass FL defense strategies in their primary form and highlight the need for novel poisoning resilience defense mechanisms in the wireless mobile setting of the future road networks.
Ranwa Al Mallah is with the Laboratory of Innovations in Transportation, Ryerson University, ON, Canada.
Godwin Badu-Marfo is with the Laboratory of Innovations in Transportation, Ryerson University, ON, Canada.
Bilal Farooq is with the Laboratory of Innovations in Transportation, Ryerson University, ON, Canada.

I. INTRODUCTION

Federated learning (FL) is a machine learning technique enabling the training of an algorithm across multiple distributed entities holding their local data private. The technique makes it possible to address issues such as data privacy, security and access rights. However, despite the advantages, there are still critical challenges in applying FL to emerging wireless mobile networks, e.g. Connected and Automated Vehicles (CAV) based intelligent transportation systems (ITS) [1].

Due to the characteristics of wireless systems, limited spectrum availability, and noise levels, the channel capacity available is much lower than in wired networks. Moreover, interference and noise have a higher impact on the design of the wireless systems. Security is also a greater concern in the wireless systems since information is being exchanged in free space. On the other hand, mobile and wireless systems are not the same even though there is considerable overlap. In fact, mobile networks need to provide additional support for routing and location management. This gives rise to new challenges in terms of the optimal use of low bandwidth channels, application-level quality of service support, and increased cybersecurity concerns.

The road traffic network represents an infrastructure-based configuration of a mobile and wireless network on which CAVs travel, use regulated frequencies, and have access to the bandwidth to communicate. Unlike mobile phones that communicate through a high-speed network, CAVs exchange V2X messages with unknown moving vehicles, Road Side Units (RSU), pedestrians, and cyclists with no prior association.
V2V messages enable vehicles to exchange information about their velocity, heading angle or position with other surrounding vehicles in order to prevent incidents or traffic conditions. Vehicle-to-Infrastructure (V2I) complements Vehicle-to-Vehicle (V2V) communications and enables RSUs to exchange information with the vehicle about traffic, work zones, bridges and road incidents. Vehicle-to-Pedestrian (V2P) enables the exchange of alerts from pedestrians to approaching vehicles. These technologies exchange packets called Basic Safety Messages (BSM) designed to contain no personal identifiable information, since anonymity of the sender must always be maintained. Vehicles and their drivers should remain untraceable in order to ensure privacy in ITS.

Recent reports identified highly practical wireless attacks on CAVs [2]. Some attacks target in-vehicle security and others target security of inter-vehicle communications [3], [4]. For instance, cyber-attacks on CAVs include impersonation, eavesdropping, stealing user private data, spoofing sensors, coordinated attacks on road side infrastructure or malware injection [5]. Security mechanisms to protect CAVs from unauthorized access, control and tampering are important to strengthen the ITS. However, currently, there is no security mechanism in place to validate and authenticate basic safety messages and ensure trusted communication among the random moving entities [6]. The United States Department of Transportation proposed a system where authorized participating vehicles use digital certificates issued by a certain authority to validate and authenticate basic safety messages by attaching these certificates to each message to ensure integrity, confidentiality and privacy of the communication [7]. However, although the system ensures who signed the certificate, among its many challenges is the fact that it is difficult to prove how correct or true the information sent from the vehicle is.
A corrupted device in the vehicle can result in false BSMs being exchanged even though the sender is trusted [8]. Consequently, awareness of the potential threats and the development of methods to proactively mitigate attacks are required in the vehicular networks.

Several Internet of things (IoT) architectures have been proposed with different middleware layers in a multi-layer stack representing physical objects, communication or service layer, cloud, and end user applications. Some studies proposed enhanced access control oriented architectures relevant to the smart vehicles and ITS [9]. In the field of mobile edge computing, frameworks assume that all data resources are transferred from IoT data collection devices, such as smartphones and connected vehicles, to computational infrastructure (high-performance servers) through cellular networks to perform their tasks [10]. However, this assumption about devices being connected to a high-speed network is not always acceptable as it only considers the problem of running FL in a cellular network used by different mobile devices. Vehicular networks are highly heterogeneous because vehicles may have a range of different communication technologies. Unfortunately, a direct application of existing FL protocols without any consideration of the underlying communication infrastructure of the CAVs will expose the FL process to cyberattacks. For instance, malicious entities may exploit vulnerabilities in the vehicular network in order to poison the training of the model with false inputs. The existing defense algorithms are more suitable to cloud assisted applications or data centers. However, real-time V2X edge supported cybersecurity is still missing.

FL is an active area of research and has been considered in the context of vehicular networks.
Recent work has started to address the classical problems in FL, such as privacy, large-scale machine learning, and distributed optimization. However, research on the cybersecurity issues related to FL in the context of vehicular networks has yet to be explored. In fact, in terms of security, similar to machine learning approaches in fixed networks, an attacker can surreptitiously influence the local training examples held by the user to manipulate the result of the model by embedding carefully designed samples to data-poison the FL process. Besides data poisoning, model poisoning attacks can also be performed and affect the convergence of the global model because of the malicious local model updates that the attacker may send back to the chief. In [11], FL has been analyzed through an adversarial lens to examine the vulnerability of the learning process to model-poisoning adversaries in a fixed configuration network setting.

In this paper, we aim at analyzing the vulnerability of the implementation of distributed stochastic optimization for large-scale deep neural network training in mobile wireless vehicular networks. We explore how the FL setting gives rise to a new type of threat in the mobile environment that is different from traditional fixed networks. This threat is due to the intrinsic characteristics of the wireless medium and is caused by the highly mobile nature of CAVs. We explore falsified information attacks which target the FL process that is ongoing at the RSU. We highlight a number of attack strategies on FL in this context. In fact, an attacker can compromise a vehicle and perform falsified information attacks. By continuously driving through the same street and performing a model poisoning attack, it can overcome the effects of other CAVs and disrupt the training of the global model. We then design an attack where a single CAV is able to declare multiple identities and perform a critical poisoning via model replacement at convergence time.
Because of the vulnerabilities in the environment of the FL process, our proposed attacks bypass classic defense strategies in their primary form. Already proposed defense techniques do not seem to fit the dynamic and random unknown CAV ecosystem, where vehicles are spread and move across a geographical area. Our attacks highlight that novel poisoning resilience defense mechanisms are urgently required in the mobile wireless settings.

This work is organized as follows: Section 2 presents a brief literature review. The FL protocol in a wireless mobile setting is presented in Section 3. The threat model and the attacks are illustrated in Section 4. In Section 5 we present the simulation environment and the results. Finally, concluding remarks and future outlook are in Section 6.

II. LITERATURE REVIEW

FL plays a critical role in supporting privacy-sensitive applications, where the training data are distributed at the edge [12]. Nikman et al. [1] discussed several applications of FL in wireless networks, especially in the context of 5G networks. Content caching and data computing at the edge of the wireless network is an approach to reduce back-haul traffic load. FL uses locally trained models rather than directly accessing the user data for content popularity prediction in proactive caching in wireless networks. Another application in the wireless mobile networks is the task of learning the activities of mobile phone users. The application can then expose a search mechanism for information retrieval or in-app navigation. Bonawitz et al. [13] proposed a production-level FL implementation, focusing primarily on the averaging algorithm running on mobile phones. Their system is conceived for mobile devices that have much lower bandwidth and reliability compared to data center nodes. Nishio et al. [10] focused on applying FL in different environmental conditions, such as cases where the server can reach any subset of devices to initiate a round, but receives updates sequentially due to the cellular bandwidth limit.

A. FL in wireless mobile networks
In the context of vehicular networks, a potential application of FL includes adapting in real-time to the traffic conditions with connected and automated vehicles. For instance, a fleet of CAVs may require an up-to-date prediction model of traffic, construction zone delays, or pedestrian behavior to safely operate. FL can help to train models that efficiently adapt to changes in these situations, while maintaining user privacy. Samarakoon et al. [14] proposed an FL model in the context of V2V communication. The work used FL to learn the distribution of the extreme events corresponding to the queue delays. Lu et al. [15] propose an approach that is built on top of the federated learning algorithm and long short term memory networks, and it demonstrates the effectiveness of driver personalization in connected vehicles as it predicts failures to ensure sustainable and reliable driving in a collaborative fashion. Shiva et al. [16] propose a communication efficient and privacy preserving federated learning framework for enhancing the TCP performance over WiFi of the Internet of Vehicles.

Unlike a distributed network of mobile phones acting under a service provider, CAVs form a complex distributed network where vehicles can randomly join and leave the network under no central entity. In the former, the concept of edge computing enables the system to learn from the training data that are distributed on the phones. The server in this setting is able to identify and authenticate the entities of its underlying network. When the edge users are CAVs of a vehicular network and the server is an edge computing platform, such as a road side unit, the type of attacks on the FL process will differ significantly from traditional distributed environments. Such a network thus requires fundamental advances in the area of cybersecurity.
B. Cybersecurity of FL in wireless mobile networks
Wi-Fi, WiMAX, Long-Term Evolution (LTE), Near-Field Communication (NFC), and Dedicated Short-Range Communications (DSRC) are among the communication technologies available for vehicular data communications. In reviewing the literature, several attacks on the communication network involving ITS were found [2]. In terms of privacy, there are various types of inference attacks, for instance, parameter inference, input inference, and attribute inference attacks, which can jeopardize the privacy of the vehicles. While privacy is an important aspect for many machine learning applications, FL is also vulnerable to cyberattacks that target the security of the system.

In terms of cybersecurity, attackers may perform data poisoning. Since in FL model weights are shared instead of the data, model poisoning attacks are also possible. The adversarial goal in the latter is to ensure that the global model converges to ‘sub-optimal to utterly ineffective models,’ while the defense aims at ensuring the convergence [17]. Among the defense strategies, secure aggregation mechanisms are proposed for distributed learning to ensure convergence. A very commonly used aggregation rule is averaging [18]. However, since linear combination rules give the adversary full control of the aggregated gradient, Chen et al. [19] proposed an alternate approach to select the vectors that minimize the sum of the squared distances to every other vector. In another work, Blanchard et al. [20] proposed to choose the vector that is the closest to its neighbors.

Other defense mechanisms used clustering to detect model updates that are different from what they should be. Rather than correcting, more recently, some solutions proposed measures designed to detect malicious workers by interpreting information about the worker’s behavior. Such an analysis can complement approaches that address the quality of the aggregation schemes. Preuveneers et al. [21] proposed a solution that supports the auditing of the local model updates where the entities in the FL process can be held accountable and have their model updates audited. Kang et al. [22] proposed a reputation-based scheme designed to select reliable and trusted users to participate in the training. However, these defense mechanisms are more realistic in a data center setting, where the entities are dedicated to a server, meaning that they are ready to extract their next task from the server immediately after sending the results of their previous task. In contrast, in wireless mobile federated networks and with the coexistence of dedicated short-range communication and cellular-connected vehicle-to-everything (c-V2X) in the same ITS band, each vehicle is free to join and leave the network and most vehicles are not active on any given iteration. Thus the FL vehicle training poses multiple novel challenges. To the best of our knowledge, no previous work has studied the effects of this more realistic node-centric communication scheme in which each vehicle can decide when to interact with the road side unit in an event-triggered manner. This paper exposes the key vulnerabilities of FL implementations in wireless mobile networks by proposing attacks that exploit the mobility of the connected and automated vehicles. The threat comes from CAVs exploiting the medium to perform model poisoning attacks on the FL model.

III. FL PROTOCOL IN A WIRELESS SETTING

Typically, the FL process consists of $K$ workers holding data samples $D_i$ locally, where $|D_i| = l_i$. The total number of data samples is $\sum_i l_i = l$. Each worker keeps its data private, i.e. $D_i = \{x^i_1, \ldots, x^i_{l_i}\}$ is not shared with the chief $S$ or any other worker $i \neq j, \forall j \in K$. The chief trains a model $f$ with $w_G \in \mathbb{R}^n$ being the global parameter vector, where $n$ is the dimension of the parameter space. The resulting global model is obtained by distributed training and aggregation over the $K$ workers.
The aim of the training is to generalize beyond a test dataset $D_{test}$. At each time step $t$, a random subset of $k$ workers is selected by the chief. Every worker $i \in |k|$ trains a local model to minimize a loss function over its own data $D_i$. The worker starts the local training from the global model $w_G^t$ received from the chief and runs an algorithm such as stochastic gradient descent for a number of $E$ epochs with a batch size of $B$. Each worker then obtains a local weight vector $w_i^{t+1}$ and then computes its local model update $\delta_i^{t+1} = w_i^{t+1} - w_G^t$. The local model update is sent back to the chief. To obtain the global model update $w_G^{t+1}$ for the next iteration, an aggregation mechanism is used: $w_G^{t+1} = w_G^t + \sum_{i \in |k|} \alpha_i \delta_i^{t+1}$, where $\alpha_i = l_i / l$ and $\sum_i \alpha_i = 1$.

In this paper, we consider a vehicular network where a roadside unit can take the role of the chief and the vehicles act as workers, as can be seen in Figure 1.

Fig. 1. Vehicles acting as workers in the FL process communicate using V2I with the chief implemented at the Road Side Unit.

However, the FL protocol, in the current form, is not quite suitable for wireless mobile networks and must be adapted. It does not specifically consider the mobility of the CAVs. Even the protocol described in [13] does not directly apply to vehicular networks. Bonawitz et al. described in detail the FL protocol in a wireless mobile environment where the workers are mobile phones. They considered ‘eligible for training’ phones that are idle, charging, and connected to an unmetered network such as WiFi. This is problematic for vehicular applications and cannot be expected from CAVs, which are envisioned to participate in the FL process while navigating on the road network. Most vehicular applications require real-time microscopic and macroscopic traffic variables to be extracted by the vehicles and it is the dynamic with the surrounding vehicles that will lead to superior modeling at the application level.
Offline training may introduce bias in the training and may lead to inferior models. Therefore, since the protocol proposed by Bonawitz et al. is not particularly configuration specific, we adapt it for the vehicular network under study.

FL Protocol for vehicular network:
• The RSU identifies an application and its learning problem and broadcasts the FL task to the vehicles in its coverage area. An FL task is a specific computation such as training to be performed with given hyperparameters, e.g. learning rate, batch size and number of epochs to run.
• Since some vehicles may be unwilling to participate in the training, vehicles that want to participate reply to the chief that they are ready to run the FL task.
• Vehicles must stay connected to the chief for the duration of the round. The chief can either consider all the vehicles announcing their availability as workers or select a subset and invite them to work on the FL task.
• The chief sends out instructions for how to execute the training task and the timing plan.
• Once a round is established, the chief then broadcasts the current global model parameters.
• Each selected worker then performs a local computation based on the global model and its local dataset, and sends a local model update back to the chief. A notable advantage of FL in this setting is that it does not rely on synchronization among the workers. Hence, even during a loss of connectivity between the vehicles and the RSU, vehicles can still build their local models and navigate; this is crucial in a very dynamic environment as long as the worker adheres to the time window in the timing plan.
• The chief waits for the participating workers to report their updates. As local model updates are received, the chief aggregates them using federated averaging. If enough workers report in time, the round will be successfully completed and the chief will update its global model, otherwise, the round is abandoned. The chief incorporates the updates into its global model, and the process repeats.

The optimal number of vehicles in a round as well as the integrity of the local model updates sent by the workers play a crucial role in the performance of the collaborative learning model. In fact, the overall training process can be compromised by some workers intentionally providing wrong local model update values to the RSU. The vehicles in this scenario are attackers as they thus aim to degrade the performance of the FL model by significantly affecting its convergence time. Current defense schemes are not quite suitable for vehicular networks because they do not consider the threats coming from the mobility of the CAV, which may cause severe degradation in the model training of the FL process.

IV. THREAT MODEL

The reliability of the applications of ITS is highly dependent on the quality of the data collected across the traffic network. In this paper, we describe a yet unexplored threat model that targets data integrity in federated learning.

In a normal FL setting, vehicles are able to continuously extract link level information and use it locally to participate, in a distributed manner, in the training of a global model. Vehicles travel the zone under the coverage of the RSU and then broadcast their local model update to the RSU, which is responsible for the aggregation in the FL process. RSUs are a core component in vehicular networks as they must authenticate, manage and update users and their transmitted messages. Therefore, a successful attack on an RSU can have a detrimental effect on its operations. This paper explores falsified information attacks, which target the FL process that is ongoing at the RSU.
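The averaging rule of Section III, beside the rule that Section II attributes to Chen et al. [19] (pick the update with the smallest sum of squared distances to every other update), worked through for one round with K = 10. This is an added example, not code from the paper; the dimension, noise level and update values are constructed, and it shows single-round arithmetic only, not the repeated-participation behaviour the paper studies.

```python
import math
import random


def fedavg(w_global, deltas, sizes):
    """Section III rule: w_G^{t+1} = w_G^t + sum_i alpha_i * delta_i^{t+1},
    with alpha_i = l_i / l."""
    total = sum(sizes)
    w_next = list(w_global)
    for delta, l_i in zip(deltas, sizes):
        alpha = l_i / total
        for d, value in enumerate(delta):
            w_next[d] += alpha * value
    return w_next


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def select_min_sq_distance(deltas):
    """Index of the update whose summed squared distance to all other
    updates is smallest (the selection rule described in Section II)."""
    scores = [
        sum(sq_dist(u, v) for j, v in enumerate(deltas) if j != i)
        for i, u in enumerate(deltas)
    ]
    return min(range(len(deltas)), key=scores.__getitem__)


def apply_selected(w_global, deltas):
    """Apply only the selected update to the global model."""
    chosen = select_min_sq_distance(deltas)
    return [w + d for w, d in zip(w_global, deltas[chosen])], chosen


def constructed_round(seed=7, dim=16, k=10):
    """Constructed data: k-1 workers report updates close to a common
    value, one worker reports parameters drawn at random."""
    rng = random.Random(seed)
    w_global = [0.0] * dim
    true_delta = [0.05] * dim
    deltas = [[t + rng.gauss(0.0, 0.01) for t in true_delta]
              for _ in range(k - 1)]
    deltas.append([rng.uniform(-1.0, 1.0) for _ in range(dim)])
    sizes = [100] * k  # equal l_i, so every alpha_i equals 1/k
    return w_global, true_delta, deltas, sizes


def compare_rules(seed=7):
    """Distance of each rule's new global model from the model the
    well-behaved workers agree on."""
    w_global, true_delta, deltas, sizes = constructed_round(seed)
    target = [w + t for w, t in zip(w_global, true_delta)]
    w_avg = fedavg(w_global, deltas, sizes)
    w_sel, chosen = apply_selected(w_global, deltas)
    return {
        "fedavg_error": math.sqrt(sq_dist(w_avg, target)),
        "selected_error": math.sqrt(sq_dist(w_sel, target)),
        "selected_index": chosen,
        "random_worker_share": sizes[-1] / sum(sizes),
    }


if __name__ == "__main__":
    for key, value in compare_rules().items():
        print(f"{key}: {value}")
```

With equal $l_i$ the random update carries weight $\alpha_i = 1/K$ in the average no matter how far it lies from the others, which is the "linear combination" weakness Section II refers to.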
Attack1. Standard falsified information attack
In the falsified information attack, compromised information is sent out by a malicious vehicle that is moving in and out of the zone under study very rapidly and thus continuously providing falsified real-time updates to the RSU. The zone under study represents the area where the RSU can receive messages. In this scenario, a single attacker designs malicious local model updates and sends them to the RSU to target the training of the model that is ongoing at the RSU. The adversary’s aim is to prevent convergence of the global model. This attack, if effective, represents a strategy that allows for maximum results with minimum effort due to the fact that it is not computationally expensive to execute. Also, this attack is hard to mitigate because the incoming messages may come from a legitimate vehicle having a valid, authenticated on board unit and having credentials to be considered an authorised vehicle. Moreover, a vehicle can impersonate a legitimate vehicle and launch falsified information attacks. An impersonation attack is the result of a man-in-the-middle attack where a vehicle intercepts messages exchanged through the traffic network looking for one with authentication information. Once the attacker has access to credentials of authorised vehicles, he uses them to impersonate authorised vehicles and launch the attacks. Algorithm 1 is implemented at the CAV and aims at conducting an untargeted model poisoning attack on a federated learning task that is ongoing at the RSU.
Input: Set of road segments under the coverage of the RSU, $RS_c$; Global Model, $GM_t$, parameters sent by the chief at iteration $t$ to the workers in its coverage area.
Output: Poisoned local model updates $LM_{i,t}$ sent by the CAV at iteration $t$.
Function Main():
    if Current segment is in $RS_c$ then
        Get $GM_t$ parameters;
        Reply to the chief to participate in training;
        if Instructions and timing plan received then
            Create $LM_{i,t+1}$ with random parameters sampled from a distribution;
            Send $LM_{i,t+1}$ to the chief;
        end
    end
Algorithm 1: Algorithm of the standard falsified information attack conducted by a single CAV on a federated learning process.
Attack2. Sybil attack
The Sybil attack can be seen as a variant of the falsified information attack, an evolved version of it. A Sybil attack consists in one vehicle creating fake vehicle identities and using them to broadcast local model updates that may compromise the FL process. In this scenario, the vehicle transmits multiple messages each with a different ID. The IDs could have been spoofed or stolen from compromised vehicles. This will enable the attacker to fabricate false messages and have a greater influence on the FL process. Since the FL protocol randomly selects vehicles to participate in the training each round, a Sybil attack would allow the attacker to increase its chances of being selected in the process. The increase in the number of malicious vehicles will potentially impact the training and shift the global model away from convergence. The attacker may perform a critical attack via model replacement at convergence time by simultaneously sending falsified local model updates. This strategy makes mitigation difficult because it is almost impossible to predict a potential malicious behavior as it happens suddenly by the group of Sybils. Algorithm 2 is implemented at the CAV and aims at conducting a Sybil attack on a federated learning task that is ongoing at the RSU.
Input: Set of road segments under the coverage of the RSU, $RS_c$; Global Model $GM_t$ parameters sent by the chief at iteration $t$ to the workers in its coverage area.
Output: Poisoned local model updates $LM_{j,t}$ sent by the CAV at iteration $t$.
Function Main():
    if Current segment is in $RS_c$ then
        Get $GM_t$ parameters;
        Generate set of Sybil nodes, $Syb$;
        for $j$ in $Syb$ do
            Reply to the chief to participate in training;
            if Instructions and timing plan received then
                Create $LM_{j,t}$ with random parameters sampled from a distribution;
                Send $LM_{j,t}$ to the chief;
            end
        end
    end
Algorithm 2: Algorithm of the Sybil attack conducted by the CAV on a federated learning process.
A. Threat Impact
Falsified information attacks can substantially degrade the performance of an FL process that relies on averaging to generate the global model. In Attack1, a persistent attacker will have an impact; in the Sybil attack, however, attackers aim at producing a larger attack impact and at the same time avoiding detection. By creating fake vehicle identities, the attacker is not only motivated by the greater scale of the attack, but is also seeking to hide it from intrusion detection systems that may raise alarms if the attack is originating from a single vehicle identity. It is worth mentioning that in the case of a Sybil attack, the number of fake identities generated onto a single traffic lane should adhere to the traffic flow capacity of the lane to avoid raising intrusion flags.
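Two RSU-side plausibility checks suggested by the behaviours described above, as an added example that is not part of the paper: a bound on distinct identities per lane per round, and a count of how often one identity re-enters the coverage zone. The record format, the jam spacing, the re-entry gap and the visit threshold are assumptions; only the 450 m link length comes from the paper, and the log records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    """One 'ready to run the FL task' reply seen by the RSU (assumed format)."""
    t: float          # seconds since the start of observation
    round_id: int
    link: str
    lane: int
    vehicle_id: str


LINK_LENGTH_M = 450.0   # maximum link length stated in the paper
JAM_SPACING_M = 7.5     # ASSUMPTION: road length one stopped vehicle occupies
REENTRY_GAP_S = 60.0    # ASSUMPTION: longer silence means the ID left the zone
MAX_VISITS = 3          # ASSUMPTION: visits tolerated per ID in the window


def lane_capacity(length_m=LINK_LENGTH_M, spacing_m=JAM_SPACING_M):
    """Largest number of vehicles that physically fit on one lane."""
    return int(length_m // spacing_m)


def over_capacity(records, capacity=None):
    """{(round, link, lane): n_ids} where distinct IDs exceed the lane bound."""
    capacity = lane_capacity() if capacity is None else capacity
    ids = defaultdict(set)
    for r in records:
        ids[(r.round_id, r.link, r.lane)].add(r.vehicle_id)
    return {k: len(v) for k, v in ids.items() if len(v) > capacity}


def visit_counts(records, gap_s=REENTRY_GAP_S):
    """Separate visits per (vehicle_id, link); a new visit starts after a
    silence longer than gap_s."""
    times = defaultdict(list)
    for r in records:
        times[(r.vehicle_id, r.link)].append(r.t)
    counts = {}
    for key, ts in times.items():
        ts.sort()
        counts[key] = 1 + sum(1 for a, b in zip(ts, ts[1:]) if b - a > gap_s)
    return counts


def repeat_visitors(records, max_visits=MAX_VISITS, gap_s=REENTRY_GAP_S):
    """IDs that keep leaving and re-entering the same link."""
    counts = visit_counts(records, gap_s)
    return sorted(k for k, n in counts.items() if n > max_visits)


def build_sample():
    """Constructed log: ordinary traffic, one looping ID, one crowded lane."""
    recs = []
    for i in range(40):  # ordinary vehicles, each seen in a single round
        recs.append(Announcement(30.0 * i, i // 10, "L12", 0, f"veh-{i:03d}"))
    for k in range(5):   # one ID returning every 200 s
        recs.append(Announcement(200.0 * k, k, "L12", 0, "veh-loop"))
    for j in range(75):  # 75 distinct IDs on one lane in one round
        recs.append(Announcement(1000.0 + 0.1 * j, 9, "L12", 1, f"id-{j:03d}"))
    return recs


if __name__ == "__main__":
    sample = build_sample()
    print("lane capacity:", lane_capacity())
    print("over capacity:", over_capacity(sample))
    print("repeat visitors:", repeat_visitors(sample))
```

A set of identities kept below the lane bound passes the first check, which is the evasion the paragraph above describes; the bound only caps how many identities one lane can plausibly contribute to a round.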
B. Attack Assumptions
The attacks can be driven by political incentives, financial gains or acts of terrorism carried out to cause damage to city functions. We assume that the attacker has sufficient resources and has full knowledge of the ongoing FL process. Moreover, before attacking the distributed training, the attacker is assumed to have performed sufficient reconnaissance by studying beforehand: the coverage area of the RSU, the appropriate timing to perform the attacks, which is specific to the FL process, the number of Sybil nodes to inject and the duration of the attack. In the Sybil attack, we assume that the attacker is only interested in manipulating the number of vehicles in one direction. In our experiments, deploying fake identities in opposite directions is not performed. Finally, the attack assumes the ability of the attacker to compromise the onboard unit of the vehicle in order to transmit malicious messages. This can be performed physically, wirelessly, or via malware [23].

V. SIMULATION AND RESULTS

We evaluate our attack strategies on the predictive model for link level speed, developed using a deep learning based time series model. Predicting speed on a road segment enables traffic managers to take early actions to control flow and prevent congestion. In [24], using the technological advancements related to CAVs, the authors trained a Long Short Term Memory (LSTM) deep network to predict speed on a link. In fact, the estimation of the parameters of the LSTM using data samples gathered at each vehicle is crucial for the prediction of link average speed. The authors modeled the average speed distribution using a central entity, the RSU, to compute and communicate with all the vehicles at each time step.
However, this centralized approach may be impractical because: (i) the excessive overhead needed to communicate with all the vehicles in the dynamic wireless mobile network will degrade the network-wide performance, and (ii) vehicles want to keep their data private by not sharing it with other vehicles, which warrants collaborative learning methods. Therefore, we propose the implementation of a distributed method for the predictive modeling of speed in a practical vehicular network. The solution is based on FL to train an LSTM model by allowing each vehicle to learn a local model individually using local observations that are never communicated to the RSU.
A. Simulation outline
Our experiments utilize downtown Toronto’s road network as it experiences high levels of congestion, specifically during the morning peak period. The road network covers 76 intersections and 223 links. The vehicular demand is provided by the Transportation Tomorrow Survey (TTS) for the 7:45am and 8:00am peak period for the year 2014. To extract realistic measurements at every second, we deployed a microscopic traffic simulator [25]. Vehicular characteristics are captured and used to estimate space mean link indicators.

We aim at training an LSTM network to predict the average link speed. The LSTM network consists of five hidden layers in a setting of three sequences of speed, density, and in-links speed. We tuned several hyper-parameters such as the learning rate, epochs, learning rate drop factor, momentum and the number of hidden units of the different layers. The FL protocol then iteratively demands vehicles to download this model from the RSU, update it with their local observations, and upload the updated model to the RSU. The RSU then aggregates the multiple model updates received by the vehicles to generate a global model in order to then repeat the process.
Fig. 2. Prediction accuracy of the LSTM model in a centralized setting.
B. Results
We present in Figure 2 the results for the centralized training of the LSTM at the RSU for the prediction of average speed. In this context, all vehicles upload via V2I their data samples to the RSU which estimates the global model. We show in the figure the prediction performance of the model in terms of Root Mean Square Error (RMSE) under the centralized setting. The RMSE value of the speed predictive model is tending to approximately 0.00475 kmh.

We then implement the FL protocol proposed in this paper for the vehicular application under study. Current FL algorithms such as federated averaging can efficiently utilize hundreds of devices in parallel even though many more may be available. In the vehicular network of our study, and specifically for the use case application considered, the topology of the network is dictating the maximum number of workers to be considered by the algorithm and does not require increased parallelism. In fact, the maximum link length is approximately 450 meters. The speed range is from 0 to 80 km/h. Under the free flow traffic condition, the maximum travel time required to traverse a link is around 0.8 minute. This bounds the number of workers to be considered with an upper bound corresponding to the maximum density on the link. We fixed the number of workers K = 10. In low density, when the number of vehicles travelling the road segment is K ≤ , all the agents are chosen at every round of training to ensure that a sufficient number of vehicles connect to the chief. Otherwise, 10 workers are chosen at random every iteration. This is important both for the rate of task progress at the chief and for the security properties of the secure aggregation protocol.
Also, it avoids excessive activity during peak hours without hurting FL performance. Moreover, our assumption holds because in a real-world deployment only a subset of vehicles is connected to the chief at any point in time: disconnections occur, and the rate of drop-out due to computation errors, network failures, or changes in eligibility is high in this setting. It is worth noting that the number of participating vehicles depends on the time of day and the road traffic condition. We run federated learning until a pre-specified test accuracy is reached or the maximum number of time epochs has elapsed.
We observe in Figure 3 that FL enables the proposed distributed method to estimate the average speeds on the segment with an accuracy that is almost equivalent to the centralized solution. The RMSE of the baseline curve is approximately 0.0044 km/h.
Fig. 3. Prediction accuracy of the LSTM model in a federated learning setting.
We also demonstrate in the same figure the vulnerability of federated learning to our attacks. Firstly, we show the impact of the falsified information attack on the FL process in terms of prediction accuracy, as reflected in the increased RMSE value of approximately 0.16 km/h for Single Attack. Although acting alone, the attacker was able to gradually increase the error on the prediction by continuously traversing the link and causing poisoning of the global model. Defense strategies aiming at correcting the aggregation rule cannot detect the malicious model update being continuously sent by this CAV because primarily it is not the model update that is malicious but the behavior of continuously sending irrelevant models that is malicious. The models sent by the attacker are fabricated to delay convergence because they do not contribute to the learning by actively training on a local dataset. Also, the CAV is allowed to traverse the road segment as often as it desires as long as it respects the speed limit.
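
To size the exposure created by the worker-selection rule described above, the following added example (not code from the paper) computes the probability that an attacker-controlled identity takes part in a training round. It goes beyond the single-vehicle case by also covering several identities held by one vehicle. The function names, the uniform-sampling model and the sample link densities are assumptions.

```python
import random
from math import comb

K = 10  # workers per round, as fixed in the paper

def select_workers(present, k=K, rng=random):
    """Paper's rule: everyone participates when at most k vehicles are on
    the link; otherwise k workers are drawn uniformly at random."""
    present = list(present)
    return present if len(present) <= k else rng.sample(present, k)

def p_selected(n, s=1, k=K):
    """Exact probability that at least one of s attacker-held identities is
    a worker when n identities are on the link (hypergeometric tail)."""
    if not 0 <= s <= n:
        raise ValueError("need 0 <= s <= n")
    if s == 0:
        return 0.0
    if n <= k:
        return 1.0
    return 1.0 - comb(n - s, k) / comb(n, k)

def simulate(n, s=1, rounds=20000, k=K, seed=0):
    """Monte Carlo check of p_selected using select_workers itself.
    Identities 0..s-1 are the attacker's (constructed sample data)."""
    rng = random.Random(seed)
    hits = sum(
        any(w < s for w in select_workers(range(n), k, rng))
        for _ in range(rounds)
    )
    return hits / rounds

if __name__ == "__main__":
    # Constructed link densities: light, moderate and peak traffic.
    for n in (8, 20, 40, 80):
        row = "  ".join(f"s={s}: {p_selected(n, s):.2f}" for s in (1, 2, 4))
        print(f"n={n:3d}  {row}")
```
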
Under low traffic densities, the attack is guaranteed to cause more damage to the performance of the global model because the protocol takes into consideration all vehicles available to participate and become workers in the FL process. Under higher densities, the corrupted CAV may not be selected by the chief and thus this attack may not cause a big impact on the system.
We also present in Figure 3 the impact of the Sybil attack. We proposed the Sybil attack to improve stealth and have the same CAV cause a bigger impact on the FL process. In the figure, we notice the increase in RMSE by 0.15 compared to the baseline and 0.04 compared to Single Attack. By fabricating fake vehicle identities, the CAV was able to conduct a single-shot attack that resulted in an increase in the error. This attack has severe consequences at both low and high densities since it increases the probability that the malicious CAV is chosen to participate in the FL process. Poisoning resilience defense mechanisms are urgently required as FL in its standard form is susceptible to such adversarial attacks. The threat to security comes from the mobility of the vehicles and must be mitigated. A key element in V2X communication is the ability for vehicles and RSU to effectively and efficiently communicate. In fact, constant message exchange must be conducted in real time, and since vehicles are constantly evaluating their environment and their position, real-time communication may be maliciously exploited. Methods to authenticate vehicles must be implemented in order to enable secure future V2X applications. Information from a CAV must be securely transmitted and compromised information sent out by a malicious vehicle must be immediately identified.
VI. CONCLUSION
In this paper, we explored the vulnerability of FL in the vehicular networks, where CAVs can take advantage of their mobility, the wireless medium and the privacy that FL is designed to provide to corrupt the global training of a model.
Our attacks demonstrate that FL in its standard form is vulnerable to mobile attackers exploiting the medium to perform model poisoning. Demonstrating robustness to attackers of the type considered in this paper is yet to be achieved. In future work, we plan to explore sophisticated defense strategies which can provide guarantees against the CAV attackers. In particular, encryption, localization, behavioral analysis and clustering may be promising detection mechanisms in this context.
REFERENCES
[1] S. Niknam, H. S. Dhillon, and J. H. Reed, “Federated learning for wireless communications: Motivation, opportunities, and challenges,” IEEE Communications Magazine, vol. 58, no. 6, pp. 46–51, 2020.
[2] M. Dibaei, X. Zheng, K. Jiang, S. Maric, R. Abbas, S. Liu, Y. Zhang, Y. Deng, S. Wen, J. Zhang et al., “An overview of attacks and defences on intelligent connected vehicles,” arXiv preprint arXiv:1907.07455, 2019.
[3] Z. Zorz, “Researchers hack BMW cars discover 14 vulnerabilities,” HelpNetSecurity, 2018.
[4] O. Solon, “Team of hackers take remote control of Tesla Model S from 12 miles away,” The Guardian, vol. 20, 2016.
[5] N. H. T. S. Administration et al., “Cybersecurity best practices for modern vehicles,” Report No. DOT HS, vol. 812, no. 333, pp. 17–20, 2016.
[6] M. Gupta, J. Benson, F. Patwa, and R. Sandhu, “Secure V2V and V2I communication in intelligent transportation using cloudlets,” IEEE Transactions on Services Computing, 2020.
[7] B. Kreeb and K. Gay, “Security credential management system (SCMS) proof of concept (POC),” US Department of Transportation, 2014.
[8] J. Williams, “Danger ahead: The government’s plan for vehicle-to-vehicle communication threatens privacy, security, and common sense,” 2017.
[9] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of things (IoT): A vision, architectural elements, and future directions,” Future Generation Computer Systems, vol. 29, no. 7, pp. 1645–1660, 2013.
[10] T. Nishio and R. Yonetani, “Client selection for federated learning with heterogeneous resources in mobile edge,” in ICC 2019-2019 IEEE International Conference on Communications (ICC). IEEE, 2019, pp. 1–7.
[11] A. N. Bhagoji, S. Chakraborty, P. Mittal, and S. Calo, “Analyzing federated learning through an adversarial lens,” in International Conference on Machine Learning. PMLR, 2019, pp. 634–643.
[12] T. Li, A. K. Sahu, A. Talwalkar, and V. Smith, “Federated learning: Challenges, methods, and future directions,” IEEE Signal Processing Magazine, vol. 37, no. 3, pp. 50–60, 2020.
[13] K. Bonawitz, H. Eichner, W. Grieskamp, D. Huba, A. Ingerman, V. Ivanov, C. Kiddon, J. Konečný, S. Mazzocchi, H. B. McMahan et al., “Towards federated learning at scale: System design,” arXiv preprint arXiv:1902.01046, 2019.
[14] S. Samarakoon, M. Bennis, W. Saad, and M. Debbah, “Federated learning for ultra-reliable low-latency V2V communications,” in . IEEE, 2018, pp. 1–7.
[15] S. Lu, Y. Yao, and W. Shi, “Collaborative learning on the edges: A case study on connected vehicles,” in USENIX Workshop on Hot Topics in Edge Computing (HotEdge 19), 2019.
[16] S. R. Pokhrel and J. Choi, “Improving TCP performance over WiFi for internet of vehicles: A federated learning approach,” IEEE Transactions on Vehicular Technology, vol. 69, no. 6, pp. 6798–6802, 2020.
[17] E. M. E. Mhamdi, R. Guerraoui, and S. Rouault, “The hidden vulnerability of distributed learning in Byzantium,” arXiv preprint arXiv:1802.07927, 2018.
[18] M. Abadi, P. Barham, J. Chen, Z. Chen, A. Davis, J. Dean, M. Devin, S. Ghemawat, G. Irving, M. Isard et al., “TensorFlow: A system for large-scale machine learning,” in USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2016, pp. 265–283.
[19] Y. Chen, L. Su, and J. Xu, “Distributed statistical machine learning in adversarial settings: Byzantine gradient descent,” Proceedings of the ACM on Measurement and Analysis of Computing Systems, vol. 1, no. 2, pp. 1–25, 2017.
[20] P. Blanchard, R. Guerraoui, J. Stainer et al., “Machine learning with adversaries: Byzantine tolerant gradient descent,” in Advances in Neural Information Processing Systems, 2017, pp. 119–129.
[21] D. Preuveneers, V. Rimmer, I. Tsingenopoulos, J. Spooren, W. Joosen, and E. Ilie-Zudor, “Chained anomaly detection models for federated learning: An intrusion detection case study,” Applied Sciences, vol. 8, no. 12, p. 2663, 2018.
[22] J. Kang, Z. Xiong, D. Niyato, Y. Zou, Y. Zhang, and M. Guizani, “Reliable federated learning for mobile networks,”