Yufeng Li, Qi Liu, Weihua Zhuang, Yiqing Zhou, Chenhong Cao, Jiangxing Wu
For connected automated vehicles (CAVs), safety and security are two interrelated critical issues since many in-vehicle components are both safety critical and security critical. To achieve both safety and security in the presence of functional failures or cyberattacks, this article proposes a dynamic heterogeneous redundancy (DHR) scheme for CAVs. The basic idea is that each safety- and security-critical in-vehicle component should employ a DHR architecture, which is constructed by multiple heterogeneous executors with the same function. With redundancy, the functional safety can be achieved when one executor fails. Meanwhile, based on the principle that the probability is extremely low that two or more heterogeneous executors with the same function will fail for the same vulnerability, security can be ensured by using simple consensus mechanisms to detect abnormal executors caused by any cyberattacks. A DHR prototype has been designed and installed on an automated bus. Test results show that the proposed DHR is effective in enhancing both safety and security for CAVs.
Recent years have witnessed rapid progress in software and electronic innovations in the automotive industry. As a result, CAVs have proliferated with increasingly high levels of connectivity and automation. Although automated vehicles have powerful perception and behavioral capabilities, facilitating many useful and convenient services, they face serious safety risks and security threats.
Vehicles are safety-critical systems whose failure can result in loss of life. A modern CAV can be viewed as a computer on wheels that contains more than 100 million lines of software code and is expected to have around 300 million lines of code by 2030 [1]. Even with mature software development processes, the deployed code still has a high density of bugs, usually ranging from two to five bugs per 1,000 lines of code. Therefore, it is challenging to achieve functional safety for automated vehicles.
Moreover, such a large number of unknown bugs makes CAVs vulnerable to security attacks due to the increasing connectivity. CAVs may be attacked via various interfaces, including short-range and long-range wireless interfaces, such as Bluetooth, remote keyless entry, radio-frequency identification, Wi-Fi, GPS, and satellite radio [2]. For example, an attacker can steal information from a SmartGate-enabled Skoda car while in the range of the in-car Wi-Fi [3]. The attacker may also attack through indirect physical access, exploiting the onboard diagnostics port or the entertainment systems [2].
To make vehicles safe, existing mechanisms employ active safety technologies, including automated driving systems with automated braking and adaptive cruise control, as well as passive safety technologies, such as crumple zones, seat belts, and airbags. Meanwhile, to make vehicles secure, traditional security mechanisms employed in the Internet are applied to CAVs, such as authentication, detection, and cryptography [6].
Recently, CAV safety and security have been considered simultaneously through a collaborative analysis framework integrating the standard ISO 26262 [7], the SAE J3061 guidebook [8], and security standard ISO/SAE 21434 [4]. The framework first analyzes the automated vehicle’s failures and attacks. Then, traditional safety and security countermeasures can be adopted correspondingly when developing automated vehicles. Since safety and security countermeasures are usually investigated independently, safety countermeasures may weaken security, and vice versa. To harmonize the conflicts between safety and security, many works in the literature on safety and security coengineering for CAVs are proposed that aim to identify, assess, and manage risks related to both safety and security.
Unlike the existing works, in this article we propose a smart DHR scheme to enhance the safety and security of CAVs at the same time. The basic idea of DHR is to employ a heterogeneous redundancy architecture for both safety- and security-critical in-vehicle components via multiple heterogeneous executors with the same function. With sufficient redundancy, the functional safety can be achieved when one executor fails. Meanwhile, with an extremely low probability that two or more heterogeneous executors with the same function will fail for the same flaw [10], security can also be ensured by employing a simple consensus mechanism of multiple executors to detect the abnormal component caused by cyberattacks. Without the need to know the attack characteristics of threats, the proposed smart DHR scheme is robust to both known and unknown vulnerabilities and attacks. We have implemented a prototype of DHR on an automated bus and conducted two test cases to validate the effectiveness of the DHR architecture against both safety risks and security risks.
To effectively enhance both the safety and security of CAVs, the relationship between safety and security is explored. A new taxonomy of in-vehicle components in CAVs is proposed based on their safety/security attributes, which is the basis for developing a joint safety and security mechanism.
Safety and security have been developed into different disciplines over the years, owing to their distinct communities and different design tools or methods. For vehicles, safety usually refers to functional safety, which is to prevent mistakes of the core functions of a vehicle or, in a worst case, to protect the occupants and other persons involved from harm. Safety risks are accidental. The ISO 26262 standard provides procedures and methods for the proper design, development, and manufacturing of electric vehicle systems to ensure functional safety. Security, on the other hand, refers to the cybersecurity of systems against external attacks. Security risks are malicious. The Society of Automotive Engineers (SAE) released the first security guidebook SAE J3061 [8] for cyberphysical vehicle systems. The later-published ISO 21434 [4] uses the principles of SAE J3061 to define the requirements related to cybersecurity risk management for road vehicles that include electrical and electronic systems. In summary, safety is about preventing events caused by accidental hazards (e.g., carelessness, hardware failures, and natural phenomena), whereas security is about repelling intentional attacks.
Traditional vehicles focusing on local vehicle control manage only safety risks. However, CAVs are fully connected systems. In addition to traditional safety risks, they face a high risk of network security attacks. In fact, their safety and security are interrelated. As shown in Figure 1, the in-vehicle components of a CAV, such as the advanced driver assistance system (ADAS) and the automotive telematics box (T-Box), can be both safety critical and security critical. Security attacks on these components can lead to CAV functional failures and cause safety problems. The ADAS is an active safety mechanism that employs automated technologies to detect nearby obstacles or driver errors and responds accordingly. Attackers can deceive the ADAS to make wrong decisions by projecting or setting fake environmental information, such as fake pedestrians or lane markers projected on a road by a projector-equipped drone [9]. This can place the vehicle and its occupants in a dangerous situation. The T-Box is a connected-car-standard terminal that delivers multiple online applications, such as remote monitoring, remote control, and remote diagnosis. Severe destruction may occur to the environment and property when these CAV components fall into the wrong hands through cyberattacks.
Figure 1 The scope of safety-and-security-critical components will constantly expand. ADAS: advanced driver assistance system; T-Box: automotive telematics box.
We propose a new taxonomy to divide all in-vehicle components into three groups based on different safety/security attributes: pure safety-critical components, pure security-critical components, and safety-and-security-critical components.
Pure safety-critical components and pure security-critical components can be protected by existing safety and security mechanisms. However, the safety-and-security-critical components often face the dilemma that strengthening safety weakens security, and vice versa. Therefore, an effective solution should be developed to achieve both safety and security at the same time.
A DHR scheme is proposed for CAVs to achieve both safety and security. Based on the “relatively correct” axiom [10], when multiple heterogeneous systems of different software and hardware perform the same task at the same time and in the same place, the possibility of failure caused by the same flaw is extremely low. This possibility is related to the number and heterogeneous degree of the systems. The most consistent results of the multiple heterogeneous systems are relatively correct.
Heterogeneity means that two functionally equivalent executors are different in structural design; it describes the differentiation between two executors, which generally ensures that similar attacks on two executors will not cause completely consistent failure. Diverse redundancy can effectively reduce the probability of common cause failures.
In detail, the proposed DHR scheme employs multiple heterogeneous executors to accomplish the function of a safety-and-security-critical component. According to [5], for two executors with different underlying chips, operating systems, and upper-level applications, the probability that they will fail for the same flaw is generally less than $10^{-4}$. When an inconsistency of the executors’ output is detected, the consistent output of most executors is taken as the correct output, and the abnormal executor is detected, i.e., a “consensus mechanism” is applied. Then, the abnormal executors will be replaced by the normal executors with the same function.
The proposed DHR-based joint safety and security system is shown in Figure 2. It contains an input agent, an executor set, an arbiter, a feedback controller, and a component pool.
Figure 2 A defense system based on the DHR architecture.
The input agent distributes tasks to the executor set, which consists of multiple heterogeneous executors with the same function. For example, the perception and decision unit (autopilot module) of a CAV can be chosen as an executor, which performs fundamental functions in safety-and-security-critical components.
The arbiter judges the consistency of the executors’ outputs according to the consensus mechanism. Given the replacing instruction generated by the arbiter, the feedback controller determines whether to choose a normal executor from the component pool to replace the abnormal executor. For a complex system, an arbiter (essentially software) can itself be made diversely redundant to maintain high reliability. The component pool consists of multiple functionally equivalent heterogeneous executors.
The outputs of the executor set can be divided into two groups: inconsistent and consistent groups. Based on these outputs, a smart DHR scheme is proposed as follows. Without loss of generality, take three executors E1, E2, and E3 in the executor set as an example.
In Group 1 with inconsistent outputs, two subsets are considered. The first subset has two inconsistent outputs, one from E1 and the other shared by E2 and E3. This may indicate two possible situations. In the first case, E1 has failed; the consensus mechanism detects it as the abnormal executor, and it is replaced by a functionally equivalent heterogeneous executor from the component pool. In the second case, E1 is normal, but E2 and E3 fail with consistent output. Then E1 will be taken as failed according to the consensus mechanism and replaced by a new executor E4 from the component pool. However, when E4 works, its output is again inconsistent with that of E2 and E3. The DHR mechanism detects this abnormality and replaces E2 or E3 randomly. Then, the output of the executor set is the same as that in the first case.
The second subset has three inconsistent outputs; i.e., the outputs of E1, E2, and E3 are different from each other. In this case, no consistent output can be generated. None of E1, E2, or E3 can be taken as reliable, and they are not employed anymore. A new executor, E4, in the component pool will be scheduled and become the only working executor. At the same time, E1 through E3 will be checked and fixed offline. Afterward, they can be added to the executor set.
In Group 2, all of the executors (E1, E2, and E3) generate a consistent output. Thus, no abnormal executor is detected. But E1–E3 may all work normally or all fail. To solve this problem, the DHR mechanism periodically replaces an executor in the executor set when the outputs of all executors are consistent. The replacement cycle of the system depends on both its software and its hardware. Then, the output of the executor set is the same as that in the first subset of Group 1 or as that in Group 2.
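As an added example that is not the paper's code, the following Python arbiter implements the three-executor consensus rules of Groups 1 and 2 above, including the second-case detection in which a freshly swapped-in executor again disagrees with the same pair. Executor names, the rotation period, and the rule that a no-consensus set runs the fresh executor alone until the others are restored are assumptions made here for illustration.

```python
"""Constructed DHR arbiter for a three-executor set (illustration, not the paper's code).

Rules applied each cycle to one output per active executor:
  Group 1, first subset : two agree, one differs -> majority wins, odd executor swapped out;
                          if the swapped-in executor disagrees with the same pair again,
                          the pair is suspect and one of its members is swapped out at random.
  Group 1, second subset: all outputs differ -> no consensus; all three go offline and one
                          pool executor runs alone until the others are restored (assumption).
  Group 2               : all agree -> accepted; after `rotation_period` consistent cycles one
                          executor is rotated out to break silent common-mode failure.
"""
import random
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple


class DHRArbiter:
    def __init__(self, active: List[str], pool: List[str], rotation_period: int = 100, rng=None):
        self.size = len(active)
        self.active = list(active)
        self.pool = list(pool)
        self.offline: List[str] = []
        self.rotation_period = rotation_period
        self.rng = rng or random.Random(0)
        self.consistent_cycles = 0
        # (executor swapped in, pair it was swapped in against) from the last first-subset swap
        self.last_swap: Optional[Tuple[str, frozenset]] = None
        self.log: List[str] = []

    def _swap_out(self, name: str, reason: str, to_offline: bool = True) -> Optional[str]:
        """Remove `name` from the active set and bring in the next pool executor, if any."""
        self.active.remove(name)
        new = self.pool.pop(0) if self.pool else None
        (self.offline if to_offline else self.pool).append(name)
        if new:
            self.active.append(new)
        self.log.append(f"{reason}: {name} -> {new or 'none (pool empty)'}")
        return new

    def decide(self, outputs: Dict[str, Any]) -> Optional[Any]:
        """One arbitration cycle; returns the agreed output or None when there is no consensus."""
        assert set(outputs) == set(self.active), "outputs must come from exactly the active executors"
        if len(self.active) == 1:                          # degraded single-executor mode
            return outputs[self.active[0]]
        majority, votes = Counter(outputs.values()).most_common(1)[0]
        if votes == len(self.active):                      # Group 2: all consistent
            self.consistent_cycles += 1
            self.last_swap = None
            if self.consistent_cycles >= self.rotation_period:
                self.consistent_cycles = 0
                self._swap_out(self.rng.choice(self.active), "periodic rotation", to_offline=False)
            return majority
        self.consistent_cycles = 0
        if votes == 1:                                      # Group 1, second subset: all differ
            self.offline.extend(self.active)
            self.active = [self.pool.pop(0)] if self.pool else []
            self.log.append(f"no consensus: set taken offline, {self.active} runs alone")
            self.last_swap = None
            return None
        # Group 1, first subset: a majority of two against one
        odd = next(n for n, v in outputs.items() if v != majority)
        pair = frozenset(n for n in outputs if n != odd)
        if self.last_swap == (odd, pair):
            # Second case: the fresh executor still disagrees with the same pair -> pair suspect
            self._swap_out(self.rng.choice(sorted(pair)), "pair suspect")
            self.last_swap = None
        else:
            new = self._swap_out(odd, "abnormal executor")
            self.last_swap = (new, pair) if new else None
        return majority

    def restore(self, name: str) -> None:
        """Return an executor that was checked and fixed offline, refilling the active set."""
        self.offline.remove(name)
        self.pool.append(name)
        while len(self.active) < self.size and self.pool:
            self.active.append(self.pool.pop(0))
```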
The proposed DHR scheme aims to achieve integrated safety and security. In CAVs, safety risks are usually due to design defects, and security threats come from vulnerabilities. Both design defects and vulnerabilities can cause abnormal behaviors of executors. The DHR scheme can detect abnormality by the consensus mechanism, and the system can restore to normal states by replacing the abnormal executors. Note that the DHR scheme can detect both unknown design defects and vulnerabilities as long as they cause abnormality.
The operation of the DHR scheme can be modeled by a continuous-time Markov chain (CTMC), which characterizes the transitions between different states of the system. In the following, we first derive the steady-state probabilities of the CTMC, which represents the probability that the system is in various states. Then, we analyze the performance of the DHR scheme based on the steady-state probabilities of the CTMC.
In terms of performance criteria, since both functional failures and cyberattacks will affect the system operation, and CAV functional changes can pose a threat to human life, it is essential for a CAV to maintain normal functions. Hence, the probability that a CAV can remain in normal operation under functional failures and/or cyberattacks is of main concern and is referred to as the system functional availability (SFA).
Taking one function with three executors as an example, the SFA can be derived based on the CTMC. First of all, given three executors, all possible states of DHR are listed in Table 1. An executor has an abnormal output when a failure happens. From state 1 to state 4, no more than one executor fails. In these cases, an abnormal executor can be detected by the consensus mechanism, and the consistent output of the majority of executors is taken as the correct output to make the system work normally. States 5–13 transit to states 1–4 under the proposed DHR scheme. Therefore, the SFA of the DHR scheme can be obtained as the sum of the steady-state probabilities of states 1–4.
Table 1 States of DHR with three executors E1, E2, and E3.
The CTMC model of DHR is shown in Figure 3, which contains all of the states and state transitions of DHR. Note that states 1 and 11 belong to Group 2, and the rest of the states belong to Group 1. Specifically, states 2, 3, and 4 are the first case in the first subset of Group 1, while states 5, 7, 9, and 12 are the second case in the first subset of Group 1. States 6, 8, 10, and 13 are the second subset in Group 1.
Figure 3 The CTMC model for DHR with three executors.
An important parameter of the CTMC is ${\lambda}_{i}$, which represents the rate of general disturbances, such as cyberattacks and functional failures, on executor i. Moreover, we define the consistent rate of abnormal output, ${\sigma}$, as the probability that the abnormal outputs of two executors are the same when failures happen. Since the heterogeneous degree is difficult to quantify, ${\sigma}$ is used to represent the heterogeneous degree. The lower the value of ${\sigma}$, the higher the heterogeneous degree. Another important parameter of the CTMC is ${u}_{j}{(}{j} = {0},{1},{2},{3}{)}$, which represents the recovery rate to the normal state from an abnormal state with j inconsistent outputs. Specifically, ${u}_{0}$ represents the recovery rate when the system has no inconsistent outputs, i.e., three consistent abnormal outputs, as illustrated by the directed arc from state 11 to state 1 in Figure 3; ${u}_{1}$ represents the recovery rate when one executor becomes abnormal and is driven back to normal state 1 by DHR, as illustrated by the directed arcs from states 2, 3, and 4 to state 1 in Figure 3; ${u}_{2}$ represents the recovery rate when the system has two consistent abnormal outputs, as illustrated by the directed arcs from states 5, 7, 9, and 12 to state 1; ${u}_{3}$ represents the recovery rate when the system has three inconsistent abnormal responses, as illustrated by the directed arcs from states 6, 8, 10, and 13 to state 1.
According to the properties of a Markov chain, each steady state occurs with a certain probability. Let ${P}_{i}$ denote the steady-state probability of the system in state i, and ${\vec{P}}_{n} = {[}{P}_{1} \quad {\cdots} \quad {P}_{13}{]}^{T}$ be the steady-state probability vector at time n. We have ${\vec{P}}_{{n} + {1}} = {Q}^{T}{\vec{P}}_{n}$, where ${Q}^{T}$ is the state transition probability matrix. Assuming that the system works properly at the beginning, the initial value of the probability vector is given by ${\vec{P}}_{0} = {[}{1},\,{0},\,{\ldots},\,{0}{]}^{T}$. Given the rates of general disturbances at all executors, i.e., ${\lambda}_{1},{\lambda}_{2}$, and ${\lambda}_{3}$, the steady-state probability for each state can be derived. Thus, the SFA can be obtained as the summation of the steady-state probabilities of states 1–4.
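As an added example that is not the paper's code, the following Python builds a 13-state generator matrix from ${\lambda}_{i}$, ${\sigma}$, and ${u}_{j}$, solves the global balance equations for the steady-state vector, and sums states 1–4 to obtain the SFA. The page gives the state groupings but not the arcs of Figure 3, so the transition structure (which state numbers hold which executor combinations, and how a third disturbance splits between consistent and inconsistent outcomes) is an assumption made here; the rate values are constructed and are not those of Table 2.

```python
"""Constructed CTMC for a three-executor DHR set and its SFA (illustration, not the paper's model).

Assumed state numbering, following the page's groupings:
  1        all normal                       (available)
  2, 3, 4  only E1 / E2 / E3 abnormal       (available: majority still correct)
  5, 7, 9  two abnormal with consistent output, pairs (1,2) (1,3) (2,3)
  6, 8, 10 two abnormal with inconsistent output, same pairs
  11       three abnormal, all consistent   (undetectable; recovers only at u0)
  12       three abnormal, two consistent   13  three abnormal, all different
Assumed arcs: a disturbance on executor k at rate lambda_k; a new abnormal output agrees with
one given abnormal output with probability sigma; recovery to state 1 at u1/u2/u3/u0.
"""
from typing import Dict, List

AVAILABLE = (1, 2, 3, 4)
PAIRS = {5: (1, 2), 7: (1, 3), 9: (2, 3)}      # consistent abnormal pairs
INCONS = {6: (1, 2), 8: (1, 3), 10: (2, 3)}    # inconsistent abnormal pairs


def build_generator(lam: List[float], sigma: float, u: Dict[int, float]) -> List[List[float]]:
    """Generator matrix Q (1-based states mapped to 0-based rows); rows sum to zero."""
    assert 0.0 <= sigma <= 0.5, "third output matches either of two different outputs w.p. sigma each"
    n = 13
    Q = [[0.0] * n for _ in range(n)]

    def add(i: int, j: int, rate: float) -> None:
        Q[i - 1][j - 1] += rate
        Q[i - 1][i - 1] -= rate

    for i in (1, 2, 3):
        add(1, 1 + i, lam[i - 1])                      # first executor fails
        add(1 + i, 1, u[1])                            # detected, swapped, back to normal
        for j in (1, 2, 3):
            if j == i:
                continue
            pair = tuple(sorted((i, j)))
            cons = next(s for s, p in PAIRS.items() if p == pair)
            inc = next(s for s, p in INCONS.items() if p == pair)
            add(1 + i, cons, sigma * lam[j - 1])       # second failure agrees with the first
            add(1 + i, inc, (1 - sigma) * lam[j - 1])  # second failure differs
    for s, (i, j) in PAIRS.items():
        k = ({1, 2, 3} - {i, j}).pop()
        add(s, 1, u[2])
        add(s, 11, sigma * lam[k - 1])                 # third agrees -> all consistent
        add(s, 12, (1 - sigma) * lam[k - 1])
    for s, (i, j) in INCONS.items():
        k = ({1, 2, 3} - {i, j}).pop()
        add(s, 1, u[3])
        add(s, 12, 2 * sigma * lam[k - 1])             # third matches one of the two
        add(s, 13, (1 - 2 * sigma) * lam[k - 1])
    add(11, 1, u[0])
    add(12, 1, u[2])
    add(13, 1, u[3])
    return Q


def solve_linear(A: List[List[float]], b: List[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting (pure Python, no numpy dependency)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        M[col] = [x / p for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0.0:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def steady_state(Q: List[List[float]]) -> List[float]:
    """Solve pi Q = 0 with sum(pi) = 1 by replacing one balance equation with normalisation."""
    n = len(Q)
    A = [[Q[j][i] for j in range(n)] for i in range(n)]   # transpose: column balance
    A[-1] = [1.0] * n
    return solve_linear(A, [0.0] * (n - 1) + [1.0])


def sfa(lam: List[float], sigma: float, u: Dict[int, float]) -> float:
    """System functional availability: steady-state mass of states 1-4."""
    pi = steady_state(build_generator(lam, sigma, u))
    return sum(pi[s - 1] for s in AVAILABLE)


# Constructed rates (per hour): six disturbances per hour per executor, fast swap of a single
# abnormal executor, slow periodic replacement for undetectable consistent failures.
RATES = {0: 0.1, 1: 6.0, 2: 1.0, 3: 2.0}
if __name__ == "__main__":
    for s in (0.05, 0.1, 0.2, 0.4):
        print(f"sigma={s:.2f}  SFA={sfa([6.0] * 3, s, RATES):.5f}")
```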
Simulations are carried out to verify the performance of the proposed DHR scheme. The software PIPE Stochastic Petri Net Package is used to simulate the CTMC model on a PC with an Intel i7 processor, 16 GB random-access memory, Windows 10, and Java JDK 8.0. Three executors are considered to execute the same function. We assume that the interarrival times of general disturbances and recoveries follow a negative exponential distribution [11], and we set ${\lambda}_{i}$ and ${u}_{j}$ to various values to simulate the arrival rate of general disturbances and the replacement rate of abnormal executors in the scenario illustrated in Figure 1. That is, in states 2, 3, and 4, the abnormal executor can be replaced with a functional component in $1/{u}_{1}$ h on average, while in states 5, 7, and 9, the system recovers to the normal state in $1/{u}_{2}$ h on average.
Since E1, E2, and E3 are functionally equivalent and play the same role in the simulation, we set ${\lambda}_{1} = {\lambda}_{2} = {\lambda}_{3} = {\lambda}$. Without loss of generality, the impact of ${u}_{1}$ on the SFA performance is investigated, while ${u}_{0},{u}_{2}$, and ${u}_{3}$ are set to fixed values. The impact of ${u}_{0},{u}_{2}$, and ${u}_{3}$ can be investigated in a similar way.
Table 2 gives the parameter values of the CTMC model. The general disturbances consist of functional failures and cyberattacks. According to [14], the random hardware fault probability is set to $10^{-8}$, and the average functional working time of the hardware is 8,000 h. Common cyberattacks in the in-vehicle network, such as flooding attacks, fuzzing attacks, and malfunction attacks, usually take 10 s to cause a fault or get control of the vehicle [15]. Thus, the average interarrival time of general disturbances, $1/{\lambda}_{i}$, ranges from 10 s to 10 h.
Table 2 Parameters of the CTMC model for smart DHR with three executors.
The recovery rate of the function is determined by the damaged hardware and software. Based on the recovery rate in communication equipment [11] and practical development experience, the recovery rates ${u}_{i},{i} = {0},{1},{2},{3}$, are set as in Table 2.
Figure 4 shows the SFA as a function of the consistent rate, ${\sigma}$, and the rate of general disturbance, ${\lambda}$. It can be seen that the lower the consistent rate, the higher the SFA. This happens because a lower ${\sigma}$ value means a higher heterogeneous degree among the executors. When ${\sigma}$ is lower, it is less possible that the multiple executors fail for the same flaw, and hence, the SFA is higher. It can also be seen that the lower the general disturbance rate ${\lambda}$, the higher the SFA. Overall, the DHR scheme is robust to disturbances with various consistent rate ${\sigma}$ values. Even with a strong general disturbance, such as flooding attacks that occur every 1/360 h [15], the SFA is still as high as 0.9997.
Figure 4 The SFA under different consistent rate ${\sigma}$ and general disturbance ${\lambda}$.
The SFA as a function of recovery rate ${u}_{1}$ and ${\lambda}$ is also investigated. The simulation results demonstrate that the faster the recovery rate ${u}_{1}$, the higher the SFA. A faster recovery rate means that the executor set can restore to the normal operational state in a shorter time, leading to a higher SFA. The smart DHR is robust to disturbances with various recovery rate ${u}_{1}$ values since, even with frequent general disturbances, such as once every 1/360 h on average, the SFA is still as high as 0.9994.
Moreover, we investigate the relationship between SFA and redundancy, i.e., the number of executors n in the executor set. When n is larger than 3, a simplified CTMC model can be employed to obtain the SFA of the DHR scheme [11]. The SFA is shown in Figure 5 as a function of redundancy with different values of disturbance rate ${\lambda}$. It can be seen that the SFA improves with redundancy, but the improvement reduces as redundancy increases. When the disturbance rate is no more than six times per hour, a redundancy with three executors is sufficient to provide a high SFA of 0.9997. However, when there is a high-rate attack occurring 60 times per hour, the SFA is degraded to 0.977. Hence, when the disturbance rate is high and a better SFA is needed, a redundancy of more than three should be considered.
Figure 5 The SFA under different redundancies and general disturbance ${\lambda}$.
A prototype has been developed based on the smart DHR architecture, where three L2 [12] ADASs are employed as executors, and there is one L2 ADAS in the component pool. The executor, L2 ADAS, is chosen because it is the most common CAV component in the market, with many heterogeneous suites available. Moreover, the L2 ADAS costs much less than the L3 and L4 ADASs. As shown in Figure 6, the first L2 executor consists of a radar and camera, implemented with Infineon platforms. The second L2 executor is implemented with a field-programmable gate array platform including cameras. The third L2 executor is based on lidars. Moreover, the L2 ADAS in the component pool is implemented with a Freescale platform with camera. The arbiter is built on a customized industrial control computer, running on an Ubuntu 18.04 operating system, equipped with an Intel Core i5-6500 2.5 GHz × 4 CPU. In the arbiter, three L2 ADASs are connected via a CAN bus. The DHR prototype has been deployed on the “All Star” autonomous electric minibus.
Figure 6 The field test under functional failure (one obstacle).
With DHR, the “All Star” bus not only can detect unknown failures and ensure functional safety, but also can detect unknown attacks to enhance security in the L2 functional domain. Two tests are conducted to validate the effectiveness of the proposed smart DHR. Each of the tests is set for 5 min. The arbiter detects any abnormality and makes a decision every 100 ms, and 3,000 decisions are made in 5 min. The benchmark system for comparison has only one executor, E3.
This test aims to validate the effectiveness of the smart DHR when experiencing functional failures. One obstacle was set on the road. In this test, E3’s instruction message is blocked to simulate the instruction-sending module’s functional failure.
E1 and E2’s perception results reported that there was one obstacle ahead and suggested braking. However, E3’s perception was empty because of the functional failure. The arbiter compared the outputs of the executors every 100 ms and chose the consistent output of the majority of executors as the final output. The arbiter detected the abnormality of E3, which was replaced with a normal executor from the component pool.
Therefore, with the DHR scheme, the obstacle could be detected, and the bus got around the obstacle, as shown in Figure 6. However, for the benchmark system with only E3, no obstacle was detected because of the functional failure. The benchmark system made a wrong decision, resulting in the bus hitting the obstacle.
This test aims to validate the effectiveness of the smart DHR in the presence of cyberattacks. No obstacle is set on the road. The test cyberattack is generated by an adversarial sensor, which targets lidar-based perception and tries to spoof obstacles close to the front of the “All Star” bus.
The attack equipment was constructed from a high-voltage power supply, a laser PCO-7114 drive plate, and an AFG3251 signal generator. The attack equipment spoofed a fake obstacle in front of the victim automated bus by transmitting laser signals to the victim’s lidar sensor [13]. The lidar sensor perceived a fake obstacle, leading to a wrong decision, such as braking, by the automated vehicle.
The perceptions of E1 and E2 were not spoofed since they are not based on lidar, and their decisions were consistent. However, the perception of E3 was inconsistent with the other two, reporting that there was one obstacle ahead and suggesting braking. With the DHR scheme, the arbiter could detect the abnormality of E3. Thus, E3 was replaced with a normal one from the component pool, and the attack no longer took effect.
In summary, with the DHR scheme, the perception results collected from the executor set reported that there was no obstacle ahead, and the decision was for the bus to keep moving forward. However, for the benchmark system with only E3, the abnormality of E3 was not detected, leading to a wrong decision, and the bus braked and stopped.
The tests provide a proof of concept of the proposed DHR architecture. Note that only one executor failed in the tests because of the functional failure or the cyberattack—the probability that multiple executors fail at the same time is extremely low because of the heterogeneity and dynamics of the DHR.
Although analysis and tests have demonstrated the effectiveness of the proposed DHR, there are still many open research issues.
The effectiveness of the proposed smart DHR scheme is closely related to the configuration and performance of the executors themselves. Proper DHR design can significantly improve the reliability and SFA performance [15], effectively defending against safety risks and security threats. It is challenging to obtain a relationship between the heterogeneous degree and the level of security and design an effective DHR structure accordingly.
The DHR employs multiple heterogeneous executors. One key challenge is how to synchronize these executors so that they can deliver output to the arbiter at the same time. The synchronization mechanism has inevitable human operation errors and algorithm errors, which will lead to a certain degree of deviation in the output of executors under normal circumstances.
The arbiter needs to detect inconsistent executors and make correct judgments based on their results. This is nontrivial since the judgments include not only binary decisions, such as whether the CAV should stop or not, but also decisions on numerical values, such as the CAV moving velocity.
Comprehensive modeling analysis is pivotal for safety and security, both to determine the riskiest scenarios and to select the most effective countermeasures. One key challenge is to choose reasonable mathematical models to describe the random functional failures and the cyberattack process with cumulative effect.
CAVs have many in-vehicle components that are both safety critical and security critical. However, they are usually investigated separately, resulting in the dilemma that safety mechanisms often weaken security, and vice versa. In this article, we propose a smart DHR scheme to enhance the safety and security of CAVs at the same time. Moreover, the DHR architecture can resist unknown vulnerabilities and defects. For safety, the DHR architecture employs a typical heterogeneous redundancy structure. For security, the DHR architecture uses a consensus mechanism to detect an abnormal component and eliminates threats through a dynamic reconstruction mechanism. Preliminary simulation and field test results provide a proof of concept. Further research is needed to realize the full potential of DHR in both the safety and security of future CAVs. There are many open questions in this area worth further exploring.
This work was supported by Henan Science and Technology Major Project (221100240100), the National Science Foundation of China (62002213), Shanghai Sailing Program (21YF1413800 and 20YF1413700), the Program of Industrial Internet Visualized Asset Management and Operation Technology and Products, Shanghai Science and Technology Innovation Action Plan (21511102500), and Jiangsu Provincial Key Research and Development Program under Grant (BE2021013-2). The corresponding authors are Yiqing Zhou and Chenhong Cao.
Yufeng Li (liyufeng_shu@shu.edu.cn) was born in 1976. He is a professor at the School of Computer Engineering and Science, Shanghai University, Shanghai 200444, China. His research interests include cybersecurity, broadband information networks, and high-speed router core technology.
Qi Liu (liuq@shu.edu.cn) is a Ph.D. candidate at the School of Computer Engineering and Science, Shanghai University, Shanghai 200444, China. His research interests include the safety and security of connected automated vehicles and privacy protection.
Weihua Zhuang (wzhuang@uwaterloo.ca) is with the Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON N2L 3G1, Canada, where she is currently a professor and a Tier I Canada Research Chair in wireless communication networks. She is a Fellow of IEEE and the Royal Society of Canada, the Canadian Academy of Engineering, and the Engineering Institute of Canada. She is a member of the Board of Governors and vice president-publications of the IEEE Vehicular Technology Society.
Yiqing Zhou (zhouyiqing@ict.ac.cn) is a professor at the State Key Lab of Processors, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China. She is also a professor of the University of Chinese Academy of Sciences and Zhongke Nanjing Mobile Communication and Computing Innovation Institute. She received several best paper awards from IEEE conferences and the 2014 Top 15 Editor Award from IEEE Transactions on Vehicular Technology (TVT). She was a cochair in the organizing committee or technical committee of several IEEE conferences. She is also serving as an associate/guest editor for several IEEE journals/magazines, including TVT. Her research interests include the convergence of communications and computing, heterogeneous wireless networks, and resource management.
Chenhong Cao (caoch@shu.edu.cn) is currently a lecturer at the School of Computer Engineering and Science, Shanghai University, Shanghai 200444, China. Her research interests mainly focus on the network and system of the Internet of Things, network measurement and security, and wireless sensing.
Jiangxing Wu (ndscwjx@126.com) is an academician with the China National Academy of Engineering and CEO of China National Digital Switching System Engineering and Technological R&D Center, Zhengzhou 450002, China. He also works as chairman of the major dedicated supervisory group for China’s 863 Hi-tech research program. He received his B.S. degree from the Institute of Engineering and Technology of the People’s Liberation Army in 1982.
[1] “Vehicle cybersecurity: Control the code, control the road,” Veh. Dyn. Int., Mar. 2020. [Online]. Available: https://www.vehicledynamicsinternational.com/features/vehicle-cybersecurity-control-the-code-control-the-road.html
[2] S. Checkoway et al., “Comprehensive experimental analyses of automotive attack surfaces,” in Proc. 20th USENIX Secur., San Francisco, CA, USA, 2011, p. 6.
[3] R. Link, “Is your car broadcasting too much information?” Trend Micro, Jul. 2015. [Online]. Available: https://www.trendmicro.com/en_us/research/15/g/is-your-car-broadcasting-too-much-information.html
[4] “Road vehicles - Cybersecurity engineering,” Standard ISO/SAE 21434, 2021.
[5] M. Garcia et al., “Analysis of operating system diversity for intrusion tolerance,” Softw., Pract. Exp., vol. 44, no. 6, pp. 735–769, Jun. 2014, doi: 10.1002/spe.2180.
[6] J. Li, H. Lu, and M. Guizani, “ACPN: A novel authentication framework with conditional privacy-preservation and non-repudiation for VANETs,” IEEE Trans. Parallel Distrib. Syst., vol. 26, no. 4, pp. 938–948, Apr. 2015, doi: 10.1109/TPDS.2014.2308215.
[7] “Road vehicles - Functional safety,” Standard ISO-26262, Dec. 2016.
[8] “Surface vehicle recommended practice - Cybersecurity guidebook for cyber-physical vehicle systems,” SAE International, Warrendale, PA, USA, Tech. Rep. SAE J3061, 2016.
[9] B. Nassi et al., “Phantom of the ADAS: Securing advanced driver-assistance systems from split-second Phantom attacks,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2020, pp. 293–308, doi: 10.1145/3372297.3423359.
[10] J. Wu, Cyberspace Mimic Defense. Cham, Switzerland: Springer, 2020.
[11] Q. Ren et al., “Multipath resilient routing for endogenous secure software defined networks,” Comput. Netw., vol. 194, Apr. 2021, Art. no. 108134, doi: 10.1016/j.comnet.2021.108134.
[12] SAE On-Road Automated Vehicle Standards Committee, Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles. Warrendale, PA, USA: SAE International, 2018.
[13] Y. Cao et al., “Adversarial sensor attack on lidar-based perception in autonomous driving,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., 2019, pp. 2267–2281, doi: 10.1145/3319535.3339815.
[14] F. Yang, “PMHF decomposition in ISO 26262,” Automot. Dig. (Chinese), vol. 2020, no. 2, pp. 58–62, 2020.
[15] B. I. Kwak, M. L. Han, and H. K. Kim, “Cosine similarity based anomaly detection methodology for the CAN bus,” Expert Syst. Appl., vol. 166, no. 21, Mar. 2021, Art. no. 114066, doi: 10.1016/j.eswa.2020.114066.
Digital Object Identifier 10.1109/MVT.2023.3263334