A. Adversarial Attacks on DRL-TSCs

The falsified data attacks generally designed with optimization techniques to identify which feature to perturb [6]. Similar to this analogy, the attack strategy in DRL targets DNN structures where policy of learning agent is calculated to find the minimum perturbation amount. There are two possible threat models for DRL-based TSCs; attack may be carried out in the cyber domain by directly accessing the input pipeline of DRL agent or attack may be launched over the communication network by releasing falsified data from actual devices or Sybil devices to mislead the learning agent. Since FGSM attack perturbs all the input features only a slight amount, this attack can be launched purely in the cyber-domain without considering physical traffic conditions by accessing the input gate of the DRL agent. On the other hand, JSMA adversarial attack selects specific feature dimensions to perturb based on the constructed saliency map. JSMA can achieve this by using compromised vehicles or creating Sybil vehicles to send falsified data to TSCs.

In order to assess the impact of these adversarial attacks on different DRL-based TSCs, we consider both value-based, namely Deep Q Network (DQN), and policy-gradient with actor-critic-based, advantage actor-critic (A2C), DRL algorithms. We simulate the following: (i) single-intersection TSC scenario trained with DQN and A2C approaches, and (ii) multi-agent grid like 4-intersection TSC scenario trained with A2C approach, referred to as MA2C-DRL. Since the black-box attack assumes attacker does not have access to the actual target DNN model, we trained a separate DRL agent with different traffic demands and DNN settings for black-box attack. All the experiments are performed using a realistic SUMO traffic simulator. Detailed analysis shows that DRL-based TSCs are vulnerable to cyber-attack with or without knowledge of the trained DNN models.

B. Defense Mechanisms Against Adversarial Attacks on DRL-TSCs

Adversarial attack surface for targeting DRL agents is very broad. Therefore protecting DRL agents against adversarial attacks is a challenging task. There are two general protection mechanism for DRL agents: (i) the agent builds a defense mechanism within the agent model that increases the robustness of DRL agent against the attacks, (ii) the agent is equipped with an external detection mechanism that detects the anomalies and raises an alarm. One possible mitigation strategy for external anomaly detectors is changing the controller model from learning-based one to another model such as max-pressure TSC [7] or actuated TSC [8]. Since gradient-based adversarial attacks such as FGSM and JSMA generally have a minimal perturbation on the data, it is also hard to differentiate adversarial samples from real samples with standard anomaly detectors.

Given the adversarial attacks FGSM and JSMA for single intersection and multi-intersection scenarios discussed in the previous subsection, we studied the performance of statistical anomaly detectors to detect even infinitesimally small anomalies. An ensemble anomaly detector that combines two sequential anomaly detection models and an autoencoder-based anomaly detection model with CUSUM-like detection model is evaluated on the gradient-based adversarial attacks. The experiments show that proposed ensemble sequential anomaly detection model achieves the best detection rate with different DRL agents and TSC scenarios.

C. Contributions

In this paper, we characterize the impact of two state-of-the-art adversarial attack models on DRL-TSCs and evaluate multiple statistical anomaly-based detection techniques. Our ensemble detection mechanism outperforms the other statistical anomaly detection models. The contributions of this paper can be summarized as follows.

• We demonstrate experimentally that both FGSM and JSMA adversarial attacks degrade the performance of DRL-based TSC agents as long as attack continues. White-box and black-box FGSM attacks have similar effects on TSC. However, black-box JSMA attack is less effective compared to white-box JSMA attacks.

• We developed and applied a sequential anomaly detection mechanism to the FGSM and JSMA adversarial attack on DRL-TSC scenarios with single intersection and multiple intersection models. The method combines multiple detection models in a computationally efficient method.

• The ensemble anomaly detection method is agnostic to both the model of the neural network policy and the type of adversary. Hence, the detection algorithm protects the DRL-TSC agents against different adversarial attack models.

• While different sequential anomaly detection models achieve the best performance on different attacks and DRL settings, our proposed ensemble model achieves the best detection performance on all the scenarios.

The rest of the paper is organized as follows. Section II discusses related work while Section III provides background for DRL learning agents and TSC settings. We present our adversarial attack models in Section IV and statistical anomaly detection model in V. We discuss our adversarial attack and defense results in Section VI and Section VII, respectively. Finally, Section VIII concludes the paper.

A. Security of TSCs

Initial studies on adaptive TSC methods are rule-based or threshold-based control methods where predefined values of different traffic parameters such as queue or delay can trigger adaptive rules [10]. Lately, many machine learning-based TSC control mechanisms have been proposed. One such approach leverages DNN in a RL agent referred to as DRL and applies it to a network of traffic intersections [2]. The performance of learning based TSCs are generally better than standard TSC controllers.

There are many security analysis papers in literature for different type of TSCs. In [11], the authors identified some of the underlying threats against TSCs and proposed a game-theoretic risk minimization model without specifying the type of TSC. The study assumes that attacker has access to the control center and manipulates the traffic lights directly. Security of single intersection and multiple intersection back-pressure based TSCs is studied in [12]. The same group later extended their study with multiple attack strategies with several protection algorithms [13]. With the advanced vehicular and communication technologies, vehicles expected to communicate with the TSCs through Vehicular Ad Hoc Network (VANET). The security vulnerabilities of such VANET-based TSCs are investigated without considering a signal control mechanism in [6] where adversary uses decision three ML model to find the optimum perturbation. Although machine learning-based, especially DRL TSCs, offer promising performance gain, their security vulnerabilities need to be studied carefully. Apart from TSCs, there are various other studies on assessing the vulnerability of different ML-based ITS control mechanisms. Autonomous vehicles need to have a perfect perception while driving. Hence, deep learning has been exploited to process high-dimensional data. Since securing autonomous vehicles against malicious activities is an important and challenging task [14], the effects of adversarial attacks on DNN structures are studied in [15] where LIDARs of autonomous vehicles are under attack.

B. Adversarial Attacks on DRL

There have been numerous studies on the adversarial attack models on the DNN policies of DRL agents. Adversarial attacks targeting DNNs are generally applicable to DRL agents. However, most of the DRL attack models are not applicable to DRL-TSC settings because it requires access to multiple parts of learning agent such as state, action and rewards and directly accessing the DRL-TSC components are challenging.

One of the earlier generative adversarial attack [16] targets the DNN classifier by perturbing the input data. The attack model is designed with constrained minimization approach using $L_{2}$ norm. Another constraint optimization adversarial attack for image classification task is proposed in [17]. Gradient-based adversarial attack models have promising results on DNN classifiers. Two well know gradient based adversarial attacks are FGSM [4] and JSMA [5] which deteriorate the performance of DNNs by crafting data input geared towards confusing the neural networks. These discussed adversarial attacks are know as the state of the art sequential adversarial attacks mainly proposed for DNNs.

Authors, in [18], presented a strategic attack reducing the number of attack times for DRL agents using random noise and FGSM attack strategies. With the transferability of neural networks, similar attack concepts can be extended to black-box attacks [19] and can target directly the DRL agents [20]. Since DRL agents estimate state values or policy values using DNNs, they are also vulnerable to adversarial attacks with white-box attack settings [21] and black-box attack settings [20]. A sequential adversarial attack for DRL agents is proposed in [22] in which adversarial samples are generated using adversarial transformer networks [23] on white-box attack strategy. Another strategic timing and target specific adversarial attack model for DRL agents is presented in [24]. The authors perturbed the input states selectively to reduce the visibility of attacker while achieving higher attack performance. Similar to our black-box attack settings, the authors in [25] injects perturbations from imitatively learned black-box model. There are also other adversarial attack models which are specific to application areas such as multi-agent robot interactions and path findings [26], [27].

C. Defense Models for DRL

There are multiple defense options for the DRL agents including adversarial training, defensive distillation and adversarial detection. Adversarial training idea trains the learning model with adversarial samples that makes the learning model more robust. Several adversarial training-based defense mechanisms exist in literature for DRL agents [18], [28], [29]. However, adversarial training is attack dependent and it is easy to fool the model with a different attack strategy. Another defense model is called defensive distillation that trains the DRL policy with a different DNN model and transfers pre-trained soft-max layer from the other trained model to increase the robustness of DRL agents [30]. However it is already proven that bypassing the defensive distillation method is easy with various techniques [17]. The other security model, which is more aligned with our proposed detection model, is adversarial detection that distinguishes the adversarial samples from the clean samples without modifying the DRL model. One of the earlier adversarial attack detection mechanism for DRL agents is proposed in [31] where a defense mechanism detects the adversarial samples and suggests alternative actions for the DRL agent instead of the wrong action. A DNN-based adversarial sample detection model for DNNs is presented in [32]. The adversarial samples are classified and rejected by DNN models using the autoencoder reconstruction error similar to the robust autoencoder model [33].

Statistical properties of input data are susceptible to divergence after the perturbation. The study in [34] analyzes two statistical distance measures, maximum mean discrepancy and energy distance, for detecting adversarial samples against several adversarial attacks including FGSM and JSMA. There are several adversarial detection models for DNN classifiers applicable to DRL agents [35], [36]. Sophisticated adversarial detection models for DRL agents are also proposed in literature [37], [38].

D. Summary

To date, there remains a limited understanding of the security vulnerabilities of learning-based ITS controllers and their impact on various operational performance metrics. In our paper, we experimented another research direction of ITS security where we characterize the security vulnerabilities of TSCs when implemented with DRL model and proposed a novel statistical detection model. Main-stream adversarial attack models continuously inject adversarial samples to the learning models and expects to fool the model quickly. To protect the DRL-TSC learning model we propose to use statistical sequential detection models with a novel ensemble detection algorithm that achieves the best detection performance in all cases.

A. Deep Reinforcement Learning

Reinforcement learning (RL) is a trial-and-error based learning algorithm where agent interacts with the environment and takes action to maximize cumulative reward. Mathematical formulation of RL is based on Markov Decision Process (MDP). In general RL agent interacts with the environment and receives a numerical positive reward (penalty if it is negative). Continuously observing the state of the environment defined by $s_{t}$ , taking action $a_{t}$ , and receiving reward (or penalty) from the environment $r_{t}$ , RL agent learns an action policy which defines how to behave by computing action value function $Q(s_{t},a_{t})$ after each iteration. In high dimensional environments, RL agent cannot estimate this action value functions easily. Through non-linear approximation, deep learning can easily estimate this function. Controlling RL agents with deep neural network based function approximations is called DRL. In this section, we explain how two popular DRL algorithms, DQN and A2C, work in the context of TSCs.

B. Deep Reinforcement Learning for TSC

In this section, we will discuss relevant DRL settings for single-agent and multi-agent settings. First, we will explain state, action and reward definitions, and then we will explain our collaboration technique for the multi-agent RL model.

In this application, the state of the environment is described as a vector of values for each incoming lane of the intersection. For one intersection, we created two valued vectors for each lane: one is average speed and the other is total number of vehicles. Position and speed of each vehicle can be collected from individual vehicles for calculating average speed and number of vehicles using V2I communication. Based on the information received from vehicles, the DRL agent in the TSC selects a green phase from among possible green phases. The TSC at a single intersection (such as Fig. 1) has four possible green phases: North-South Green (NSG), East-West Green (EWG), North-South Advance Left Green (NSLG), and East-West Advance Left Green (EWLG). Each selected green phase is executed after a yellow phase transition. With the objective of maximizing cumulative reward, a scalar reward is computed after each action (phase selection in this case). There are several reward definitions for TSC settings such as vehicle waiting time, cumulative delay, and queue length. In our DRL-based TSC, we used the change of the vehicle waiting time at an intersection for one cycle as a reward function.

FIGURE 1.

TSC is controlled with a DRL agent and an adversary that can attack the agent with falsified data which perturbs the input state. While adversary can input directly for FGSM attack, it can use compromised vehicles for JSMA attack.

Show All

As mentioned earlier, applying deep learning techniques to RL can help compute the action value functions more efficiently. For DRL models, designing a neural network structure for better performance is another critical step. Multi-layer perceptron (MP), i.e., the standard fully connected neural network model, is a useful tool for classic data classification. In this project, we used MP with 4 layers in DQN and 5 layers in A2C with relu and softmax activation functions for policy estimations of learning agents.

To test more general cases in DRL-based TSCs, we also studied a multiple intersection scenario with multi-agent A2C (MA2C) settings where the interaction among agents is necessary to reach a global optimal performance. In multi-agent settings, each agent updates its policy by including the current state and reward functions of neighbor TSCs as well to decrease the overall delay in traffic. For this purpose, global state is found with concatenation of the local states of neighboring intersections and reward is generated by summing the local rewards of neighboring intersections.

A. Fast Gradient Sign Method

A clever attack model, fast gradient sign method (FGSM) introduced in [4], calculates the gradient of the cost function with respect to DNNs to maximize the perturbation using the $L_{\infty }$ distance. Adversarial input is generated by adding generated adversarial data to the input state as follow: $$\begin{equation*} \eta ={\epsilon } * {\mathrm {sign}}(\nabla _{x}{J(\theta, \boldsymbol {x},a)})\tag{1}\end{equation*}$$ View Source\begin{equation*} \eta ={\epsilon } * {\mathrm {sign}}(\nabla _{x}{J(\theta, \boldsymbol {x},a)})\tag{1}\end{equation*} where $\epsilon$ is the attack magnitude, J is the cost function of DNN, and $\theta$ is the model parameters. $\nabla _{x}$ refers to the gradient of the cost function related to model input state $\boldsymbol {x}$ , and true action $a$ .

The FGSM attack designed to be fast and effective by generating infinitesimal perturbation that is close to the true input with perturbation parameter, e.g., $\epsilon =0.007$ . FGSM attack model is untargeted where the attacker does not specify the target action when FGSM is launched. The optimal perturbation $\eta$ satisfies $||\eta ||_{\infty } < \epsilon$ .

The perturbation amount $\eta$ is added to the input data $x$ : $$\begin{equation*} \boldsymbol {x}_{adv}=\boldsymbol {x}+\eta.\tag{2}\end{equation*}$$ View Source\begin{equation*} \boldsymbol {x}_{adv}=\boldsymbol {x}+\eta.\tag{2}\end{equation*}

In DRL-TSC, FGSM attack perturbs all the input features with very low values, therefore, launching this attack from the communication network requires to modify all the state dimensions that corresponds to each traffic lanes. The attack model assumes that the attacker has access to the input gate of DRL agents. By using this gate, an attacker perturbs the input state $\boldsymbol {x}$ right before it goes into the DNN where $Q$ values for each action is estimated. Launching FGSM with the black box settings is also possible. In this case, the attacker will not be able to access to the DRL agent directly, it only has access to the data pipeline of the DRL agent.

B. Jacobian-Based Saliency Map Attack

Another attack model, jacobian based saliency map attack (JSMA), utilizes forward derivative is presented in [5]. The intuition of JSMA attack is to find the influence of each state feature $\boldsymbol {x}_{i}$ to a specified output action $a$ and then perturb only those specified feature dimensions. This influence relies on the jacobian matrix of outputs with respect to each action taken by the DRL agent using the forward gradient of the DNNs to construct adversarial saliency maps.

The adversary can control which input feature to perturb with respect to constructed saliency maps to achieve the desired goal. In this attack model, an attacker selects a target action for the DRL agent where the output of the DNN is $Q$ values for each action. With a greedy mechanism, an action is selected from the DNN during the test phase with respect to given state $\boldsymbol {x}$ as: $$\begin{equation*} a_{t} = \mathop{\mathrm {argmax}}\limits _{a}{Q}(\boldsymbol {x},a)\tag{3}\end{equation*}$$ View Source\begin{equation*} a_{t} = \mathop{\mathrm {argmax}}\limits _{a}{Q}(\boldsymbol {x},a)\tag{3}\end{equation*} where $a_{t}$ refers to the selected action by the DRL agent at time $t$ .

In our case, an adversary tries to mislead the DRL agent to select a wrong action and for this purpose, the output $Q$ value for the desired action should be increased. The $Q$ values are the probabilities of corresponding actions. The adversary can increase the desired $Q$ values estimated through DNNs by using the saliency map: $$\begin{align*} S^{+}(x_{(i)}, a)=\begin{cases} 0\quad \text {if} ~\frac {\partial f(\boldsymbol {x})_{(a)}}{\partial x_{(i)}} < 0 ~\text {or} ~\sum \limits _{a' \neq a} \frac {\partial f(\boldsymbol {x})_{(a')}}{\partial x_{(i)}} > 0 \\ \left ({\frac {\partial f(\boldsymbol {x})_{(a)}}{\partial x_{(i)}} }\right) \left |{ \sum \limits _{a' \neq a} \frac {\partial f(\boldsymbol {x})_{(a')}}{\partial x_{(i)}}}\right |\quad \text {otherwise} \end{cases}\tag{4}\end{align*}$$ View Source\begin{align*} S^{+}(x_{(i)}, a)=\begin{cases} 0\quad \text {if} ~\frac {\partial f(\boldsymbol {x})_{(a)}}{\partial x_{(i)}} < 0 ~\text {or} ~\sum \limits _{a' \neq a} \frac {\partial f(\boldsymbol {x})_{(a')}}{\partial x_{(i)}} > 0 \\ \left ({\frac {\partial f(\boldsymbol {x})_{(a)}}{\partial x_{(i)}} }\right) \left |{ \sum \limits _{a' \neq a} \frac {\partial f(\boldsymbol {x})_{(a')}}{\partial x_{(i)}}}\right |\quad \text {otherwise} \end{cases}\tag{4}\end{align*} where $i$ is the input feature of state $\boldsymbol {x}$ , $a$ is the action corresponding to the input, and $a'$ is the other actions of DRL agent. In Equation 4, the first line of the expression rejects the negative target derivative with respect to action $a$ and positive derivatives with respect to other actions $a'$ of input state $\boldsymbol {x}$ feature $i$ . The second line of Equation 4 extracts the positive forward derivative of state $\boldsymbol {x}$ of feature $i$ given the action $a$ . Based on the constructed saliency map, an adversary selects which input feature to perturb in order to mislead the agent for selecting the wrong action. Higher $S^{+}(x_{(i)}, a)$ values mean the attacker can more easily determine if increasing this feature either increase the $Q$ value of the target action $a$ or decrease the $Q$ values of other actions. In the JSMA model, the attacker first selects which action to perturb randomly then based on that selected action it creates the saliency map. Using the saliency map the attacker finds the best features to perturb.

The threat model for JSMA attack is different from the FGSM attack. Since JSMA perturbs specific features based on the saliency map, it is possible to launch this attack by compromising the communication between vehicles and TSC units. In this attack model, an attacker can use compromised vehicles and/or Sybil vehicles to broadcast falsified information in order to increase or decrease the corresponding feature dimension values.

A. GEM-Based Summary Statistic

The Geometric Entropy Minimization (GEM) method defines an acceptance region for the offline training set based on the nearest neighbor statistics with respect to significance level $\alpha$ [40]. A GEM-based computationally efficient summary statistic extraction method using bipartite $k$ NN graph is presented in [41]. In the training phase, summary statistics extracted as described in the following.

We begin with randomly partitioning the anomaly free dataset $\mathcal {X}_{N}$ into two subsets ${\mathcal{ S}}_{1}$ and ${\mathcal{ S}}_{2}$ with sizes $N_{1}$ and $N_{2}$ where $N=N_{1}+N_{2}$ . Then, for each data point $\boldsymbol {x}_{j} \in {\mathcal{ S}}_{2}$ , we find the $k$ NN Euclidean distance $e_{j}$ from ${\mathcal{ S}}_{1}$ . Sum of the distances of $\boldsymbol {x}_{j}$ to its $n$ th nearest neighbor in ${\mathcal{ S}}_{1}$ can be denoted as: $$\begin{equation*} d_{j}= \sum _{i=1}^{k} e_{j}(i). \tag{5}\end{equation*}$$ View Source\begin{equation*} d_{j}= \sum _{i=1}^{k} e_{j}(i). \tag{5}\end{equation*}

Once $\{d_{j}~:~\boldsymbol {x}_{j} \in {\mathcal{ S}}_{2} \}$ is computed and sorted in ascending order, we refer to this baseline set as $\boldsymbol {D}_{GEM}$ .

B. PCA-Based Summary Statistic

High dimensional observation may exhibit sparse data structure so the underlying independent data dimension can be lower than the actual data dimension. When we represent data $\boldsymbol {x}_{j}$ in lower dimension as $\boldsymbol {y}_{j}$ , the remaining parts $\boldsymbol {r}_{j}$ is the residuals. Adversarial noise injected to the actual data is mainly represented in residuals $\boldsymbol {r}_{j}$ , hence the magnitude of the residuals $\| \boldsymbol {r}_{j} \|_{2}$ are expected to be higher than normal data. Recently a PCA-based online anomaly detection model is proposed in [42]. Based on this intuition, and the same partitioning strategy, we follow the PCA-based training steps for set ${\mathcal{ S}}_{1}$ .

1. Compute the sample mean $\overline {\boldsymbol {x}}$ and sample covariance matrix ${\mathcal{ Q}}$

2. Then, compute the eigenvalue $\{\lambda _{j}\,\,:\,\,j=1,2,\ldots, p\}$ and the eigenvectors $\{\boldsymbol {v}_{j}\,\,:\,\, j=1,2,\ldots, p\}$ of ${\mathcal{ Q}}$

3. Determine the dimension of $\boldsymbol {y}_{t}$ , $r$ , with respect to the desired level of data variance $\gamma$ ,

4. Form the eigenmatrix corresponding the largest $r$ eigenvalues $\lambda _{1,} \lambda _{2},\ldots, \lambda _{r}$ : $\boldsymbol {V} \triangleq [\boldsymbol {v}_{1}, \boldsymbol {v}_{2},\ldots, \boldsymbol {v}_{r}]$

5. Compute the residual term $\boldsymbol {r}_{j-PCA}$ for every sample $\boldsymbol {x}_{j}$ in set ${\mathcal{ S}}_{2}$ as follows: $$\begin{align*} \boldsymbol {y}_{j}=&\overline {\boldsymbol {x}} + \boldsymbol {V}\boldsymbol {V}^{T}(\boldsymbol {x}_{j}-\overline {\boldsymbol {x}}) \\ \boldsymbol {r}_{j-PCA}=&\boldsymbol {x}_{j} - \boldsymbol {y}_{j} \\=&(\boldsymbol {I}_{p} - \boldsymbol {V}\boldsymbol {V}^{T})(\boldsymbol {x}_{j}-\overline {\boldsymbol {x}})\tag{6}\end{align*}$$ View Source\begin{align*} \boldsymbol {y}_{j}=&\overline {\boldsymbol {x}} + \boldsymbol {V}\boldsymbol {V}^{T}(\boldsymbol {x}_{j}-\overline {\boldsymbol {x}}) \\ \boldsymbol {r}_{j-PCA}=&\boldsymbol {x}_{j} - \boldsymbol {y}_{j} \\=&(\boldsymbol {I}_{p} - \boldsymbol {V}\boldsymbol {V}^{T})(\boldsymbol {x}_{j}-\overline {\boldsymbol {x}})\tag{6}\end{align*}

6. Finally form the residual term vector $\boldsymbol {D}_{PCA}$ with $\{\| \boldsymbol {r}_{j-PCA} \|_{2}\,\,:\,\,\boldsymbol {x}_{j} \in {\mathcal{ S}}_{2} \}$ in ascending order.

C. Robust Deep Autoencoder Summary Statistic

A deep autoencoder-based noise and outlier extraction technique is proposed in [28] as an unsupervised Robust Deep Autoencoder (RDA) anomaly detection algorithm. The proposed RDA learns the normal data behaviors with a regularization penalty term using different norms. The idea of the RDA combines the powerful nature of the Robust PCA model [43] with autoencoders that recover low dimensional $\boldsymbol {y}_{t}$ iteratively by removing the residuals $\boldsymbol {r}_{t}$ from the data $\boldsymbol {x}_{t}$ .

The training procedure of the RDA-based summary extraction model starts with pre-training the model with the sample set ${\mathcal{ S}}_{1}$ . After pre-training the model with certain number of episodes, which is 10 in our experiments, RDA is trained with sample set ${\mathcal{ S}}_{2}$ and summary statistic $\boldsymbol {D}_{RDA} = \{\| \boldsymbol {r}_{j-RDA} \|_{2}\,\,:\,\,\boldsymbol {x}_{j} \in {\mathcal{ S}}_{2} \}$ is formed as a baseline.

D. Sequential Anomaly Detector

In the test phase, summary statistics $d_{t-GEM}$ , $\| \boldsymbol {r}_{t-PCA} \|_{2}$ and $\| \boldsymbol {r}_{t-RDA} \|_{2}$ of each anomaly detection model is found for the new data point $\boldsymbol {x}_{t}$ independently. The anomaly score is expected to be higher in the case of adversarial attack. Since the procedure is the same for all three models, we explain the remaining anomaly statistic extraction algorithm for the GEM model as an example. For a new data point $\boldsymbol {x}_{t}$ , once $d_{t-GEM}$ summary score is computed using (5), tail probability of $p_{t}$ would be computed with respect to baseline set $\boldsymbol {D}_{GEM}$ as follow: $$\begin{equation*} p_{t} = \frac {1}{N_{2}} \sum _{\boldsymbol {x}_{j} = {\mathcal{ S}}_{2}} {\mathsf{1}} \{ d_{j} > d_{t-GEM} \} \tag{7}\end{equation*}$$ View Source\begin{equation*} p_{t} = \frac {1}{N_{2}} \sum _{\boldsymbol {x}_{j} = {\mathcal{ S}}_{2}} {\mathsf{1}} \{ d_{j} > d_{t-GEM} \} \tag{7}\end{equation*} which shows the fraction of the baseline summary statistics $\boldsymbol {D}_{GEM}$ greater than $d_{t}$ . Given the significance level $\alpha$ , we can get a real valued statistical score in log scale with $$\begin{equation*} s_{GEM}=\log \left({\frac {\alpha }{p_{t}}}\right), \tag{8}\end{equation*}$$ View Source\begin{equation*} s_{GEM}=\log \left({\frac {\alpha }{p_{t}}}\right), \tag{8}\end{equation*} if the tail probability $p_{t} < \alpha$ , we can consider $\boldsymbol {x}_{t}$ as an outlier. We follow the same approach in equations (7) and (8) to calculate $s_{PCA}$ and $s_{RDA}$ scores. Since the three scores are independent from each other, they can be calculated in parallel. For extracting the final anomaly score, we sanitized the three anomaly scores using a simple averaging as follows: $$\begin{equation*} s_{t} = \frac {1}{3} \sum (s_{GEM},s_{PCA},s_{RDA}) \tag{9}\end{equation*}$$ View Source\begin{equation*} s_{t} = \frac {1}{3} \sum (s_{GEM},s_{PCA},s_{RDA}) \tag{9}\end{equation*}

Note that the anomaly scores $s_{t}$ can be positive or negative values with respect to the existence of anomalies. Instead of sample-by-sample anomaly declaration we propose to use a model-free CUSUM-like anomaly detection approach [44]: $$\begin{align*}&g_{t} \leftarrow \max \{0, g_{t-1}+s_{t}\},~g_{0}=0 \\&\,\,\,\,{\mathcal{ T}}= \inf \{ t~:~\max \{0, g_{t}\geq h\}\tag{10}\end{align*}$$ View Source\begin{align*}&g_{t} \leftarrow \max \{0, g_{t-1}+s_{t}\},~g_{0}=0 \\&\,\,\,\,{\mathcal{ T}}= \inf \{ t~:~\max \{0, g_{t}\geq h\}\tag{10}\end{align*} where $g_{t}$ refers to the decision statistic. The anomaly is declared if enough sequential anomaly evidence is accumulated. The detection threshold $h$ is chosen to strike a balance between minimum detection delay and lower false alarm rate. While a lower detection threshold $h$ results in lower detection delay, it enables higher false alarm rates. The summary of the proposed anomaly detection technique is shown in Algorithm 1. The proposed sequential anomaly detector is also robust against system misbehavior due to the nature of the cumulative anomaly detection model.

A. White-Box Insider Attack

Regardless of the DNN structure, learning models are vulnerable to white-box adversarial attacks, even with a very slight perturbation on input data. White-box adversarial attacks assume that the attacker has access to the target model of learning policy.

2) Results

Fig. 3 and Fig. 4 show the results from FGSM and JSMA, respectively. After the attack is launched, both DQN and A2C TSCs perform poorly during the attack duration with FGSM and JSMA attacks. Although DRL settings are different, single-intersection TSC (Fig. 3(a) and 4(a)) and multi-agent multi-intersection TSC (Fig. 3(b) and 4(b)) are both affected, and the total waiting time in the traffic exceeds even the fixed-time controller. While the total waiting time increases almost $10\times$ for single-intersection, it increases almost $6\times$ for multi-intersection immediately after the white-box FGSM and JSMA attacks are launched. DRL agents cannot respond to these attack models and the attack continuously effects the learning agents as long as the DRL agent is targeted because the DQN and A2C agents do not recognize the attacks. For FGSM attack, the total waiting time decreases to pre-attack levels in 5 episodes after the attack ends in both the single-intersection DQN and the multi-intersection A2C cases. On the other hand, for JSMA attack, the total waiting time decreases to the pre-attack levels immediately right after the attack ends.

FIGURE 3.

FGSM White-box and black-box attack results for DQN and multi-agent A2C with 0.007 attack magnitude using FGSM attack model. Attack continues 5 episodes from 15 to 20. Both white-box and black-box attacks continuously effects the performance of DRL agent while attack continues.

Show All

FIGURE 4.

JSMA attack continues a) with 10% of data perturbation for single agent DQN model and b) with 40% of data perturbation for multi-agent A2C model. The attack injects falsified data by selecting specific lanes of the intersection. The attack starts at episode 15 and lasts for 5 episode and ends in episode 20.

Show All

B. Black-Box External Attack

In the black-box attack scenario, the attacker does not have a precise knowledge about the model. Here, we investigate the vulnerability of the DNN policies for DRL-based TSCs when the attacker does not have access to the actual target model.

C. Robustness Against Noise

A. Sequential Detector Setup

To generate training and test sets for sequential detectors, we collect anomaly-free training states and test sets that include anomalies from the DRL-TSCs. For single intersection TSC model, the DRL setup has relatively low dimensional state format since each lane corresponds to two dimensions in state vector which are the number of vehicle and average speed. This form of state known as feature-based vectorized state representation (See Fig. 5). The number of vehicle and average speed per lane states are concatenated to form final state representation. For example, the state definition for our single intersection DQN-TSC, which has 4 incoming roads with a 4 lane single intersection, is 32 units column vector.

FIGURE 5.

Feature-based vectorized state representation.

Show All

Regarding the single-intersection DQN, sequential detectors are trained with 1 episode of anomaly-free traffic flow. Then, the detectors are trained on FGSM and JSMA adversarial attacks using 50 test episodes where adversarial attack starts after 200 state samples. Regarding the multi-intersection MA2C, we followed similar data collection procedure with slight changes. In our MA2C model, every intersection has a different number of approaching lanes, therefore, the state dimensions varies in MA2C model. We have 3 groups of state representation for 4 intersections as 82, 86, 92. After collecting neighborhood information, two of four intersections have the same size of state dimensions. Due to having different state dimensions, each agent of MA2C model is trained and tested separately, then, test results are concatenated. Adversarial attack for 1 episode is highly time consuming. Hence, the number of test samples are relatively low which is 35 MA2C episodes. In total, we have 105 test trials for MA2C-TSC model.

B. Results

Fig. 6 shows average detection delay vs false alarm probability results for the proposed ensemble model compared with the other statistical anomaly detectors. We observe that the proposed ensemble model has the lowest detection delay vs lower false alarm probability on FGSM attack to the single intersection DQN model (Fig. 6(a)) and JSMA attack to multi-intersection MA2C model (Fig. 6(d)). The ensemble model also performs closer to the other statistical detectors for JSMA to single intersection DQN (Fig. 6(b)) and FGSM to multi-intersection MA2C (Fig. 6(c)). Due to invisible nature of FGSM attack, all detectors have higher detection delays. The proposed ensemble model is the second best detector among all. Except for FGSM attacks on MA2C, the ensemble model detects the adversarial samples within less than 10 samples. This means that the ensemble detector informs the DRL agent within 10 adversarial samples, which is small enough for taking an action against adversarial attack. The ensemble model is able to handle multiple adversarial attack types on different controller settings. The results can be extended to a broader range of adversarial attacks that may target the DRL-TSCs. One proposed mitigation strategy on top of detecting the anomalies is switching to another TSC model such as max-pressure TSC after attacks are detected.

FIGURE 6.

Comparison of sequential detection performances in terms of average detection delay vs false alarm period.

Show All

Next, we analyzed the overall detection performance with ROC curve and AUC scores. Since anomaly detectors are simple binary classifiers, evaluating the accuracy of anomaly detectors with the ROC classifier curve is important where the curve does not assume any distribution on data for producing classification performance. As depicted on Fig. 7 and supported by the AUC scores in Table 1, the proposed ensemble model outperforms all the other statistical detectors. While the statistics in bold shows the best detection performance, statistics in green tells the second best detection performance in Table 1. It is clear from the statistics in green that different statistical anomaly detectors performs differently on different threat models, however, the proposed ensemble model has a clear advantage over the other detectors with almost perfect detection performance.

TABLE 1 AUC Scores for Different Baselines for All Configurations

FIGURE 7.

ROC curves for different attacks and TSC settings with the proposed anomaly detection model.

Show All