Interdependence-Aware Game-Theoretic Framework for Secure Intelligent Transportation Systems

07/12/2020 ∙ by Aidin Ferdowsi, et al. ∙ Virginia Polytechnic Institute and State University 0

The operation of future intelligent transportation systems (ITSs), communications infrastructure (CI), and power grids (PGs) will be highly interdependent. In particular, autonomous connected vehicles require CI resources to operate, and, thus, communication failures can result in non-optimality in the ITS flow in terms of traffic jams and fuel consumption. Similarly, CI components, e.g., base stations (BSs) can be impacted by failures in the electric grid that is powering them. Thus, malicious attacks on the PG can lead to failures in both the CI and the ITSs. To this end, in this paper, the security of an ITS against indirect attacks carried out through the PG is studied in an interdependent PG-CI-ITS scenario. To defend against such attacks, the administrator of the interdependent critical infrastructure can allocate backup power sources (BPSs) at every BS to compensate for the power loss caused by the attacker. However, due to budget limitations, the administrator must consider the importance of each BS in light of the PG risk of failure, while allocating the BPSs. In this regard, a rigorous analytical framework is proposed to model the interdependencies between the ITS, CI, and PG. Next, a one-to-one relationship between the PG components and ITS streets is derived in order to capture the effect of the PG components' failure on the optimality of the traffic flow in the streets. Moreover, the problem of BPS allocation is formulated using a Stackelberg game framework and the Stackelberg equilibrium (SE) of the game is characterized. Simulation results show that the derived SE outperforms any other BPS allocation strategy and can be scalable in linear time with respect to the size of the interdependent infrastructure.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 5

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Intelligent transportation systems (ITSs) are complex systems that integrate connectivity, sensing, and autonomy to improve the efficiency and the security of traditional transportation systems [FerdowsiITS]. Different devices and sensors are connected in an ITS to collect, share, and process data of the vehicles and their surroundings. This information exchange requires a reliable communication infrastructure to connect the various vehicles and to transfer the data in real time[saad2019vision]. With its ability to connect ubiquitous devices to the Internet, the Internet of Things (IoT) is seen as a major enabler for future ITSs [Zanella, Chen2014, mozaffari2018beyond, zeng2019joint].

As one of the main ITS components, autonomous connected vehicles (ACVs) will receive control signals from the communication infrastructure (CI)’s components such as the base stations (BSs) through vehicle-to-everything (V2X) links. These control signals can help to optimize the operation of the ITS in terms of flow, fuel consumption, and air pollution[Kargl]. However, this reliance on wireless connectivity brings forward new vulnerabilities because of the interdependence that exists between the CI and the ITS[Kargl]. For instance, an ITS attacker can utilize the CI to jam road segments[alpcan2010security], deny V2X signal services [Lyamin], tamper with traffic signals [Laszka], and take the control of ACVs[ferdowsicps].

Furthermore, since the CI is operated using power grids (PGs), another interdependence relation comes into existence between both infrastructure. Consequently, ITSs and PGs will also be interdependent through the common CI. In this regard, failures in a PG will directly affect the CI as well as having indirect effects on the ITS. Thus, the administrator(s) of such critical infrastructure systems must account for the CI-PG-ITS interdependence, when securing their ITSs. This interdependence exposes the ITS to a new set of attacks such as bad data injection [liu2011false] or physical attacks such as tampering the PG components[he2016cyber].

CI-PG-ITS interdependence adds new constraints to the security designs of the ITSs against cyber-physical attacks. For example, a disruption of power delivery from the PG to the CI can deactivate the BSs which send control packets to ACVs. This, in turn, will disrupt the traffic flow in the ITS. Therefore, compensating the power loss at BSs by, e.g., using backup power sources (BPSs) [Wang2019], needs to consider the impact of the BSs on the ITS traffic flow. However, as the available budgets are usually limited, the administrator of an ITS will need to prioritize the PG components, in the security design, in light of the interdependencies between the ITS, the CI, and the PG. However, this type of interdependencies makes designing security solutions for such systems, highly challenging.

I-a Related Works

Critical Infrastructure protection and security has recently attracted significant attention [jamei2016micro] and [eldosouky2015contract]. In general, critical infrastructure systems refer to the systems that are vital to modern day economies and cities. Examples of such systems include power grids, transportation systems, nuclear reactors, communications infrastructure, water supply, and financial services [keeney2005insider]. Therefore, securing and maintaining the proper operation of such systems is of utmost priority. However, one challenge to the security of critical infrastructure systems stems from their interdependent nature, i.e., the functionality of one infrastructure can depend on one or more other infrastructure. Therefore, the failure of one infrastructure can affect other dependent infrastructure systems.

The security of interdependent critical infrastructure (ICI) has thus been the focus of many recent works [Rahnamay, Parandehgheibi2014, Das2014, Chen2018, Ferdowsi2017]. For instance, the authors in [Rahnamay]

solved a power flow optimization problem for interdependent PG-CI that takes into account the power requirements of the CI and the impact of the CI on the PG state estimation. The work in

[Parandehgheibi2014] developed a power load control policy for PGs that mitigates the cascading failures of interdependent PG-CI while the authors in [Das2014] analyzed the root cause of failures in ICIs. Furthermore, the work in [Chen2018] studied robustness of large-scale interdependent CI-PG via a complex network analysis. In addition, the authors in [Ferdowsi2017] and [FerdowsiCBG] proposed a game-theoretic security solution against data injection attacks on CI components that impact PGs.

Moreover, the security of connected vehicles has gained a lot of attention recently due to the important role of ACVs in the ITSs [FerdowsiITSC, Lei, Chetlur, Zheng2017]. The authors in [FerdowsiITSC]

proposed a deep reinforcement learning algorithm that makes ACVs robust against cyber attacks on the CI. The work in

[Lei] introduced a blockchain-based trust management mechanism for interdependent CI-ITSs that takes into account the geographical layout of the ITS networks. Furthermore, the authors in [Chetlur] modeled the interdependencies between a CI and an ITS using a Poisson line process. Meanwhile, in [Zheng2017], the authors studied the cyber attacks on intersection controllers of an ITS using game theory.

However, the works in [Rahnamay, Parandehgheibi2014, Das2014, Chen2018, Ferdowsi2017, FerdowsiCBG, FerdowsiITSC, Lei, Chetlur, Zheng2017] did not consider stealthy attacks on the ICI in which the attacker aims at disturbing the ICI while staying stealthy from detection. Furthermore, the works in [Rahnamay, Parandehgheibi2014, Das2014, Chen2018, Ferdowsi2017, FerdowsiCBG] only studied PG-CI interdependencies while [FerdowsiITSC, Lei, Chetlur, Zheng2017] focused solely on the CI-ITS interdependencies and there has been no study on the indirect but pronounced effects of PG failures on ITSs. Although the work in [ferdowsi2017colonel] considers indirect dependencies of critical infrastructure such as gas and water networks on a CI through a PG, however, the attack model therein did not consider any stealthiness for the attacker.

I-B Contributions

The main contribution of this paper is, thus, a holistic game-theoretic framework that analyzes the security of interdependent PG-CI-ITS infrastructure system. The proposed framework addresses the security of ITSs against indirect attacks carried out through the PGs as these attacks have direct effects on the CI and indirect effects on the ITSs. In particular we have the following key contributions:

  • We develop a novel model for capturing the interdependencies between PGs, CI, and ITSs. In particular, we analytically derived the interdependence relations across the three infrastructure: PG, CI, and ITS through formulating a two-tier model for the ITS-CI interdependence as well as the CI-PG interdependence.

  • Combining these two interdependence models, we derive the full PG-CI-ITS interdependence as a one-to-one mapping that captures the effect of PG components on the ITS operation. These one-to-one relations can be used by ICI administrators, when securing their interdependent infrastructure, to prioritize the PG components based on their ultimate effect on the ITS operation.

  • We model the interactions between a stealthy attacker and the administrator of an interdependent PG-CI-ITS system, using game theory. In particular, we formulate a Stackelberg game to model such interactions in which the attacker acts as a follower whose goal is to disrupt the ITS flow through attacking the PG components. The ICI administrator acts as a leader whose goal is to minimize such disruption by maintaining the optimal operation of its CI. In this game, the defender uses the interdependence model to allocate the BPSs to its CI to maintain the ITS operation.

  • We analytically derive the Stackelberg equilibrium (SE), for the proposed game, which is used to characterize the optimal attack and defense mechanisms. We show that the derived SE strategy, for the administrator, is scalable in linear time, and, thus it is practical for large-scale ICI implementations.

  • Through simulations, we show that the proposed SE strategy can outperform any other security strategy for protecting ICIs.

The rest of the paper is organized as follows. Individual infrastructure models and the interdependence models are presented in Section II. The attacker’s stealthy model and the optimal defense strategy are derived in Section III. The proposed Stackelberg game between the attacker and the ICI administrator is formulated in Section IV where the equilibrium solutions are also derived. Simulation results are shown in Section V. Finally, conclusions are drawn in Section VI.

Ii System Model

Ii-a Individual Infrastructure Models

Ii-A1 ITS Model

Consider an ITS that is modeled by a set of intersections. This ITS has three main macroscopic characteristics at each street (direction of movement is from intersection to intersection ) [daganzo1997fundamentals]:

  • Flow, , which is the number of ACVs passing street over a given period of time (expressed in veh/h/lane)

  • Density, , which is the number of ACVs moving in street at a specific instant in time (expressed in veh/km/lane)

  • Space-mean-speed, , which is the average rate of motion for vehicles moving in street (expressed in km/h).

In an optimal ITS which takes into account minimum travel time, maximum safety, and minimum air pollution, every street is designed to have an optimal flow, . Moreover, let and be the set of streets that have flow from and to intersection . Then, at every intersection , we have:

(1)

where is the portion of flow that comes from .

In fact, (1) captures the fact that the inflow from every street to an intersection is divided into outflows from that intersection. Note that we ignore u-turns at intersections since typically u-turns are a small fraction of the through traffic. We define an network flow matrix, , such that the element at row and column is . Therefore, in order to find the optimal values for the traffic flow at every street we need to solve:

(2)

where is an identity matrix and is an vector that contains the flow rate values of all of the streets. Equation (2) can be written as or , where . can be proven to be under-determined since its rank is [Harrod1984, Zhou]. Therefore, in order to solve (2), we will assume to know the traffic flow value at least in one street and, then, we can define an matrix that is identical to with the -th column removed. We also define as the -th column of matrix .

Next, the values of the flow in the remaining streets can be calculated by solving the equation:

(3)

where is an vector containing all the values of street flows other than street and is the value of the known street ’s traffic flow. The solution of (3) can be found by[Harrod1984]:

(4)

To this end, we can find the effect of flow deviation at the -th street on the entire ITS using (4) . Let be the flow deviation at street and be the flow rate of other streets following a deviation at street , then, we have:

(5)

Thus, the flow deviation on streets other than street , can be derived by solving

This result represents the first step in modeling the interdependence in PG-CI-ITS as it allows an administrator to fully understand the non-optimality in the flow of its entire ITS system. Next, we study the model of the CI in light of its connection to the ITS.

Ii-A2 CI Model

In our model, the ACVs of the ITS are powered by a CI that consists of a set of base stations. Each BS covers a portion of streets and communicates important control messages to the ACVs within the covered areas. As is customary in cellular networks, we use a hexagonal shape to model the coverage area of every BS as shown in Fig. 1. In Fig. 1, we can see that every BS can cover the entirety of a street or a section of every street. Under normal operating conditions, every BS is expected to service all the ACVs in its coverage region.

Next, we study the operation of a BS, and its impact on the ITS, in case there is a disruption in the delivered electrical power. We define as the power required by every BS , in order to be activated [conte2012power]. Similarly, we define as the power required by a BS to send control packets to of the ACVs in its cell, as shown in Fig. 2. Clearly, if the BS received only , it will not be able to serve any ACVs.

Then, consider that BS received a power such that , then, BS will be able to send packets to only a fraction of the ACVs in its cell. From Fig. 2, this fraction of users can be given as:

(6)

where is the fraction of users that can be covered by BS .

Next, let be the power deviation at BS such that . Then the relationship between the percentage of users that receive packets from BS and the power deviation can be shown as in Fig. 3. From Fig. 3, we can see that, if the supplied power deviates by more than , then, the BS cannot send packets to any of the users.

Figure 1: An illustrative example of an ITS and a CI.

Cell load (%)

Power consumption (W)

Figure 2: Power consumption diagram of every BS .

Power deviation (W)

User coverage (%)

Figure 3: Percentage of user coverage inside a cell as a function of deviation on the BS received power.

To this end, the previous analysis of the CI allows us to determine the percentage of the affected ACVs in case of power disruption. Next, we study the the operation of the PG in light of its connections to the CI.

Ii-A3 PG Model

The BSs in our CI are powered by a PG. In particular, we model this PG by a graph in which is the set of power nodes and is the set of connection lines between these nodes. We consider two types of power nodes: Power generators and loads. Note that, in a typical power grid, there can be other types of nodes such as transmission units and substations. However, we do not model these units explicitly as nodes in the graph as they do not have direct effect on the communication network.

Since we are interested in the power received at the BSs, we consider them in more detail as being load nodes in the power grid. The effect of the BSs failure can be included as part of the load nodes failure. Thus, let be the set of generators, be the set of all load nodes, and be the set of non-BS loads. Thus, we have , where is the set of base stations as defined earlier. We also have as the set of all nodes include all the generators and all the load nodes.

Since we are interested in studying the dependency between the PG and the CI, it is important to highlight the effect of power generation failures on CI. In a typical PG, electricity is generated to match the power consumption which is known as demand-response [palensky2011demand]. As it is hard and inefficient to store electricity, the power grid uses a means of communication to organize the generation capacity of each power generation unit. This management is also useful in case one generator fails so that its planned load can be shifted to other generation units to meet the power consumption demand [eldosouky2017resilient]. The relation between the power grid failures and the CI, is studied next.

Figure 4: An illustration of the interdependencies between ITS, CI, and PG.

Ii-B Interdependence Analysis

In Fig. 4, we illustrate the interdependencies in our system. From Fig. 4 we can see that the power grid provides the essential electricity required for the proper operation of the BSs in the CI. The BSs in turn use this power to transmit the control signals to the ITS. Therefore, in case a failure occurs in any of the power lines, some BSs might not receive their required power. As a result, they will fail to cover some portions of the ITS. Consequently, some ACVs in the ITS will not receive the control packets from the CI which will lead to a non-optimal traffic flow in the ITS.

In such a scenario, it can be said that the operation of the CI is directly dependent on the functionality of the PG while the operation of the ITS is indirectly dependent on the PG, through the CI. As a result, next, we propose a two-tier model to capture the interdependence within a PG-CI-ITS system. In particular, we will use the empirical, agent-based and flow-based methods to model the interdependencies between the ITS and CI in the first tier. Then, we will use the a network-based model to study the interdependence between the CI and the PG [OUYANG201443], in the second tier.

Ii-B1 Interdependence of ITS and CI

In our ITS model, every street or every section of each street is covered by a specific BS. This makes the ITS vulnerable against possible failures in the CI whenever a portion of BSs are either deactivated or do not have enough power to send control packets to all of the ACVs in streets. In this case, the flow at every street might deviate from its optimal value. In particular, if a BS can only send control packets to a fraction of its covered street , then the flow reduction at street will be , where is the length of street covered by BS , is the length of street , and is a fixed number indicating the difference between the flow of a street that is km long before and after deviation.

Such flow deviation can propagate forward and backward as time goes and can essentially affect the entire ITS. Thus, we define a matrix in which each element at row and column , equals:

Then, if the received power at a BS is reduced by , such that , then its effect on the flow of street is , and, thus, the flow deviation will propagate to the entire ITS which can be derived using (5) by:

(7)

Then, if we concatenate -1 at the -th row of and shift all the rows after row one row down, we will construct a new vector that has rows and shows the effect of failure of BS on the ITS through direct impact on street .

Therefore, the total impact of a power deviation at BS on ITS can be written as follows:

(8)

where set is the set of all the streets covered by BS . In (8), the -th element of captures the one-to-one impact of BS on the street .

Note that, in order to compare the value of every BS with that of other BSs, we can use the -norm of which we define it as , such that a BS with higher value will have higher impact on the ITS.

Ii-B2 Interdependence of CI and PG

The BSs must be connected to the PG to obtain the electricity required for their operation. Thus, we model each BS as a load node in the power grid. As discussed earlier, these BSs need certain power requirements in order for them to operate properly otherwise they will fail[conte2012power]. These power requirements can be satisfied by the power generators that are connected to the BS using transmission lines.

To study the effect of a power generator failure on its connected BSs, we consider the example in Fig. 1. In Fig. 1, power sources are represented using circles while the BSs are represented using hexagons. We notice that some BSs can receive electricity directly from multiple generators or indirectly through the transmission lines from other generators. Similarly, each generator is directly connected to some BSs (as loads) and also to the rest of the grid using transmission lines.

Modeling the exact behavior of power generators failure is a complex process as it can involve multiple failures in the grid known as cascading failures [Parandehgheibi2014]. However, in this work, we are concerned only with the effect on the BSs. We evaluate each power generation based on its failure effect on the connected BSs. The failure here refers to the inability of the power generator to produce the electricity either fully or partially due to any disruptive events such as cyber or physical attacks. In the following, we explain the procedure of evaluating the power generators in case of full failure, i.e., no electricity generation. Partial failures can be modeled in a similar way by considering the affected BSs.

Let be a matrix such that the entity at row and column of which we define as is a value in that indicates the portion of received at BS from power source . Therefore, if a power source is not connected to BS , then . When a BS is connected to more than one generator, we will have , i.e., the summation over all the connected generators will equal the full power received at a single BS, from these generators. Next, we explain the procedure that an attacker can use to exploit the interdependence in order to perform its stealthy attacks.

Iii Interdependent PG-CI-ITS Under Attack

Iii-a Stealthy Attack Model

Consider an adversary who aims at disrupting the operation of the ITS by attacking the PG components. Such an attack can target either the generators or the power lines. When the attacker damages a generator, that generator will no longer supply power at full capacity. In addition, the attacker can specifically reduce the power supply at any line by damaging the infrastructure. Doing so, the goal of the attacker can include disrupting the flow of a specific street or the entire ITS. However, defining such a specific goal for the attacker might not be always possible since the attacker may not have access to all the PG components.

Although a higher disruption at the PG will cause a higher flow deviation at the ITS, it will on the other hand expose the attacker to be detected with higher chance. Therefore, we introduce the stealthiness level to represent the level at which the attacker risks to be detected, i.e., a risk averse attacker will adopt a higher stealthiness level, and, thus it will perform less attacks in order not to be detected. On the other hand, a risk tolerant attacker will adopt a lower stealthiness level by performing a large scale attack despite the higher chance of being detected. Here, we define the stealthiness level based on the location of the attack as each location can cause a different degree of damage to the system while having a different chance of detection. In particular, we define three levels of stealthiness: a) at the power source level, b) at the power line level, and c) at the BS level.

Let be the power deviation caused by the attacker at the line connecting power source to BS . Then, at a power source

level, the probability of being detected can be defined as:

(9)

where the numerator is the total power deviation by the attacker at power source , and the denominator is the total generated power by the power source in a safe scenario.

Similarly, the probability of attack detection at the power line level connecting a power source to a BS can be defined as:

(10)

Moreover, the probability of staying stealthy at a BS can be defined as:

(11)

where the numerator is the total power deviation at BS and the denominator is the required power for covering of the users in BS ’s cell.

The probabilities of detection defined in (9), (10), or (11) will be utilized in Section IV to study the attacker’s behavior when interacting with a defender adopting our defense strategy discussed next.

Iii-B Defense Strategy

As a countermeasure, the administrator of the ICI, the defender hereinafter, can allocate BPSs at every BS in order to compensate for the power loss at the BS. However, in practice, due to the budget limitation and different impact levels of each BS on the ITS, the administrator must allocate a different amount of BPSs at every BS. Let be the total available amount of BPSs111Since the BPSs can be designed to have any desired storage capacity we consider and to take any positive value. for the defender and be the allocated BPSs at BS , then we will have , i.e., the defender does need to allocate all the BPSs. Therefore, the total power deviation at BS can be written as .

The defender can then evaluate the outcome from allocating each BPS by evaluating the improvement in the ITS due to the compensated power from the BPS. However, the defender’s outcome from allocating a BPS will depend on the attacker’s choice of PG component. Thus, next we study the outcomes for both players in presence of these interactions.

Iii-C Attacker-Defender Interactions

We propose to define the defender’s payoff from allocating the BPSs at BSs, as a function in both players’ actions, as the negative of total flow deviation at the ITS using (8) as follows:

(12)

where and are the strategy vectors of the defender and the attacker, respectively. Here, the defender’s strategy represents the allocated BPSs at every BS, while the attacker’s strategy represents the targeted power deviations at every power line. Recall that is given by (8), and it represents the one-to-one impact of the BSs on the ITS. We note that, in (12), we dropped from (8) as it is a constant value and will not impact the strategy design.

We can rearrange (12) as follows:

(13)

Since the defender and the attacker have opposing goals, the defender’s loss is considered as the attacker’s gain. Therefore, the attacker’s payoff will be the negative of the defender’s payoff, as follows:

(14)

However, (14) represents the general outcome of the attacker in case the attack is overt and no stealthiness was adopted. When an attacker performs a stealthy attack, its payoff will depend on the level of stealthiness. In this case, its payoff can be given by:

(15)

where represents the stealthiness level at the power source, at the power line, or the at BS. Thus, we can define three different payoff functions based on the three levels os stealthiness defined in Section III-A. First, for the power source level stealthiness, we substitute (9) in (15), so we get:

(16)

From (16), we can see that large values for each will yield a larger flow deviation in the ITS. However, this will result in a higher probability of detection. Therefore, the attacker must choose such that .

Similarly, the attacker’s payoff while seeking to remain stealthy at every power line level can be calculated by substituting (10) in (15), so we get:

(17)

In (17), we can see that, in order to stay stealthy, the attacker must choose such that .

Finally, for the case in which the attacker wants to stay stealthy at the BS level, the payoff function can be calculated by substituting (11) in (15), so we get:

(18)

As we can see from (12), (16), (17), and (18), the payoffs are functions of both of the strategies of the defender and the attacker which motivates a game-theoretic approach [han2012game]. Moreover, since BPSs will first be implemented and then the attacker will attack the PG, thus, the defender must choose its best strategy before seeing the attacker’s strategy. This scenario can be properly modeled using Stackelberg games [han2012game] in which the defender is the leader and the attacker is the follower. Note that, this hierarchical model of the players is common to many noncooperative Stackelberg games when addressing security problems e.g., [maharjan2013dependable] and [eldosouky2019drones].

Iv Stackelberg Game Formulation

We formulate a single-leader, single-follower Stackelberg game [han2012game], between the defender and the attacker. The defender (leader), will act first by choosing to maximize its payoff. The attacker, having seen the attacker’s allocated BPSs, will engage in a noncooperative game by choosing to maximize its payoff. In fact, the final flow at the ITS is a function of the defender and the attacker’s strategies. One suitable concept to find the optimal strategies, and solve the proposed game, for both the attacker and the defender is that of a Stackelberg equilibrium (SE) as defined next.

Definition 1.

A strategy profile is a Stackelberg equilibrium if it satisfies the following conditions:

(19)
(20)

where can be , , or depending on the desired level of stealthiness.

According to this definition, the defender needs to choose a strategy that maximizes its outcome based on the attacker’s optimal response. Therefore, in order to find the SE we can proceed by backward induction. First, we need to derive the values of that maximize the attacker’s payoff. Then, we will find the defender’s strategy at SE by plugging in the attacker’s maximizer strategy into the defender’s payoff function and finding the maximizer strategy of the defender. In what follows, we derive the SE for the three stealthiness levels.

Iv-a Stealthiness at the Power Source Level

In this case, the attacker’s problem of finding the values of that maximize its payoff can be formulated according to (16) as follows:

(21)
(22)

We can assume that the power loss at the generator is equally distributed at every power line connected to it. Thus, we can find the SE by considering the values for are equal for every . The following theorem derives the SE for this case.

Theorem 1.

The attacker’s strategy at the SE is: , where is the number of BSs which are connected to the power source

and the defender’s strategy at the SE is the solution of the following linear program:

(23)
s.t. (24)
(25)
Proof.

Considering equal values for for every power source , we can rewrite (21) as:

(26)

We can solve this maximization problem by taking the partial derivative of (26) with respect to and setting it to 0. Then we have:

which is equivalent to:

taking the derivatives of the individual terms:

then we have:

from which we can get the optimal strategy as:

We note that this solution satisfies (22), so it represents a valid solution to the problem in (21).

Next, in order to find the defender’s strategy at the SE, we first plug in the strategy of the attacker at the SE into (12) as follows:

(27)

Since the first term in (27) does not depend on , then the defender’s problem simplifies to (23). However, since the allocated BPS at every BS cannot exceed the attacker’s deviation at the same BS, we add the constraints in (25) which must be satisfied by the defender. ∎

Theorem 1 shows that there exists only one SE for the case in which the attacker wants to stay stealthy at the power source level since the linear program in (23) will yield only one solution. To solve (23), we can use known techniques such as the simplex method [boyd2004convex].

Iv-B Stealthiness at the Power Line Level

In this case, the attacker’s problem can be formulated according to (17) as follows:

(28)
(29)

Next, we derive the optimal strategy of the attacker that maximizes its payoff, plug it into the defender’s strategy, and, then, derive the maximizer strategy of the defender, similar to the case of power source level.

Theorem 2.

At the power line level, the SE of the game occurs when the attacker plays the strategy is: and the defender plays the strategy given by the solution of the following linear program:

(30)
s.t. (31)
(32)
Proof.

The proof follows a similar procedure to the proof of Theorem 1, where we first take the partial derivative of (28) with respect to and setting it equal to zero. Then we can find the maximizer strategy of the attacker which is .

By plugging this value into the payoff function of the defender in (12), we end up having the linear program in (30) and the condition in (32) comes from the fact that the allocated BPSs at every BS cannot exceed the power deviation caused by the attacker at each BS. ∎

Theorem 2 shows that, our game will admit a unique SE for the case in which the attacker tries to stay stealthy at the power line level.

Iv-C Stealthiness at the BS Level

In this case, the attacker’s problem can be formulated according to (18) as follows:

(33)
(34)

The following theorem derives the SE for this case.

Theorem 3.

At the SE, the defender’s strategy is the solution of the following linear program:

(35)
s.t. (36)
(37)

while the attacker’s SE strategy is any , such that .

Proof.

In order to find the maximizer strategy of the attacker, we define . In this case, the attacker’s problem simplifies to:

(38)
(39)

We can now take the first order partial derivative of (38) with respect to and set it equal to 0, similar to Theorem 1. Then, the maximizer value for the attacker is derived as .

By substituting this value into the defender’s payoff function, we end up having the linear program in (35). However, here, we note that should be satisfied which yields to the condition in (37). This linear program has a unique solution, however, since any solution of is an SE, thus, there exists infinitely many SEs for this case. ∎

Theorem 3 shows that, for the case in which the attacker tries to stay stealthy at the BS level, there are infinitely many SEs for the game. However, all of these strategies will yield the same payoff for the defender and the attacker.

Finally, we can see that all the derived SEs are the solutions of linear programs. Therefore, the proposed game model and its solution(s) can be solved in linear time with respect to the size of the ICI. This property makes the proposed solution scalable and, hence, it is applicable to large-scale ICIs.

V Simulation Results and Analysis

For our simulations, we consider a grid model for the ITS in which the lengths of streets and the numbers of intersections in the x and y directions are equal. We consider hexagonal models for the communication network’s cells and we spread a number of power sources in the studied world where their locations are drawn according to a 2-D uniform distribution. The number of BSs that are connected to the power sources is also drawn according to a uniform distribution. For every simulation, we construct a new flow matrix

that satisfies the condition in (1). In addition, we consider that for all of the BSs, .

First, in Fig. 5, we show the impact of deviation of the power generation of all power sources on the flow deviation of the ITS. We can see that, as the percentage of power reduction increases, the flow deviation linearly increases until when the power is reduced to half of the total power generation. At this point , which means that the received power can only activate the BS but is not enough to send control packets to ACVs. That is why after reduction the flow deviation stays constant.

Figure 5: Effect of the power deviation on the ITS flow.
(a) Stealthiness at the power source level.
(b) Stealthiness at the power line level.
(c) Stealthiness at the BS level.
Figure 6: Effect of the ITS scale on the traffic flow deviation for different levels of stealthiness.

Fig. 6 illustrates the effect of the scale of the ITS on the SE strategies and the flow deviation. In this scenario, we keep both the number of power sources and the radius of cells constant. However, the number of the cells will increase as the scale of the ITS grows. In Fig. 6, we also compare the three types of stealthiness level that are power source level (Fig. 5(a)), power line level (Fig. 5(b)), and BS level (Fig. 5(c)). First, we can see that in all the cases, the increase in the scale of the ITS, represented by the number of the intersections in each direction, will increase the interdependence of the ITS on the CI thus causing higher flow deviations on the ITS. The upper line in each figure represents the case of zero , i.e., no BPSs are used, and hence, the highest deviation. As the values of the compensated power increase, we can see a reduction in the flow deviation, in all the cases.

From Fig. 6, we can also see that on average, power line level stealthiness, in Fig. 5(b), can cause higher flow deviation than power source level stealthiness, Fig. 5(a), and, than, BS level stealthiness, Fig. 5(c). That means the interdependent PG-CI-ITS infrastructure is more sensitive to power line attacks than the other types of attacks. We can also in Fig. 6, that compensating the power by using BPSs at the BS level has higher positive effect on reducing the deviations in the flow. This can be seen from Fig. 5(c) as the gap between the lines representing flow deviations due to additional are wider than that in Figs. 5(a) and 5(b). Therefore, at the value of watts, for instance, the flow deviation is the minimum for all number of intersections in Fig. 5(c).

Fig. 7 shows the effect of the cell coverage radius on the final flow deviation. From Fig. 7, we can see that, in general, an increase in the cell size reduces the flow rate deviation. However, for the case in which the cell radius is 1.2 km there is a small increase in the average flow rate deviation, for most of the cases, compared to when the cell radius is 1.1 km. This is because, for this value, the increase in the radius means that fewer BSs are needed to cover the ITS. This, in turn, increases the portion of the ITS that is covered by each BS allowing the failures of the BSs to cause a higher deviation in the average flow rate of the ITS. However, this increase is limited due to the fact that each BS becomes connected to more generators which makes the BSs less vulnerable to power deviations. Note that, in Fig. 7, increasing the cell size over 1.2 km does not reduce the number of BSs, and thus, the flow rate deviation returned to normal behavior as before the value of 1.2 km.

Figure 7: Effect of the cell radius on the power flow deviation.

Moreover, Fig. 7 shows that our proposed Stackelberg allocation strategy can reduce the flow deviation by 19%, 22%, and 37% for stealthiness levels at power source, power line, and BS respectively, when the value of watts. This is represented by the gap between the lines representing the same stealthiness level when the BPSs are allocated per the optimal SE equilibrium in Section IV.

Figure 8: Attack on all of the power sources.
Figure 9: Attack on only one power source.

Figs. 8 and 9 show the effect of the number of power sources on the flow deviation. In Fig. 8, we study the case in which the attacker performs an attack on all of the power sources, while in Fig. 9, we show the case in which the attacker performs its attack on only one of the power sources. From Fig. 8, we observe that the flow deviation does not change as the number of generators increase. This due to the fact that, by adding more power sources, the attacker can still attack the newly added power sources and, thus, the new power sources would not compensate the power loss at the BSs. Note that, this case might be unrealistic in the sense that even powerful attackers might not have the capacity to attack all the power sources in the PG. However, we show this case to highlight the difference when the attacker attack just few generators. In particular, we consider the case of attacking just one generator in Fig. 9. From Fig. 9 we can see that, when the number of power sources increases, the flow deviation becomes smaller, when the number of the generators increase. This is because the ITS can now benefit from the added power sources as they are not targeted by the attacker.

Finally, in Fig. 10, we compare our proposed SE allocation with an allocation strategy in which the BPSs are equally distributed at every BS. We can see from Fig. 10 that our proposed SE can reduce the flow deviation by up to 40% compared to the case of equal allocation. Moreover, when the attacker is not stealthy, the equal BPS distribution cannot defend the ITS against the attacker compared to the SE allocation which is shown to be effective in reducing the flow deviation. The other stealthiness levels exhibit similar behavior where the SE allocations outperform the equal allocations in all cases. We also can see from Fig. 10 that when the attacker’s goal is to stay stealthy at the power lines, it can cause higher flow deviations compared to the other two stealthiness levels, which corroborates the results in Fig. 6.

Figure 10: Comparison between the SE and equal allocations.

Vi Conclusion

In this paper, we have studied the security of interdependent PG-CI-ITS infrastructure. We have modeled each infrastructure where it was shown that there is a strong interdependence between the ITS, the CI, and the PG infrastructure. Using these individual models, we have derived a rigorous one-to-one interdependence relation that can map the effect of power loss at the PG components on the ITS traffic flow. Then, we have defined the possible ways in which an attacker can perform a stealthy attack on the interdependent infrastructure. In particular, three levels of attacker stealthiness have been considered that can occur at the power source, the power lines, and at the BS level. In order to defend against any these types of attacks, we have proposed a Stackelberg game to model the interactions between the attacker and the infrastructure administrator, as the defender. We have analytically derived the Stackelberg solution for the different levels of stealthiness for the attacker. This Stackelberg solution can be used by the defender to strategically allocate its available BPSs at every BS. We have also shown that the solutions of the proposed game are scalable as they can be reached in linear time with respect to the size of ICI which makes the analysis practical for large-scale ICIs. Results have shown that the proposed Stackelberg allocation outperforms other strategy selection techniques and, in particular, can reduce the flow deviation at ITS up to 40% compared to an equal BPS allocation strategy.

References