Safe Unmanned Robotic Ensembles

Self-driving personal cars that coordinate themselves to eliminate road accidents while doubling the capacity of highways; swarms of autonomous flying machines that quickly map and explore critical areas during emergency response; fleets of service robots that inspect, clean or repair large infrastructures or vessels in a fraction of the time needed to do this manually. These are just a few examples of so called robotic ensembles, and that have the potential of revolutionizing our life in a short time span. But a key factor that can prevent them to deliver their expected benefit, is un-safety. What if such complex collective systems may be made unusable, or even dangerous, by failures or misbehaviours of a few, or even a single of their members? Threats may come from simple and inevitable physical damage occurring to individual units, or may be the result of the deliberate action of compromised ones, due to malicious cyber-attacks directed at disrupting the service provided by the ensemble.
Eradicating such scenarios was precisely the motivation of SURE, a project that lead to the conception and analysis of innovative distributed diagnosis approaches for robotic ensembles. Cooperative self-driving cars were the project motivating example, which is a sector projected to be worth 71 billions of Euros in 2030.

SURE was divided into three Work Packages (WP).

WP1 was devoted to theoretical developments. The starting point for such investigation was based on existing literature for distributed fault detection in large-scale and networked control systems, a topic to which the researcher did contribute in the past years. Anyway, existing results did reveal several shortcomings that prevented a direct application to the scope of SURE. For this reason, new theoretical developments were undertaken, addressing problems of detectability in a probabilistic sense, rather than deterministic; privacy in multi-party estimation; detection of Man-In-The-Middle attacks via watermarking and, finally, detection of attacks in the special case of platooning cars. In particular, privacy was a novel and welcome addition to the existing theoretical approaches, which would be useful for the case of platooning cars autonomous cars: on one side they are used for transporting passengers whom may care for their privacy; on the other, self-driving cars employ state-of-the-art technology and know-how which car-makers would prefer to keep private and avoid it being exposed.

Apart from theoretical results, an interactive and real-time 3D demo was developed in WP2, to allow simulation of a platoon of autonomous cars. The demo allowed users to control the platoon leader car, and introduce simulated cyber-attacks affecting the communication with a follower car. The detection algorithms developed in WP1 were implemented, and the user had the possibility of seeing the effects of turning them on or off.

Finally, in WP3 a pair of autonomous small-scale RC cars were used in laboratory condition to test the implementation of platooning algorithms, thus moving results from WP1 and WP2 from the theoretical and simulation realms to the laboratory floor.
The following papers were presented at top-level conferences in the field of control systems theory and fault detection.

[1] V. Rostampour et al., “A set based probabilistic approach to threshold design for optimal fault detection,” 2017.
[2] R. M. G. Ferrari et al., “Detection and isolation of routing attacks through sensor watermarking," 2017.
[3] R. M. G. Ferrari et al., “Detection and Isolation of Replay Attacks through Sensor Watermarking,” 2017.
[4] R. M. G. Ferrari et al., “Detection of Sensor Data Injection Attacks with Multiplicative Watermarking,” 2018.
[5] N. Jahanshahi et al., “Attack Detection and Estimation in Cooperative Vehicles Platoons: A Sliding Mode Observer Approach,” 2018.
[6] V. Rostampour et al., “Differentially-Private Distributed Fault Diagnosis for Large-Scale Nonlinear Uncertain Systems,” 2018 (finalist for the Paul M. Frank Award).

Results were presented to the general public during two scientific festivals in The Netherlands (International Festival of Technology at Delft, June 2018; and European Researchers' Night at Rotterdam, September 2018). In this occasion the public was able to use the interactive real-time demo that was developed in WP2, and so to better understand current risks and limitations regarding security in cooperative self driving cars.

Finally, the researcher did obtained a tenure-track position as Asst. Prof. at TU Delft, as a consequence of the results generated during SURE.

The papers published during SURE contributed to extend the state of the art in fault and cyber attack detection for distributed networked systems, in particular for the case of platooning autonomous cars (paper [5]). Indeed, all such papers present a first contribution in their respective sub-fields, to the best of the researcher knowledge.

Paper [1] introduced a computationally viable way to obtain thresholds with higher detection performance, at the expense of a negligible risk of false alarms, and are specially suited to nonlinear, uncertain systems. The approach can applied to any dynamical system for which either a model, or previous historical data is available, thus paving the way for an extensive cross-sectorial exploitation.

Papers [2], [3] and [4] introduced a novel multiplicative sensor watermarking approach to detecting Man-In-The-Middle (MITM) attacks. Their advantage is especially relevant for fields protocols used in automation systems, as in such systems encryption is not currently used due to cost, latency and retro-compatibility issues.

Paper [5] presented a simple, yet effective approach to detecting (MITM) attacks in communication networks serving cooperative self driving attacks. Currently, existing protocols for Vehicle to Vehicle (V2V) communication consider extensive use of encryption as a way to protecting confidentiality and integrity of V2V networks. Anyway, they cannot address the case of malicious vehicles deliberately disseminating false information, which in the case of a platoon may lead to a crash. Our result does use vehicle sensors and a mathematical model of the platooning control algorithm, as well as the vehicle dynamics, to allow detection of crafted communication.

Paper [6], as mentioned, is the first available result on privacy-enabled fault diagnosis, and has a high potential to make distributed fault diagnosis possible between possibly adversary parties, that is entities that do not trust each other.

Current results have been proven in theory and in simulation, and limitedly in a laboratory environment using small scale RC autonomous cars. Anyway, talks are being made with key industrial players in the field of Cooperative Intelligent Transportation Systems (C-ITS), in order to implement and test such algorithms on real autonomous cars or intelligent road infrastructures. This has a huge potential, as several projects on C-ITS are under way in Europe, and roll-out to the general public of C-ITS services is foreseen in the next future. Furthermore, if such tests are successful this could lead to regulatory bodies mandating the introduction of such security features in all future C-ITS applications and systems. This could have a direct influence on the security of critical European infrastructures int he next decades, which could serve millions of citizens.