The automotive sector has witnessed significant advancements driven by the enhanced connectivity of vehicles even with Smart City infrastructures. This evolution expands the vehicles' attack surface in unforeseen ways, exposing continental-wide critical networks important for governmental and military operations. Considering today's threat of Multi-Domain Operations (MDOs), it isn't dificult to imagine vehicles as perfect victims of attacks related to future complex MDOs with the ultimate goal of afecting people-related efect dimension's. Special attention should be paid to the security of Machine Learning (ML) based Intrusion Detection Systems (IDSs), useful to detect intrusions in Controller Area Network (CAN) protocol-based In-Vehicles networks. Adversarial Machine Learning (AML) attacks in the Black-Box scenario pose a concrete threat to such IDSs making the task of defense really challenging. Therefore, the main goal of this work is to understand the possible importance of some hyperparameters related to Decision Tree (DT)-based Ensemble models (on which the Supervised ML IDS is based) in the CAN Bus Frame Detection Task, recognized as an inherent defense (or deterence) tool from Black-Box AML attacks (seen as the "Cyber" part of a MDO). The victim core models are Technology Transfer state-of-the-art Random Forest bagging-based (RF), Gradient Boosting (GB) and Extreme Gradient Boosting (XGB). The attack considered is Zeroth Order Optimization. The experimental results show the hyperparameters related to the bagging trees number's per RF and to the boosting rounds number's per GB influence the attack time. This cannot be seen for the one related to the boosting rounds number's per XGB. The correct choice of these values can be a perfect Responsible/Trustworthy AI best practices' example for the Robustness/Security of automotive ML systems. The secondary goal is to study the impact (qualitative) of such evidence on the organizational units (Detection, Response and Prevention) in the Cyber Social Security (CSS) in MDOs. Generally, a Very High impact is estimated considering the importance of such evidence in threat detection and response.
Recently, the automotive industry is advancing at a rapid pace, recognizing Connected and Autonomous
Vehicles (CAVs) and Internet of Vehicles (IoV) technologies as essential assets for achieving long-term
sustainability within Smart Cities [
The evolution of shared mobility as well as the evolution of electric mobility are strategies for
optimising any travel with a view to greater sustainability [
This concept of technological and social development can be linked to the concept of Multi-Domain
Operations [
In such a complex scenario, the integration of Artificial Intelligence (AI) and Machine Learning (ML)
into the automotive sector should be regarded not only as innovative enhancements to vehicle security
but also as essential tools for preventing situations that may compromise the psychological and physical
well-being of passengers [
Compromising that system allows for the execution of various attacks (targeting assets within the "Transport" sector [13]) through corrupted Electronic Control Units (ECUs), considered as nodes within In-Vehicle Networks, ultimately causing abnormal behavior within the vehicle itself [14]. Within this context, the cognitive well-being of passengers may also be compromised, with serious repercussions stemming from the covert actions conducted by malicious actors against ML-based IDS. This concept is the link between automotive cyber security and Cyber Social Security (CSS) [15].
The most worrisome tool for conducting attacks on ML-based systems is Adversarial Machine Learning (AML) [16, 17, 18]. In the case of evasive paradigm, it’s possible to manipulate the input data (at the testing/monitoring time [19]) of the victim model, for example by altering any type of image (or any CAN processed frame) in imperceptible ways, to fool the victim ML model which will misclassify that example [20, 21]. In general, AML attacks can be executed in three distinct scenarios, each varying based on the attacker’s knowledge of the target system’s architecture and parameters. The Black-Box scenario is both the most probable and accessible for attackers, as it requires no prior insight into the victim system’s structure [16, 22]. Current literature on the application or conceptualization of Black-Box attacks within the CAN bus frame detection task remains limited and in an early stage of development.
Therefore, this paper shows an empirical case study on the importance of some Decision Tree (DT)based Ensemble models hyperparameters used as the core of Supervised ML-based IDS in the CAN Bus Frame Detection Task in automotive cyber security scenarios. It’s supposed the IDS is installed in the vehicle itself and attacked via a Black-Box AML attack i.e. Zeroth Order Optimization (ZOO) in a pure Black-Box Evasive Scenario. This attack is labelled as the "Cyber" part of an MDO. Several algorithms underlying this analysis are considered: Random Forest bagging based (RF), Gradient Boosting (GB) and Extreme Gradient Boosting (XGB). Basically, the time needed to generate adversarial examples (for each victim ML model) is empirically evaluated as the values associated with these parameters change. This provides a qualitative estimate of the evolution of that time with the goal of providing a concrete demonstration to any defense team (in any Vehicle-SOC) regarding the most appropriate values to associate with such hyperparameters. The experimental results show the hyperparameters related to the bagging trees number’s per RF and to the boosting rounds number’s per GB influence the attack time needed. This cannot be seen for the one related to the boosting rounds number’s per XGB. These can be seen as an inherent defense (or deterrence) tool from Black-Box AML attacks capable of controlling the attack time (for the RF and GB case). Choosing these values correctly can be a perfect example of Responsible/Trustworthy AI (by Design) best practice [23, 24, 19]. In particular, we allude to the Robustness [25] and Security [26] of the chosen ML models under Black-Box AML attacks [27].
Moreover, the secondary goal of this work is to qualitatively identify the (negative) impact resulting from worst practices programming (i.e. inappropriate values for the previously mentioned hyperparameters) related to the application of the ZOO attack (in a pure Black-Box scenario) on the "Detection", "Response" and "Prevention" axes of the framework for Cyber Social Security in MDOs. Figure 1 presents two dimensions, Horizontal and Vertical, which combine Technical and Organisational requirements for integrating various operations. The Horizontal dimension is defined by five operational warfare domain which allow to identify for each layer methodologies, tools and techniques necessary to define in each dimension the Detection-Response-Prevention life cycle. It enables the definition of diferent tactical and strategic levels, aiming to vertically organize security operations through the integration of technical aspects of each domain facilitating the inclusion of cyber aspects in MDO. The definition of the three operational units along the Vertical dimension allow to manage the impact on the civil context and, specifically, on Cyber Social Security [15, 28].
There is no shadow of a doubt that setting the right values can negatively afect the time required for the attack by favouring (hopefully as much as possible) the defense team by giving away valuable time to unearth the previous Vulnerability Assessment and Penetration Testing (VAPT) attempt sufered by the In-Vehicle network.
This entire analysis can be recognized as a critical component of any Cyber Threat Intelligence (CTI),
designed to comprehensively assess the risks posed by such threats. This intelligence could prove
indispensable in countering adversaries during Multi-Domain Operations (MDOs) [
• Empirically detect the possible influence of the hyperparameters related to the bagging trees number’s per RF, to the boosting rounds number’s per GB and to the boosting rounds number’s per XGB under on the ZOO adversarial examples generation time applied to Supervised ML-based IDS in the CAN Bus Frame Detection Task in a Black-Box attack scenario; • Qualitatively quantify the (positive) impact of these values on the "Detection", "Response" and "Prevention" axes of the CSS framework in MDOs.
The idea underlying the research work is to accelerate the process of innovation and awareness
associated with exploitable disruptive technologies in one or more domains during an MDO and to
contribute to developing a multidimensional national deterrence approach [
The rest of the paper is organized as follows: section 2 provides some related works, section 3 shows the experimental setup; section 4 illustrates the results and the discussions; section 5 concludes the paper.
To the best of our knowledge, the scientific literature concerning Black-Box AML attacks on ML-based IDS within the context of CAN bus frame detection remains relatively limited.
For example, Aloraini et al. [20] have conducted an adversarial attack using a substitute victim IDS, trained on data extracted from the OBD-II interface. This dataset is diferent from the one used to train the real victim IDS [20]. This scenario is not a pure Black-Box one since the transferability of the adversarial examples is exploited [20]. The victim IDS models were: a baseline proprietary DNN-based IDS and one state-of-the-art model i.e. MTH-IDS. The surrogated models were a DNN and a DT. The dataset exploited for the surrogated model is the Car Hacking Dataset [29]. Several White-Box AML attacks were considered like Fast Gradient Sign Method (FGSM), Basic Iterative Method (BIM), Projected Gradient Descent (PGD) and Jacobian-based Saliency Map Attack (JSMA) [20]. The experimental results have shown the decrease of the F1 scores from 95% to 38% and from 97% to 79% respectively for the real victim models [20]. pSace aLnd icon eDt icon eDt sepon RR sepon tnio evev rP tnio rP
Cyber Cyber
This paper seeks to delve into the Robustness/Security of ML-based systems (in the automotive sector). Adversarial Training is the most exploited countermeasure to raise the security level of ML-based systems and avoid Black-Box AML attacks [34, 35, 32]. In the literature, there is an important lack of works dealing with the importance of ML-based system programming practices focused on Robustness/Security (by Design) concerning Black-Box AML attacks in the CAN bus frame detection task.
Consequently, it is necessary to consider the impact of best AI/ML-based systems programming practices (for Responsible/Trustworthy AI and especially for Robustness/Security of ML models) on Cyber Social Security (CSS) in MDOs. The CSS links the security of physical systems with the safety of the most valuable assets, i.e. physical persons.
Accordingly, this paper seeks to underscore the critical need for future research.
In this section (useful for answering all RQs), details about the Black-Box attack scenario, the ZOO attack pipeline, the empirical estimation of attack time (and its possible evolution) and the qualitative analysis of the parameters’ impact on the CSS framework for MDOs are discussed. This work is based on Python (version 3.9). The implementation of the ML models is carried out using the Scikit-learn library, with the exception of the XGBoost model which utilized the xgboost library. Data manipulation and processing are facilitated by the Pandas framework. The ZOO attack implementation is provided by the Adversarial Robustness Toolkit (ART) [36]. The working machine is equipped with an AMD Ryzen 5 2600 Six-Core Processor and 16 GB of RAM.
The attack scenario examined aligns with that presented in [32]. The attack begins by conducting a Vulnerability Assessment and Penetration Test (VAPT) on the target In-Vehicle Network (IVN) to compromise a single ECU. This phase facilitates the exfiltration and injection of CAN frames, enabling the attacker to gather extensive insights into the behavior of the target IDS. The attacker’s ultimate goal is to infiltrate the IDS module directly [ 37] and, obtain the correct label for each preprocessed frame to generate the corresponding adversarial example. Additionally, the attacker may monitor the IDS-generated predictions by gaining control of any module interfacing with the IDS system. The attacker knows nothing about the victim system (i.e. the pure Black-Box scenario) [32].
The work presented in this paper is based on the Barletta et al. [32] attack pipeline, useful for training the victim ML models (to be attacked later). Specifically, the OTIDS dataset [ 33] is prelaborated following the Bari et al. [34] pipeline. The final dataset version is splitted into three parts: (i.e. the 60% part), (i.e. the first 20% part) and (i.e. the second 20% part).
ML models useful for empirical estimation (discussed later) are: RF bagging-based, GB and XGB (in their default configurations). The attack pipeline (for each victim ML model) follows these steps: 1. Training of the IDS on dataset (obtaining ); 2. Generating the adversarial examples sets ′ and ′ (related to the and ) on ; Before performing the ZOO attack on the subdataset, a K-Fold Stratified Cross Validation (K-FSCV) (with = 5) is performed. The ZOO configuration follows the default configuration except for: • the learning_rate is set to 0.1 (default is 0.01) since the attacker’s probably would probably want to converge very fast (during the gradient descent step); • the max_iter is set to 50 (default is 10) since the attacker would probably want to get examples very close to the normal ones, by increasing the number of trials; • the variable_h is set to 0.2 (default is 0.0001) since the attacker probably wants the adversarial examples very quickly (enlarging the extremes of the search range). However, the global minimum (i.e. the minimum adversarial perturbation) of the gradient descent is not guarantee.
This phase is useful for answering RQ1. Ideally, every defense team (Vehicle-SOC) would want to exploit an ML-based IDS system that involves as much time as possible to generate adversarial examples. Considering this idea, some hyperparameters related to Ensemble-based ML models (i.e. RF, GB, XGB) could be labelled as an intrinsic defense tool for the IDS system useful to control the needed generation time for the adversarial examples. This approach aims to strengthen the organization’s defense mechanisms by maximizing the efort required of the attacker. The analysis’ modus operandi is the following: for each ML model (i.e. RF, GB and XGB) and for each hyperparameters’ value (incremental), the value (seconds) related to the generation time of 92270 examples is detected after about five minutes of computation. The examined hyperparameters are the bagging trees number’s per RF, the boosting rounds number’s per GB and the boosting rounds number’s per XGB. So, the empirical estimation is performed on _ by exploiting the second step of the attack pipeline (mentioned above). The empirical analysis is performed only on ′ since the examples follow the same distribution. The core goal of this analysis is to assess whether a direct proportionality exists between the previously discussed parameters and the time required to generate the considered adversarial examples. Accordingly, this study aims to ofer practical recommendations regarding optimal values for these hyperparameters and the most efective ensemble model.
To answer RQ2, the qualitative analysis is carried out considering the "Land" and "Cyber" domains. In general, assessing the impact of cyber threats on assets (across all domains within MDOs scenarios) requires an estimation of their inherent risk level [38, 39]. Even in this situation where the goal is to estimate the (negative) impact resulting from programming practices that do not also consider the resilience of ML models to Black-Box attacks, this is critical.
Considering the lack (previously mentioned), an high-level qualitative risk assessment is adopted taking into account not only the severity of social consequences resulting from such attacks (i.e. the instigation of terrorism’s climate linked to the abnormal vehicle behavior as well as the disorientation of civilian/military operators And the reputational damage in the “Country System” [32]) but also the "risk-averse" approach that informs our perspective.
At a time in history when CAVs are becoming increasingly central assets in Smart Cities and MDOs are a concrete threat, it’s critical to hardening vehicle defenses to prevent damage to passengers’ physical 0.9 ) 0.8 ( 0.7 0.6 0.5 0.4 0.3 0.2 0.1
Attack Time 33.25 · + 31,375 Lin. Reg. and cognitive dimensions. AI/ML represent a tool that can fulfil this task but there is a need to develop IDSs for CAN bus IVNs that are robust (as much as possible) to Black-Box AML attacks as well.
Therefore, in this paper the possible influence of some hyperparameters related to DT-based TT state-of-the-art Ensemble models (i.e. RF, GB, XGB) underlying an IDS, victim of the ZOO attack (in a purely Black-Box scenario), on the time needed to the generation of adversarial examples is evaluated (RQ1). In addition, the impact of such on the CSS framework for MDOs is qualitatively evaluated (RQ2).
The experimental results reveal a direct proportional relationship between the bagging trees’ number for the RF and the estimated time required to execute the attack. This trend is also confirmed for the boosting rounds’ number for the GB model but does not hold for the corresponding parameter for the XGB model. Consequently, only in the first two cases can these hyperparameters be considered intrinsic defense mechanisms (or deterrents) against the attack under investigation. The RF model is recommended given its greater robustness. Generally, the impact of such evidence is rated very high considering the important possibility of controlling the timing of the attack (to the point of diverting attention away from the attacker).
Some future directions of this work, it would be interesting to perform the empirical analysis by considering diferent values related to the attack hyperparameters (even the default ones), to base the analysis on additional Black-Box (and White-Box) attacks as well as additional state-of-the-art datasets in the automotive context. In addition, it is also consedered to extend the analysis on datasets and IDSs (based on ML and Deep Learning algorithms) exploited in additional systems of national interest (i.e. IoT networks, Aircraft, Submarines). Regarding impact analysis, a clear development is to quantify the analysis itself.
This work was partially supported by the following projects: SERICS - “Security and Rights In the CyberSpace - SERICS” (PE00000014) under the MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU; Casa delle Tecnologie Emergenti del Comune di Bari – “Bari Open Innovation Hub” – CUP J99J19000300003.
bile Communication Conference (UEMCON), 2021, pp. 0944–0949. doi:10.1109/UEMCON53757. 2021.9666745. [12] K. A, H. R, F. L. D, J. H, S. M. JI, G. G. E, Toward explainable, robust and fair ai in automated and autonomous vehicles (2023). doi:10.2760/95650(online). [13] D. Morris, G. Madzudzo, A. Garcia-Perez, Cybersecurity threats in the auto industry: Tensions in the knowledge environment, Technological Forecasting and Social Change 157 (2020) 120102. URL: https://www.sciencedirect.com/science/article/pii/S0040162520309288. doi:https://doi. org/10.1016/j.techfore.2020.120102. [14] F. Sommer, J. Dürrwang, R. Kriesten, Survey and classification of automotive security attacks, Information 10 (2019). URL: https://www.mdpi.com/2078-2489/10/4/148. doi:10.3390/info10040148. [15] V. S. Barletta, D. Caivano, C. Catalano, M. de Gemmis, D. Impedovo, Cyber social security education, in: Extended Reality: International Conference, XR Salento 2024, Lecce, Italy, September 4–7, 2024, Proceedings, Part IV, Springer-Verlag, Berlin, Heidelberg, 2024, p. 240–248. URL: https: //doi.org/10.1007/978-3-031-71713-0_16. doi:10.1007/978-3-031-71713-0_16. [16] B. Wu, Z. Zhu, L. Liu, Q. Liu, Z. He, S. Lyu, Attacks in adversarial machine learning: A systematic survey from the life-cycle perspective, 2024. arXiv:2302.09457. [17] C. Xie, Z. Cao, Y. Long, D. Yang, D. Zhao, B. Li, Privacy of autonomous vehicles: Risks, protection methods, and future directions, 2022. arXiv:2209.04022. [18] H. Cao, W. Zou, Y. Wang, T. Song, M. Liu, Emerging threats in deep learning-based autonomous driving: A comprehensive survey, 2022. arXiv:2210.11237. [19] and European Union Agency for Cybersecurity, A. Malatras, I. Agrafiotis, M. Adamczyk, Securing machine learning algorithms, 2021. URL: https://op.europa.eu/publication-detail/-/publication/ c7c844fd-7f1e-11ec-8c40-01aa75ed71a1. doi:doi/10.2824/874249. [20] F. Aloraini, A. Javed, O. Rana, Adversarial attacks on intrusion detection systems in in-vehicle networks of connected and autonomous vehicles, Sensors 24 (2024). URL: https://www.mdpi.com/ 1424-8220/24/12/3848. doi:10.3390/s24123848. [21] S. Longari, F. Noseda, M. Carminati, S. Zanero, Evaluating the robustness of automotive intrusion detection systems against evasion attacks, in: Cyber Security, Cryptology, and Machine Learning: 7th International Symposium, CSCML 2023, Be’er Sheva, Israel, June 29–30, 2023, Proceedings, Springer-Verlag, 2023, p. 337–352. URL: https://doi.org/10.1007/978-3-031-34671-2_24. doi:10. 1007/978-3-031-34671-2_24. [22] S. Kotyan, A reading survey on adversarial machine learning: Adversarial attacks and their understanding, 2023. arXiv:2308.03363. [23] Q. Lu, L. Zhu, X. Xu, J. Whittle, D. Zowghi, A. Jacquet, Responsible ai pattern catalogue: A collection of best practices for ai governance and engineering, ACM Comput. Surv. 56 (2024). URL: https://doi.org/10.1145/3626234. doi:10.1145/3626234. [24] E. U. A. for Cybersecurity (ENISA), Artificial intelligence and cybersecurity research, 2023.
URL: https://www.enisa.europa.eu/publications/artificial-intelligence-and-cybersecurity-research. doi:10.2824/808362. [25] H.-L. E. G. on AI European Commission, Ethics guidelines for trustworthy ai, 2024. URL: https: //digital-strategy.ec.europa.eu/en/library/ethics-guidelines-trustworthy-ai. [26] N. I. of Standards, Technolgy, Ai fundamental research - security, 2023. URL: https://www.nist.
gov/artificial-intelligence/ai-fundamental-research-security. [27] S. Goellner, M. Tropmann-Frick, B. Brumen, Responsible artificial intelligence: A structured literature review, 2024. URL: https://arxiv.org/abs/2403.06910. arXiv:2403.06910. [28] V. S. Barletta, M. Calvano, A. Sciacovelli, Cyber social security in multi-domain operations, in: 2024 IEEE International Workshop on Technologies for Defense and Security (TechDefense), 2024, pp. 41–46. doi:10.1109/TechDefense63521.2024.10863352. [29] H. M. Song, J. Woo, H. K. Kim, In-vehicle network intrusion detection using deep convolutional neural network, Vehicular Communications 21 (2020) 100198. [30] I. Zenden, H. Wang, A. Iacovazzi, A. Vahidi, R. Blom, S. Raza, On the resilience of machine learning-based ids for automotive networks, in: 2023 IEEE Vehicular Networking Conference