Table of Contents
Fetching ...

Explainable Machine Learning for Cyberattack Identification from Traffic Flows

Yujing Zhou, Marc L. Jacquet, Robel Dawit, Skyler Fabre, Dev Sarawat, Faheem Khan, Madison Newell, Yongxin Liu, Dahai Liu, Hongyun Chen, Jian Wang, Huihui Wang

TL;DR

This work targets cyberattack identification in traffic management by leveraging traffic-flow data alone, addressing the lack of network-layer visibility in public agencies. It couples a semi-realistic city simulation with a CNN-based anomaly detector and XAI tools (occlusion sensitivity and LIME) to interpret decisions and diagnose errors. The study identifies Longest Stop Duration and Total Jam Distance as key indicators of compromise and traces misclassifications to transitional data and stealth attacks in low-traffic scenarios, informing directions for more robust defenses. The approach enhances trust and practical deployment of AI-driven security in smart transportation systems, with implications for real-time anomaly detection using observable traffic dynamics.

Abstract

The increasing automation of traffic management systems has made them prime targets for cyberattacks, disrupting urban mobility and public safety. Traditional network-layer defenses are often inaccessible to transportation agencies, necessitating a machine learning-based approach that relies solely on traffic flow data. In this study, we simulate cyberattacks in a semi-realistic environment, using a virtualized traffic network to analyze disruption patterns. We develop a deep learning-based anomaly detection system, demonstrating that Longest Stop Duration and Total Jam Distance are key indicators of compromised signals. To enhance interpretability, we apply Explainable AI (XAI) techniques, identifying critical decision factors and diagnosing misclassification errors. Our analysis reveals two primary challenges: transitional data inconsistencies, where mislabeled recovery-phase traffic misleads the model, and model limitations, where stealth attacks in low-traffic conditions evade detection. This work enhances AI-driven traffic security, improving both detection accuracy and trustworthiness in smart transportation systems.

Explainable Machine Learning for Cyberattack Identification from Traffic Flows

TL;DR

This work targets cyberattack identification in traffic management by leveraging traffic-flow data alone, addressing the lack of network-layer visibility in public agencies. It couples a semi-realistic city simulation with a CNN-based anomaly detector and XAI tools (occlusion sensitivity and LIME) to interpret decisions and diagnose errors. The study identifies Longest Stop Duration and Total Jam Distance as key indicators of compromise and traces misclassifications to transitional data and stealth attacks in low-traffic scenarios, informing directions for more robust defenses. The approach enhances trust and practical deployment of AI-driven security in smart transportation systems, with implications for real-time anomaly detection using observable traffic dynamics.

Abstract

The increasing automation of traffic management systems has made them prime targets for cyberattacks, disrupting urban mobility and public safety. Traditional network-layer defenses are often inaccessible to transportation agencies, necessitating a machine learning-based approach that relies solely on traffic flow data. In this study, we simulate cyberattacks in a semi-realistic environment, using a virtualized traffic network to analyze disruption patterns. We develop a deep learning-based anomaly detection system, demonstrating that Longest Stop Duration and Total Jam Distance are key indicators of compromised signals. To enhance interpretability, we apply Explainable AI (XAI) techniques, identifying critical decision factors and diagnosing misclassification errors. Our analysis reveals two primary challenges: transitional data inconsistencies, where mislabeled recovery-phase traffic misleads the model, and model limitations, where stealth attacks in low-traffic conditions evade detection. This work enhances AI-driven traffic security, improving both detection accuracy and trustworthiness in smart transportation systems.
Paper Structure (19 sections, 1 equation, 6 figures, 1 table)

This paper contains 19 sections, 1 equation, 6 figures, 1 table.

Figures (6)

  • Figure 1: Data distribution of the simulated attack and normal scenarios. We used Principal Component Analysis (PCA) to project the original data to 2D space with 90% of variance explained.
  • Figure 2: Architecture of the Convolutional Neural Network (CNN)
  • Figure 3: Occlusion Sensitivity of CNN
  • Figure 4: LIME Explanations for Two Different Traffic Scenarios: (a) Normal Traffic and (b) Hacked Case.
  • Figure 5: Transitional Data Issues: (a) data remain abnormal while hack was ended. (b) SHAP analysis
  • ...and 1 more figures