Vehicle-based communications include (but are not limited to) vehicle-to-vehicle (V2V), vehicle-to-pedestrian (V2P), vehicle-to-motorcycle (V2M) and vehicle-to-infrastructure (V2I) communications. All can be bundled under a general term—vehicle-to-everything or “V2X” communications. V2X communications use positioning data to make safety decisions. Bad positioning data may lead to a false alert or to missing an alert. As use of V2X communications in autonomous driving decisions is imminent, the bad positioning events need to be detected. The detection of bad positioning events is referred to herein as “misbehavior detection”. “Plausibility checks” are applied to identify such events.
Global Navigation Satellite System (GNSS) positioning may suffer from errors, for example when satellites are obstructed and/or when sensors feeding dead-reckoning algorithms are noisy or not calibrated. Even more worrisome, GNSS data may be subject to attacks, for example when the data is fed by a GNSS simulator. A GNSS receiver typically lacks the ability to identify an attack. The communication bus in a vehicle may be under attack as well, potentially manipulating the dead-reckoning algorithm. Detection of attacks in remote vehicles (or “remote units”) is far more complex than in a local vehicle (or “local unit”).
A misbehavior detection method applies a plausibility check. The plausibility check is expected to validate local unit GNSS receiver integrity and remote unit GNSS receiver integrity. FIG. 1 illustrates a known V2X communications system 100 capable of performing such a positioning plausibility check. System 100 comprises a GNSS receiver 102 for providing fresh positioning information embedded in transmitted messages and used in internal calculations that provide position information; one or more inertial sensors 104 for providing correction inputs to the GNSS receiver calculation of the position information, where reception from satellites is inaccurate or infrequent enough; a V2X modem and radio unit 106 for transmitting and receiving messages including the position information; V2X middleware 108 responsible for running V2X networking, security and facilities functions; and a plausibility check unit 110 configurable and operable to analyze each received message and to estimate if the position information received from GNSS receiver 102 and potentially augmented by data received from inertial sensors 104 is plausible. In addition, plausibility check unit 110 may detect if GNSS receiver 102 or inertial sensors 104 have been compromised or have malfunctioned.
Sensors 104 may be located on the same printed circuit board (PCB) or remotely in a different physical unit. V2X radio unit 106 may follow any direct communication protocol including IEEE 802.11p and its potential successors or cellular V2V. Middleware 108 prepares the content of a packet for transmission and parses the content of a received packet. Plausibility check unit 110 may perform its function using any known method (like checking for an illegal field in each parsed packet or overlap between positions of different vehicles) or using a method disclosed herein. Each component of system 100 can be physically separated from other elements. Some of these components may be implemented in software (SW), some may be implemented in hardware (HW) and some in both SW and HW.
The reliability of a plausibility check in a dynamic environment and its real-time implementation in such an environment are very problematic. In a dynamic environment, the distances between vehicles change constantly, leading to unstable Received Signal Strength Indicator (RSSI) measurements; the reflections from the environment, for example from buildings or other cars, harm the RSSI stability as well; the movement of vehicles can obstruct or stop obstructing other vehicles, creating huge jumps in RSSI values; and environment changes, such as a hill suddenly blocking vehicles, impact the measurement as well.
An RSSI-based plausibility check against Sybil attacks in sensor networks was proposed by Yingying Chen et al., IEEE Transactions on Vehicular Technology, Vol. 59, No. 5, June 2010. In a Sybil attack, a single unit sends information as if it were multiple units. A particle filter is used to detect this effect. The position of remote units is analyzed over time to determine if a received transmission is from a single unit or from multiple ones. However, this plausibility check cannot detect a manipulated or faulty GNSS receiver. Also, the complexity of this check is too high. The model suggested by Chen does not fit a dynamic environment.
Known plausibility check solutions for dynamic environments use data-based filtering. A plausible/implausible decision is based on inspecting fields inside packets. Such a solution is unsatisfactory, since a sophisticated attacker may forge the data to overcome the detection methods. Physical detection methods based on RSSI cannot be forged, but they do not exist for dynamic environments. RSSI-based plausibility checks are applied in static sensor networks and to date have been considered not very reliable.
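The known data-based checks mentioned above (an illegal field in a parsed packet, overlap between positions of different vehicles) can be sketched as follows. This is an added example, not part of the original text; the message field names, the value limits and the 1.5 m overlap threshold are assumptions chosen for illustration.

```python
import math
from itertools import combinations

# Assumed field limits (illustrative, not taken from any V2X standard).
LIMITS = {"lat": (-90.0, 90.0), "lon": (-180.0, 180.0),
          "speed_mps": (0.0, 100.0), "heading_deg": (0.0, 360.0)}
OVERLAP_M = 1.5  # assumed: two vehicle reference points cannot be closer than this

def illegal_fields(msg):
    """Return names of fields that are missing, non-numeric or out of range."""
    bad = []
    for name, (lo, hi) in LIMITS.items():
        v = msg.get(name)
        numeric = isinstance(v, (int, float)) and not isinstance(v, bool)
        if not numeric or not (lo <= v <= hi):  # NaN fails the range test too
            bad.append(name)
    return bad

def distance_m(a, b):
    """Flat-earth (equirectangular) distance, adequate at V2X radio range."""
    r = 6371000.0
    mean_lat = math.radians((a["lat"] + b["lat"]) / 2)
    dx = math.radians(b["lon"] - a["lon"]) * math.cos(mean_lat) * r
    dy = math.radians(b["lat"] - a["lat"]) * r
    return math.hypot(dx, dy)

def check_messages(msgs):
    """Return {sender_id: [reasons]} for every implausible message."""
    flagged, valid = {}, []
    for m in msgs:
        bad = illegal_fields(m)
        if bad:
            flagged.setdefault(m["id"], []).append("illegal field: " + ",".join(bad))
        else:
            valid.append(m)
    # Two different senders reporting (almost) the same spot cannot both be right.
    for a, b in combinations(valid, 2):
        if a["id"] != b["id"] and distance_m(a, b) < OVERLAP_M:
            flagged.setdefault(a["id"], []).append(f"overlaps {b['id']}")
            flagged.setdefault(b["id"], []).append(f"overlaps {a['id']}")
    return flagged

# Constructed sample: one snapshot of received messages (not real traffic).
SAMPLE = [
    {"id": "A", "lat": 32.10000, "lon": 34.80000, "speed_mps": 14.0, "heading_deg": 90.0},
    {"id": "B", "lat": 32.10020, "lon": 34.80000, "speed_mps": 13.0, "heading_deg": 90.0},
    {"id": "C", "lat": 32.100005, "lon": 34.800005, "speed_mps": 14.0, "heading_deg": 90.0},
    {"id": "D", "lat": 95.0, "lon": 34.80000, "speed_mps": 10.0, "heading_deg": 45.0},
]
if __name__ == "__main__":
    print(check_messages(SAMPLE))
```

Both checks look only at message content, so a sender that reports legal values and an unoccupied position is not flagged, which is the weakness of data-based filtering noted above.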
There is therefore a need for, and it would be advantageous to have, reliable methods and systems for plausibility checks in V2X dynamic environments, to detect implausible positioning of a misbehaving vehicle, either remote or local.