Yifan Jia,Jingyi Wang,Christopher M. Poskitt,Sudipta Chattopadhyay,Jun Sun,Yuqi Chen

DOI: https://doi.org/10.1016/j.ijcip.2021.100452

IF: 3.683

2021-01-01

International Journal of Critical Infrastructure Protection

Abstract:The threats faced by cyber-physical systems (CPSs) in critical infrastructure have motivated research into a multitude of attack detection mechanisms, including anomaly detectors based on neural network models. The effectiveness of anomaly detectors can be assessed by subjecting them to test suites of attacks, but less consideration has been given to adversarial attackers that craft noise specifically designed to deceive them. While successfully applied in domains such as images and audio, adversarial attacks are much harder to implement in CPSs due to the presence of other built-in defence mechanisms such as rule checkers (or invariant checkers). In this work, we present an adversarial attack that simultaneously evades the anomaly detectors and rule checkers of a CPS. Inspired by existing gradient-based approaches, our adversarial attack crafts noise over the sensor and actuator values, then uses a genetic algorithm to optimise the latter, ensuring that the neural network and the rule checking system are both deceived. We implemented our approach for two real-world critical infrastructure testbeds, successfully reducing the classification accuracy of their detectors by over 50% on average, while simultaneously avoiding detection by rule checkers. Finally, we explore whether these attacks can be mitigated by training the detectors on adversarial samples.

Md Rayhanur Rahman,Brandon Wroblewski,Quinn Matthews,Brantley Morgan,Tim Menzies,Laurie Williams

2024-01-04

Abstract:Defending from cyberattacks requires practitioners to operate on high-level adversary behavior. Cyberthreat intelligence (CTI) reports on past cyberattack incidents describe the chain of malicious actions with respect to time. To avoid repeating cyberattack incidents, practitioners must proactively identify and defend against recurring chain of actions - which we refer to as temporal attack patterns. Automatically mining the patterns among actions provides structured and actionable information on the adversary behavior of past cyberattacks. The goal of this paper is to aid security practitioners in prioritizing and proactive defense against cyberattacks by mining temporal attack patterns from cyberthreat intelligence reports. To this end, we propose ChronoCTI, an automated pipeline for mining temporal attack patterns from cyberthreat intelligence (CTI) reports of past cyberattacks. To construct ChronoCTI, we build the ground truth dataset of temporal attack patterns and apply state-of-the-art large language models, natural language processing, and machine learning techniques. We apply ChronoCTI on a set of 713 CTI reports, where we identify 124 temporal attack patterns - which we categorize into nine pattern categories. We identify that the most prevalent pattern category is to trick victim users into executing malicious code to initiate the attack, followed by bypassing the anti-malware system in the victim network. Based on the observed patterns, we advocate organizations to train users about cybersecurity best practices, introduce immutable operating systems with limited functionalities, and enforce multi-user authentications. Moreover, we advocate practitioners to leverage the automated mining capability of ChronoCTI and design countermeasures against the recurring attack patterns.

Cryptography and Security,Information Retrieval,Machine Learning,Software Engineering

Ravdeep Kour,Adithya Thaduri,Ramin Karim

DOI: https://doi.org/10.13052/jcsm2245-1439.912

2020-01-01

Journal of Cyber Security and Mobility

Abstract:Most organizations focus on intrusion prevention technologies, with less emphasis on prediction and detection. This research looks at prediction and detection in the railway industry. It uses an extended cyber kill chain (CKC) model and an industrial control system (ICS) cyber kill chain for detection and proposes predictive technologies that will help railway organizations predict and recover from cyber-attacks. The extended CKC model consists of both internal and external cyber kill chain; breaking the chain at an early stage will help the defender stop the adversary’s malicious actions. This research incorporates an OSA (open system architecture) for railways with the railway cybersecurity OSA-CBM (open system architecture for condition-based maintenance) architecture. The railway cybersecurity OSACBM architecture consists of eight layers; cybersecurity information moves from the initial level of data acquisition to data processing, data analysis, incident detection, incident assessment, incident prognostics, decision support, and visualization. The main objective of the research is to predict, prevent, detect, and respond to cyber-attacks early in the CKC by using defensive controls called the Railway Defender Kill Chain (RDKC). The contributions of the research are as follows. First, it adapts and modifies the railway cybersecurity OSA-CBM architecture for railways. Second, it adapts the cyber kill chain model for the railway. Third, it introduces the Railway Defender Kill Chain. Fourth, it presents examples of cyber-attack scenarios in the railway system.

Zhengbing Hu,Roman Odarchenko,Sergiy Gnatyuk,Maksym Zaliskyi,Anastasia Chaplits,Sergiy Bondar,Vadim Borovik,

DOI: https://doi.org/10.5815/ijcnis.2020.06.01

2021-12-08

International Journal of Computer Network and Information Security

Abstract:Represented paper is currently topical, because of year on year increasing quantity and diversity of attacks on computer networks that causes significant losses for companies. This work provides abilities of such problems solving as: existing methods of location of anomalies and current hazards at networks, statistical methods consideration, as effective methods of anomaly detection and experimental discovery of choosed method effectiveness. The method of network traffic capture and analysis during the network segment passive monitoring is considered in this work. Also, the processing way of numerous network traffic indexes for further network information safety level evaluation is proposed. Represented methods and concepts usage allows increasing of network segment reliability at the expense of operative network anomalies capturing, that could testify about possible hazards and such information is very useful for the network administrator. To get a proof of the method effectiveness, several network attacks, whose data is storing in specialised DARPA dataset, were chosen. Relevant parameters for every attack type were calculated. In such a way, start and termination time of the attack could be obtained by this method with insignificant error for some methods.

Giancarlo Fortino,Claudia Greco,Antonella Guzzo,Michele Ianni

DOI: https://doi.org/10.1007/s12652-022-04416-5

IF: 3.662

2022-09-23

Journal of Ambient Intelligence and Humanized Computing

Abstract:Abstract The task of identifying malicious activities in logs and predicting threats is crucial nowadays in industrial sector. In this paper, we focus on the identification of past malicious activities and in the prediction of future threats by proposing a novel technique based on the combination of Marked Temporal Point Processes ( MTTP ) and Neural Networks. Differently from the traditional formulation of Temporal Point Processes, our method does not make any prior assumptions on the functional form of the conditional intensity function and on the distribution of the events. Our approach is based the adoption of Neural Networks with the goal of improving the capabilities of learning arbitrary and unknown event distributions by taking advantage of the Deep Learning theory. We conduct a series of experiments using industrial data coming from gas pipelines, showing that our framework is able to represent in a convenient way the information gathered from the logs and predict future menaces in an unsupervised way, as well as classifying the past ones. The results of the experimental evaluation, showing outstanding values for precision and recall, confirm the effectiveness of our approach.

computer science, information systems,telecommunications, artificial intelligence

Dongjie Wang,Pengyang Wang,Jingbo Zhou,Leilei Sun,Bowen Du,Yanjie Fu

DOI: https://doi.org/10.48550/arXiv.2008.12618

2020-08-26

Abstract:While Water Treatment Networks (WTNs) are critical infrastructures for local communities and public health, WTNs are vulnerable to cyber attacks. Effective detection of attacks can defend WTNs against discharging contaminated water, denying access, destroying equipment, and causing public fear. While there are extensive studies in WTNs attack detection, they only exploit the data characteristics partially to detect cyber attacks. After preliminary exploring the sensing data of WTNs, we find that integrating spatio-temporal knowledge, representation learning, and detection algorithms can improve attack detection accuracy. To this end, we propose a structured anomaly detection framework to defend WTNs by modeling the spatio-temporal characteristics of cyber attacks in WTNs. In particular, we propose a spatio-temporal representation framework specially tailored to cyber attacks after separating the sensing data of WTNs into a sequence of time segments. This framework has two key components. The first component is a temporal embedding module to preserve temporal patterns within a time segment by projecting the time segment of a sensor into a temporal embedding vector. We then construct Spatio-Temporal Graphs (STGs), where a node is a sensor and an attribute is the temporal embedding vector of the sensor, to describe the state of the WTNs. The second component is a spatial embedding module, which learns the final fused embedding of the WTNs from STGs. In addition, we devise an improved one class-SVM model that utilizes a new designed pairwise kernel to detect cyber attacks. The devised pairwise kernel augments the distance between normal and attack patterns in the fused embedding space. Finally, we conducted extensive experimental evaluations with real-world data to demonstrate the effectiveness of our framework.

Cryptography and Security,Machine Learning,Signal Processing

Subhash Lakshminarayana,Teo Zhan Teng,Rui Tan,David K.Y. Yau

DOI: https://doi.org/10.48550/arXiv.1709.07574

2017-09-22

Abstract:Modern urban railways extensively use computerized sensing and control technologies to achieve safe, reliable, and well-timed operations. However, the use of these technologies may provide a convenient leverage to cyber-attackers who have bypassed the air gaps and aim at causing safety incidents and service disruptions. In this paper, we study false data injection (FDI) attacks against railways' traction power systems (TPSes). Specifically, we analyze two types of FDI attacks on the train-borne voltage, current, and position sensor measurements - which we call efficiency attack and safety attack -- that (i) maximize the system's total power consumption and (ii) mislead trains' local voltages to exceed given safety-critical thresholds, respectively. To counteract, we develop a global attack detection (GAD) system that serializes a bad data detector and a novel secondary attack detector designed based on unique TPS characteristics. With intact position data of trains, our detection system can effectively detect the FDI attacks on trains' voltage and current measurements even if the attacker has full and accurate knowledge of the TPS, attack detection, and real-time system state. In particular, the GAD system features an adaptive mechanism that ensures low false positive and negative rates in detecting the attacks under noisy system measurements. Extensive simulations driven by realistic running profiles of trains verify that a TPS setup is vulnerable to the FDI attacks, but these attacks can be detected effectively by the proposed GAD while ensuring a low false positive rate.

Cryptography and Security,Systems and Control

Pegah Barkhordari,Roberto Galeazzi,Alejandro de Miguel Tejada,Ilmar F. Santos

DOI: https://doi.org/10.48550/arXiv.1910.06582

2019-10-15

Abstract:This study introduces a low-complexity behavioural model to describe the dynamic response of railway turnouts due to the ballast and railpad components. The behavioural model should serve as the basis for the future development of a supervisory system for the continuous monitoring of turnouts. A fourth order linear model is proposed based on spectral analysis of measured rail vertical accelerations gathered during a receptance test and it is then identified at several sections of the turnout applying the Eigensystem Realization Algorithm. The predictviness and robustness of the behavioural models have been assessed on a large data set of train passages differing for train type, speed and loading condition. Last, the need for a novel modeling method is argued in relation to high-fidelity mechanistic models widely used in the railway engineering community.

Systems and Control,Applications

Yuan Yang,Zhongmin Cai,Chunyan Wang,Junjie Zhang

DOI: https://doi.org/10.1109/tifs.2018.2833048

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:There is an increasing need of assessing and mitigating the effects of successful attacks. Uncovering malicious and contaminated objects in an attacked computing system is referred to as identification of attack ramifications. Previous methods identify the attack ramifications by directly tracking information flows (or dependences) from the intrusion root (i.e., the entry point of an attack). They face challenges such as undetermined intrusion root and dependence explosion. In this paper, we present a novel, light-weight method capable of identifying attack ramifications without the knowledge of intrusion root and less subject to dependency explosion. The method utilizes a probabilistic reasoning approach to fuse evidence derived from a subset of objects whose security states are known. It first splits the lifetime of an object into consecutive time slices (object-slices) to profile how the security state of this object changes over time. Then, a temporal dependence network (TDN) is constructed from system call traces to correlate object-slices according to information flows between them. Based on that, a Bayesian network (BN) model is built to characterize the uncertainties of infection propagations in the TDN. Finally, the method adopts loopy belief propagation on the BN model to infer the security state of an object. We evaluate the proposed method using a large data set of 389 attacks launched by the real-world malware samples including sophisticated ones such as Stuxnet. Extensive experiments demonstrate that our method is able to identify attack ramifications with a 97.47% precision at 97.21% recall without the knowledge of intrusion root.

Michael Hubner,Kilian Wohlleben,Martin Litzenberger,Stephan Veigl,Andreas Opitz,Stefan Grebien,Franz Graf,Andreas Haderer,Susanne Rechbauer,Sebastian Poltschak

DOI: https://doi.org/10.3390/s24134118

IF: 3.9

2024-06-25

Sensors

Abstract:Effective security surveillance is crucial in the railway sector to prevent security incidents, including vandalism, trespassing, and sabotage. This paper discusses the challenges of maintaining seamless surveillance over extensive railway infrastructure, considering both technological advances and the growing risks posed by terrorist attacks. Based on previous research, this paper discusses the limitations of current surveillance methods, particularly in managing information overload and false alarms that result from integrating multiple sensor technologies. To address these issues, we propose a new fusion model that utilises Probabilistic Occupancy Maps (POMs) and Bayesian fusion techniques. The fusion model is evaluated on a comprehensive dataset comprising three use cases with a total of eight real life critical scenarios. We show that, with this model, the detection accuracy can be increased while simultaneously reducing the false alarms in railway security surveillance systems. This way, our approach aims to enhance situational awareness and reduce false alarms, thereby improving the effectiveness of railway security measures.

engineering, electrical & electronic,instruments & instrumentation,chemistry, analytical

Abolfazl Falahati,Ebrahim Shafiee

DOI: https://doi.org/10.1007/s13177-021-00274-1

2021-09-30

International Journal of Intelligent Transportation Systems Research

Abstract:With the advancement of modern rail transport systems, high-speed railways' safety and reliability is improved enormously due to proper intelligent traffic management systems. The automatic train control and operating system receive the train location beacons and the railway line's essential information through various channels, such as Balise wirelessly. However, this technology is vulnerable to cyber-physical attacks. This article aims to investigate the existing cyber attacks on Balise that can result a physical turmoil. Due to the limitations and constraints of the railway infrastructures, the attacks and failure detection methods are proposed based on machine learning. Also, a fuzzy countermeasure system is developed to improve train safety against known and unknown cyber-attacks. The simulation results show 92% accuracy in the proposed successful attacks detection system. Moreover, a small amount of false-positive and false-negative warnings can be also revealed employing the proposed scheme. The proposed method does not require change railway infrastructure.

Prashanth Krishnamurthy,Ali Rasteh,Ramesh Karri,Farshad Khorrami

2024-06-18

Abstract:Increased connectivity and remote reprogrammability/reconfigurability features of embedded devices in current-day power systems (including interconnections between information technology -- IT -- and operational technology -- OT -- networks) enable greater agility, reduced operator workload, and enhanced power system performance and capabilities. However, these features also expose a wider cyber-attack surface, underscoring need for robust real-time monitoring and anomaly detection in power systems, and more generally in Cyber-Physical Systems (CPS). The increasingly complex, diverse, and potentially untrustworthy software and hardware supply chains also make need for robust security tools more stringent. We propose a novel framework for real-time monitoring and anomaly detection in CPS, specifically smart grid substations and SCADA systems. The proposed method enables real-time signal temporal logic condition-based anomaly monitoring by processing raw captured packets from the communication network through a hierarchical semantic extraction and tag processing pipeline into time series of semantic events and observations, that are then evaluated against expected temporal properties to detect and localize anomalies. We demonstrate efficacy of our methodology on a hardware in the loop testbed, including multiple physical power equipment (real-time automation controllers and relays) and simulated devices (Phasor Measurement Units -- PMUs, relays, Phasor Data Concentrators -- PDCs), interfaced to a dynamic power system simulator. The performance and accuracy of the proposed system is evaluated on multiple attack scenarios on our testbed.

Systems and Control

Michał Bałdyga,Kacper Barański,Jakub Belter,Mateusz Kalinowski,Paweł Weichbroth

DOI: https://doi.org/10.3390/s24082633

IF: 3.9

2024-04-21

Sensors

Abstract:To date, significant progress has been made in the field of railway anomaly detection using technologies such as real-time data analytics, the Internet of Things, and machine learning. As technology continues to evolve, the ability to detect and respond to anomalies in railway systems is once again in the spotlight. However, railway anomaly detection faces challenges related to the vast infrastructure, dynamic conditions, aging infrastructure, and adverse environmental conditions on the one hand, and the scale, complexity, and critical safety implications of railway systems on the other. Our study is underpinned by the three objectives. Specifically, we aim to identify time series anomaly detection methods applied to railway sensor device data, recognize the advantages and disadvantages of these methods, and evaluate their effectiveness. To address the research objectives, the first part of the study involved a systematic literature review and a series of controlled experiments. In the case of the former, we adopted well-established guidelines to structure and visualize the review. In the second part, we investigated the effectiveness of selected machine learning methods. To evaluate the predictive performance of each method, a five-fold cross-validation approach was applied to ensure the highest accuracy and generality. Based on the calculated accuracy, the results show that the top three methods are CatBoost (96%), Random Forest (91%), and XGBoost (90%), whereas the lowest accuracy is observed for One-Class Support Vector Machines (48%), Local Outlier Factor (53%), and Isolation Forest (55%). As the industry moves toward a zero-defect paradigm on a global scale, ongoing research efforts are focused on improving existing methods and developing new ones that contribute to the safety and quality of rail transportation. In this sense, there are at least four avenues for future research worth considering: testing richer data sets, hyperparameter optimization, and implementing other methods not included in the current study.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.

Mouna Rekik,Christophe Gransart,Marion Berbineau

DOI: https://doi.org/10.1109/ssd.2018.8570650

2018-03-01

Abstract:Future railway systems should bring convenience to people's lives. In fact, the efficiency and the safety of railway services are improving due to the evolution from bespoke stand-alone systems to open-platform, standardized equipment and the increasing use of networked control and automation systems and connected technologies. However, this dependency of automation, control and communication technologies makes railway systems increasingly vulnerable to cyber-physical security threats which affect the overall performance. This paper deals with cyber-physical security concerns facing these systems. As such, vulnerabilities and characteristics of railway threat landscape are analyzed. We then discuss threats facing these assets, their direct impacts and cascading consequences on the whole system.

Allegra Alessi,Piero La-Cascia,Benjamin Lamoureux,Michele Pugnaloni,Pierre Dersin

DOI: https://doi.org/10.36001/phme.2016.v3i1.1641

2016-07-05

Abstract:Within railway infrastructure, railway point systems are among the most critical equipment, not only due to accidents and delays caused by their failures but also due to maintenance costs. The detection of early signs of degradation and the ability to identify the maintenance actions required to prevent a failure are key aspects of a successful and advantageous health assessment strategy. While studies focusing on the detection and prognostics of railway point systems exist, few or none address the correlation between environment, field layout and the point system behavior. This paper aims to consider the interaction between these factors and the point system behavior, and compare a fleet-based approach to an asset-based approach for the point systems health assessment, highlighting the influence of the field configuration on the effectiveness of the two methods. The proposed methods exploit Self-Organizing Maps (SOMs) to construct a health indicator for both the detection and the diagnosis of railway point systems. The approaches are applied to a case study for the on-line health assessment of 20 electro-mechanical point systems operating on a main line over the course of 6 months. The results show how an asset-based monitoring system is necessary in order to maintain a level of information which enables to achieve an efficient detection of anomalies and a correct identification of degradation mechanisms. In addition, fleet-based health assessment leads to a higher percentage of missed alarms, due to the intrinsic hypothesis of considering all point systems as operating in the same context and mission profile.

Bechir ALAYA,Lamaa SELLAMI,Pascal Lorenz

DOI: https://doi.org/10.1016/j.adhoc.2024.103417

IF: 4.816

2024-01-25

Ad Hoc Networks

Abstract:In a vehicular environment, by becoming connected, vehicles are subject to more threats in comparison to traditional information systems, with the difference that, as a cyber-physical system, anomalies and intrusions could have repercussions in the physical world. In this work, we have developed an ontological anomaly-detection approach (OADA). The anomalies studied in this work mainly concern: network scans, DNS tunnel attacks, and telemetry data anomalies. Our contribution relates to a study of the attributes of interest for the algorithm used during the detection phase, namely the hierarchical temporal memory algorithm (HTM). The packets exchanged by the vehicle are grouped in instant description windows. These windows are then analyzed to extract a set of attributes. These are linked to the properties of network traffic, such as flow or latency. They are subject to the process of detecting anomalies and intrusions, carried out thanks to the algorithm with HTM. For each entry, the algorithm produces a score that allows us to decide if a window is abnormal and to lift an alert if that is the case. We evaluated our system using a communications and anomalies emulation tool. We use the corpus of data produced thanks to Autobot. We seek to determine from among the best scores of Matthews correlation coefficient (MCC) and Detection efficiency score (DES) which were the parameters for which HTM detects all anomalies with the greatest possible coverage. The obtained results prove that HTM can detect all anomalies for each window duration.

computer science, information systems,telecommunications

Markus Heinrich,Arwed Gölz,Tolga Arul,Stefan Katzenbeisser

DOI: https://doi.org/10.1016/j.ijcip.2023.100603

IF: 3.683

2023-06-05

International Journal of Critical Infrastructure Protection

Abstract:We propose a rule-based anomaly detection system for railway signalling that mitigates attacks by a Dolev-Yao attacker who is able to inject control commands to perform semantic attacks by issuing licit but mistimed control messages. The system as well mitigates the effects of a signal box compromised by an attacker with the same effect. We consider an attacker that could cause train derailments and collisions, if our countermeasure is not employed. We apply safety principles of railway operation to create a distributed anomaly detection system that inspects incoming commands on the signals and points. The proposed anomaly detection system detects mistimed control messages against light signals, points and train detection systems that lead to derailments and collisions without producing false positives, while it requires only a small amount of overhead in terms of network communication and latency compared to normal train operation.

engineering, multidisciplinary,computer science, information systems

Tianhao Zhang,Waqas Aftab,Lyudmila Mihaylova,Christian Langran-Wheeler,Samuel Rigby,David Fletcher,Steve Maddock,Garry Bosworth

DOI: https://doi.org/10.3390/s22124324

IF: 3.9

2022-06-07

Sensors

Abstract:Railway networks systems are by design open and accessible to people, but this presents challenges in the prevention of events such as terrorism, trespass, and suicide fatalities. With the rapid advancement of machine learning, numerous computer vision methods have been developed in closed-circuit television (CCTV) surveillance systems for the purposes of managing public spaces. These methods are built based on multiple types of sensors and are designed to automatically detect static objects and unexpected events, monitor people, and prevent potential dangers. This survey focuses on recently developed CCTV surveillance methods for rail networks, discusses the challenges they face, their advantages and disadvantages and a vision for future railway surveillance systems. State-of-the-art methods for object detection and behaviour recognition applied to rail network surveillance systems are introduced, and the ethics of handling personal data and the use of automated systems are also considered.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Sagar Dasgupta,Courtland Hollis,Mizanur Rahman,Travis Atkison

DOI: https://doi.org/10.1061/9780784484326.008

2021-08-19

Abstract:An adaptive traffic signal controller (ATSC) combined with a connected vehicle (CV) concept uses real-time vehicle trajectory data to regulate green time and has the ability to reduce intersection waiting time significantly and thereby improve travel time in a signalized corridor. However, the CV-based ATSC increases the size of the surface vulnerable to potential cyber-attack, allowing an attacker to generate disastrous traffic congestion in a roadway network. An attacker can congest a route by generating fake vehicles by maintaining traffic and car-following rules at a slow rate so that the signal timing and phase change without having any abrupt changes in number of vehicles. Because of the adaptive nature of ATSC, it is a challenge to model this kind of attack and also to develop a strategy for detection. This paper introduces an innovative "slow poisoning" cyberattack for a waiting time based ATSC algorithm and a corresponding detection strategy. Thus, the objectives of this paper are to: (i) develop a "slow poisoning" attack generation strategy for an ATSC, and (ii) develop a prediction-based "slow poisoning" attack detection strategy using a recurrent neural network -- i.e., long short-term memory model. We have generated a "slow poisoning" attack modeling strategy using a microscopic traffic simulator -- Simulation of Urban Mobility (SUMO) -- and used generated data from the simulation to develop both the attack model and detection model. Our analyses revealed that the attack strategy is effective in creating a congestion in an approach and detection strategy is able to flag the attack.

Machine Learning