Robust Reset Speed Synchronization Control for an Integrated Motor-Transmission Powertrain System of a Connected Vehicle under a Replay Attack

This paper deals with the speed synchronization control of a connected vehicle subject to a replay attack. A large number of replay attack signals are injected into the controller area network (CAN) through an external network, which greatly reduces the real-time control performance of a connected integrated motor-transmission (IMT) system. In order to ensure the performance of an IMT speed tracking system under large random message delays, a robust reset controller combined with a delay-robust speed synchronization controller satisfying energy-to-peak performance is designed in this paper. The uncertain impact caused by a replay attack is described by large random network delays which are modeled by polytopic inclusions. Then, a dynamic output-feedback controller considering the uncertainty caused by attack-delays is proposed for online speed tracking. Moreover, a robust reset controller is designed to obtain a better transient response at large attack-delays. Once the reset condition is triggered, the after-reset value calculated by a linear matrix inequality (LMI) replaces the dynamic state vector. Finally, the effectiveness of the controller is verified by comparing it with model predictive control (MPC), an existing PD control considering delays, and energy-to-peak robust control in terms of performance.


I. INTRODUCTION
With the development of connected vehicles and the advancement of communication technologies, the connection through external communication networks and the in-vehicle controller area network (CAN) provides drivers with an enjoyable driving environment and economical driving guidance [1]-[3]. Once the vehicle is connected to the external network, there are two kinds of communication networks. One is the external network, which transmits instructions from remote servers to vehicles, and the other is the CAN, which carries control signals and sensor measurement signals [4].
Unfortunately, malicious components and malicious programs embedded in CAN as well as wireless interfaces all provide opportunities for attackers to invade an in-vehicle CAN. Moreover, CAN data frames without authentication are broadcast to each network node, paving the way for an attacker to eavesdrop or launch an attack on the vehicle control system. Extensive experiments have proved that attackers use the in-vehicle CAN as an entry point to attack vehicles [5]-[8]. Besides, Murvay and Groza successfully carried out a replay attack, a denial of service (DoS) and a distributed DoS attack experiment on a commercial vehicle with SAE J1939 [9]. Kang et al. developed an automated CAN analyzer (ACA) which supports the execution of a deception attack [10]. Road tests conducted by Koscher et al. show that by using the OBDII tool to insert malicious components or inject malicious programs on CAN, an attacker can shut down the brakes and stop the engine [11]. Woo et al. and Choi et al. have carried out a long-range wireless attack experiment by using a real vehicle and a malicious smartphone application [12]. Based on the above attack experiments, published results studied the CAN security vulnerability and proposed some effective protocols to filter attack signals [12]-[15]. In practice, attack signals increase the CAN bus load and take up the transmission time of legitimate signals. Security protocols protect information security, while the response of the control system under attack-delays needs to be improved.

X. Xu, X. Li, P. Dong, Y. Liu
The unknown time-varying delays on the in-vehicle CAN may downgrade the real-time performance of CAN message transmission, which presents a challenge to controller design [16]-[18]. Numerous studies have discussed system stability with short time-varying delays. Banos, Barreiro and Zhao studied the theoretical stability conditions of the reset control system under time-varying delays [19]-[24]. In vehicle system control, the integrated motor transmission (IMT) powertrain system, which directly combines a motor and a gearbox, has shown great potential to be one of the best transmission mechanisms for connected vehicles [25]-[32]. Moreover, the IMT speed tracking controller considering short time-varying delays has been studied deeply. Caruntu et al. pointed out that the CAN message delay was the source of the oscillation of the IMT transmission system [33]. Zhu et al. proposed a robust IMT speed tracking controller and reduced the powertrain oscillation caused by network-induced time-varying delays [34]. Liu et al. proposed an approach for a robust mixed $H_\infty$/LQR controller for an IMT speed tracking system [35]. An active CAN period-scheduling approach was designed to govern the utilization of the in-vehicle CAN, enhancing IMT speed tracking performance [36]. These controllers achieved good speed tracking performance when the CAN-induced delays were less than twice the sampling time.
The large random attack-induced delays may cause some controllers to be infeasible. Fortunately, the controllers proposed in references [34] and [35] can reduce the impact, but at the cost of a worse speed tracking response and oscillation damping capability. Therefore, some measures need to be applied to address this. The reset controller is a type of hybrid controller in which the state variables of the controller can be reset when certain predefined constraints are met. Thus more degrees of freedom of the controller appear, and they can be used to achieve a trade-off between fast response time and small overshoot [37], [38]. Therefore, a controller combining reset control and delay-robust control techniques referring to [34] is designed in this paper to ensure the speed tracking performance and oscillation damping capability under attack-delays. A new method of obtaining after-reset values has been proposed instead of a traditional zero-crossing. The after-reset value was obtained by minimizing a quadratic cost function based on a model predictive control (MPC) method [39], [40].
In this paper, a dynamic output-feedback robust controller satisfying energy-to-peak performance combined with a robust reset controller is designed to preserve the oscillation damping capability and improve the speed tracking capability of a connected car under a replay attack. The main contributions of our research are listed as follows. (1) A dynamic tracking controller is proposed, making the closed-loop control system robust to uncertain time-varying delays. (2) A robust reset controller is designed to calculate the after-reset value online by considering the stability of the reset control system with time-varying delays. (3) The real-time online calculation, speed tracking and oscillation damping capability of the proposed controller are verified by a hardware-in-the-loop (HIL) online experiment. The experiment results show that the overshoot and settling time of the proposed controller are 47.4% and 40.2% less than those of [34] under step response test conditions from 7km/h to 20km/h under a replay attack with random time-varying delays of maximum 100ms. Fig. 1 shows a replay attack process on an IMT transmission system, which can be divided into a speed synchronization control process of the IMT system and a process of eavesdropping and attacking in-vehicle CAN data.

A. Replay Attack Model
As illustrated in Fig.1, the speed synchronization control architecture of an IMT system consists of a motor, a gearbox, a drive shaft, wheels, a transmission control unit (TCU), a motor control unit (MCU), and a CAN communication network. A TCU is employed for speed synchronization control and an MCU is applied to help the motor accurately execute torque commands from the TCU. In this paper, we consider an attack process on CAN, similar to the replay attack addressed in [41]. In such a process setup, an OBDII scan tool connects with the in-vehicle CAN through a physical interface. All data frames are broadcast to every in-vehicle CAN node. Therefore, the OBDII node could eavesdrop on CAN data frames and send these data to the self-diagnostic APP and the attacker. Moreover, the OBDII scan tool could retransmit these eavesdropped data into the in-vehicle CAN, masquerading as a diagnostic process, at the attacker's request. In fact, malicious self-diagnostic APPs that control the OBDII tools through Bluetooth and communicate with attackers over the mobile network are allowed to be downloaded from the APP market. If the victim downloads them, eavesdropping and attacking the in-vehicle CAN will be implemented. Fig. 2 demonstrates the impact of replay attack signals on the transmission of legitimate CAN messages. The TCU control signals retransmitted by the malicious OBDII node will not be executed with the security protocol. However, Fig.2 shows that these random attack signals greatly increase CAN message transmission time.

C. Fundamentals of IMT System
The state-space model of an IMT system is expressed as [34]. where ] T , B ω,c = I. Here, the system output y, control input u and state variables x are chosen as follows.
where $w$ is the error between the mathematical model and the actual IMT system, $c_m$ is the motor damping, $c_f$ is the driveshaft damping, $k_f$ is the driveshaft stiffness, $T_m$ is the motor torque, , $i_0$ is the final drive ratio, $i_g$ is the gear ratio, $C_a$ is the air resistance coefficient, $J_v$ is the vehicle inertia, $J_g$ is the gearbox inertia, $J_m$ is the motor inertia, $w_g$ is the rotation speed of the gearbox output shaft, $w_m$ is the motor rotation speed, $w_w$ is the rotation speed of the wheel, $\theta_w$ is the wheel angle, $\theta_m$ is the motor output angle, $\theta_g$ is the gearbox output shaft angle. $T_m^*$, $w_m^*$, $w_w^*$ and $\theta_m^*$, which have a star added to the variables, are the desired values of the corresponding variables, respectively. The desired value of the state variables can be obtained by the following relationship if the desired wheel speed $w_w^*$ is given.
where $T_{load}^*$ is the desired external load torque. Actually, the signals sampled by sensors are periodic with a fixed sampling period $T_s$. Therefore, the IMT continuous-time model (1) is transformed to a discrete-time form for vehicle onboard controller design as follows. where

D. IMT System Modeling Considering Attack-Delays
Assume that the attack-induced time-varying delays are bounded, and that the maximum delay $\tau_{max}$ can be composed of $\psi T_s$ and $\Upsilon T_s$ as follows.
where $\psi \in \mathbb{Z}^+$, $\psi > 4$ and $\Upsilon \in \mathbb{R}_{[0,1)}$. By referring to Fig.2, the IMT discrete-time system in (4) can be rewritten as the following nonlinear system to consider the effect of attack-delays on actual control inputs. where Therefore, is employed as a new state vector to convert the nonlinear system (6) into a standard state-space model as follows.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
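The delay model of this subsection, as an added example that is not code from the paper: it splits a delay bound into $\psi T_s + \Upsilon T_s$ and works out which command the actuator actually holds inside each sampling interval when commands arrive late. The 10 ms sampling period is the paper's; the hold-newest actuator policy, the function names and the sample commands and delays are assumptions constructed for illustration.

```python
"""Added illustration: bounded attack-induced delays on a sampled control loop.
All times are integer microseconds so that no floating-point drift accumulates."""
import random

TS_US = 10_000  # sampling period T_s = 10 ms (value used in the paper's simulation)


def decompose_delay(tau_max_us, ts_us=TS_US):
    """Return (psi, upsilon) with tau_max = psi*T_s + upsilon*T_s, 0 <= upsilon < 1."""
    psi, rem = divmod(tau_max_us, ts_us)
    return psi, rem / ts_us


def random_delays(n, tau_max_us, seed=0):
    """Constructed stand-in for a random delay module: n delays in [0, tau_max]."""
    rng = random.Random(seed)
    return [rng.randint(0, tau_max_us) for _ in range(n)]


def applied_input(commands, delays_us, ts_us=TS_US, u_init=0.0):
    """commands[k] is sent at k*T_s and reaches the actuator delays_us[k] later.

    Assumed actuator policy (not from the paper): hold the newest command
    (highest k) received so far and ignore stale commands that arrive after
    a newer one. For every sampling interval the function returns
    (segments, average): segments lists (offset_us, value) switch points
    inside the interval, average is the time-weighted input over it.
    """
    arrivals = sorted((k * ts_us + d, k) for k, d in enumerate(delays_us))
    result = []
    newest = -1          # index of the newest command applied so far
    current = u_init     # value currently held by the actuator
    idx = 0
    for k in range(len(commands)):
        start, end = k * ts_us, (k + 1) * ts_us
        segments = [(0, current)]
        t, area = start, 0.0
        while idx < len(arrivals) and arrivals[idx][0] < end:
            t_arr, j = arrivals[idx]
            idx += 1
            if j <= newest:
                continue  # stale command overtaken by a newer one
            area += current * (t_arr - t)
            t, current, newest = t_arr, commands[j], j
            offset = t_arr - start
            if segments[-1][0] == offset:
                segments[-1] = (offset, current)  # switch at the same instant
            else:
                segments.append((offset, current))
        area += current * (end - t)
        result.append((segments, area / ts_us))
    return result


if __name__ == "__main__":
    print(decompose_delay(100_000))   # 100 ms bound
    print(decompose_delay(57_000))    # constructed non-integer multiple of T_s
    # Constructed commands and delays; command 1 is overtaken by commands 2 and 3.
    for segs, avg in applied_input([1.0, 2.0, 3.0, 4.0], [4000, 25000, 2000, 0]):
        print(segs, avg)
```

In the constructed run the second command is delayed by 25 ms and is discarded as stale, so the input applied during each interval differs from the command computed for that interval.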

E. Linearization of Attack-Delays.
The nonlinear integral part in (7) can be linearized as a finite summation and an infinitesimal of higher order by Taylor series expansion [42], as follows.
The (7) represent the two delay patterns $\Upsilon T_s$ and $T_s$ in a sampling interval. Therefore, the nonlinear $\Delta_{i,k}$ can be rewritten as a combination of a set of linear vertices and vectors as shown below.

IMT Model
where $A_r$, $B_r$, $C_r$ and $D_r$ are the controller matrices. Furthermore, we can obtain the following dynamic output-feedback closed-loop system by employing a new state vector (2). where The tracking error of wheel speed and the axle wrap rate are selected as controlled outputs to evaluate the speed synchronization performance and IMT powertrain system oscillations, which can be expressed as follows where

Citation information: DOI 10.1109/TVT.2020.3020845, IEEE Transactions on Vehicular Technology.

B. Dynamic Output-Feedback Controller Design
The following performance is employed to ensure the stability of the IMT speed synchronization control system as well as the energy-to-peak performance of the closed-loop system, which is where $\|Z_{dyn1}(k)\|_\infty$ and $\|Z_{dyn2}(k)\|_\infty$ are the $\infty$-norms of $Z_{dyn1}(k)$ and $Z_{dyn2}(k)$, and $\|w(k)\|_2$ denotes the 2-norm of $w(k)$. $\vartheta_1$ and $\vartheta_2$ are the energy-to-peak performance indexes, which are used to constrain the impact of the external input $w(k)$ on the evaluation outputs $Z_{dyn1}(k)$ and $Z_{dyn2}(k)$.
In order to obtain the dynamic controller matrices $A_r$, $B_r$, $C_r$ and $D_r$ in (11), Theorem 1 and Corollary 1 are designed. Based on Theorem 1, the linear matrix inequality (LMI) conditions for the closed-loop system in (12) satisfying Lyapunov stability and energy-to-peak performance are derived. Then we can solve for the controller matrices based on Corollary 1.
The minimum value of $\vartheta_2$ can be obtained in the following corollary.
Corollary 1: Given a positive scalar $\vartheta_1$, the minimum energy-to-peak performance $\vartheta_2$ and the matrices $A_1$, $A_2$, $B_1$, $B_2$, $C_1$, $C_2$, $D_1$, $D_2$ can be obtained by solving the following optimization problem.
Furthermore, the feedback gains can be calculated by

IV. ROBUST RESET CONTROLLER DESIGN
Fig.4 shows the online algorithm flow of the reset robust controller. The overall control procedure is divided into an online stage and an offline stage.

After-Reset Value Solving
As shown in Fig.4, in the offline stage, the dynamic output-feedback controller matrices $A_r$, $B_r$, $C_r$, $D_r$ satisfying energy-to-peak performance are calculated based on Theorem 1 and Corollary 1, which ensures the attack-delay robustness and speed tracking performance. Then they are fixed in the online stage. The reset control is activated when $\xi(k)$ and $x_r(k)$ satisfy the reset condition $M_r$, and this reset moment is denoted as the reset time $k^+$. Then, a temporal regulation method is used to avoid Zeno behavior and to avoid a large amount of computing resources being occupied for a long time [40]. Theorem 2 is used to calculate the after-reset value $x_r^+(k)$, and the dynamic controller states $x_r(k)$ are reset to $x_r^+(k)$. Moreover, the reset law is designed as follows

$$\begin{cases} x_r(k+1) = A_r x_r(k) + B_r \xi(k) \\ x_r^+(k) = \rho(\xi(k), x_r(k)) \\ y^+(k) = C_r x_r \end{cases}$$

Reset Condition
where $x_r^+(k)$ is the after-reset vector, $M_r$ is a mathematical set determining the beginning and end of the reset action, and $\rho(\xi(k), x_r(k))$ is a function that determines the after-reset value. Therefore, the robust reset closed-loop system can be rewritten as follows The after-reset value $x_r^+(k) = \rho(\xi(k), x_r(k))$ can be obtained in terms of the conditions in Theorem 2.
Proof: Consider a quadratic Lyapunov function for system to complete the proof below where $P^T = P > 0$. A cost function for evaluating system stability and robust performance is defined as follows.
A quadratic cost function for tracking error is defined as: where $\Phi$ is a positive symmetric matrix used to weigh the tracking error variables and $k^+$ is the reset point time. We assume the relationship between $J(k^+)$ and $\Psi(k^+)$ and their upper bound $\gamma$ as follows [45]: $J(k^+) < \Psi(k^+) < \gamma$.
By substituting the closed-loop system (30) into (35)−(37), (38) Applying the Schur complement to (38), we can obtain the following LMI. Pre-multiplying and post-multiplying (39) by $\mathrm{diag}(I, I, P^{-1}, I)$ and referring to [44], the following LMI can be obtained. where $Q = P^{-1}$. Minimizing the upper bound $\gamma$ leads to minimization of $J(k^+)$. Therefore, the assumption $V(k^+) < \gamma$ can be converted to the following LMI solving problem by employing the Schur complement. Defining for a dynamic output-feedback controller, the conditions in (31)−(33) can be obtained. The proof is thereby completed.

V. SIMULATION
In order to verify the effectiveness of the proposed robust reset controller, simulations based on Matlab/Simulink (R2016a, MathWorks, Natick, MA, USA) environment are carried out. A process of upshifting and downshifting and a step upshift process are applied as driving conditions.
The designed simulation platform diagram can refer to Fig.1. The TCU is employed to calculate the tracking torque command. The MCU&motor module receives this command through the in-vehicle CAN network. The real CAN message delays under a replay attack are imitated by random time-varying delays produced by the network module. The sampling time is set to 10ms. The impact of replay attacks on CAN message transmission is described by three attack-induced delays in Fig.5. Fig.5(a) represents a periodic attack in which each attack causes a delay of 50ms. Fig.5(b) and (c) describe two random attacks with maximum 50ms and 100ms attack-induced delays. Table I lists the main parameters for the IMT powertrain system. Moreover, Table II shows the detailed controller parameters consisting of an MPC controller, the PD controller considering time-varying delays referring to [46], the energy-to-peak delay-robust controller referring to [34] and the proposed controller. Among them, the MPC prediction horizon is $N_p = 10$ and the control horizon is $N_c = 4$. The minimum energy-to-peak performance index $\vartheta_2$ of the proposed dynamic output-feedback controller is obtained as 0.423 by setting the performance index $\vartheta_1$ to 0.1.

Table I (surviving entries): wheel rolling radius, 0.281 m; $g$, gravity acceleration, 9.8 m/s$^2$; $\lambda$, Taylor expansion series, 3.

A. Comparisons with MPC in Effectiveness.
MPC is getting more and more attention in terms of processing constraints, time-varying systems, and tracking control. Especially in many chemical processes, it has been applied to deal with parameter uncertainty and time delay. A periodic attack I in Fig.4(a) is employed to test the performance of the proposed controller and a model predictive controller. Fig.6(a)-(d) show the response of the motor torque, driveshaft torque, and the jitter of the powertrain during the speed synchronization control. It is necessary to mention that the MPC is designed for the powertrain system without any attack. However, in the simulation, the attack exists and the performance of the designed MPC is affected significantly.

Fig. 6: The control performance under replay attack I.
We can see from Fig.6(a) that the model predictive controller and the proposed controller have similar control effects on the speed tracking. Fig.6(b) shows the motor control signal calculated by MPC fluctuates greatly under replay attack I. In practice, these torque fluctuations should be avoided because they increase the load on the motor. However, the proposed controller has a more stable torque output, which preserves the oscillation damping capability under severe network congestion.
The axle wrap rate, which is the difference between the motor speed divided by the gear ratios and the wheel speed, is used to characterize the jitter of the powertrain in engineering. Passenger ride comfort and drive shaft life are affected by this jitter. Therefore, the controller robustness can be indicated by the fluctuation frequency and peak value of the axle wrap rate. The wrap rate responses of the two controllers are shown in Fig.6(c). We can see that the powertrain system under MPC shakes violently during the shift. However, the proposed controller fluctuates slightly at the beginning and end of the upshifting and downshifting, so robustness is improved compared with the MPC. As shown in Fig.6(d), the driveshaft torque of MPC oscillates violently. However, the driveshaft torque response under the proposed controller has little oscillation compared with MPC. In actuality, passengers are sensitive to the driveshaft torque vibration, which we should try to eliminate. The controller we proposed shows its good damping performance.

Fig. 7: The control performance under replay attack II. (Legend: PD in [46]; Proposed.)

B. Comparisons with PD Controller Considering Time-Varying Delays in Effectiveness.
PID controllers are widely used in industrial control as a classical feedback loop component due to their flexibility. We next verify the effectiveness of the proposed robust reset controller compared to the PD controller considering network delays referring to [46]. Fig.7(a)-(d) show the comparisons of the proposed controller and the PD controller under the process of upshifting and downshifting with maximum attack-delays of 50ms in the control communication loop as shown in Fig.5(b). Fig.7(a) shows that the proposed controller has a shorter rise time than the PD controller in speed tracking, which shows that the proposed method has better speed synchronization capability in upshifting and downshifting conditions. Fig.7(b) shows the motor torque response under the above test condition. The motor control signal calculated by the PD controller in [46] fluctuates greatly, but the output signal calculated by the proposed controller is relatively stable. It needs to be further explained that during the upgrade phase of 0-2s, the motor has a stable interval without jitter due to actuator saturation.
The wrap rate responses of the two controllers are shown in Fig.7(c). We can see that the PD controller causes a large oscillation in the powertrain system at the beginning and end of the shift. The same result can be obtained from Fig.7(d). The controller we proposed shows its good damping performance and the driveshaft torque has little oscillation. Therefore, the robustness is obviously improved compared with the PD controller considering delays.

C. Comparisons with Energy-to-Peak Delay-Robust Controller in High-Efficiency.
In order to verify the improvement, we test the proposed robust reset controller in step upshift under replay attack III in Fig.5(c), in contrast with the energy-to-peak controller in [34]. Comparison results are shown in Fig.8−Fig.9. Fig.8(a) and (b) show the speed synchronization performance and its details. Furthermore, the proposed controller reaches its peak 20.82km/h at 0.8s and the settling time is $T_1 = 1.07$s. The energy-to-peak controller reaches the peak 21.56km/h at 1s. It first enters and then stays within the error band at $T_2 = 1.79$s. Table III depicts the overshoot and settling time of the two controllers. In addition, the relative improvement of the proposed controller relative to [34] is detailed.

[Figure legend: Energy-to-peak in [34]; Proposed; Reference speed]

improvements in speed tracking compared to [34] when replay attack III happened. Fig.8(c) shows that the responses of the two controllers oscillate similarly and are all asymptotically stable. The proposed controller shows a peak at the beginning of the reset controller.
The oscillation indicates that there are vibrations on the powertrain. Fig.8(a)−(c) show that the proposed controller has better tracking performance than the energy-to-peak controller with similar powertrain vibration. Due to excessive delays caused by a replay attack, the driveshaft torque and the motor torque responses of the two controllers oscillate before reaching steady state, as shown in Fig.8(d) and Fig.8(f). We can see that the proposed controller has a faster steady-state response. Compared to the energy-to-peak controller in [34], the proposed controller achieves better tracking performance with a smaller overshoot and a faster response when the attack happens.
The difference between $w_w$ and $w_w^*$ is expressed in terms of $\xi_2(k)$. Furthermore, $w_w > w_w^*$ means that the actual speed is greater than the ideal speed, that is, overshoot appears in speed tracking. The maximum overshoot of $\xi_2(k)$ is 0.07 rad/s. Therefore, $\xi_2(k) > 0.07$ rad/s is selected as the condition for the reset control to be triggered. Furthermore, the response of $\xi_2(k)$ is shown in Fig.8(e). Also, the temporal regulation technology is utilized with $\tau_\rho = 0.05$s. Fig.9(a) and (b) show the before-reset states and after-reset vectors $x_r$, which are calculated online by Theorem 2. The before-reset vectors in Fig.9(a) will be replaced by $x_r^+$ when the reset condition is satisfied. Then the after-reset vectors in Fig.9(b) are obtained. We can see from Table II that the matrix $C_r$ is negative. Therefore, the $x_r^+$ calculated by Theorem 2 will be larger than the before-reset vectors for smaller overshoot, which is different from the after-reset value $x_r^+$ which approaches zero in [39] and [47].
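The online reset logic described above, as an added example that is not the paper's code: the controller state is propagated every sample, a reset fires when $\xi_2(k)$ exceeds 0.07 rad/s, and temporal regulation blocks any further reset until $\tau_\rho$ = 0.05 s has elapsed. The threshold, $\tau_\rho$ and the 10 ms sampling time are the paper's; the matrices, the error sequence and `placeholder_rho` (a stand-in for the LMI-based after-reset value of Theorem 2) are assumptions constructed for illustration.

```python
"""Added illustration: reset condition with temporal regulation."""

TS = 0.010             # sampling time [s] (paper's simulation setting)
TAU_RHO = 0.05         # temporal regulation interval [s] (paper's value)
XI2_THRESHOLD = 0.07   # reset when xi_2(k) > 0.07 rad/s (paper's reset condition)

# Constructed 2-state controller matrices; NOT the values of the paper's Table II.
A_R = [[0.90, 0.00], [0.05, 0.80]]
B_R = [[0.10, 0.00], [0.00, 0.20]]


def placeholder_rho(xi, x_r):
    """Hypothetical after-reset map. The paper obtains x_r^+ from an LMI problem
    (Theorem 2); this constant scaling only stands in for that computation."""
    return [0.5 * v for v in x_r]


def controller_step(a_r, b_r, x_r, xi):
    """x_r(k+1) = A_r x_r(k) + B_r xi(k) for small dense matrices."""
    return [
        sum(a * x for a, x in zip(a_r[i], x_r)) + sum(b * e for b, e in zip(b_r[i], xi))
        for i in range(len(x_r))
    ]


def constructed_error_sequence(n=20, first=3, last=12):
    """Constructed xi(k) = [xi_1, xi_2]: xi_2 is above the threshold for k in 3..12."""
    return [[0.0, 0.10 if first <= k <= last else 0.02] for k in range(n)]


def run_reset_controller(xi_seq, a_r, b_r, rho, x0, tau_rho=TAU_RHO, ts=TS):
    """Run the loop and return every reset as (k, x_before, x_after).

    A reset at step k is allowed only if at least tau_rho seconds have passed
    since the previous one, which rules out back-to-back (Zeno-like) resets.
    """
    min_gap = round(tau_rho / ts)      # regulation interval in samples
    since_reset = min_gap              # the first reset is not blocked
    x_r = list(x0)
    resets = []
    for k, xi in enumerate(xi_seq):
        if xi[1] > XI2_THRESHOLD and since_reset >= min_gap:
            before = list(x_r)
            x_r = rho(xi, x_r)         # replace the controller state
            resets.append((k, before, list(x_r)))
            since_reset = 0
        x_r = controller_step(a_r, b_r, x_r, xi)
        since_reset += 1
    return resets


if __name__ == "__main__":
    seq = constructed_error_sequence()
    regulated = run_reset_controller(seq, A_R, B_R, placeholder_rho, [1.0, -1.0])
    unregulated = run_reset_controller(seq, A_R, B_R, placeholder_rho, [1.0, -1.0], tau_rho=0.0)
    print("resets with temporal regulation:", [k for k, _, _ in regulated])
    print("resets without it:", [k for k, _, _ in unregulated])
```

With the constructed sequence the condition holds for ten consecutive samples, yet only two resets are executed, five samples apart; each reset is where the LMI problem would be solved, so the regulation interval also bounds the online computing load.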

VI. EXPERIMENT UNDER HIL CONDITION
The controller should guarantee its real-time control performance under a replay attack before being applied to real connected cars. Therefore, we set up a hardware-in-the-loop (HIL) online experiment based on a dSPACE MicroAutoBox simulator to verify its real-time and control effects under severe CAN information congestion.
[Figure labels: Host PC with Matlab; dSPACE MicroAutoBox; Ethernet connected]

In the HIL experiments, as shown in Fig.10, a dSPACE MicroAutoBox and a host personal computer (PC) are employed. A TCU node, an MCU&motor node, an IMT powertrain node, a controller network module, a random delays generation module, and a dynamic output-feedback controller combined with a robust reset controller are loaded into the dSPACE MicroAutoBox, which is a real-time digital test system. The host PC is used to show the real-time test results. Experimental conditions are set to step speed tracking from 7km/h to 30 km/h under packet dropping attacks. Fig.11(a) and Fig.11(b) show the comparison of experimental and simulation results of speed tracking and motor torque. Fig.11 shows that the simulation results agree with the experimental results. The experimental results and simulation on IMT speed synchronization control prove the correctness and effectiveness of the proposed dynamic output-feedback controller combined with the robust reset controller.

VII. CONCLUSION
In this work, we improved the IMT speed synchronization control system of a connected car under a replay attack. The controller design procedure was divided into an offline part and an online part. Firstly, the nonlinear delays generated by a replay attack on the in-vehicle CAN were modeled by polytopic inclusions using Taylor series expansion. Secondly, a closed-loop model of the speed synchronization system considering a reset action was established. Thirdly, the gains of a dynamic output-feedback controller based on energy-to-peak performance were calculated offline by solving a set of LMIs. The gains were used for the online step tracking. Fourthly, the after-reset value was obtained by solving an optimal LMI problem, and was used to replace the states of the dynamic controller.
The simulation and experimental results are summarized as follows: (1) The proposed controller was more effective than MPC and PD control considering delays in speed tracking performance and oscillation damping performance. (2) The cost function considering known input w was proposed for the establishment of the reset controller, and the proposed controller was more efficient than [34], with smaller overshoot and shorter settling time. (3) The HIL real-time experiment showed that the simulation results match the experimental results well. In future research, we will consider the fault detection problems [48], [49] for vehicle application.