Phantom Car Attack Detection via Passive Opportunistic RF Localization

A novel opportunistic approach of passive RF localization is presented for detecting “phantom car” attacks, i.e., vehicles intentionally reporting false position/velocity information to surrounding vehicles and communication networks. Current state-of-the-art approaches for vehicle localization mostly rely on either: (i) self-reported position/velocity updates obtained via navigation technologies such as GPS, or (ii) cooperative communication approaches involving multiple vehicles exchanging situational awareness information with each other. In both cases, these approaches assume that all vehicles involved truthfully share their actual location information, which might not be the case if malicious users are present within the traffic flow. The proposed approach does not make this assumption. Rather, it extracts location information of vehicles operating on the road without the need to cooperate with them. Multiple sensors surrounding these vehicles are opportunistically and passively measured for their RF emission characteristics (e.g., received signal strength, time difference of arrival) based on using on-board widely available wireless signals (e.g., 5G, Bluetooth, WiFi). These RF emissions are not intentionally designed to be used in localization applications. Their characteristics are processed via data fusion and bounded via vehicle dynamics behavioral models before being compared against reported positions within the vehicular communications network. This paper presents the phantom car attack model used in this work to compromise conventional vehicle localization techniques, as well as the framework and its respective sub-components implementing the proposed detection approach. To evaluate the feasibility of the proposed approach, a custom-built Python-based computer simulation platform is described that accurately models the vehicular environment and its associated RF emissions characteristics. Finally, a simple hardware field experiment evaluating the performance of the proposed approach incorporating RF localization, data fusion, and vehicle behavioral dynamics modules illustrates the viability of identifying phantom car attacks within a non-cooperative framework.


I. INTRODUCTION
Self-driving vehicles are expected to save lives. The National Highway Traffic Safety Administration (NHTSA) estimates The associate editor coordinating the review of this manuscript and approving it for publication was Hassan Omar . that 8,730 people died in motor vehicle traffic crashes in the first three months of 2021, a 10.5% increase from the 7, 900 fatalities the agency projected for the first quarter of 2020 [1]. Most of these accidents being the result of driver error. Self-driving vehicles have the potential to reduce the number of road fatalities by up to 94% [2] by removing driver error from the equation. Given the significant safety and congestion reduction benefits that could be achieved, the vehicular technology community is working towards making reliable self-driving technology a reality. With developments in sensing technologies (e.g., LIDAR, RADAR, vision systems) [3], [4], [5], real-time control algorithms (e.g., adaptive cruise control, SLAM) [6], [7], [8], and high-performance computing [9], selfdriving cars are quickly approaching the abilities of a human driver.
The reliance of self-driving vehicle technology on position/velocity information introduces potential vulnerabilities that can be used to intentionally disrupt road traffic, which could cause harm and even result in fatalities. One form of malicious disruption, known as a phantom car attack, is based on the dissemination of false position/velocity information about vehicles in road traffic [43], [44]. Such an attack could significantly impact the automotive transportation sector, where 775 million connected consumer vehicles are expected on the road by 2023. A single incident could impact approximately 10 million vehicles [45].
New approaches are needed to independently and reliably determine position/velocity information of vehicles on the road to detect phantom car attacks. Since it is assumed the cooperative localization framework is compromised, alternative approaches of extracting accurate vehicle position/velocity information are needed. The following conditions make obtaining this independently extracted information challenging.
• Means for sharing vehicle information other than the existing, potentially compromised, cooperative localization framework do not exist.
• Not all vehicles on the road possess specialized hardware to perform localization of other vehicles in their vicinity.
• Roadside infrastructure for performing localization (e.g., video cameras) are either non-existent or of insufficient density to obtain this vehicle position/velocity information.
Thus, a vehicle localization framework is needed that can extract position/velocity information from surrounding vehicles in a non-cooperative manner without the need for specialized equipment. This framework should perform the localization operation using a subset of trusted vehicles operating on the same road as other vehicles whose positions/velocities are to be determined.
In this paper, we present a novel opportunistic approach of passive RF localization designed for detecting phantom car attacks. The proposed approach extracts position/velocity information of a target vehicle using a trusted network of surrounding vehicles with known positions/velocities but whose RF emissions were not intentionally designed to be used for localization. The proposed approach consists of the following fundamental modules.
• The surrounding trusted sensor vehicles passively measure RF emission characteristics (e.g., received signal strength, time difference of arrival) of on-board commercially available wireless signals (e.g., 5G, Bluetooth, WiFi) emanating from the target vehicle. These RF emissions were not designed to be used for passive localization applications.
• Data fusion is used to robustly integrate position/velocity information obtained from emissions characteristics of the target vehicle as it moves across a region. This approach can use two or more forms of RF emission data to more reliably determine the position/vehicle of the target vehicle.
• Reinforce/enhance the position/velocity information via vehicle behavior dynamics models that constrain the amount of variability in the results to within physically realizable limits. This method minimizes the impact of sensor distortion and other impairments introduced during emission measurement.
A custom-built Python-based computer simulation platform was implemented to evaluate the proposed approach across several use cases, including a mobile target emitter vehicle and several mobile sensor vehicles that form part of the trusted network. This simulation accurately models both vehicle movement and the corresponding wireless emissions in the operating environment. Additionally, to verify the real-world feasibility of the proposed approach, a small-scale VOLUME 11, 2023 proof-of-concept hardware test-bed was implemented and field experiments were conducted to validate the approach. This paper is organized such that the reader is methodically introduced to the technical problem to be solved, the proposed proof-of-concept interdisciplinary solution, the custom-built computer simulation environment designed to specifically assess the proposed solution, and the outcomes of the proof-of-concept real-world vehicular testbed used in field trials for validating the proposed solution. Consequently, the rest of this paper is structured as follows: Section II introduces a detailed overview of the phantom car attack model. Section III presents the proposed framework used to independently extract accurate position/velocity information of a target vehicle on the road in a passive and noncooperative manner. Section IV provides a detailed description of the computer simulation platform used to assess the performance of the proposed approach across several use cases, with simulation results presented in Section V. Section VI provides details and results of the small-scale hardware proof-of-concept test-bed used to demonstrate feasibility of the proposed approach in a real-world field experiment. Finally, Section VII presents concluding remarks and outlines future work.

II. PHANTOM CAR ATTACK MODEL
We define a phantom car as an intentional situational awareness anomaly in which false vehicle location and/or velocity information is injected into the cellular network. Phantom car attacks are especially dangerous because incorrect situational awareness could compromise applications require comprehensive knowledge of all vehicles on the road, e.g., self-driving cars and intelligent transportation systems. Given the wide range of potential phantom car attacks, in this paper we make the following assumptions to focus on a specific subset of possible attacks: • The cellular network can be compromised by an adversary who is capable of directly introducing false vehicle location/velocity information [45].
• The adversary must be physically present in the traffic environment when actively feeding false information to the cellular network, e.g., basic service messages (BSMs) containing incorrect information such as GPS/IMU readings.
• When attacking the cellular network, the adversary produces electromagnetic (EM) emissions that can be detected by the proposed sensor network.
• The adversary possesses vehicle networking credentials (e.g., Temporary Mobile Subscriber Identity (TMSI) such that the cellular network believes the phantom vehicle is legitimate and considers it to be part of the vehicle environment. Given these assumptions, we will initially explore the performance of our proposed RF localization approach using two possible attack modes: • In the first attack mode, adversary is assumed to be parked by the side of the road in an actual vehicle, a pedestrian traveling alongside the road, or a roadside unit installed next to the targeted road to be attacked. The stationary adversary provides false information to the cellular network about its actual location/velocity and ''impersonates'' a vehicle that is physically traveling along the road. The adversary can deploy the attack without needing to be within the traffic itself, and thus is unexposed to the risk of being involved in any automobile accidents resulting from the deployed attack. Conversely, this mode of attack is relatively easier to detect if deployed over long distances, since the proposed localization framework will reveal the complete absence of the adversary's EM emissions in the proximity of its generated phantom vehicle.
• A second, more difficult to detect attack mode is when the adversary is part of the vehicle traffic. In this attack, the adversary's EM emissions will be in the vicinity of the phantom car, although the adversary falsifies the reported location/velocity information. A primary challenges in phantom car detection is obtaining sufficiently accurate and computationally efficient estimates of vehicle locations and trajectories based on intercepted RF emissions, which could be weak and distorted by the operating environment. Additionally, different sources of RF emissions with heterogeneous distributions provide opportunities but also challenges for localization and tracking. Moreover, the sensitivity and deployment of the sensor network along a stretch of roadway could significantly influence the localization and tracking performance of the entire framework. Thus it is essential that we understand how these signals of opportunity (SOP) propagate throughout the vehicle operating environment from traffic sources to the array of base stations. Although there exists several vehicular RF propagation models, they are loosely based on statistical properties that could be experienced on the road, and not really tied to the specific traffic environment with defined vehicle densities, flow, and other characteristics. A key challenge is understanding how to link the traffic environment with the RF propagation environment, with a physics-based and deterministic approach rather than a statistical one.
Acquiring measurements on target location in this environment is fundamentally different from traditional target tracking. New approaches are needed for measurement and system dynamics modeling, measurement-to-track association, and various other data fusion aspects including training/initialization of machine learning (ML) and artificial intelligence (AI) models. Finally, since the data fusion framework depends on the data provided by the base stations and characterizations of RF propagation in the current operating environment, new approaches to intuitively adapt these sources of information should be employed to further enhance overall data fusion performance. In this work, we integrated research insights of passive RF emission detection, traffic flow motivated RF propagation modeling, and data fusion frameworks to examine their overall impact on the localization and tracking performance.

III. PROPOSED ATTACK DETECTION FRAMEWORK
The proposed phantom car attack framework is illustrated in Figure 1. This approach consists of three fundamental building blocks: the mobile stations (MS), the data fusion center, and the joint RF emission/traffic flow model. Each MS possesses a sufficient level of intelligence to adapt and dynamically calibrate its detection thresholds to increase detection and reduce false positives. The data fusion center is responsible for taking all the RF emission measurements from the network and estimating location and trajectory information for every detected vehicle on the target roadway. We leveraged a joint RF emissions/traffic flow model to characterize RF propagation in the vehicle environment for use in several initialization and training tasks in the data fusion center. Furthermore, the data fusion center is capable of providing feedback to the network and the joint RF emission/traffic flow model so they can fine tune their operations to improve measurement accuracy. Consequently, the data fusion center is a critical component of the proposed approach. This paper presents a proof-of-concept of the proposed solution for the detection of phantom car attack. Our future work will explore the proof of security analysis compared to other solutions.
Vehicles traveling in the target road environment can generally be associated with different types of RF emissions (e.g., WiFi, Bluetooth, TPMS) either emitted by the vehicle themselves or devices within them. Sub-6 GHz radio frequency emissions were evaluated in this work. Moreover, all RF emissions used as part of the localization approach were produced by commercial of-the-shelf (COTS) wireless devices, commonly found in road vehicles. RF emission detection techniques such as received signal strength indicator (RSSI) [46] and time-difference-of-arrival (TDOA) [47] were employed in this work. These two techniques provide the most amount of information without adding any additional hardware and complexity to the framework for vehicle localization; other techniques such as angle-ofarrival (AOA) [48] and time-of-arrival (TOA) [47], [49] require additional antennas, additional hardware, and tight timing synchronization between transmitter and receiver. The localization and tracking framework was assumed to possess mobile sensors connected to a centralized cloud center or fusion center (FC). Mobile sensors measure RF emissions generated by wireless systems in the vehicles, and some adaptive signal processing is performed to further enhance detection process. Data fusion was used to convert this measurement information into identification, localization, and target tracking information of multiple vehicles traveling on the road. This operation will produce location and the continuous trajectories of vehicles in the time-space domain.
This paper uses both micro and macroscopic models to facilitate vehicle localization and tracking. Microscopic models describe the movements of individual vehicles on the road as they interact with other vehicles and the operating environment (such as road geometry). Macroscopic models captures the characteristics of a traffic stream, and describe the relationship between flow, density, and speed in an aggregate level. A joint analytical model that captures the characteristics of RF emission propagation and traffic flow was implemented. The model differed from statistical models as it was based on the physical properties of RF propagation and the vehicle behavior, which resulted in realistic and deterministic characterization of RF propagation. Building on the traffic-RF analytical model, it consisted of two integrated layers (vehicular traffic and RF emissions) and provided a high-fidelity simulation environment across varying conditions. The simulation platform was used to both train the VOLUME 11, 2023 data fusion framework in order to initialize it, and to predict the traffic-RF emission dynamics based on previous sensor inputs. Higher protocol layers (e.g., link layer, network layer were not included in the platform since it is only used on RF emission information and not the information contained within the transmission). Figure 2 illustrates the overall functionality of the custom computer simulation environment. Two types of emitter-sensor network topologies were evaluated. In the first case, the sensor nodes were assumed to be stationary, and they localized moving emitter vehicles. In the second case, all sensors were embedded in a subset of vehicles within the traffic flow. We studied how vehicles belonging to one subscriber network can be used as RF sensors to detect the emissions generated by cellular transmissions of vehicle belonging to another subscriber network. Data collected by these sensor vehicles were sent to the FC within the subscriber network for processing. We assumed the carrier-subscriber vehicles operated as the sensor nodes, and that they used cooperative data-sharing to localize non-carrier vehicles. These sensor nodes possessed trusted and accurate location information obtained either via GPS or through the subscriber network itself. For the second case, both emitter and sensor vehicles were assumed to be mobile and operating in active roadways.

IV. CUSTOM COMPREHENSIVE VEHICULAR COMPUTER SIMULATION PLATFORM
Two types of vehicles exist in the computer simulation framework:  The following subsections describe each module in detail.

A. PHANTOM CAR ATTACK MODULE
The Traffic Flow Generation module provided vehicle trace information to the Attack Model module to implement both forms of attack in the simulator (see Section IV-B). This information defined the actual locations of vehicles on the road, including the attackers, who could either be within the traffic flow or parked on the side of the road. Next, the Attack Model module designated one or more vehicles according to their vehicle IDs as attackers. Once the attackers were designated, the module modified their vehicle trace information based on the specified attack situation. A stationary attacker could provide vehicle trace information corresponding to a moving vehicle. Only traces corresponding to the attacker's vehicle could be compromised.

B. TRAFFIC FLOW GENERATION MODULE
This simulator module used SUMO [50] to produce traffic flow data, which was subsequently fed to both the attack model module ( see Section IV-A) and the EM layer module ( see Section IV-C). Figure 3 shows the framework for the traffic flow generator. For a given road environment, we simulated the microscopic longitudinal (i.e., car-following model) and lateral (i.e., lane-changing) behaviors of each vehicle, which yielded its detailed trajectory ( see plot at the right of Figure 3). The SUMO simulation, due to its extensibility and accessibility as an open source platform, package possessed many of the features we sought for this module.
• Dynamics: Vehicles could either run smoothly without inducing significant traffic oscillations, or temporary speed drops could occur due to vehicle interactions. These oscillations could propagate upstream and be amplified. • Speed: Vehicles could run at near free-flow speed, slower than free-flow speed, or halt due to stop-and-go waves.
• Lane Changing maneuvers: Vehicles could conduct LC maneuvers in the investigated area, or not.
Different traffic scenarios may affect the detection results. Table 1 summarizes a set of traffic scenarios that capture the typical variation amongst the three foregoing factors (dynamics, speed, and LC rate). Output from the traffic flow module was forwarded to the Attack Model module, EM Emissions Modeler module, and Attack Detection Performance Evaluator module (see Section IV-E).

C. EM EMISSIONS AND SENSING MODULE
The purpose of this module is to simulate the electromagnetic emissions from a target vehicle to surrounding trusted sensor vehicles. Since surrounding sensor vehicles are part of a trusted network and whose positions/velocities are known, hence using the road geometry and network indices, the RF emission characteristics (e.g., received signal strength, time difference of arrival) can be determined by using numerous electromagnetic models. The output of this system is a vector of powers of the received signal strength and time difference of arrival at each of the sensor vehicles and the Vehicle ID.
There are many different models that can be used to simulate the propagation of an electromagnetic wave from a transmitter to a receiver, from simple path loss models to complex ray tracing models that include multiple forms of wave-environment interactions. In this work, a 5G 3GPP-like Channel Model was implemented for outdoor Urban Microcellular (UMi) and Macrocellular (UMa) environments [51], [52], [53], [54]. Specifically, the close-in (CI) free space reference distance large-scale propagation path loss model was deployed [52].
One advantage of the CI Model is that it can be easily implemented in the existing 3GPP floating-intercept path loss model by modifying a floating non-physically based constant with a frequency-dependent constant that represents free space path loss in the first meter of propagation. As a result, the CI model is able to provide greater simulation accuracy, simplicity, better repeatability across experiments, and higher stability across a vast range of frequencies.
The CI path loss (PL) model is given as [55], [56], and [51]: where f is the frequency in Hz, n is the path loss exponent (PLE), shadow fading χ CI σ is a zero mean Gaussian Random Variable with standard deviation σ in dB describing large-scale signal fluctuations about the mean path loss over distance, d is the Tx-Rx separation distance in meters, and FSPL(f , 1, m)[dB] denotes the free space path loss in dB at a Tx-Rx separation distance of 1m at the carrier frequency f is given as: where c is the speed of light.
In this work, we assume a 5.9 GHz transmit frequency and 23 dBm transmit power. We simply calculate received power by subtracting PL CI from transmit power. Vehicle antenna heights were assumed to be 1.5 m for both target and sensors. Different road environments, like, UMi Street Canyon (SC), UMi Open Square (OS), UMa for Lineof-Sight (LOS), and Non-LOS communications were used to simulate received power considering different PLE and shadow fading parameters.
The EM emission module was also used to simulate the Time Difference of Arrival (TDoA) of the transmitted signal at the receivers. Because the mobile sensor vehicles are part of a trusted network and we assume that they are well synchronized. It is known that the propagation speed of an electromagnetic waveform is equal to the speed of light in the propagation medium, which is constant in a homogeneous medium. Therefore, propagation delay of a signal can be calculated as following: where r A is the distance between target vehicle and sensor vehicle A, c is the speed of light, t 0 is the time of transmission, and t A is the time of arrival at a sensor vehicle A. In order to calculate the time of flight, we must know the transmission time and the transmitters and receivers must be synchronized. Because we are dealing with a non-cooperative transmitter and thus we have no knowledge of transmission time, we solely rely on the arrival time of the transmitted signal at the various receivers. If r A and r B denote the distance between target vehicle D and sensor vehicle A, and B respectively, and t A , and t B the time of arrival at the respective receivers, then TDoA can be calculated to eliminate the transmission time t 0 as following: Thus, the difference eliminates the transmission time t 0 from the equation and difference in the time of arrival can be calculated from the difference in propagation distance. Moreover, TDoA measurements are generally corrupted by Additive White Gaussian Noise (AWGN) [57]. If ϵ A , and ϵ B denotes the AWGN at sensor vehicle A and B respectively with zero mean and corresponding standard deviations are σ ϵ A , and σ ϵ A respectively, then Eq. (3) and (5) can be modified as following: Equations (1)-(7) are then used in concert as the EM emissions module. Figure 5 illustrates the input/output definition of the EM emissions module.
Signals of Opportunity (SoOP) are used to passively intercept EM emissions from vehicles in order to extract the RSS and TDoA information; this information can subsequently be used by the data fusion center described in Section IV-D. An example of the EM module being used to extract this formation is shown in Figure 1. Carrier-Based Mobile Sensor Vehicles A, B, and C intercept EM emissions originating from a Non-Subscriber Vehicles D. The emissions are subsequently labeled by their ID D information contained within the transmission header. Using the emission signal strength and time of arrival, the RSS and TDoA of non-subscriber target vehicle is determined by each sensor vehicles at every sampling time instant. All of this information is collected, calculated, and forwarded to the data fusion center for target vehicle localization.

D. DATA FUSION MODULE
The Data Fusion Center (DFC) estimates vehicle locations and tracks their trajectories. Specifically, the DFC takes the RSS measurements of every vehicle i at base station j (P i,j ), along with its identification number (i.e. ID i ), converts them into range estimates (i.e., distance to vehicle from the basestation), and in turn use these measurements for tracking the trajectory of vehicles along the road network. This task is accomplished by several modules as shown in Figure 6. For each vehicle ID i detected by base-station B j at time t k , the Range Estimator module takes the RSS measurement P i,j [k] (generated by the EM Emissions described in Section IV-C) and estimates the distancer i,j [k] between vehicle ID i and base-station B j at time t k , by making use of the contextual information on base-station locations and road geometry. The Source Localization module uses three range estimates from the set Localization algorithms are generally classified in two categories: range-free and range-based methods. In rangebased techniques, directly observable range estimates are used in source localization, whereas range-free techniques use range indirectly and rely more on the connectivity of the sensor network for localization. Range-based techniques are generally more accurate than range-free methods and they are capable of directly generating both position and velocity estimates. Range-based methods are more common in applications that require high localization accuracy, and range-free methods are more common in applications where a high number of low-cost sensors can be deployed and high accuracy is not as important. With this in place, we focus on range-based localization for the task at hand. Rangebased methods utilize absolute range or angle measurements for calculating the location of a transmitter. These include time difference of arrival (TDOA), angle of arrival (AOA), and RSS methods [58]. Satellite Navigation (SATNAV) systems [59] and RADAR [60] are all range-based techniques.

1) RSS-BASED RANGE ESTIMATION
We use the received power to estimate the ranger (i,j ℓ ) denoting the distance between the base-station B j ℓ to vehicle ID i . The log distance path loss model is a generic commonly used model in wireless communications. The received power P i,j ℓ (in dBm) can is expressed as: where P i is the transmit power, γ is the path loss exponent, and X σ is a random variable drawn from a Rice distribution to account for the effects of small scale fading. We also assume that random variable γ and the transmit power P i are known, and all antennas are omni-directional. The range estimate is calculated as: We can perform the range estimation task using a least squares approach, similar to what is used in SATNAV and GPS positioning systems [61], [62], [63]. The range r i,j ℓ between base-station B j ℓ to vehicle ID i can be derived using the Pythagorean theorem: where (x j ℓ , y j ℓ ) denotes the known coordinates of the basestation B j ℓ . The estimated ranger i,j ℓ between base-station B j ℓ and vehicle ID i is given by: The unknown transmitter position consists of the approximated position with an offset added to it.
where δx j and δy j are the offsets. The solution to calculate the offset will usually converge after 10 iterations with an arbitrary initial estimate such as (0,0). If an accurate recent estimate is available, the solution will converge after 1 or 2 iterations. A typical test for convergence involves monitoring the change δx. The velocity can be found in a nearly identical manner, except instead of using ranges, the range rates derived from Doppler shift measurements are used. The range rate is a term used in GPS to described the velocity along the LOS from a receiver to the satellite. Since we assume our notional receiver can decode the packets, it is reasonable to assume frequency measurements are available to track the Doppler shift.

2) VEHICLE TRACKING USING RSS-BASED RANGE ESTIMATES
Among many recursive probabilistic filters, the Kalman Filter (KF) remains one of the most popular tracking methods [64]. In this work, we explored various KF models along with a constant velocity variable acceleration (CVVA) motion model for tracking vehicles, although other motion models such as Constant Turn Rate and Velocity model [65] could also be employed. With the CVVA motion model, we define the state of our target at time step k as: whereẋ k andẏ k denote the velocity in X and Y directions, respectively. The state at step k evolves from the previous step, k − 1, according to the following expression: = Ax k−1 + w k ; where A is the state transition matrix characterizing the physics of how the state changes from k − 1 to k, G is the control matrix, and σ a is the standard deviation of the random acceleration a in the system. Our measurements z k are characterized by the measurement model. . This information defines the actual locations of vehicles on the road, including the attackers, who could either be driving within the traffic flow or is parked on the side of the road. Next, the Attack Model module randomly designates one or more vehicles according to their vehicle IDs as attackers. Once the attackers have been designated, this module modifies their vehicle trace information based on the attack situation that has been specified. The output of the compromised vehicle trace information is (

V. SIMULATOR USAGE AND ASSESSMENT
A collection of different mobility channel models is provided in Table 2. Since the vehicle localization and tracking are complex operations, in this paper we focused on a very simple traffic scenario that consisted of two lanes for a straight road and we assume the vehicles do not change lanes. This physical scenarios will simply describe the EM characteristics.

A. EXPERIMENT WORKFLOW
We employed SUMO for creating realistic traffic traces which were fed to our C-V2X channel module to create realistic wireless conditions. The free space path loss model (FSPL) posits that the power of radio signal in free space  attenuates proportionally to d 2 , where d is the line-of-sight (LOS) transmitter and receiver separation distance. However, in real-world radio environments and more specifically for C-V2X, LOS communication is not always possible and signal propagation can be affected by various physical characteristics such as reflection, refraction, diffraction, scattering, and their combination. The carrier subscriber cars were assumed to be connected to the fusion center (FC), where localization estimates were computed via hybrid RSS-TDoA localization.
We employed a Close-in (CI) channel model with three different types of scenario, i.e., urban micro-cellular street canyon (UMi SC), urban micro-cellular open square (UMi OS), and urban macro-cellular. The simulation parameters used for the CI channel model are described in Table 2 [51], [52], [53]. We limited the frequency to 5.9 GHz since this channel is allocated for V2V and V2I applications. The path-loss exponent (PLE) α and shadow fading (σ ) can be tuned based on different channel conditions. Referring to Eq. (1), shadow fading (SF) is expressed as [51]: where A represents PL CI (f,d)[dB] − FSPL(f,1m)[dB], and D denotes 10 log 10 (d). Shadow fading's standard deviation is given as [51]: where N is the number of path loss data points. The path-loss exponent (PLE) n can be obtained by minimizing (A − nD), thus yielding: Figure 10 describes the data-fusion module, which takes the received signal strength P i,j (Modality = Power) and time-difference of arrival (TDoA) T i,j (Modality = Time) estimates of the carrier-subscriber vehicle with ID i and outputs the localization estimate of non-carrier vehicles. TDOA and RSS data is extracted from the RF emissions of a single vehicle signal employing the 5G C-V2X standard (specifically, LTE Mode 4). For this hybrid RSS-TDoA fusion simulation framework, we assume the measurement uncertainty should not decrease as a result of the fusion. The module computes the x and y location estimate independently using RSS and TDoA-based localization, and then fuses the data based on weights, and passes it to the fusion center for decision-making. An Ordinary Least Square (OLS) algorithm is used for RSS-based localization whereas for TDoA maximum likelihood estimate (MLE) is employed in order to avoid convergence issues. The covariance intersection method takes convex combination of the mean and co-variance estimates to fuse different random variables [66], which is given by: P −1 cc c = ω 1 P −1 a 1 a 1 a 1 + . . . + ω n P −1 a n a n a n , where a i is defined as the mean value, and P a i ,a j are the co-variances of La, L t , and L r . If n elements of information, labeled as a 1 , . . . , a n , are to be fused together to yield an output, and n i=1 W i = 1. For this simulation, two use-cases were considered, and the proposed localization algorithm was evaluated against baseline RSS and TDoA scenarios: 1) Stationary Sensors and Moving Emitter: In this scenario, we assumed that sensors were deployed close to the base-station and are fixed. Using this  setup, sufficient accuracy can be achieved as the location estimates of the sensors are approximately equal to ground truth. As C-V2X is rolled out for V2V applications, this use-case will be easier to implement and integrate with the location server of network providers.

2) Moving Sensors and Moving Emitters:
In the outof-coverage scenario, where there are no base-stations, vehicles will employ LTE Mode 4 to self-allocate spectrum resources using SPS and will be able to localize other vehicles based on this use-case in GPS-denied environments.

B. USE CASE 1: STATIONARY SENSORS AND MOVING EMITTER
For proper benchmarking of our proposed hybrid RSS-TDoA algorithm, the localization estimates were first calculated using individual RSS and TDoA modules and are then compared with the hybrid algorithm. Figure 9a shows localization estimates computed using only received signal power and ordinary least square algorithm. The emitter vehicle followed a straight trajectory along the length of the highway given by ground truth. The simulated highway was 850 m long and 4.7 m wide per lane. The traffic was assumed to be bidirectional, but in this work the emitter was followed one lane and had straight trajectory. We utilized three base-stations which were deployed randomly to cover the entire simulated highway. The distance measurement error was high when the vehicle is outside the trilateration zone due to poor wireless connectivity. The estimated position was smoothed out by applying the Kalman Filter on the localization output from the different algorithms. Figure 9b shows localization estimates computed using maximum likelihood estimation with only the time-difference of arrival data as input. We did not assume perfect synchronization between the vehicles, and the timing drift was simulated using Gaussian noise with mean of 0 and standard deviation of 1 ns. Due to the timing drift, we observed large positional errors where the performance was worse than simple RSS-based localization. Finally, Figure 9c shows RSS and TDoA estimates along with the final trajectory computed using the fusion algorithm. The accuracy was improved drastically for estimates inside the trilateration area, but outside we observed higher errors compared to RSS due to poor TDoA results.

C. USE CASE 2: MOVING SENSORS AND MOVING EMITTER
The moving sensors scenario is useful when operating within an out-of-coverage scenario. Vehicles can schedule resources autonomously using semi-persistent scheduling (SPS) and can start vehicle-to-vehicle (V2V) transmission. Localizing non-carrier subscriber vehicles in this use-case is difficult as both sensors and emitters are moving continuously. Figure 11a shows the RSS-based localization of moving emitter (sensor location was also continuously updated). It was critical for the carrier subscriber vehicles to exchange traffic data in real-time to obtain sufficient accuracy. Due to mobility of sensors, the RSS-based localization accuracy was particularly poor in low-connectivity zones. Figure 11b describes the TDOA-based localization using moving vehicles. Maintaining synchronization with mobile sensors is not a trivial task but in this work, we assumed the same timing error as in the static case. Figure 11c shows our proposed hybrid RSS-TDOA fusion scheme using moving sensors. Due to high positional errors using RSS localization, the hybrid fusion algorithm's output is closely aligned with the TDoA for the entire simulation run. The simulation time was not large enough for the hybrid algorithm to give more weight to the RSS.

VI. SMALL-SCALE FIELD EXPERIMENTATION
We conducted a small-scale field experiment to assess the viability of our proposed RF localization framework using low-cost radio hardware communicating over-the-air with both emitter and sensor vehicles in motion. Four different scenarios named A, B, C and D were evaluated. Scenarios A and B were ''sanity checks'' to ensure the sensor vehicle could detect the emitter vehicle. In Scenario A, we kept the emitter stationary, whereas in Scenario B the emitter was moving along straight line with respect to the static sensor. In Scenario C, all the sensor nodes were kept stationary and emitter was moving in a straight path. Finally, in Scenario D all vehicles and emitter were moving along the straight line.

A. EXPERIMENTAL SETUP
The experimental setup consisted of three RTL-SDR dongles which were used as sensor nodes and one ADALM-PLUTO [67] acting as an emitter node. Figure 14 describes the hardware testbed equipment as well   as the software modules employed for the small-scale field experiment. Four smartphones were also employed alongside software-defined radios (SDRs) to capture the GPS coordinate values of the emitter and sensor nodes. A GPS Logger [68] android utility was employed to capture GPS coordinates with periodic intervals of 10 Hz. The I/Q sample measurements were performed using RTL-SDR softwaredefined radios while post processing was conducted on Ubuntu 20.04 Linux laptops. The resulting I/Q samples captured by different radio-ends would have been sent to the fusion center (FC), although in these field experiments we performed the data fusion offline. The laptops consisted of i5 Intel processor with eight cores and 3.41 GHz clock cycle running Ubuntu 20.04. The sensor nodes software was implemented using librtlsdr library [69], where the radio locks to the emitter frequency channel and logs the I/Q samples after every 100 ms. The emitter node was implemented using the GNURadio library [70], which generated a narrowband pulse and transmit it continuously over 915.1 MHz ISM band. The measurement samples collected by three sensor radios are later combined offline at a fusion center (single laptop) to generate output data. The measurements were analyzed using the NumPy package [71]. Timing drift caused by different sensor nodes was subtracted during post processing by aligning the time-stamped I/Q samples with GPS coordinate logs. The RSSI values were upsampled by a factor of ten to align the RSSI and GPS values for localization. Table 3 describes the configuration parameters employed for the hardware testbed. Instead of using C-V2X mode 4 emissions of 5.9 GHz, we employed a narrowband sine pulse centered around 915.1 MHz ISM band with a 15 Khz bandwidth and transmit power of eight dBm. The emitter flow-graph implementation was done using GNURadio digital signal processing (DSP) framework [70]. The particular ISM band was chosen based on the spectrum measurement which showed low interference levels in that particular geographical area.
The experiment was conducted in the parking lot of the Worcester Polytechnic Institute, Gateway campus (42.27558421754517, -71.79924560335478) in straight North/South direction. Figures 12 describes the venue of experiment, where the total distance was 100 m marked by yellow line. The experiment used artificially generated narrowband tones operating at 915.1 MHz generated by a Pluto SDR. All three RTL-SDR software defined radios had a sampling rate of 2.4 MSps around the emitter center frequency which is an ISM band to intercept tone. The I/Q samples collected during the experiment were logged as .csv file for post-processing to extract the position estimates using the RSS localization. The LTE antennas were reinforced with low noise amplifier (LNA) to boost the receiver sensitivity especially at the edge of the coverage. GPS locations was continuously logged for each sensor and emitter with the time-stamp to correlate with the I/Q samples.

B. LOCALIZATION RESULTS
During offline processing, the RSS measurements collected from the RTL-SDR and the location values from the GPS data loggers required resampling to ensure proper time alignment. The RSS measurements were logged with a frequency of 1 Khz to reduce the effect of interference and multipath in the measurements. During the experiment, we were observing the power spectral density (PSD) of the emitter tone at 915.1 MHz and saw some unwanted signals at 914.3 and 915.8 MHz which were filtered out during postprocessing. The Ordinary Least Square (OLS)-based RSS localization algorithm was used in order to compute the position estimates using I/Q samples from the sensor nodes. The TDoA localization was not performed due to large timing errors incurred by the RTL-SDR dongle internal clock. The hardware experiment was conducted in line-of-sight (LOS) conditions with considerable signal to noise ratio (SNR). The SNR was greater than 20 dB for the entire experiment, as sensors were moving close to the emitter. Figure 13 describes the trajectory for the emitter and sensors, where latitude is on y-axis and longitude is in x-axis. The emitter was moving in a quasi-straight line along with sensor nodes in the experiment location. The sensors nodes were moving in a triangular fashion around the emitter to avoid convergence issue due to RSSI-based localization. The estimated emitter values are overlayed over the figure and we see the distance measurement error correlates to our simulation framework. The distance measurement error can be minimized by synchronizing the sensors with external clock but will lead to higher cost of implementation.

VII. CONCLUSION
In this paper, we implemented a comprehensive Python-based simulator framework to evaluate and test custom localization methods and communication protocols. We also proposed a hybrid RSS-TDoA localization approach which outperformed baseline RSS and TDoA by significant delta. The performance evaluation was conducted using our the simulation framework and was compared against baseline RSS and TDOA localization techniques. We also conducted a small-scale field experiment using RTL-SDR and Pluto software-defined radios for hardware validation. The experiment demonstrated the feasibility of our proposed hybrid localization approach using signals of opportunity in a realistic multipath environment. Our proposed approach enhanced localization accuracy in GPS-denied environments and can detect phantom attacks.
Our current test only focused on the tracking of a single vehicle, but it can easily be scaled to support localization VOLUME 11, 2023 and tracking of multiple vehicles. The timing synchronization was performed using internal clocking mechanism leading to timing drift. Investing in sophisticated software-defined radios with precision external timing support such as GPS disciplined oscillator can significantly improve localization performance.