A Testing and Verification Approach to Tune Control Parameters of Cooperative Driving Automation Under False Data Injection Attacks

Control systems are used in safety-critical applications where tuning the system parameters is required to ensure safe and secure operation. The process of tuning these parameters can be arduous, time-consuming, and unreliable as they are dependent on the operating environment. In this paper, we discuss a testing and verification approach for tuning the control parameters of a secure cooperative adaptive cruise controller (CACC) while simultaneously testing the safety of the algorithm under false data injection (FDI) attacks. In our approach, we use particle swarm optimization (PSO) to tune the parameters of the controller and observer. The performance of the controller will be evaluated before and after the optimization of control and detection parameters. After employing several swarms, it was noticed that the global optimal solution is reached within 74 iterations, on average. In summary, the configurations found by each swarm ensured that a safe following distance was achieved throughout testing. In terms of FDI estimation, however, the more conservative configuration with the minimum optimal parameter values performed the best.


I. INTRODUCTION
Connected autonomous vehicles (CAVs) are an active area of research that seeks to develop safe and efficacious self-driving vehicles that communicate with one another. The benefits of this technology are innumerable, including improvements to traffic management and congestion, reducing vehicle emissions, and, most importantly, reducing traffic fatalities. CAVs utilize vast systems of sensors and controllers that rely on tunable parameters to enable decision-making and piloting, using cooperative driving automation (CDA). Determining the optimal values for these parameters is an arduous task and is heavily dependent on the operating environment. In order to achieve ideal results, the controller and observer gains should be tuned to implement the optimal solution. This ensures that CAVs and CDAs deliver on their promises of safe, efficient, and stress-free transit and services. Cooperative adaptive cruise control (CACC) is one of the many popular CDA systems. CACC is similar to adaptive cruise control (ACC) but leverages wireless connectivity to enable vehicle-to-everything (V2X) communication. As such, CACC can enhance the capabilities of ACC systems with cooperative maneuvers and increase proliferation by reducing the sensors required to safely operate. CACC improves the reaction time to potential threats and traffic conditions which could result in increased roadway utilization while reducing traffic congestion [1], [2], [3].
The associate editor coordinating the review of this manuscript and approving it for publication was Hassan Omar.
Designing a safe CACC algorithm is a daunting task due to two major factors. Firstly, a controller can only be designed for the platform and environment that it is expected to operate within. Traditionally, this was accomplished by either directly measuring the environment or by making assumptions about the operating conditions. While this does indeed suffice in some situations, the mission of CACC is too critical to cut such corners. Second, the wireless connectivity of CACC introduces inherent vulnerabilities to system stability that can be exploited by adversarial factors or even by the stochastic nature of reality.
Resilient controllers are a means to further improve controller safety and reliability. Resilient controller design is an area within the field of control engineering that seeks to establish designs and principles that guarantee a system will behave as designed, even in contested environments. Traditionally, this involved the utilization of observers and Lyapunov design principles [4]. In recent years, researchers have investigated utilizing techniques leveraged in other fields, such as neural networks and online predictive algorithms for attack detection and mitigation [5], [6], [7]. Just as with any other controller or algorithm, resilient controllers require adequate testing and tuning to ensure the system operates as desired. However, there is a big gap in a mathematical-based approach to address this issue.
Optimal control is an active research area that seeks to solve exactly this problem. The objective of an optimal controller is to operate in a manner that minimizes a cost function [8]. There exists a myriad of techniques and algorithms that may be applied, depending on the system and use case. One of the classical methods is gradient descent, which operates by iteratively tuning the control parameters to "drive" the cost function to a minimum value, without guaranteeing that this is the global minimum. Through our survey of the literature, particle swarm optimization (PSO) was selected for use in tuning the observer and controller parameters of a resilient CACC. The justification for this will be discussed further in Section II.
Testing CACC and CAVs, as a whole, is an exceedingly difficult task. Firstly, enumerating all the potential test cases that a given system could encounter under ideal circumstances is challenging. This issue is exacerbated when considering less-than-ideal operating conditions or adversarial actors, as would be necessary for testing CAVs and CDA. There exist two projects of note that have undertaken this endeavor, these being the Adaptive and Pegasus projects [9], [10]. These projects are interdisciplinary, leveraging insight and guidance from the fields of engineering as well as legal professionals and policymakers to identify the fundamental aspects of autonomous driving that need to be tested. To address this challenge, we have proposed a framework for dynamically generating test cases based on fundamental requirements and the performance of a given system while under testing.
In addition to test generation, a means for test convergence must be defined. Currently, there is no defined standard for accomplishing this; however, there are many methods being employed. The first of these is through testing CAVs with real-world driving. Using this approach, approximately 80%-90% of the verification process has been accomplished. What remains, however, are the challenging and dangerous edge-case scenarios [11]. Furthermore, these scenarios are also very rare and often occur once every 100,000 miles [12]. Even at the current, unprecedented rate of testing, verification by this method alone is expected to take at least 200 years [13], [14]. To address this challenge, our proposed framework incorporates a means for verifying the performance and safety of the vehicle's decision-making algorithms.
This research will contribute to our other, ongoing work in CAV testing and verification [15]. The first novelty of this paper is in developing a secure CACC algorithm which can estimate and mitigate FDI attacks in real-time. Since there is no systematic technique to tune the parameters of the developed algorithm for its safe operation under FDI attacks, the second novelty of this work is in the utilization of PSO as an optimization approach in the context of our proposed testing and verification framework. To achieve this, we developed a novel verification cost function to measure the safety of the CACC algorithm. This creates the foundation for our testing and verification framework to perform future controller tuning. The aforementioned aspects of this work have not been previously presented in the literature. Furthermore, a threat model and risk analysis was conducted for both the untuned and tuned CACC proposed in this paper to guide the discussion and outline the goals of this paper.
The remainder of this paper is organized as follows. Section II discusses existing work related to this project and provides justifications for the selection of PSO. In Section III, the threat model and risk analysis of a CACC system is presented. Section IV discusses the dynamic model of CACC under FDI attack, along with the controller, observer, and attack estimation design. Furthermore, a stability analysis has been done in this section to ensure the overall system's stability. Section VI introduces the testing and verification approach. The PSO algorithm is defined in Section VII as a method to find the optimal parameters for the controller and observer. A detailed description of the experimental setup is given in Section VIII, and Section IX presents the results of this study. Lastly, Section X concludes that the proposed method is effective for tuning control parameters under FDI attack.

II. LITERATURE REVIEW
There exist a myriad of approaches for both the upper and lower level of CACC implementations. Many of the proposed upper-level control schemes utilize fuzzy logic, model predictive controls, and reinforcement-learning [16], [17], [18], [19]. Research improving upper-level controls often seeks to increase safety, traffic flow, and efficiency through cooperative traffic management [20], [21]. The proposed low-level control methods primarily determine the actuator inputs to achieve a necessary drivetrain output for maintaining speed. In [22], a soft actor-critic (SAC) based controller was leveraged to calculate the necessary engine torque to maintain desired vehicle speed. In [23], a PID control scheme was proposed for maintaining speed through adjusting of the engine's throttle position. Another PID control approach that manages both acceleration and deceleration using a logic switch was proposed in [24]. In [25], an efficiency-focused robust controller for electric vehicles was proposed.
To accomplish the task of CAV testing and verification, there are several approaches. Each of these considers either an individual vehicle subsystem or combinations of subsystems and occurring either in the real-world or simulated environments. Within simulated testing, there exist offline and real-time methods. Offline simulations seek to maximize the computation speed of testing while real-time simulations prioritize testing accuracy in a bounded response time [26]. Furthermore, real-time simulations maintain data accessibility and accelerate testing while ensuring certainty throughout the development process [27]. Contained within real-time simulations are the following methods: Simulation-in-the-Loop (SiL), Vehicle-in-the-Loop (ViL), and Hardware-in-the-Loop (HiL).
Within the area of optimal control, there exists a myriad of techniques and algorithms that may be applied, depending on the system and use case. A popular subset of optimization algorithms is metaheuristic algorithms which are capable of solving many nonlinear problems in a reasonable time [28], [29], [30]. These algorithms also benefit from faster convergence time compared to gradient descent, Newton method, and other derivative-based approaches while also being less susceptible to converging on local minima [31]. This is accomplished by using a two-phase approach, referred to as exploration and exploitation. Exploration is where the algorithm searches the problem space to discover the most ideal search area. During exploitation, the best solution for the current local area is found.
Metaheuristic optimization algorithms can be grouped into two main groups: genetic algorithms and swarm-based. Genetic algorithms are another branch of optimization techniques [32]. These are iterative algorithms that take inspiration from natural selection. Typically, these algorithms can be thought of as a distributed implementation of gradient descent where a population of many points searches the solution space for the ideal parameter solutions. At each iteration, the best solution found by the population, as a whole, is used to "mutate" the other members of the population such that the most globally optimal solution is converged on.
There exist many metaheuristic algorithms, such as MOEA/D [33], AMOEA/D [34], adaptive recurrent fuzzy algorithms [35], as well as plant-inspired approaches [36]. The authors in [33] present a method for adaptive control of wastewater treatment using a Multiobjective Evolutionary Algorithm Based on Decomposition (MOEA/D). In [34], the authors propose an adaptive recursive fuzzy neural network with Gustafson-Kessel (GK) clustering and a hierarchical adaptive second-order optimization algorithm (HAS). Proposed in [35] is an enhanced MOEA/D that incorporates a self-organizing collaborative scheme. In [36], a review is given of plant-based approaches that utilize recent developments in the understanding of plant decision-making.
Within the branch of genetic algorithms is the particle swarm optimization (PSO) algorithm [37]. PSO simulates the behavior of a particle swarm exploring the solution space. At each iteration, each point's velocity is altered based on the best solution found by each particle and the swarm, as a whole, such that the swarm converges on a finite area of the space. An advantage of PSO is the ability for widespread exploration of the solution space to prevent convergence on a local minimum. In addition, PSO is an intuitive algorithm that is very easy to understand and implement [38]. As such, PSO was selected for tuning the control parameters of the resilient CACC presented in this paper.

III. THREAT MODEL AND RISK ANALYSIS
In this section, a threat model will be created and evaluated based on the approach laid out in ISO/SAE 21434: Road Vehicles - Cybersecurity Engineering. These steps are applied to our use case of a resilient CACC algorithm deployed on two vehicles traveling along a straight highway.
There exist several approaches for performing threat modeling and risk analysis. Three that are appropriate for automotive applications are STRIDE [39], STPA-Sec [40], and ISO/SAE 21434:2021 [41].
A new cybersecurity analysis framework that aligns with the ISO/SAE 21434:2021 standard, using threat models and vulnerability scoring, is presented in [42]. The framework was applied to real-life scenarios, revealing 199 potential cyber threats in Advanced Driver-Assistance Systems (ADAS) and the need for specific security measures in modern vehicles to address vulnerabilities to cyberattacks.
In another recent publication, the authors emphasize the importance of a robust threat modeling framework for autonomous vehicles (AVs), proposing a comprehensive framework to identify cyber-physical threats to AV perception systems based on mathematical modeling and a comparative analysis with the ISO/SAE 21434 standard [43].
The need for advanced techniques in assessing the cybersecurity of cyber-physical systems is discussed in [44], which introduces the System-Theoretic Process Analysis for Security (STPA-Sec) model and emphasizes its potential for (semi-)quantitative analysis through the newly proposed System-Theoretic Process Analysis for Security with Simulations (STPA-Sec/S) approach, illustrated in a water treatment plant case study.

A. DEFINE THE ITEM
The item is the CACC system that consists of a leader vehicle and a follower vehicle that communicate through wireless channels. The item decomposition includes the sensors, actuators, controllers, and communication modules of each vehicle. The interfaces include the physical and logical connections between the components and the external environment. The data flows include the information exchanged between the components and the external sources. The assets include the safety, security, and performance of the CACC system.

B. IDENTIFY THREAT
The threats to the item can be identified using the STRIDE method, which considers six categories of threats: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. For example, a spoofing threat could be an attacker impersonating the leader vehicle and sending false acceleration commands to the follower vehicle. A tampering threat could be an attacker modifying the sensor data or the control signal of the follower vehicle. A repudiation threat could be an attacker denying their involvement in an attack or a vehicle denying its responsibility for an accident. An information disclosure threat could be an attacker eavesdropping on the wireless communication and obtaining sensitive data. A denial of service threat could be an attacker jamming the wireless channel and preventing the communication between the vehicles. An elevation of privilege threat could be an attacker gaining unauthorized access to the CACC system and compromising its functionality. For each threat, a threat level can be assigned based on the likelihood and severity of the threat.

C. ANALYZE RISKS
The risks associated with the identified threats can be analyzed using the DREAD method [45], which considers five criteria of risks: damage potential, reproducibility, exploitability, affected users, and discoverability. For example, a spoofing threat could have a high damage potential if it causes a collision or a loss of control, a high reproducibility if it can be easily repeated by the attacker, a high exploitability if it does not require sophisticated skills or tools, a high affected users if it impacts all the vehicles in the platoon, and a high discoverability if it can be easily detected by the system or the users. For each risk, a risk level can be assigned based on the DREAD criteria. In the case of this paper, risk was quantified from [46] as where R represents the risk value, F quantifies aggregated attack feasibility rating (Very Low = 0, Low = 1, Medium = 1.5, High = 2), and I denotes impact rating (Negligible = 0, Moderate = 1, Major = 1.5, Severe = 2). In the case of this work, impact will be quantified as shown below where C and A denote the number of crashes and attacks, respectively, with the whole ratio scaled by two such that the impact is mapped to the same number space as the traditional, statically defined quantity.
Given the criticality of a CACC system, the impact I rating could be considered to be severe as interruption of this feature could result in injury or the loss of life. However, for the purposes of this research, a static I rating would be less helpful for tuning the proposed controller. As such, I was defined as the number of collisions per FDI attack. Attack feasibility is heavily dependent on several factors. In the case of this study, however, it is assumed to be high. This is due to the fact that the test scenarios to be used during validation possess a faulty leader vehicle reference signal.

D. DEFINE SECURITY CONCEPT
The security concept should describe the security mechanisms, security architecture, and security verification and validation methods for the item. For example, the security mechanisms could include encryption, authentication, error detection, frequency hopping, etc. The security architecture could include the security modules, security protocols, security policies, security interfaces, etc. The security verification and validation methods could include security testing, security analysis, security evaluation, security certification, etc. One of the advantages of the novel controller proposed in this paper is streamlining the process of securing the system by preventing erroneous control signal generation by using a Lyapunov-based algorithm that leverages fault detection and estimation. This enables the CACC control policy to focus on maintaining a safe following distance to prevent collision rather than attempting to prevent an attack from occurring.

IV. DYNAMIC MODEL OF CACC UNDER FDI ATTACK

A. DYNAMIC MODEL REPRESENTATION
where $x_i \in \mathbb{R}$ is the position, $v_i \in \mathbb{R}$ is the velocity, and $u_i \in \mathbb{R}$ is the control input of the follower vehicle. $\gamma_{1_i} \in \mathbb{R}_{>0}$ and $\gamma_{2_i} \in \mathbb{R}_{>0}$ denote the constant parameters that describe the follower vehicle engine dynamics as derived experimentally.
The dynamic model of the leader vehicle is described as where and $u_{i-1} \in \mathbb{R}$ denotes the position, velocity, and control input of the leader vehicle, respectively. The leader vehicle dynamics are defined as Since the scenario generator platoon consists of homogeneous vehicles, these parameters are similar to the follower vehicles, $\gamma_{1_i}$ and $\gamma_{2_i}$.

B. FDI ATTACK REPRESENTATION
In FDI attacks, erroneous data is injected into the connected vehicles' communication network to disrupt the performance of the whole system, potentially leading to vehicle collisions. This study focuses on acceleration as the parameter affected by the FDI attack, which is defined as where i ∈ R is the FDI attack function, $\beta_i(t) \in \mathbb{R}$ is an unknown, bounded, and continuous signal.
Assumption 1: The FDI attack is assumed to be bounded and differentiable such that $\|\beta_i(t)\| \le$ βi $\forall t \ge t_0$ where βi is a known positive constant [4].

V. CONTROL, OBSERVER, AND ATTACK ESTIMATION DESIGN

A. ERROR SIGNALS
To quantify the performance of the designed controller, let $e_i : [t_0, \infty) \to \mathbb{R}$ be the tracking error between the leader and follower.
where $D_i \in \mathbb{R}$ is the length of vehicle $i$, and is the desired distance between leader and follower.
Assumption 2: The desired distance, its first, and second derivatives are assumed to be bounded by positive known constants, $x_{d_i}, \dot{x}_{d_i}, \ddot{x}_{d_i} \in \mathcal{L}_\infty$ [47].
To facilitate the design process and stability analysis, an auxiliary error signal is defined as such that $\alpha_i \in \mathbb{R}_{>0}$ is a user-specified known gain. Since the CACC is under FDI attack, there is a need to design an observer. To quantify the accuracy of the observer, a state estimation error xi−1 : where xi−1 ∈ R denotes the estimated position of the lead vehicle.
An estimation of the auxiliary error signal ri−1 : $[t_0, \infty) \to \mathbb{R}$ is needed for stability analysis and can be defined as where $\alpha_{i-1} \in \mathbb{R}_{>0}$ is a user-defined gain. We use the observer to estimate the control signal of the leader. To evaluate its accuracy, an estimation error signal where $\hat{u}_{i-1} \in \mathbb{R}$ is the estimated control signal of the leader.
We consider βi ∈ R as the estimation of FDI attack and design it such that it remains bounded. Therefore, $\bar{u}_{i-1}(t)$ is bounded and $\|\bar{u}_{i-1}(t)\| \le \bar{U}_i$ where $\bar{U}_i \in \mathbb{R}_{>0}$.

B. CONTROL DESIGN
The control signal is designed based on the Lyapunov stability analysis as where $k_i \in \mathbb{R}_{>0}$ is a gain specified for the controller that will be further optimized.
Taking the time derivative of (7), and substituting (6) yields the closed loop tracking error of the system as Replacing $\ddot{x}_i$, $\ddot{x}_{i-1}$ from the model into (13) and substituting $\dot{e}_i(t)$ from (7) yields Adding and subtracting $\gamma_{1_i} \dot{x}_{d_i}$ to and from (14) generates the tracking error term as To introduce the effect of FDI attack in the error dynamic, $u_{i-1}(t)$ term is substituted from (11) (16) Finally, if we place the designed control law for $u_i(t)$ from (12), we can generate the tracking error as
19852 VOLUME 12, 2024 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.

C. OBSERVER AND ESTIMATION DESIGN
Based on the Lyapunov stability analysis, we define the observer as (18) such that $L_{1_i}$ denotes the observer gain, that will be tuned further. Taking the derivative of (9) with respect to time yields substituting xi−1 (t) from (8), results considering $u_{i-1}(t)$ as in (11) and the observation rule as in (18) and substitute them in (20), we derive tracking error estimation as

D. FDI ATTACK ESTIMATION
The accuracy of the FDI attack estimation is monitored using an estimation error signal, βi : using Lyapunov stability analysis, we determined the FDI attack estimation as

E. STABILITY ANALYSIS
For simplicity in further analysis, the parameter t, which is time, is dropped from the equations. Let's define $z_i$ as
Theorem 1: The controller given in (12), state estimator in (18), and FDI attack estimator in (23) ensure that the $z_i$ converges to zero at $t \to \infty$ in the presence of FDI attack, and the FDI attack estimation error βi is bounded.
Proof: We define Lyapunov candidate function as where $V_i : \mathbb{R}^n \to \mathbb{R}$ is a continuous positive definite and continuously differentiable function. Taking the time derivative of (25) results

Vi
substituting $\dot{e}_i$, $\dot{r}_i$, $\dot{x}_{i-1}$, and $\dot{r}_{i-1}$ from (7), (17), (9), and (21), respectively, yields After some simplification, we have substituting βi from (23) the extra terms with βi in (28) cancels. The derivative of Lyapunov candidate function can be written as is The Vi inequality derived in (29) is a negative semi-definite function since the βi effect cancelled the FDI attack estimation. According to the Lyapunov stability theorem and Barbalat's Lemma [48], we can conclude that there exist $\alpha_i$, $k_i$, $\alpha_{i-1}$ and $L_{1_i}$ gains such that $z_i \to 0$ as $t \to \infty$ in presence of FDI attacks, and βi ∈ $\mathcal{L}_\infty$. □

VI. TESTING AND VERIFICATION APPROACH
In [15] and [49], mathematical modeling for the scene and scenario has been introduced. This model is based on the mathematical definition of the scene vector $C_k \in \mathbb{R}^{n_i}$ that represents the environment surrounding the vehicle or the Unit Under Test (UUT) at a certain time step $k$. The dimension of scene vector $n_i$ corresponds to the number of parameters used to represent the UUT and the other agents in the environment. The scene vectors form a scene C with a specific radius. The Scenario is a matrix of consecutive Scene Vectors. To validate the CAV's response using different scenarios, the authors define an assertion function that evaluates the probability of the vehicles passing a set of predetermined weighted assertions. The assertion function is calculated using an assertion matrix A, which is a multi-layer matrix representing the assertion and parameters in the scene vectors. The method allows for flexibility in defining equivalence relations between scenarios, improving the completeness and coverage of testing.
That is, for a scene C the verification cost function V is defined as The vector denoted by $C_{\mathrm{ref}}$ is the reference scene and it is comprised of acceptable parameter values that are automatically generated using a set of rules detailed in [50]. These rules may include the speed limit derived from the road structure input and the minimum safety distances mandated for the assertion. The matrix M is a diagonal matrix with its entries being the maximum between the reference parameter values from $C_{\mathrm{ref}}$ and the corresponding actual values.
To illustrate this, let us assume that a tester intends to assess a CAV's ability to maintain a velocity below the speed limit while maintaining a following distance greater than or equal to the minimum safety distance between itself and another vehicle. The tester can then compute the following: where $d_{\min,x}(t)$ and $d_{\min,y}(t)$ are the minimum latitudinal and longitudinal safe distance between the UUT and the actor. This minimum distance depends on the position and speed of UUT and the actor. The distance between the actor and the UUT is defined as $d_{1,x}(t)$ and $d_{1,y}(t)$. Additionally, $v_{\max} = \max(v_{\mathrm{limit}}, v)$, $d_{x,\max} = \max(d_{\min,x}, d_{1,x})$ and finally $d_{y,\max}$ is defined similarly. The tested unit would "pass" the test if the result of (31) is a vector with entries less than 0.5 in all its rows.
This raises an important question about how to improve the operational efficiency of autonomous vehicles.One crucial factor that requires attention relates to enhancing the behavior of CAVs.Note that if a CAV operates at a speed significantly below the prescribed speed limit, such as 10 mph in a 45 mph zone, it may still pass the regulatory tests.However, such a sub-optimal driving approach may not align with the desired outcome.
Therefore, it is crucial to optimize the CAV's responses by minimizing a cost function. It is important to note that all the entries of V(C) are in the interval of [0, 1]. Hence one can now identify "optimized behavior" when the value of entries is closer to 0.5.

VII. PARTICLE SWARM OPTIMIZATION

A. BACKGROUND
PSO is a population-based stochastic optimization technique first proposed in 1995 by Kennedy and Eberhart [37]. This technique takes inspiration from the behaviors of a flock of birds or a school of fish and is an example of evolutionary computing. PSO has been demonstrated to obtain better results in a faster, cheaper way than other methods, partially due to the algorithm's ability to be parallelized [51]. Furthermore, the PSO algorithm possesses very few tuning parameters that are simple and intuitive to understand. These parameters are population size, the number of iterations, particle inertia, inertia damping, and acceleration coefficients.
The first parameter, population size, simply defines the number of particles in the swarm. The next parameter, number of iterations, describes the number of times the PSO algorithm will execute. The swarm size and the number of iterations can be optimized, depending on the number of tunable parameters in the optimization problem [52], [53]. Particle inertia, inertia damping, and acceleration coefficients determine how the particles traverse the problem space. The inertia $\theta_i$ at time-step $i$ should be set to a value between 0.9 and 1.2 [54], [55]. Inertia decreases at each iteration proportionate to the inertia damping parameter. The acceleration coefficients, often referred to as $C_1$ and $C_2$, allow the user to tune the extent to which each particle will explore the problem space versus exploiting the swarm's knowledge. $C_1$ tells the swarm how much weight to give to the best position of each individual particle while $C_2$ defines the weight of the best solution obtained within the swarm. According to another follow-up paper by Eberhart [56], the parameters should be set such that $C_1 + C_2 = \varphi$ where $\varphi > 4$. However, other more recent studies have suggested the opposite, $\varphi < 4$ [57], [58].
In practice, the above parameters may be defined at run-time or even tuned during execution to tune the optimization algorithm.This has given rise to several variations of PSO, which will not be covered in this paper.In addition, for the purposes of this research, the parameters will be set at run-time and change only as an effect of the algorithm's execution.

B. MATHEMATICAL MODEL OF PARTICLE SWARM OPTIMIZATION
In this section, a mathematical model of PSO will be defined and discussed. First, we will formally define the parameters responsible for enabling this algorithm. There are nine (9) parameters in total with several of them being tunable. These tunable parameters are the number of particles in the swarm $n$, the minimum $S_{\min}$ and maximum $S_{\max}$ permissible variance, the particle inertia $\theta_i$, and inertia damping ratio $\zeta$, as well as the personal and global learning coefficients.
Swarm size should be defined with respect to the problem space and number of parameters being solved for, so long as $n$ is a positive real integer. The $S_{\min}$ and $S_{\max}$ parameters are floating-point real numbers that may be negative. These values are utilized for applying bounds to particle velocity. $\theta_i$ and $\zeta$ determine the future velocities of each particle and, as such, the potential solutions they may find. As the iterations increase, $\theta_i$ decreases proportionately to $\zeta$. This is to cause the particles to explore the problem space instead of erratically jumping from point to point.
During each iteration, each particle's velocity is used to determine the next position and is calculated by where $0 < \theta_i < 1$ is the inertia coefficient, $S_{i-1}$ is the previous particle velocity, $C_1$ and $C_2$ are the exploration and exploitation coefficients, with $\overrightarrow{Pos}_{PBest}$ and $\overrightarrow{Pos}_i$ being the individual particle's best and current positions while $\overrightarrow{Pos}_{GBest}$ is the swarm's most optimal position.
To prevent a particle's velocity from exceeding permissible bounds, $S_i = \min(\max(S_i, S_{\max}), S_{\min})$, (33) where $S_i$ is the current velocity, $S_{\max}$ and $S_{\min}$ are the maximum and minimum permissible velocities.
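The PSO loop of this section, written out as an added Python example (not the authors' code) that tunes two gains of a toy follower while an offset is injected into the received leader acceleration. Assumptions: the relative-motion model, the gains `k` and `alpha`, the bias list, the cost weights and the PSO settings are all constructed for illustration; the velocity update is the standard Kennedy-Eberhart form, velocities are kept inside [S_min, S_max], and the impact term follows the Section III-C wording (crashes per attack, scaled by two).

```python
import math
import random

# All constants below are constructed for this example, not taken from the paper.
DT, T_END, T_ATTACK = 0.05, 20.0, 5.0       # step, scenario length, attack start (s)
D_SAFE = 10.0                               # desired following gap (m)
BIASES = [1.0, 1.5, 2.0, 2.5, 3.0]          # injected acceleration offsets (m/s^2)
BASELINE = (0.3, 0.5)                       # untuned gains (k, alpha)
BOUNDS = [(0.1, 5.0), (0.1, 5.0)]           # PSO search box for (k, alpha)


def simulate(k, alpha, bias):
    """Run one attacked scenario; return (min_gap, rms_gap_error, rms_feedback)."""
    err, rate = 0.0, 0.0                    # gap error and its rate (leader minus follower)
    min_gap, sum_e2, sum_u2 = D_SAFE, 0.0, 0.0
    steps = int(round(T_END / DT))
    for n in range(steps):
        injected = bias if n * DT >= T_ATTACK else 0.0
        feedback = k * (alpha * err + rate)
        # Follower applies (a_lead + injected) + feedback, so a_lead cancels out
        # of the relative motion and only the injected offset disturbs the gap.
        rate += (-injected - feedback) * DT
        err += rate * DT
        min_gap = min(min_gap, D_SAFE + err)
        sum_e2 += err * err
        sum_u2 += feedback * feedback
    return min_gap, math.sqrt(sum_e2 / steps), math.sqrt(sum_u2 / steps)


def evaluate(params):
    """Return (cost, impact); impact = 2 * crashes / attacks (Section III-C wording)."""
    k, alpha = params
    runs = [simulate(k, alpha, b) for b in BIASES]
    crashes = sum(1 for gap, _, _ in runs if gap <= 0.0)
    impact = 2.0 * crashes / len(runs)
    tracking = sum(r[1] for r in runs) / (len(runs) * D_SAFE)
    effort = sum(r[2] for r in runs) / len(runs)
    return 10.0 * impact + tracking + 0.05 * effort, impact


def pso(cost_fn, bounds, n=20, iters=30, theta=0.9, zeta=0.98,
        c1=1.5, c2=1.5, seed=1, first=None):
    """Minimise cost_fn; returns (best_position, best_cost, best_cost_history)."""
    rng = random.Random(seed)
    s_max = [0.2 * (hi - lo) for lo, hi in bounds]      # velocity bounds per dimension
    s_min = [-s for s in s_max]
    pos = [[rng.uniform(lo, hi) for lo, hi in bounds] for _ in range(n)]
    if first is not None:
        pos[0] = list(first)                # seed one particle with the baseline
    vel = [[0.0] * len(bounds) for _ in range(n)]
    p_best = [p[:] for p in pos]
    p_cost = [cost_fn(p) for p in pos]
    g = min(range(n), key=lambda i: p_cost[i])
    g_best, g_cost = p_best[g][:], p_cost[g]
    history = [g_cost]
    for _ in range(iters):
        for i in range(n):
            for d, (lo, hi) in enumerate(bounds):
                r1, r2 = rng.random(), rng.random()
                s = (theta * vel[i][d]
                     + c1 * r1 * (p_best[i][d] - pos[i][d])    # pull to personal best
                     + c2 * r2 * (g_best[d] - pos[i][d]))      # pull to swarm best
                vel[i][d] = max(s_min[d], min(s, s_max[d]))    # keep within bounds
                pos[i][d] = max(lo, min(pos[i][d] + vel[i][d], hi))
            c = cost_fn(pos[i])
            if c < p_cost[i]:
                p_best[i], p_cost[i] = pos[i][:], c
                if c < g_cost:
                    g_best, g_cost = pos[i][:], c
        theta *= zeta                       # inertia damping
        history.append(g_cost)
    return g_best, g_cost, history


def tune(seed=1):
    """Tune (k, alpha) with PSO, starting one particle at the baseline gains."""
    return pso(lambda p: evaluate(p)[0], BOUNDS, seed=seed, first=BASELINE)


if __name__ == "__main__":
    best, best_cost, history = tune()
    print("baseline (cost, impact):", evaluate(BASELINE))
    print("tuned gains:", best, "(cost, impact):", evaluate(best))
```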
from scratch and scale to our use case. Due to these reasons, PSO was selected for integration into our framework.
Next, the results of optimization via PSO are discussed. Shown in Figure 5 is the problem space explored by the 50 particles across 30 iterations, illustrated as a mesh. Specifically, the mesh was created by reducing the dimensions of the particle position data to two dimensions, using the t-SNE MATLAB function. This reduced data serves to define the xy-plane with cost defining displacement along the z-axis and each point's shading corresponding with iteration.
As can be seen in Figure 5, the majority of particles start at higher elevations, denoting that their parameter solutions are sub-optimal.The swarm movement progression shows that some particles stumble upon lower-cost solutions within the first few iterations.Due to exploitation, these regions are further explored by other particles.As the iterations increase, the swarm begins to converge upon a relatively contained region of the mesh.
Following the optimization process, the controller was further verified utilizing a longer test scenario.Shown in  Table 2 are the baseline and optimal controller configurations with their respective parameter values and performance in terms of cost and the RMSE of FDI estimation, βi .

B. DATA ANALYSIS
The optimal configuration presented in Table 2 was then verified using our testing framework. In Figures 6 and 7, the results of the optimal and baseline configurations are plotted over each other. Using the risk formulation from Equation 1, the baseline controller's impact parameter $I$ was found to be over 0.4 while the optimized controller exhibited no impact due to the lack of collisions. Therefore, the risk associated with the baseline controller is 1.4.
Figure 6 demonstrates the FDI attack estimation performance. The true and estimated fault signals from the baseline and optimized controllers are presented in blue, purple, and orange, respectively.
The following distances of both controllers are shown in Figure 7. The effects of adversarial conditions and inadequate controller tuning were made apparent by the following distance plot. The baseline configuration possesses a naive definition for the control and FDI estimation parameters, demonstrated by the noisy estimation signal as well as erratic and dangerous following distances. The optimized controller's estimation algorithm adequately tracks and predicts the magnitude of the signal, allowing the controller to compensate. The tuned controller, illustrated in blue, possesses drastically improved performance and adequately prevents collision, unlike the baseline controller that is shown in orange.

X. CONCLUSION
In this paper, we presented a testing and verification approach that has been enhanced with a PSO algorithm to tune the controller and observer parameters of a secure CACC while under FDI attack. The resulting parameter solutions and costs were presented. These parameters were then utilized for defining an optimal controller to be compared against a baseline configuration. After subjecting the controller configurations to testing, it was found that the tuned controller was a drastic improvement over the baseline configuration.

XI. FUTURE WORK
Using our proposed testing and verification framework, further controller tuning will be performed in a ViL environment. In a ViL environment, the testing and tuning process should be completed as quickly and efficiently as possible. Furthermore, due to the nature of testing on a physical system, additional bounds for the parameters are required to prevent damaging the hardware. As such, a novel optimization algorithm will be developed to address these challenges. To accommodate this, our workflow will require reworking to improve the rate at which optimization iterations are completed, as tuning will occur in real-time. Once an algorithm is selected and the workflow revised, we will develop and subject a neural network-based FDI estimator to improve upon the fault detection implemented in this paper.

Figure 1 illustrates a diagram of the CACC string of vehicles. The leader is denoted by $i-1$, and the $n$ follower vehicles in the platoon are described as $i \in \{1, \ldots, n\}$. The leader vehicle receives the control input as an acceleration command transmitted through the wireless communication channel. Other parameters such as velocity and position of the leader are measured using onboard sensors, such as Radar and GPS. The dynamic model of the vehicle in the platoon

FIGURE 2. PSO algorithm convergence in terms of cost over time.

FIGURE 3. Genetic algorithm convergence in terms of cost over time.

FIGURE 4. Comparative analysis of convergence in terms of cost over time.

FIGURE 5. Problem space explored by swarm of 50 particles.

FIGURE 6. FDI attack estimation results using baseline controller and optimized controller.

FIGURE 7. Following distance using baseline controller and optimized controller.

TABLE 2. Optimal solutions for resilient CACC parameters.