Noticeability Versus Impact in Traffic Signal Tampering

This paper investigates the vulnerability of urban traffic networks to cyber-attacks on traffic lights. We model traffic signal tampering as a bi-objective optimization problem that simultaneously seeks to reduce vehicular throughput in the network over time (maximize impact) while introducing minimal changes to network signal timings (minimize noticeability). We represent the Spatio-temporal traffic dynamics as a static network flow problem on a time-expanded graph. This allows us to reduce the (non-convex) attack problem to a tractable form, which can be solved using traditional techniques used to solve linear network programming problems. We show that minor but objective adjustments in the signal timings over time can severely impact traffic conditions at the network level. We investigate network vulnerability by examining the concavity of the Pareto-optimal frontier obtained by solving the bi-objective attack problem. Numerical experiments are carried to illustrate the types of insights that can be extracted from the Pareto-optimal frontier. For instance, our experiments suggest that the vulnerability of a traffic network to signal tampering is independent of the demand levels.


Introduction
Urban network control has evolved from standalone control devices into sophisticated cyberphysical systems, where the integration of cyber elements such as sensing devices, communication channels and control units has greatly influenced the physical flow dynamics and the network controllability [17]. Various state-of-the art adaptive traffic signal control algorithms which rely on these cyber elements have been designed to better manage and control the vehicular flows through these networks [10,12,13]. This, however, has introduced vulnerabilities in traffic networks, especially to cy-Corresponding author, Email: sej7@nyu.edu ber attacks, an issue that has gained recent attention [5,6,9,11].
We study the vulnerability of urban road networks to traffic signal tampering attacks [9], which involves adversarial adjustment of signal settings to negatively impact network-wide traffic operations. For example, an adversary with unauthorized access to the traffic signal control infrastructure can set the traffic signal timings to a sub-optimal configuration so as cause reduced intersection throughput and excessive queuing. This effect, albeit local, has impacts that propagate to neighboring intersections and, over longer periods of time, can cripple an entire network. We specifically consider two critical aspects of such attacks: their impact on network traf-fic conditions and their noticeability to the network operators/controllers and other users. Using a bicriteria optimization framework, we show that such unnoticeable but objective adjustments to the traffic signal settings over a pre-determined time period can create cascading traffic congestion in the urban road network.
Optimizing a dynamical traffic system to achieve the desired (adversarial) objective presents a challenging task. For instance, to model the timevarying network traffic conditions as a function of traffic signal timing changes, it is important to capture the traffic queue build-up and dissipation at each intersection in the network with reasonable level of detail. This renders the mathematical formulation of the optimization problem more complex and, thus, more difficult to solve. Moreover, to incorporate signalized intersection control in the formulation, it is essential to capture interactions between conflicting movements at the intersections. These typically require the use of integer variables, particularly if time is treated as a discrete variable. Examples of such formulations include [3,[14][15][16], which use large numbers of binary variables, and researchers often resort to meta-heuristic solution methods given such difficulties; see for example [7,9].
The dynamical nature of the problem coupled with the discrete nature of signal control introduces modeling complexities that we overcome with a super-graph representation of the problem. Our super-graph is a directed graph, which compactly captures the Spatio-temporal evolution of vehicular flow dynamics of any real-world traffic network. Using reasonable approximations, this equivalent representation of traffic allows us to exploit simple solution techniques that are based on dynamic programming principles. Moreover, the super-graph representation permit us to convert the bi-objective optimization signal tampering problem to a more tractable form with polynomial complexity. This is based on the total unimodularity property of the adjacency matrices of graphs, for which integer optimal solutions are obtained by solving the trivial linear relaxation of the respective problem [1,20]; further on this in Sec. 2.2. Finally, we also propose a network vulnerability measure based on the properties of the solution set obtained by solving the bi-objective attack problem. The solution set forms an Pareto-optimal frontier [4], its properties provide critical insights to the vulnerability of the network. In short, we develop a novel static representation of traffic network dynamics as static flows on a static directed graph in Sec. 2. We then present an attack model for urban road network traffic via signal tampering and demonstrate that it can be solved to optimality using classical bi-objective programming techniques that were developed for linear problems in Sec. 3. In Sec. 4, we conduct numerical experiments on a four toy networks to illustrate some of the insights that can be extracted from the Paretooptimal frontier that is obtained as an output of the bi-objective attack problem.
2 Modeling urban network traffic flows

Network traffic dynamics
We use a cell-based traffic flow model to capture the vehicular flow dynamics of an urban road network. That is, we divide network road segments (links) into smaller sections (cells) to capture the build-up and dissipation of congestion within the network links. The model assumes space and time to be discrete, and that flows across cell boundaries do not exceed the numbers of vehicles in the sending cells, the capacities of the two cells, or maximum occupancy of the downstream cell. Let T ≡ {0, 1, . . . , |T |} denote the set of discrete time steps with a finite horizon |T |. We use a uniform discrete time step length of ∆τ, that is, time t ∈ T represents t∆τ units of time (typically seconds) from the initial time step. Let C denote the set of network cells; the length of each cell ∆x depends on the distance traveled by a vehicle at free flow speed over an interval of length ∆τ. For example, if ∆τ = 1 second and the free-flow speed is 90 km/hr, then the cells are chosen to be ∆x = 25 meters in length and the road segments are discretized accordingly. We denote by x t i the occupancy of cell i ∈ C at time t ∈ T. We represent the flows between adjacent cells by objects Noticeability vs. Impact in Traffic Signal Systems that we refer to as "connectors" [21] and denote by y t ij the number of vehicles using connector (i, j) at time t ∈ T, i.e., the number of vehicles departing cell i ∈ C into adjacent cell j ∈ C at time t. We denote the set of connectors in the network by L. The flow capacity of cell i is denoted by Q i ; this represents the maximal number of vehicles that can flow through the cell in single time step (∆τ). We chose ∆τ so that Q i = 1 vehicle per ∆τ units of time (per lane) and adjust the cell lengths accordingly. We demonstrate below that little generality is lost in making this assumption. The maximum occupancy of cell i is denoted by N i ; this represents the maximal number of vehicles that can be present in the cell in units of vehicles per ∆x units of distance.
Network intersections are modeled as ordinary cells connected to transshipment nodes. The difference between nodes and cells is that network nodes only serve as transfer stations and do not hold any vehicles. The set of all such transshipment nodes in the network is denoted by B = B D ∪ B M , where B D and B M are sets of diverging and merging nodes, respectively; the former are nodes with one inbound connector (one incoming flow) and one or more outbound connectors, the latter are nodes with one or more inbound connectors and only one outbound connector. Intersections with multiple inbound flows and multiple outbound flows are represented by more than one node in B D and B M as illustrated below. For each i ∈ C ∪ B, we denote by Γ(i) − ⊂ C ∪ B the adjacent network objects that are in the immediate upstream of cell (or transshipment node) i. Similarly, Γ(i) + ⊂ C ∪ B is the set of adjacent cells or transshipment nodes that are in the immediate downstream of i. This cell-node representation is illustrated in Fig. 1 for a typical two intersection system.
Traffic dynamics. We divide the set of network cells C into disjoint sets of "ordinary" cells C O , "source" cells C R , and "sink" cells C S , i.e., C = C O ∪ C R ∪ C S . Ordinary cells are those on the interior of the network, while source and sink cells are on the boundary of the network. By boundary, we mean any object that is adjacent to the exterior of the network, this includes the extremities of the network and interior locations that are connected to interior sources or sinks (such as parking structures). For i ∈ C O the dynamics are given by the mass balance equation where {h} = Γ(i) − and {j} = Γ(i) + . For source cells i ∈ C R , the dynamics are written as where d t i is the exogenous demand at source cell i. Similarly, for i ∈ C S , the dynamics follow the mass balance equation Flows through diverge (i ∈ B D ) and merge (i ∈ B M ) nodes are represented, for each t ∈ T , by and respectively. To capture the physical constraints on the connector flow, we impose the constraint That is, the flow on the connector cannot exceed (i) the number of vehicles in the sending cell i (ii) the flow capacities of both the sending cell i and the receiving cell and (iii) the available space in the receiving cell j (accounting for departing flows y t jk ): Intersection conflicting movements. Additional constraints arise as a result of conflicts at network intersections. We now show that these constraints can be represented graphically. Consider a pair of intersection movements that conflict with one another, e.g., the two opposing through movements shown in Fig. 2a. The two movements are represented by connectors: (i, j) and (p, q). The conflict dictates that the connector flows cannot be simultaneously positive. To capture this, we can introduce a pair of binary variables α t ij , α t pq ∈ {0, 1} so that α t ij + α t pq ≤ 1 for all t ∈ T . For these two movements, the connector capacity constraints are given by y t ij ≤ Q ij α t ij and y t pq ≤ Q pq α t pq . For the case where both (i, j) and (p, q) have the same (single-lane) flow capacity: Q ij = Q pq = 1 vehicle per ∆τ, these constraints Thonnam Thodi, Mulumba, and Jabari Noticeability vs. Impact in Traffic Signal Systems can alternatively be written as along with y t ij , y t pq ∈ {0, 1}. In order to represent this graphically, we introduce two transshipment nodes, u and v as depicted in Fig. 2b and add the associated mass-balance equations to the system: and along with a capacity constraint on the new connector: Connectors (i, u) and (p, u) represent the outbound flows from cells i and p, while connectors (v, j) and (v, q) represent the inbound flows into cells j and q, respectively. Note that all of the associated connector flows y t iu , y t pu , y t uv , y t vj , and y t vq are binary variables in this modified representation. In this setup, separate cells for each of the turning movements proposed in previous work [3,14] is not needed. Our setup can also accommodate many different types of phasing schemes when considering signal timing; any two movements may proceed through the intersection simultaneously as long as they do not conflict. This is in contrast to the two phase setups in [16], [14] and [3]. Also, the binary variables α t ij representing the conflicting signal phases are no longer required to enforce conflict free flows at the intersection and we, henceforth, shall treat them as exogenous variables that are inferred from the other flow variables. We also note that approaches with different capacities (approaches with different numbers of lanes) can also be accommodated in this framework as illustrated in the simple example shown in Fig. 3.

Super graph: A static representation of traffic dynamics
We now demonstrate how the equations describing the system dynamics and the conflicting flows (b) Network representation of conflicting movements can be captured with a time-expanded static graph, which we refer to as the super-graph.
To illustrate, consider three adjacent cells i, j, k in the network as depicted in Fig. 4a. The massbalance equations governing the flow dynamics can be interpreted as flows through a network node. Take, for instance, the variable x t j representing the occupancy of cell j in time step t. This variable appears twice in the system of mass-balance equations: and in the next time step The variable x t j appears in the first equation with a Thonnam Thodi, Mulumba, and Jabari Noticeability vs. Impact in Traffic Signal Systems coefficient of +1 and in the second equation with a coefficient of -1. It can hence be interpreted as temporal flow from a node in time step t into another copy in time step t + 1. Similarly take the variable y t ij , in addition to its appearance in equation (15) with a coefficient of -1, it also appears in the mass balance equation with a coefficient of +1. It can be interpreted as a spatial flow. It can be easily seen that all cell occupancy variables {x t i } i∈C,t∈T and all connector flow variables {y t ij } (i,j)∈L,t∈T appear twice in the set of mass-balance equations, once with a coefficient of +1 and once with a coefficient of -1. The time expanded directed graph associated with the mass balance equations of cells i, j and k is depicted in Fig. 4b.
To incorporate the flow conservation constraints in the super-graph, we first introduce non-negative slack variables, denoted by s t i for each cell i, which represents the number of vehicles in cell i that do not advance to neighboring cell j during t. Hence, they are bounded from above by the maximum occupancy of cell i: and the flow restrictions (7) becomes an equality: Substituting y t ij − x t i = −s t i in the mass balance equation we obtain Then keeping (18) in tact and replacing (19) with (20), we have that each of the variables in the resulting system of equations {x t i , s t i } i∈C,t∈T and {y t ij } i∈L,t∈T appears twice, once with a coefficient of +1 and once with a coefficient of -1. The resulting graph for the three-cell example is illustrated in Fig. 4c.
Time t+1 (c) Graphical representation including flow restriction To fully capture the traffic dynamics, it remains to accommodate downstream restriction constraints on the flows (9). We do this by imposing a simple spatial capacity (max occupancy) constraint, which is natural: for all i ∈ C and all t ∈ T . That the resulting system of equations respects (9) by simply imposing (21) follows by noting that for any t, mass bal-  ance implies that x t+1 j = x t j + y t ij − y t jk and since the right-hand side of (21) is constant throughout the horizon T , we have that x t+1 j ≤ N j implies that x t j + y t ij − y t jk ≤ N j , which is the flow restriction constraint (9).
We illustrate the overall development of the super-graph for a network with both cells (road segments) and transshipment nodes (intersections) in Fig. 5a. A single layer of the supergraph corresponding to a single time step is shown in Fig. 5b. The demands {d t i } i∈C R ,t∈T can be accommodated by adding a fictitious super-source node R along with fictitious arcs emanating from R and terminating in the different copies of the source nodes with capacities equal to the demands. The same is done for the network sinks, where we create a super-sink node S and connect it to the sink nodes via arcs that are either uncapacitated (for free-boundaries) or are capacitated by the maximum occupancies of the sink cells of the network. The super-graph is illustrated in Fig. 5c.
In summary the network dynamics can be represented by a system of mass balance equations along with capacity constraints (8), (17), and (21).

Compact Notation
In this section, we formulate the optimal and adversarial control problem and show how the supergraph representation of traffic flow dynamics can be exploited in solving these problem efficiently. We first present a compact notation based on the supergraph developed above. We denote the supergraph by G = (V, A), where V are the super-graph nodes (vertices) and A are the directed arc in the super-graph. We denote by A V /S ⊂ A the set of non-sink arcs in the network (in essence A V /S excludes the fictitious arcs that terminate in the supersink node S). The subset of arcs corresponding to conflicting movements is denoted by A conf ⊂ A. Let b ∈ Z |V | denote the demand vector. Define D ≡ ∑ t∈T ,i∈C R d t i , then the element of the demand Thonnam Thodi, Mulumba, and Jabari Noticeability vs. Impact in Traffic Signal Systems vector are given by The arc flows consist of the variables {x t i , s t i } i∈C,t∈T and {y t ij } i∈L,t∈T , which for simplicity we denote as the vector x ∈ Z |A| . Let u ∈ Z |A| denote the upperbounds on the flows, which correspond to the spatial capacities {N i } i∈C and the temporal flow capacities {Q i } i∈L . The mass-balance equations are linear equations in the elements of the vector x and can hence be represented by a matrix operator on x, which we denote by A ∈ {−1, 0, 1} |V |×|A| . The mass balance equations are then written as Ax = b along with the bounds 0 ≤ x ≤ u. The matrix A is an arc-node incidence matrix. Such matrices are known to possess a property called total unimodularity (TU) [1,20]. In the context of mixed integer programming, when the constraints matrix is TU, the trivial linear relaxation produces integer optimal solutions. This is a property that we will capitalize on in the next section.

Optimal control policy
We define the optimal signal control policy as one that minimizes the total travel time of all vehicles in the system over the horizon of the problem. This is modeled as ∆τ1 |A V /S | x| A V /S , where 1 |A V /S | is a vector of ones of size |A V /S | and x| A V /S is the restriction of the vector x to arcs that lie in A V /S . Since all conflicts are accounted for in G naturally,the optimal control policy can be inferred from the solution of the network flow problem where one picks the solution of (23) that involves the minimal number of signal switches. Note that the constant ∆τ was dropped from the objective function as it has no effect on the solution (since it is a positive constant). In the next section, we will denote by x * the solution of (23) and x * conf ∈ {0, 1} |A conf | will denote the restriction of x * to the set A conf .

Adversarial signal control policy
The signal tampering problem is formulated as a biobjective optimization program, where we simultaneously seek to determine a control policy that leads to maximum adversarial impact in the network but at minimum noticeability. We call the resulting policy the adversarial signal control policy and denote by x A conf ∈ {0, 1} |A conf | the intersection flows that result from the adversarial policy. Let x * S and x A S denote the vector of flows into the sink node under optimal control and adversarial control, respectively. The adversarial control policy can be inferred from the solution of the bi-objective programming problem where the objective functions Z 1 : A V /S → Z + and Z 2 : A conf → Z + are given by and The function · 1 is the usual 1 -norm and · 0 is the 0 pseudo-norm. We assume that x * S and x * conf are known a-priori. Hence, minimizing Z 1 can be interpreted as maximizing the deviation in network travel times from the one achieved under optimal control. Minimizing Z 2 can be interpreted as finding a control strategy which results in smallest change in control variables from that achieved with optimal control. Hence, the bi-objective programming problem can interpreted as one that seeks to find a control policy that impacts performance greatly while simultaneously going unnoticed.
The first objective can be simplified to This follows from the equivalence of the system travel time minimizing solution and the maximal flow solution (see, e.g., [1]). Hence the cumulative vehicle arrivals (over time) curve under a optimal control solution lies above any other cumulative arrivals curve.
The second objective, Z 2 , is generally non-convex but noting that (feasible) flows in A conf are binary under the proposed representation for conflicting movements, we have the convex equivalent: (28) To further simplify this, we employ a standard trick used in linear programming: introduce two binary vectors denoted x + conf ∈ {0, 1} A conf and x − conf ∈ {0, 1} A conf and add the system of equations to the system. The addition of these constraints are equivalent, from the graph representation perspective, to every flow in the network corresponding to an element of x conf being replaced by an identical element of x + conf and a new mirror image in x + conf . By mirror image, what is meant here is a flow that connects the same two nodes with the same capacity but points in the opposite direction. Hence, this substitution has no impact on the graph structure of the problem or the total unimodularity of the constraints.
As far as the objective function Z 2 is concerned, the equality given in (29) results in the following bound: which means that, without loss of generality, Z 2 can be replaced by the linear objective function: The resulting bi-objective programming problem is Note that we employed the trivial linear relaxation in (37). This is warranted by the total unimodularity of the constraint set, that is, we are still guaranteed integer optimal solutions. This is true for each of the objective functions coupled with the constraints. Thus, it is also true for any weighted combination of the two objective functions, which is the standard approach to solving bi-objective programming problems. There also exist traditional techniques that ensure that all efficient solutions are discovered (i.e., the entire Pareto-optimal frontier is determined) [2,18]. Such techniques involve iteratively solving single objective problem but adding the other objective to the constraint set. In our case, this too does not violate total unimodularity. For example, minimizing Z 1 subject to (34) -(37) and Z 2 = z 2 for some given constant z 2 , we have the original TU system with rows from an identity matrix added to them. The latter operation is TU-preserving. The exact same argument is true in the case where one minimizes Z 2 subject to (34) -(37) and Z 1 = z 1 for some constant z 1 . Hence, efficient (polynomial-time) techniques can be employed to iteratively solve the bi-objective programming problem (32) -(37) and obtain the entire Pareto-optimal frontier. For the sake of completeness, we include the algorithm we employed below. To simplify notation, we represent the constraints (34) -(37) as the set X and with slight notation abuse, the vector x includes x + conf and x − conf .
Pareto frontier and network vulnerability. Each point along the Pareto-optimal frontier is a candidate solution which meets the dual criteria of maximum network vehicle throughput deviation and minimum noticeability. Due to the discrete nature of the problem, the pareto frontier is scatter-plot (a set of extreme points that are not connected). We shall illustrate the Pareto frontier as a piecewise linear curve (i.e., we will connect the points) to analyze the shape of the curve. We examine the concavity of the resulting curve and use this as a measure of vulnerability of the network. The more concave the curve is, the more vulnerable the network is to an adversarial attack. To visualize this, consider the Thonnam Thodi, Mulumba, and Jabari Noticeability vs. Impact in Traffic Signal Systems Algorithm 1: Pareto-optimal frontier for adversarial problem Data: Result: The Pareto-optimal frontier F 1 Initialize: z 2 , x ∈ X } 5 if (z [1] 1 , z [1] 2 ) = (z [2] 1 , z Calculate the weights: Solve the following two problems: Calculate candidate solution: 2 ) or (z 1 ,z 2 ) = (z two Pareto frontiers obtained for two different (hypothetical) networks A and B in Fig. 6. In Fig. 6, an amount equivalent to z 2 change in the signal control results in a change in throughput equal to z 1,A for network A and z 1,B for network B. Clearly, z 1,B > z 1,A , implying that network B is more vulner- able than network A. Note here that the slope measured at the origin, which we will denote by m A for network A, essentially tells how vulnerable the network is from an initial optimal state. The larger the value of m, the more vulnerable the network is to an attack. One can also investigate slope and curvature at various points along the curve to determine the vulnerability and stability of the network to prolonged attacks.

Numerical Experiments and Results
We perform numerical experiments to test the proposed adversarial model on a few selected road networks, and discuss the dependence of network vulnerability on the network structure, vehicular traffic demand and duration of attack. We consider three homogeneous (or regular) road networks with uniform degree distributions and one random (or irregular) network with non-uniform degree distribution for the experiment; see Fig. 7. All of the networks in the examples have the same spatial area (= 2.5 km 2 ), but vary in numbers of intersections, link lengths, origin (or destination) locations, and network regularity. These are detailed in Table 1.
All the road links in the network have a single lane and only permit one-way traffic. For each network, we conduct a set of experiments with different traffic demands and attack durations. We assume a discrete time step length of ∆τ = 2 seconds, a maximum cell occupancy (N i ) of 5 vehicles per cell, and a flow capacity of Q i = 1 vehicle per time step per Noticeability vs. Impact in Traffic Signal Systems  lane. These are typical values for an urban lane. The super-graph and bi-objective attack problem for the test networks are implemented using Python programming language and are available online [19]. All linear optimization programs are solved using the Gurobi optimization solver [8]. The experimental results are discussed below. Network vulnerability. We first investigate network vulnerability in general by examining the concavity of the Pareto frontier in Fig. 8 for the lowdensity and high-density networks under a uniform traffic demand of 600 vehicles per hour at the network sources (low traffic demands). The dura- tion of the attack is 15 minutes (450 time steps). We see a flatter curve in Fig. 8a compared to Fig. 8b indicating that the higher density network is more vulnerable in low demand scenarios. This is reasonable as Network C has more intersections per unit area than Network A.
Impact of network structure. To understand the relationship between network structure and network vulnerability, we compare the Pareto frontiers (on a normalized scale) obtained for all the test networks in Fig. 9. The attack duration is 15 minutes (450 times steps) in the experiments. Fig. 9a compares the networks under low traffic demands (400 veh/hr or 100 vehicles over the entire horizon at each source), Fig. 9b compares the networks under moderate traffic demands (800 veh/hr or 200 vehicles over the entire horizon at each source), and Fig. 9c compares the networks under heavy traffic demands (1200 veh/hr or 300 vehicles over the entire horizon at each source). In Fig. 9a, we see that at the origin point, the slope values follow: m D > m C > m B > m A , implying the Network D Noticeability vs. Impact in Traffic Signal Systems  is the most vulnerable and Network A is the least vulnerable in low demand scenarios. The high vulnerability of Network D could be attributed to its irregular structure and non-uniform degree distribution, for which there exist large degree nodes and are found to be more unstable under attacks. However, along the Pareto curve, the slopes reduce at a faster rate for Network D than Network A, implying that Network D tends to be more resilient than other networks under prolonged attacks. Similar insights can be observed from the Pareto curves obtained for the moderate and high demand scenarios in Fig. 9b and Fig. 9c.
Impact of traffic demands. We next study the effect of varying traffic demands; this is shown in Fig. 10. For each network, we observe that the number of non-dominated solutions defining the Pareto frontier increases as demands increase. The more interesting observation is the similar shapes of the curves across demand levels, particularly for the uniform networks (Networks A -C). This similarity suggests that demand levels have no impact on a network's vulnerability, which is defined by the shape of the Pareto frontier. We also see that the irregularity of Network D affords it less vulnerability to adversarial attacks than the uniform networks.
Impact of attack duration. Finally, Fig. 11 illustrates the impact of attack duration. There are two noteworthy observations: the first observation is that all four networks are more vulnerable to longer attacks. This is to be expected. The second observation is that the Pareto curves scale exponentially with duration and it appears that this scaling is the same across the four networks.