Explainable Machine Learning for Cyberattack Identification from Traffic Flows
Yujing Zhou, Marc L. Jacquet, Robel Dawit, Skyler Fabre, Dev Sarawat, Faheem Khan, Madison Newell, Yongxin Liu, Dahai Liu, Hongyun Chen, Jian Wang, Huihui Wang

TL;DR
This paper presents an explainable machine learning approach to detect cyberattacks on traffic management systems using traffic flow data, emphasizing interpretability and addressing real-world challenges.
Contribution
It introduces a deep learning-based anomaly detection system with explainability techniques tailored for cyberattack identification in traffic networks.
Findings
Key indicators for attack detection identified as Stop Duration and Jam Distance
Explainability methods reveal critical decision factors and errors
Challenges include data inconsistencies and stealth attacks in low traffic
Abstract
The increasing automation of traffic management systems has made them prime targets for cyberattacks, disrupting urban mobility and public safety. Traditional network-layer defenses are often inaccessible to transportation agencies, necessitating a machine learning-based approach that relies solely on traffic flow data. In this study, we simulate cyberattacks in a semi-realistic environment, using a virtualized traffic network to analyze disruption patterns. We develop a deep learning-based anomaly detection system, demonstrating that Longest Stop Duration and Total Jam Distance are key indicators of compromised signals. To enhance interpretability, we apply Explainable AI (XAI) techniques, identifying critical decision factors and diagnosing misclassification errors. Our analysis reveals two primary challenges: transitional data inconsistencies, where mislabeled recovery-phase traffic…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Digital and Cyber Forensics
