Network Anomalies Detection in Real Urban Infrastructure


Benedetto Marco Serinelli

Anastasija Collen

Niels Alexander Nijdam

The ambition of the nIoVe project is to improve protection against Connected and Autonomous Vehicle (CAV) cyber-threats. Thus, the nIoVe objective is to design a robust, resilient, and effective cyber-security solution to manage complex cyber-threat scenarios, reducing the impact of breaches.

One of the nIoVe outcomes is the design of a network monitoring tool, which can detect anomalies by analyzing deviations in the statistical data of the vehicle and infrastructure networks. The tool acts as an anomaly-based Intrusion Detection System (IDS) which implements advanced anomaly detection techniques, employing Machine and Deep Learning methodologies. The tool was installed on a cost-effective and small-size Raspberry Pi 4 device.

Trained on open and public datasets, the anomaly-based IDS is able to detect malicious activities, such as DoS, DDoS, Brute Force dictionary attacks, Trojan Horse Malware (Botnet), and scanning, by analyzing the network traffic flows in the one-vehicle Local Area Network (LAN) segment. First, the network traffic is aggregated and 80 statistical network traffic metrics are extracted for analysis, such as the total length of exchanged packets, the backward connection, and the connection duration. The metrics are then provided as input to the anomaly-based IDS, which classifies the network traffic flows as benign or malicious. In case of malicious traffic flows, the anomaly-based IDS triggers the nIoVe framework to estimate the malicious risk(s) and to select the appropriate countermeasures for blocking the attack and restricting its impact.
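The aggregation step described above can be sketched as follows. This is an added illustration, not the nIoVe tool's code: it groups packets into bidirectional flows and derives three of the kinds of metrics named (total packet length, backward-direction traffic, connection duration). The packet records, field names and function names are constructed assumptions.

```python
# Constructed sample packets (not captured traffic):
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, length_bytes)
PACKETS = [
    (0.000, "10.0.0.5", 40000, "10.0.0.9", 22, "tcp", 60),
    (0.001, "10.0.0.9", 22, "10.0.0.5", 40000, "tcp", 60),
    (0.002, "10.0.0.5", 40000, "10.0.0.9", 22, "tcp", 52),
    (0.450, "10.0.0.5", 40000, "10.0.0.9", 22, "tcp", 120),
    (0.900, "10.0.0.9", 22, "10.0.0.5", 40000, "tcp", 200),
    (1.000, "10.0.0.7", 51000, "10.0.0.9", 80, "tcp", 44),  # short exchange:
    (1.001, "10.0.0.9", 80, "10.0.0.7", 51000, "tcp", 40),  # one packet each way
]


def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key so both directions map to one flow."""
    a, b = (src, sport), (dst, dport)
    return (min(a, b), max(a, b), proto)


def extract_flow_metrics(packets):
    """Aggregate packets into bidirectional flows and compute per-flow metrics."""
    flows = {}
    for ts, src, sport, dst, dport, proto, length in sorted(
        packets, key=lambda p: p[0]
    ):
        key = flow_key(src, sport, dst, dport, proto)
        flow = flows.get(key)
        if flow is None:
            # The first packet seen defines the forward (initiator) direction.
            flow = flows[key] = {
                "initiator": (src, sport), "start": ts, "end": ts,
                "fwd_pkts": 0, "fwd_bytes": 0, "bwd_pkts": 0, "bwd_bytes": 0,
            }
        direction = "fwd" if (src, sport) == flow["initiator"] else "bwd"
        flow[direction + "_pkts"] += 1
        flow[direction + "_bytes"] += length
        flow["end"] = ts
    for flow in flows.values():
        flow["duration"] = round(flow["end"] - flow["start"], 6)
        flow["total_bytes"] = flow["fwd_bytes"] + flow["bwd_bytes"]
    return flows


if __name__ == "__main__":
    for key, metrics in extract_flow_metrics(PACKETS).items():
        print(key, metrics)
```

Each resulting record is one row of the feature matrix that a classifier would receive; the two-packet flow shows how little a very short exchange offers to tell one traffic class from another.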

As a pilot, the nIoVe consortium set up the urban environment use-case by equipping a tram with a 4G router and several computing units, including the Raspberry Pi 4 device hosting the IDS, as shown in Figure 2. The tram operates on its usual daily schedule, making round-trips from Moillesulaz to Palettes, in Geneva, Switzerland, as depicted in Figure 1.

Figure 1: Tram 12 Roundtrip – Google Maps
Figure 2: ARM-based IDS tram installation

A first detection evaluation was performed, validating the IDS implementation by successfully detecting a scanning probe attack. Under carefully planned conditions, so as not to interfere with the actual tram's operation, an attack simulation was executed via the nmap tool, as illustrated in Figure 3 and Figure 4.

Figure 3: Execution of nmap scanning
Figure 4: First evaluation of the detected attacks

The nmap scan is classified as an infiltration attack and as such is detected correctly, as illustrated in Figure 4, with an accuracy of 89.5%. The figure, however, also shows the misclassification errors: the scanning was also predicted as DoS, Brute Force SSH and Botnet (Trojan Malware) attacks. Although the Machine Learning classifiers were trained to reduce false alarms, the network traffic flows were occasionally labelled incorrectly due to the similarity of the different attacks. For example, the similarities in this case come from the attack creating too many requests to scan the network (scanning attack), which may lead to reduced operation or a crash of the target machine (DoS attack) and is similar in behaviour to attacks aimed at guessing the credentials for obtaining machine access (Brute Force SSH attack). Thus, the metrics extracted from the nmap scan network traffic show a similarity between DoS, Brute Force SSH and Botnet at level three of the ISO-OSI model, the network layer.

The excellence of the nIoVe cybersecurity solution is aimed at the prevention of human harm in the context of Connected Automated Vehicle ecosystems. Leveraging and fusing the expert knowledge of the nIoVe consortium in the domains of cyber-threats, risks, mitigation and trust has made it possible to design a robust framework that detects cyberattacks and applies recovery actions to the malicious activities, computing the correct attack attribution while minimising the misclassification errors due to the use of Machine Learning technologies.
