Security and Resilience in Autonomous Vehicles: A Proactive Design Approach
Pith reviewed 2026-05-10 16:15 UTC · model grok-4.3
The pith
Redundancy and anomaly detection let autonomous vehicles keep operating during sensor and software attacks.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
An AV resilient architecture that integrates redundancy, diversity, adaptive reconfiguration, and anomaly- and hash-based intrusion detection can detect depth camera blinding attacks and software tampering of perception modules, with fast anomaly detection plus fallback mechanisms ensuring operational continuity under adversarial conditions, as shown in platform experiments.
What carries the argument
The AV Resilient architecture, which applies redundancy, diversity, and adaptive reconfiguration together with anomaly- and hash-based intrusion detection across perception, control, and communication layers.
If this is right
- Depth camera blinding attacks can be detected in time to activate backup sensors or modes.
- Software tampering in perception modules triggers intrusion detection before faulty data reaches the decision system.
- Fallback and backup mechanisms allow the vehicle to continue moving safely rather than stopping abruptly.
- Layered threat modeling plus practical detection methods together reduce the impact of V2X and supply-chain exploits.
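A minimal sketch of the detection-to-fallback pattern these points describe, added here as an illustration and not taken from the paper or its code. The thresholds, function names, and the "backup_sensor" label are assumptions; the page gives none of the paper's detector parameters.

```python
import hashlib
import hmac

# Thresholds and names are assumptions; the page reports no detector parameters.
VALID_MM = (200, 10_000)      # assumed usable depth range, millimetres
INVALID_LIMIT = 0.60          # assumed share of unusable pixels that marks a frame bad
TRIP_AFTER = 3                # consecutive bad frames before switching to backup
RESTORE_AFTER = 5             # consecutive good frames before switching back


def sha256_matches(blob: bytes, trusted_hex: str) -> bool:
    """Hash-based check of a perception module against a trusted digest."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), trusted_hex)


def frame_is_bad(depth_mm) -> bool:
    """Anomaly check: a blinded depth camera yields mostly out-of-range pixels."""
    if not depth_mm:
        return True  # no data is treated like a failed sensor
    bad = sum(1 for d in depth_mm if not VALID_MM[0] <= d <= VALID_MM[1])
    return bad / len(depth_mm) > INVALID_LIMIT


class ResilienceMonitor:
    """Chooses module and range source before data reaches the planner."""

    def __init__(self, module_blob: bytes, trusted_hex: str):
        # A tampered primary module is never loaded; the backup is used instead.
        self.module = "primary" if sha256_matches(module_blob, trusted_hex) else "backup"
        self.source = "depth_camera"
        self._bad_run = self._good_run = 0

    def step(self, depth_mm) -> str:
        """Feed one depth frame; return the range source to use for it."""
        if frame_is_bad(depth_mm):
            self._bad_run, self._good_run = self._bad_run + 1, 0
            if self._bad_run >= TRIP_AFTER:
                self.source = "backup_sensor"
        else:
            self._good_run, self._bad_run = self._good_run + 1, 0
            if self._good_run >= RESTORE_AFTER:
                self.source = "depth_camera"
        return self.source


# Constructed inputs, not data from the paper.
GOOD_MODULE = b"def detect(frame):\n    return []\n"
TRUSTED = hashlib.sha256(GOOD_MODULE).hexdigest()
NORMAL = [1500] * 90 + [0] * 10    # 10% dropouts: normal
BLINDED = [0] * 85 + [1500] * 15   # 85% unusable: blinded


def run_scenario(module_blob, frames):
    mon = ResilienceMonitor(module_blob, TRUSTED)
    return mon.module, [mon.step(f) for f in frames]


if __name__ == "__main__":
    print(run_scenario(GOOD_MODULE, [NORMAL] * 2 + [BLINDED] * 4 + [NORMAL] * 6))
```

The run-length counters trade a few frames of detection latency for fewer spurious switches; both values would need tuning on a real platform.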
Where Pith is reading between the lines
- The same layered redundancy and detection pattern could apply to other sensor-heavy systems such as delivery robots or traffic infrastructure.
- Extending the taxonomy to include coordinated multi-vehicle attacks would test whether the current detection thresholds still hold.
- Regulatory requirements for AV certification could incorporate mandatory redundancy and real-time anomaly checks based on these results.
- Further integration with predictive models might allow proactive reconfiguration before an attack fully develops.
Load-bearing premise
That combining redundancy, diversity, adaptive reconfiguration, and anomaly or hash detection will reliably handle every attack type in the taxonomy and keep the vehicle safe in real-world adversarial settings.
What would settle it
A test showing that an attack on the perception or control layer bypasses both the anomaly detector and the redundant paths, causing loss of safe control or a collision despite the fallback mechanisms.
Original abstract
Autonomous vehicles (AVs) promise efficient, clean and cost-effective transportation systems, but their reliance on sensors, wireless communications, and decision-making systems makes them vulnerable to cyberattacks and physical threats. This chapter presents novel design techniques to strengthen the security and resilience of AVs. We first provide a taxonomy of potential attacks across different architectural layers, from perception and control manipulation to Vehicle-to-Any (V2X) communication exploits and software supply chain compromises. Building on this analysis, we present an AV Resilient architecture that integrates redundancy, diversity, and adaptive reconfiguration strategies, supported by anomaly- and hash-based intrusion detection techniques. Experimental validation on the Quanser QCar platform demonstrates the effectiveness of these methods in detecting depth camera blinding attacks and software tampering of perception modules. The results highlight how fast anomaly detection combined with fallback and backup mechanisms ensures operational continuity, even under adversarial conditions. By linking layered threat modeling with practical defense implementations, this work advances AV resilience strategies for safer and more trustworthy autonomous vehicles.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents a taxonomy of cyberattacks on autonomous vehicles across perception, control, V2X, and supply-chain layers. It proposes an AV Resilient architecture integrating redundancy, diversity, adaptive reconfiguration, and anomaly/hash-based intrusion detection. Experimental validation on the Quanser QCar platform is reported for detecting depth-camera blinding attacks and perception-module tampering, with fallback mechanisms claimed to ensure operational continuity under adversarial conditions.
Significance. If the architecture can be shown to generalize beyond the two tested perception-layer attacks, the work would offer a practical proactive design framework that links threat modeling to implementable defenses, advancing AV security research. The use of a physical platform for validation is a strength, but the narrow experimental scope limits the current significance.
major comments (2)
- [Experimental validation] Experimental validation section: only depth-camera blinding and perception-module tampering are tested on the Quanser QCar. The taxonomy explicitly includes V2X exploits and supply-chain compromises, yet no results, detection mechanisms, or fallback analysis are provided for these; this gap directly undermines the central claim that the architecture ensures continuity against the full attack range.
- [AV Resilient architecture] Architecture description: while redundancy, diversity, and anomaly detection are outlined, no concrete mapping or pseudocode shows how these components detect or mitigate V2X or supply-chain attacks in time to trigger safe fallback; without this, the claim of broad resilience remains ungrounded.
minor comments (2)
- [Abstract] Abstract and results lack any quantitative metrics (detection latency, accuracy, false-positive rates) or baseline comparisons, preventing evaluation of the claimed effectiveness.
- [Experimental validation] Implementation details for the hash-based and anomaly detectors (e.g., thresholds, sensor fusion rules) are missing, hindering reproducibility.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback on our manuscript. The comments highlight important aspects of experimental scope and architectural detail that we will address through targeted revisions to clarify the work's contributions without overstating its current validation.
- Referee: Experimental validation section: only depth-camera blinding and perception-module tampering are tested on the Quanser QCar. The taxonomy explicitly includes V2X exploits and supply-chain compromises, yet no results, detection mechanisms, or fallback analysis are provided for these; this gap directly undermines the central claim that the architecture ensures continuity against the full attack range.
  Authors: We agree that the experimental validation is limited to the two perception-layer attacks that could be physically realized on the Quanser QCar platform. The manuscript's central claim is that the AV Resilient architecture offers a general framework linking threat modeling to defenses, with the reported experiments serving as concrete demonstrations of its core mechanisms (anomaly detection, redundancy, and fallback). In the revision we will add an explicit scope statement in the experimental section and a new subsection that maps the architecture's components to V2X and supply-chain scenarios, describing example detection rules and reconfiguration triggers even though full empirical results for those layers are not yet available.
  revision: yes
- Referee: Architecture description: while redundancy, diversity, and anomaly detection are outlined, no concrete mapping or pseudocode shows how these components detect or mitigate V2X or supply-chain attacks in time to trigger safe fallback; without this, the claim of broad resilience remains ungrounded.
  Authors: The current architecture section presents the high-level integration of redundancy, diversity, anomaly/hash detection, and adaptive reconfiguration. We accept that additional concreteness is needed to support claims of applicability across the taxonomy. The revised manuscript will include pseudocode for the detection-to-reconfiguration decision loop, with explicit branches for V2X message integrity checks and supply-chain hash verification, together with timing estimates for triggering safe fallback modes.
  revision: yes
Circularity Check
No circularity: design proposal and hardware validation with no derivations or self-referential reductions
The paper presents a taxonomy of AV attacks across layers, proposes an AV Resilient architecture combining redundancy/diversity/reconfiguration with anomaly/hash detection, and reports hardware experiments on Quanser QCar for depth-camera blinding and perception tampering. No equations, fitted parameters, predictions derived from inputs, or self-citations appear as load-bearing elements in the provided text or abstract. The central claims rest on the described experimental outcomes rather than reducing to the inputs by construction, satisfying the self-contained criterion for a score of 0.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: Autonomous vehicles rely on sensors, wireless communications, and decision-making systems, making them vulnerable to cyberattacks and physical threats.