Longitudinal speed tracking control for an electric connected vehicle with actuator saturation subject to a replay attack

In this paper, a delay-tolerable and anti-windup control synthesis technique is proposed. Longitudinal speed tracking performed by an integrated electric drive (IED) system under the multi-domain constraints of network bandwidth and actuator saturation is investigated. Controller area network (CAN) connected to the Internet provide an interface for cyber attacks. In addition, the physical saturation characteristics of the electric drive motor sacrifice vehicle speed tracking performance. Based on above problems, a nominal controller satisfying energy-to-peak performance considering the attack-induced delays is designed. Then, an augmented closed-loop system is established including the nominal delay-tolerable controller and an anti-windup controller considering input saturation and random attack-induced delays. The delay-dependent uncertainty caused by attack-induced delay is expressed in the form of polytopes. Furthermore, the saturation nonlinearity is converted to sector-bounded uncertainty. Particle swarm optimization (PSO) algorithm is employed to find anti-windup controller matrices. Finally, the effectiveness and improvement of the proposed method based on MATLAB Simulink and hardware-in-the-loop (HiL) test platform are shown. The variation of speed tracking performance and oscillation damping capability under different attack energies is described.


Introduction
The key assembly component of connected vehicles is the integrated electric drive (IED) system which is composed of drive motor and transmission device. The vehicle speed tracking performance performed by an IED system directly affects driving quality [7]. With the development of electric vehicles and communication technologies, in-vehicle controller area network (CAN) connect to external networks providing drivers with more efficient, safe and enjoyable driving guidance [45]. Unfortunately, the wireless interfaces and malicious programs embedded in the in-vehicle network provide opportunities for attackers. Extensive vehicle attack experiments and in-vehicle network security protocol have been investigated [3,9,28]. Besides, Murvay et al. carried out a replay attack, a denial of service (DoS) and a distributed DoS attack on commercial vehicles [31]. Kang et al. employed a CAN Analyzer to carry out a deception attack [38]. Koscher et al. implemented a deception and a replay attack through on-board diagnostics (OBD) tool [20]. Han et al. have implemented a DoS attack, fuzzy attack, and replay attack on in-vehicle CAN through an OBDII port [14]. Woo et al. have carried out a remote replay attack on a vehicle through an OBDII and a malicious smartphone application [41]. These studies verified the vulnerability of CAN and proposed corresponding security protocols which prevent attack signals from being received. However, the attack signals occupy the limited bandwidth resource, resulting in communication delays.
A large number of studies have explored the influence of communication delays on system stability [22,24,40,49,50]. Compared with CAN-induced communication delays, the unknown, large, and timevarying attack-induced delays could render control system unstable. The resilient control under cyber attacks has been studied extensively [10,26,27,33,46]. The design approaches of delay-tolerable controller in the study of [23,43,44,50] are proposed to mitigate the tracking performance degradation and powertrain oscillation of IED system under cyber attacks. Zhu et al. designed a speed tracking control technology for an IED system. The speed tracking performance of the system is guaranteed under CAN-induced delays [50]. An attack-delay robust controller described in the form of a dynamic output-feedback control was investigated [23]. An event-triggered controller to alleviate communication congestion in an attack network environment was studied [44]. Xu et al. proposed a robust reset control to optimize the speed tracking performance under attack-delays in real time [43]. Apart from the bandwidth constraint, actuator saturation is also a critical concern in vehicle speed tracking control. Drive motor torque is limited, leading to the control performance degradation of the IED system. Besides, the delaytolerable controller presented in generalized proportion integration (PI) form are sensitive to actuator saturation, which could degrade the control performance because of signal distortion [25,47]. The integrator accumulates when input saturation happens resulting in more adjustment time and overshoot. In addition, stability analysis of closed-loop systems becomes more complicated when both delay and saturation exist in a control system. Theoretical methods considering the input saturation and short time delays have been investigated extensively [1,2,4,8,17,21,35,37,39,48]. Hussain et al. proposed a compensation control method for a system with time delay uncertainty, input nonlinearity, parameter uncertainty, and additional disturbance [16]. Besides, they proposed a compensation control method for an nonlinear system with state delay and input saturation [17]. The stability region and condition of a state delay system subject to input saturation were analyzed in [36]. A robust anti-windup controller is proposed to solve the stability problem of time-varying delay system described by Takagi-Sugeno (T-S) fuzzy models in [29]. Zhang et al. studied multi-motor coordinated control of heavy-haul locomotive considering drive motor saturation [47]. Some theories about fault-tolerance are also applied in saturation control, such as [11][12][13]19]. The time-invariant symmetric saturation value of driving motor is a simple fault form. In the context of longitudinal speed tracking control considering actuator saturation and time-varying attack-induced delays, however, there are a few results reported. To improve the sensitivity of the delay-tolerable controller to actuator saturation, we employ an anti-windup (AW) control method to mitigate the impact of actuator saturation, which is developed in [6,32,42]. This method can be retro-fitted to existing controllers, which is popular with practicing engineers and implemented by following two-step design procedure. First, we design a nominal controller that does not take into account saturation limitations. Then, an anti-windup compensator is designed to minimize the unfavorable effects induced by actuator saturation. Based on this approach, the nominal controller can independently determine the behavior of the closed-loop system when there is no saturation, which leaves more room for the delay-tolerable controller design. As for the validation, most of the existing investigations on attack-induced delays with actuator saturation have been evaluated through merely numerical simulation. Few investigations have carried out an experiment to explore the influence of attack signal on a control system. Therefore, this paper proposes a vehicle speed tracking controller co-design technique combining delaytolerable and anti-windup to improve the speed tracking performance and powertrain oscillation damping capability considering actuator saturation under a replay attack. Furthermore, contributions of this paper are introduced: (1) A controller design method of delay-tolerable and anti-windup synthesis technique is developed, which effectively suppresses the influence of input saturation and attack-induced delays. We propose an optimization solving method of nonlinear matrix inequalities by employing the a PSO method to obtain the anti-windup controller matrices. (2) The relationships between attack energy, bus load and communication delays are explicitly disclosed based on hardwarein-the-loop (HiL) tests. (3) Higher tolerance to the increase of attack energy, better speed tracking performance, and better oscillation damping capability are obtained, compared with traditional robust energyto-peak controller and delay-tolerable controller in [22], which is verified by MATLAB/Simulink and HiL experimental platform.

Problem formulation
2.1 Replay attack model Figure 1 shows a replay attack process. The key assembly of vehicle speed tracking IED system consists of a motor, a gearbox, a drive shaft, wheels, a vehicle control unit (VCU) and in-vehicle CAN. The proposed control algorithm is downloaded into VCU to complete speed synchronization control. Note that motor control is not the focus of this paper. Furthermore, to realize the real-time observation of the vehicle status, an OBDII is embedded in the in-vehicle CAN through a physical interface. If the mobile application (APP) connected with OBDII by Bluetooth is malware designed by the attackers, OBDII will send malicious data in CAN at attacker's request [41].

Vehicle speed tracking system modeling
can be obtained by pedal position. Furthermore, desired motor speed w * m , desired wheel speed w * w , desired motor output angle θ * m , desired wheel angle θ * w , and desired motor torque T * m can be obtained through the following relations.
where r w is the wheel radius, desired external load torque T * load , i 0 is the final drive ratio, i g is the gear ratio, Fig. 1 Process of a replay attack on an IED system of a connected vehicle c m is the motor damping, k f is the driveshaft stiffness, and V * x,max is the maximum expected speed. Vehicle speed tracking is achieved through an IED system and the state-space can be described by the following model [50].
is the axle wrap rate to evaluate powertrain jitter in engineering.
With the new vector T , the IED model in (2) is rewritten as follows: where The continuous-time system in (3) is transformed into the following discrete-time model, considering that the sampled signal is sent periodically with sampling period T s . where 2.3 Description of delay-tolerable system subject to attack-delays Figure 2 depicts the impact of replay attack messages from an OBDII node on communication network. Attackers replay higher-priority attack signals at a faster rate, resulting in random, long, time-varying, and unpredictable attack-delays. In the field of control application based on CAN network, a consensus assumption is established. That is, if the communication is not interrupted or bus-off, the transmission delays of CAN messages are bounded, and its upper bound could be obtained by experimental measurement or by upper bound estimation algorithms for communication delays in advance [5,18,30].
Assuming that the attack-induced random delays caused by attacks are bounded, and maximum delay τ max can be composed of ψ T s and Υ T s as follows.
where ψ ∈ Z + integer part and Υ ∈ R [0,1) is the fractional part of the ratio of maximum delay τ max to sampling period T s . Therefore, the IED discrete-time system in (4) can be rewritten as the following nonlinear system considering the impact of attack-delays on actual control input. where The nonlinear part in (6) can be linearized as follows by Taylor linear series expansion as in [34]. The h-order approximation of Δ(ε) is obtained by ignoring residual Θ h . Therefore, nonlinear part Δ i,k in (6) can be expressed by where l = 1, 2, · · · , h+1, Therefore, defining a new state vector T , the nonlinear system in (6) can be reformulated to the following state-space model: where

Nominal delay-tolerable controller solving
The design objective of the nominal delay-tolerable controller is to track the ideal vehicle speed and increase oscillation damping capability. Therefore, the weighted sum of the wheel speed error and wheel angle error are chosen as the first control output Z 1 , the axle wrap rate is selected as the control output Z 2 which is described as follows. where ], with χ 1 and χ 2 are the weighting factors between wheel speed error and wheel angle error. The nominal control law is designed as u(k) = K nom x 4 (k). Modeling error is considered to guarantee the stability of system in (8) and following energy-to-peak performance ignoring input saturation.
Then, the following lemma is introduced.
Lemma 1 [50] Suppose that the nominal delay -tolerable controller is designed. The nominal closedloop system in (8) is stable with energy-to-peak performance indexes ϑ 1 and ϑ 2 , if there exist a positive definite matrix ξ = ξ T , and matrices M and Y satisfying the following conditions: There are two energy-to-peak performance parameters ϑ 1 and ϑ 2 in Lemma 1. When speed tracking performance is satisfied, a smaller wrap rate is expected to obtained better oscillation damping capability. For given ϑ 1 , a smaller energy-to-peak performance index ϑ 2 means that the controlled output Z 2 which indicates wrap rate is smaller. Therefore, the nominal tracking controller gain is solved by following optimal problem.

Delay-tolerable control with anti-windup compensation
This section presents the design method of a closedloop control system considering attack-induced delays and input saturation. The nonlinear properties of input saturation can be described by piecewise linear saturation function as follows.
for i = 1, 2, . . . , n u , where n u is the dimension of control inputs. The relationship between nominal control input u(k) and saturated control input σ (u(k)) is expressed by where q(k) is the uncertainty which is caused by input saturation. The anti-windup control structure diagram is shown in Fig. 3. The nominal tracking controller and anti-windup controller are downloaded into VCU. An IED system communicates with the VCU via in-vehicle CAN. The AW controller in (19) modifies the input and output of the nominal controller when the control input exceeds the saturation boundary. Then, the anti-windup controller is described by following equations [15,42]: where with A aw , B aw , C aw and D aw is the anti-windup controller matrices, x aw1 (k) and x aw2 (k) are the state vectors of the anti-windup controller, V 1 (k) and V 2 (k) are outputs of the anti-windup controller which are used to modify the output and the input of the nominal controller, respectively. Furthermore, the controller gain is rewritten as follows by combining the nominal delaytolerable controller with the anti-windup controller.
where H = I n x1 ×n x1 , 0 (n x1 +n u )×n x1 T is the expanded matrix.

Integrated closed-loop system of delay-tolerable controller and anti-windup controller
The final closed-loop system considering control input saturation and attack-induced delays can be expressed as follows: for ∀i = 1, 2, . . . , (h + 1) ψ+1 . The control objective of the final closed-loop system is to balance tracking errors with control inputs considering attack-induced delays and input saturation. Therefore, the following linear quadratic regulator (LQR) indicator Φ is employed as the controlled output Z 3 .
The LQR performance can be further translated into a two norm of the control output Z 3 (k) as shown below. where Therefore, the augmented closed-loop system is designed as follows: wherẽ

Solving algorithm for PSO-AW controller
In this section, the theoretical feasibility of the control synthesis technology considering attack-delays and actuator saturation is analyzed. An nonlinear antiwindup controller solving method with the help of a PSO algorithm is developed, which is named as PSO-AW controller. The PSO algorithm is used to assist optimization problem expressed by nonlinear matrix inequalities. Finally, the anti-windup controller matrices are obtained by offline calculation.

Fitness function definition
In this section, the nonlinear problem caused by motor saturation is described by a kind of uncertain system with sector-bounded uncertainty [15,42]. The uncertainties q caused by actuator saturation contained in a conic sector [0, k i ], i = 1, 2, ..., n u which defined by q ∈ sect[0, L] will indirectly restrict the control input signal, where L = diag k 1 , k 2 , . . . , k n u and 0 < k i < 1. Then, regional stability will be achieved. The limitations of saturated nonlinearity is described by the following constraints: for any diagonal matrix W = diag 1 , 2 , . . . , n u . Then, the augmented closed-loop system in (24) is designed. Theorem 1 introduces the methods and conditions for solving the anti-windup controller matrices. (24)

Theorem 1 The closed-loop system in
Proof : Sufficient conditions to satisfy the asymptotic stability of the uncertain system in (24) considering H ∞ performance are established as follows: based on (24), we can have The constraint conditions in (25) caused by input saturation can be further expressed as follows: Therefore, the condition in (27) can be expressed by following matrix inequality by applying Schur complement: ⎡ In the reference of [50], apply a congruence transformation to (31) with diag {S, I, I, I, I }, the matrix inequalities in (31) can be described by (26) with polytopic inclusion method. Therefore, the Proof is thereby completed.

Searching algorithm of PSO-AW controller matrices
This section presents a searching method for antiwindup controller matrices A aw , B aw , C aw and D aw with PSO algorithm. Each particle P j contains the matrix elements in A aw , B aw , C aw , D aw . Therefore, the particle P j stands for A aw, j , B aw, j , C aw, j and D aw, j , where j is the particle number and N 1 is the total number of particles. The solving method is introduced below.
Step 1: Specify the boundary of the PSO optimization problem. Particles position P j (n) and velocity V j (n) are restricted by following conditions.
for n = 0, 1, . . . , N 2 , where n is the iteration step and N 2 is the maximum number of iterations.
Step 3: Particle velocity and position are updated. The following equations is used to describe the method to update the position and velocity of particles.
∀n = 1, 2, · · · , N 2 , where c 3 is the inertia weight, c 1 and c 2 are the accelerated constant, r a1 and r a2 are the random numbers drawn from 0 to 1.
Step 4: Calculate the fitness function given by following optimization problem with A aw, j , B aw, j , C aw, j and D aw, j as known.
The particles with the best fitness function are selected as the local optimal solution P pb j (n) represents the optimal H ∞ performance index γ in the nth iteration. P gb (n) is the global position of all particles up to the nth iteration, which is remembered as the global best position.
Step 5: After N 2 iterations, the optimal particles can be obtained as P = P gb (N 2 ).
Finally, the global optimal particle contain controller information. Thus, the AW controller matrices in (19) are obtained.

Simulation results
The improvement of the proposed method is studied. Simulations are carried out based on MATLAB Simulink (R2018b, MathWorks, USA) platform compared with a delay-tolerable algorithm designed by reference of [22]. The IED control system shown in Fig.  3 is used as the simulation framework. The proposed method is encapsulated in the VCU to calculate desired  In order to verify the improvement performance of the proposed algorithm in speed tracking and oscillation damping. The comparative simulation of the proposed controller and a delay-tolerable controller in [22] is performed under input saturation and random delays with maximum 100ms. Figure 4a-d shows the response of vehicle speed, motor torque, wrap rate and driveshaft torque. Figure 4a shows that the proposed controller reduces the effect of actuator saturation. Better speed synchronization performs with smaller overshoot and steady-state time even under attacks. Figure 4b shows the motor actual output torque of delay-tolerable controller fluctuates more. Vibration reduces powertrain life and provides poor ride comfort. Figure 4c shows the comparison of axle wrap rate responses of two controllers. Greater jitter of delay-tolerable controller during gear shift can be seen, while the proposed controller has smaller peaks and jitter. It indicates that the oscillation damping capability is improved.

HiL test results
The effectiveness and superiority of the proposed method is studied in this section. Experimental verification based on the HiL platform is employed as shown in Fig. 5. The hardware equipment includes two personal computers (PCs) named PC 1 and PC 2, a VCU, a Vector VN1640A CAN interface, a driver pedal, a dSPACE and a practical CAN bus. The baud rate of the CAN bus is 500kBuad. PC 1 runs MATLAB Simulink and ControlDesk. PC 2 runs MATLAB/Simulink and CANoe. Under the control of PC 2, Vector VN1640A added attack messages into CAN bus. Moreover, the schematic diagram of the HiL is shown in Fig. 6. The IED model is downloaded into dSPACE. The proposed control algorithm is downloaded into VCU by PC 1.
The messages sent by the IED system and VCU are transmitted on a 20ms period. CAN bus load and communication delay are important indexes to represent network communication quality. The root-mean-square error (RMSE) index is applied to evaluate the control system tracking effect. The initial speed of simulation is limited to [0, V * x,max ].

Verification of effectiveness and superiority under HiL Test
In this section, the proposed delay-tolerable and antiwindup synthesis controller are compared with an energy-to-peak controller without considering delay and actuator saturation and a delay-tolerable controller designed with reference to [22]. The design process of the energy-to-peak controller is similar to the delaytolerable controller, and it does not take into account the delay-dependent uncertainties. The IED system shown in Fig. 1 is built in dSpace. The algorithms are built in an actual VCU to track the step speed signal from 0km/h-30km/h. A set of attack messages with random transmission cycles are designed in CANoe to simulate replay attacks under a security protocol framework. The transmission period of the attack messages is randomly selected from 4ms to 10ms. The response of speed tracking and wrap rate with ten attack messages and 25 attack messages are shown in Figs. 7 and 8. Figure 7a shows the response of speed tracking. The speed response of energy-to-peak controller has the largest overshoot and delay-tolerable second. The proposed controller has smallest overshoot and reaches steady state fastest. Actuator saturation causes the integral module of the controller to accumulate, due to the performance of delay-tolerable controller reduced. Energy-to-peak controller has the worst performance due to the combined effect of actuator saturation and attack delays. Therefore, the proposed controller has the best speed tracking performance under the condition of actuator saturation with the presence of ten attack messages. Figure 7b shows the response of wrap rate. Energy-to-peak controller has the largest jitter, fol- lowed by delay-tolerable controller and proposed controller. The wrap rate of the IED system under proposed controller reaches steady state first. This means that the proposed control has the best oscillation damping capability under the condition of actuator saturation and ten attack messages. Figure 8a shows the speed tracking responses. The longitudinal speed of the IED system under energy- Fig. 6 HiL experimental platform schematic diagram to-peak control reaches about 38 km/h in 3 s, and the speed dropped to 0 km/h after 11.9 s. Therefore, we can see from that the energy-to-peak controller lost its control ability. The overshoot appears under the control of delay-tolerable controller, and there are fluctuations and steady-state errors in the steady state. The proposed controller reaches steady state first. We can conclude that under the condition of 25 attack messages and actuator saturation, the proposed controller has the best speed tracking performance. Figure 8b shows the wrap rate responses. The proposed controller reaches steady state first. Then, the delay-tolerable controller reaches. The energy-to-peak controller maintains −2.91rad/s after 11.9 s. It means that the powertrain system continues to vibrate. It is seen from Fig. 8a that the energy-topeak controller loses its control ability, and the vehicle is in a dangerous state under this test condition. However, the proposed controller show its superiority in oscillation damping.    Table 3 show that the speed RMSE values of the three methods are increasing, but energy-to-peak keeps largest, the delay-tolerable is the second, and the proposed method has the smallest speed RMSE value. This means that proposed method has the lowest sensitivity to the increase attack messages. Moreover, the proposed method not only has the best speed tracking effect under different bus load, but also has the strongest stability against bus load and communication delay changes. Delay-tolerable method is second. Energy-to-peak controller has the worst tracking performance and the highest sensitivity to communication delay changes. As shown in Fig. 9c and Table 4, the RMSE value of wrap rate of energy-to-peak controller keeps increasing with attack messages. When the delay is less than 4.551 ms, the RMSE value of proposed method has barely changed. In addition, the RMSE value of delay-tolerable method hardly changes when the communication delay is less than 1.418 ms, while the values gradually increase when the attack messages increase to more than 20. We can conclude that when the bus load rate exceeds 81.93%, the communication delay surges, which has a great impact on the tracking effect.

Conclusions
In this work, a delay-tolerable and anti-windup control synthesis technique with good robustness against attack-induced random delays and input saturation has been proposed for vehicle speed tracking control. Simulations maneuver subjected to random attack-delays is carried out based on MATLAB/Simulink to verify the proposed controller. Simulation results show that the proposed method achieves good speed tracking performance with less powertrain vibration compared with delay-tolerable controller designed by the reference of [22]. HiL tests are carried out at different attack energies compared with delay-tolerable controller in [22]  and energy-to-peak controller in step speed tracking conditions from 0 km/h to 30 km/h. The results of HiL test are summarized as follows: (1) If the attack energy increases, the bus load increases linearly and the average communication delay increases exponentially.
(2) The RMSE values of speed tracking and wrap rate of the proposed controller are the smallest under different attack energies, compared with delay-tolerable and energy-to-peak controller. It shows that proposed method has the better speed tracking performance and oscillation damping capability under different attack energies subject to input saturation. (3) The increase in attack energy has the greatest influence on the control performane of energy-to-peak controller, followed by the delay-tolerable controller, and finally the proposed controller. In the future, more control problems under multi-domain boundary conditions are expected to be studied. Besides, solving nonlinear matrix inequality problems is also a point worthy of future research.