Security and Safety, Volume 5 (2026), special issue: Security and Safety in Intelligent Connected Vehicle
Article Number 2025009, 24 pages
Section: Intelligent Transportation
DOI https://doi.org/10.1051/sands/2025009
Published online 23 September 2025

© The Author(s) 2025. Published by EDP Sciences and China Science Publishing & Media Ltd.

Licence: Creative Commons. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction

The rapid development of Connected and Automated Vehicles (CAVs) over the past decade has led to significant advancements in traffic management, vehicle safety, and data-driven decision-making. By utilizing autonomous driving algorithms, Vehicle-to-Vehicle (V2V), and Vehicle-to-Everything (V2X) communication, CAVs enable real-time hazard detection, route optimization, and more efficient traffic flow, thereby reducing congestion, enhancing safety, and improving energy efficiency [1, 2]. However, the increasing complexity of system integration and automation presents new challenges, including failures related to safety and intentional security breaches, such as cyberattacks [3].

As shown in Figure 1, with the deep integration of the information world and the physical world, vehicles are facing multiple safety and security challenges. On one hand, traditional functional safety issues and cybersecurity concerns persist, such as functional safety problems caused by random hardware failures and system malfunctions, as well as cybersecurity issues arising from malicious attacks. On the other hand, cybersecurity and functional safety issues can interact and exacerbate each other, creating new challenges for integrated safety and security issues [4]. Vulnerabilities or backdoors, which are exploited as cybersecurity threats, can lead to system failures in both hardware and software, resulting in functional safety issues. Additionally, hardware and software failures in functional safety may undermine cybersecurity defenses, thereby exposing the system to more severe security risks.

Figure 1. The integrated safety and security challenge [4]

For example, in recent years, incidents resulting from integrated safety and security issues have become increasingly frequent. In 2015, hackers Charlie Miller and Chris Valasek remotely took control of a Jeep Cherokee, manipulating key functions such as steering, braking, and acceleration. This breach led to the recall of 1.4 million vehicles and significant financial losses for the manufacturer [5]. On the morning of September 1, 2022, hackers hijacked the YandexTaxi ride-hailing service, issuing counterfeit orders that caused all available taxis to converge on the same location (Kutuzovsky Prospekt in Moscow), resulting in a two-hour traffic jam [6]. On September 17 and 18, 2024, the remote-controlled pager and walkie-talkie bombings in Lebanon effectively erased the boundary between traditional cybersecurity and physical security, highlighting the risk that Information Technology, Information and Communications Technology, and Cyber-Physical Systems (CPS) products can be tampered with, even to the point of having explosives embedded in them [7]. As a result, addressing integrated safety and security issues has become an urgent priority.

To ensure the safety and security of CAVs, existing mechanisms incorporate both safety and security technologies. Safety technologies include automated driving systems, such as automated braking and adaptive cruise control, as well as passive safety features like crumple zones, seat belts, and airbags [8]. Security technologies, on the other hand, involve traditional internet security defenses, including encryption and authentication for authorization [9–14], and cyber security technologies focused on detection and analysis [15–21].

However, the current integration of safety and security mechanisms to address the integrated safety and security issues in CAVs faces two fundamental challenges. On the one hand, safety and security technologies typically exhibit non-additivity and non-combinability: combining a safety measure with a security measure does not necessarily yield a unified safety and security system. For instance, when the widely advocated V-model for functional safety [22] is combined with the V-model for cyber security [23], the two processes conflict: a change demanded by one side feeds back into the other, producing cyclic or even endless rounds of corrective adjustment. These conflicts typically surface during safety requirement analysis [24, 25]. On the other hand, CAVs are autonomous intelligent cyber-physical systems characterized by stringent safety requirements (encompassing information security, functional safety, and personal safety), strong real-time constraints (millisecond-level response), and lightweight demands (limited onboard computing and storage resources). Consequently, an appropriate security technology must simultaneously satisfy these three critical requirements.

Recently, the National Institute of Standards and Technology (NIST) publication “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach” (SP 800-160 Vol. 2) proposed a method to enhance the resilience of network systems, encompassing four key characteristics: prevention, resistance, recovery, and adaptation [26]. This approach emphasizes the design of proactive security measures to prevent and resist security threats, ensuring that systems can quickly recover and adapt to evolving threat environments, thereby improving the stability and resilience of network systems during security events [27]. In parallel, the U.S. National Highway Traffic Safety Administration (NHTSA) began advocating the “Design-in Cyber Resiliency” system safety concept in 2023, specifically targeting cyber resilience in automotive systems. This initiative aligns with the principles outlined by NIST, emphasizing the need to integrate resilience into system design from the outset to ensure the safety and security of intelligent and connected vehicles [28]. However, this approach mainly provides a systematic, engineering-based application of traditional defense theories and technical elements, without addressing the challenge of unknown attacks. It also lacks a clear and integrated framework to consolidate these elements, making it difficult for practitioners to develop a comprehensive solution in practice.

To overcome the limitations of existing works, we propose an endogenous security and safety approach for CAVs, employing a dynamic heterogeneous redundancy architecture. This approach addresses the reliance on prior knowledge by being robust to both known and unknown vulnerabilities and attacks, eliminating the need for pre-identified attack characteristics. It also resolves the non-additivity and non-combinability of safety and security measures, integrating them into a cohesive system, unlike traditional models that may lead to conflicts. Furthermore, this approach enhances resilience against unknown attacks and provides a clear, integrated framework, offering a comprehensive solution that consolidates safety and security measures for CAVs. The contributions of this paper can be summarized as:

  • We introduce the basic concept of integrated safety and security for CAVs, drawing from multiple interwoven domains, the vehicle-road-cloud ecosystem, as well as the design and development processes.

  • We propose a dynamic heterogeneous redundancy (DHR)-based safety and security monitoring module, structured around system kernel events. Empirical testing, along with existing theoretical analyses on DHR, demonstrates that the module effectively detects unknown failures, ensures functional safety, and identifies novel cyber-attacks, thereby enhancing cybersecurity.

  • Building upon the safety and security monitoring module, we further propose an endogenous security and safety approach for CAVs, which integrates mimicry defense, integrated safety and security monitoring, and dynamic reconfiguration. We implemented the prototype on automotive hardware (T-BOX, industrial PC and DSSAD), validating through penetration tests (122 cases) with 95.9% attack prevention at < 30% CPU overhead.

  • We outline potential future research directions for the assessment of the endogenous security and safety approach for CAVs, focusing on its lightweight design, high safety and security, quantification ability, and tracing functions.

The remainder of this paper is organized as follows: Section 2 introduces the fundamental concepts of integrated CAV safety and security. Section 3 proposes the dynamic heterogeneous redundancy-based monitoring module. The design and evaluation of the in-depth defense solution are presented in Section 4, followed by the comprehensive assessment direction in Section 5. Finally, Section 6 concludes this paper.

2. The basic concept of integrated safety and security of CAVs

The objective of functional safety is to ensure that a system or device can still perform its intended functions correctly when faced with random faults, system failures, or common-cause failures, thereby preventing personal injury, environmental damage, or property loss; the emphasis is on non-human-induced, random factors. The objective of cybersecurity is to ensure that a system or device continues to operate as expected when subjected to intentional attacks that exploit design flaws or vulnerabilities in its hardware or software, thereby preventing, among other harms, the leakage of sensitive information. To elaborate the concept of integrated safety and security, we describe it from three perspectives: multiple interwoven domains, the vehicle-road-cloud ecosystem, and the design and development process.

2.1. The integrated safety and security for CAV from multiple interwoven perspectives

As the complexity of systems increases, the safety risk boundaries of CAVs continue to expand. As shown in Figure 2, failures related to “functional safety”, “cybersecurity”, and “data security”, including faults, insufficient functional design, cyberattacks, data breaches, and privacy violations, have become new risks that CAVs must face.

Figure 2. The integrated safety and security for CAV from multiple interwoven perspectives

Moreover, these various safety risks are not isolated within the vehicle systems. For instance, in cybersecurity threats, vulnerability-based attacks can bypass protective measures such as encryption and authentication, leading to data breaches and other data security incidents. Cyberattacks in the information domain may also result in failures in the Electrical/Electronic (E/E) system, causing physical domain injuries and triggering functional safety incidents. For example, hackers, after attacking and taking control of the Controller Area Network (CAN) through various means, may cause errors in vehicle control information, resulting in traffic accidents and personal and property damage [29]. Furthermore, attackers may exploit the same vulnerabilities and backdoors to cause large-scale vehicle accidents.

Most existing security measures primarily address individual security issues, and are insufficient to ensure the integrated safety and security of systems in the face of new integrated safety and security challenges [4]. Therefore, when designing cybersecurity defenses for CAVs, it is crucial to simultaneously address integrated security and safety issues. This requires collaborative research on functional safety, cybersecurity, and data security, in order to establish a multi-layered, integrated security and safety assurance mechanism.

2.2. The integrated safety and security from Vehicle-Road-Cloud perspectives

The “Vehicle-Road-Cloud Integration” refers to the use of next-generation information and communication technologies to integrate the physical, information, and application layers of humans, vehicles, roads, and clouds [30]. As shown in Figure 3, this integration enables fusion perception, decision-making, and control, resulting in improvements in vehicle mobility, traffic operations, safety, and efficiency within a cyber-physical system. In the Vehicle-Road-Cloud system, data interaction and fusion among the vehicle, road, and cloud break down the information silos that previously existed between different traffic systems, extending the scope of cybersecurity defenses. Any security vulnerability in any component of the vehicle-road-cloud network may lead to personal injury and property damage [31, 32].

Figure 3. The integrated safety and security from Vehicle-Road-Cloud perspectives

If the vehicle-road-cloud network is managed in isolation, only independent security issues in each part can be addressed. This approach is ineffective for dealing with security challenges that arise due to the coupling of components. Therefore, an integrated safety and security approach is required, considering the different boundaries, system characteristics, and security needs of the vehicle, road, and cloud components, to develop a complete security defense strategy that covers all components and stages of the Vehicle-Road-Cloud system’s lifecycle.

2.3. The integrated safety and security from design and development perspectives

Insufficient consideration of security during the design and development phases makes security issues much harder to address later in the system’s implementation [33, 34]. As shown in Figure 4, specialized professionals often have to intervene in the later stages of the system lifecycle, applying external cybersecurity measures such as deploying firewalls, introducing intrusion detection systems, and implementing security protocols. While these measures are crucial for enhancing system security, they are mainly reactive: they do not prevent security issues from arising at the source.

Figure 4. The integrated safety and security from design and development perspectives

Although this approach can help mitigate flaws from the early design stages to some extent, it may introduce additional costs and complexity. More importantly, since these security measures are not integrated with the product’s functional design, they may fail to fully address security issues that were not adequately considered during the initial design phase. Therefore, to achieve more efficient and cost-effective security, it is essential to incorporate security considerations from the very beginning of the product development process [35]. This ensures the integration of safety and security, not as two separate systems where one protects the other, but as a single system designed to incorporate integrated security capabilities. This approach provides integrated safety and security throughout all stages of the system’s lifecycle.

3. The proposed integrated safety and security monitoring module

In this section, the basic concept of the DHR architecture is first introduced, followed by the proposed DHR-based integrated safety and security monitoring module, its preliminary engineering validation against functional failures and cyberattacks, and a review of existing theoretical analyses and validations of DHR.

3.1. The endogenous security and safety architecture for CAVs

In general, the functional safety risks of CAVs primarily stem from design flaws, while cybersecurity threats are typically attributed to system vulnerabilities. These two distinct sources of risk can lead to abnormal behaviors in actuators, threatening the overall safety and stability of the vehicle system [36].

The DHR architecture maps a diverse and evolving range of faults or vulnerability-based cyberattacks into safety events expressed in differential or common mode within the dynamic heterogeneous redundancy space. This transformation reduces the complexity of global static heterogeneous redundancy engineering to a more technically and economically advantageous local dynamic heterogeneous redundancy [36]. As shown in Figure 5, the DHR architecture, based on an asymmetric redundancy framework, regulates diversity (V) and redundancy (R) through feedback control (D) driven by policy adjudication, achieving an integrated approach that satisfies both functional safety and cybersecurity requirements [37]. It includes input agents, actuator output selection, policy adjudication, feedback control, and variable operating scenarios (the set of executors, denoted actuator k). The input agent distributes each task to the actuator set, which consists of heterogeneous actuators implementing the same functionality. Policy adjudication assesses the consistency of the actuator outputs using a consensus mechanism: an output that deviates from the majority marks its actuator as abnormal (a differential-mode event), whereas consistent but wrong outputs across the majority constitute a common-mode event that adjudication alone cannot resolve. The feedback controller then decides, based on the replacement instructions generated by policy adjudication, whether to replace an abnormal actuator with a normal one from the component pool.

Figure 5. The endogenous security and safety architecture for CAVs

The DHR architecture is also effective against unknown design flaws and security vulnerabilities: because it relies neither on predefined error modes nor on known attack signatures, a flaw or exploit manifests as an output disagreement regardless of its cause, so new or unknown threats that traditional signature-based mechanisms struggle to detect are still caught. The caveat is that heterogeneity must be real: a vulnerability shared by every actuator (for example, the same third-party library in each) produces consistent wrong outputs and is not exposed by adjudication. These features make DHR a key enabling architecture for integrating functional safety and cybersecurity in CAVs. As noted in the introduction, the NIST publication “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach” lacks a clear and integrated framework to consolidate its elements, making it difficult for practitioners to develop comprehensive solutions in practice. As shown in Figure 5, the endogenous security and safety DHR architecture, acting as the “reinforcing framework”, naturally incorporates the technical elements and methods listed in that publication [26] into its structure, leveraging structural change to achieve integrated safety and security.
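To make the adjudication and feedback loop concrete, the following Python simulation is an added example written for this page; it is not code from the paper or from any DHR implementation. The brake-command task, the executor names, the single hidden-trigger flaw standing in for an unknown vulnerability, and the plain majority policy are all assumptions chosen for illustration.

```python
"""Toy dynamic heterogeneous redundancy (DHR) loop: input agent, majority
adjudication, feedback replacement.  Added example; task and names are assumed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


def brake_v1(decel_mps2: float) -> int:
    """Brake-pressure command (0..100 %) for a requested deceleration (0..10 m/s^2)."""
    return int(round(min(max(decel_mps2, 0.0), 10.0) * 10))


def brake_v2(decel_mps2: float) -> int:
    """Functionally equivalent but independently written variant (heterogeneity)."""
    clipped = 0.0 if decel_mps2 < 0.0 else 10.0 if decel_mps2 > 10.0 else decel_mps2
    return int(clipped * 10 + 0.5)


def brake_backdoored(decel_mps2: float) -> int:
    """Same contract, but with a hidden trigger standing in for an unknown flaw or
    backdoor: one specific input silently drops the braking command to zero."""
    return 0 if decel_mps2 == 7.5 else brake_v1(decel_mps2)


@dataclass
class Executor:
    name: str
    impl: Callable[[float], int]


@dataclass
class DHR:
    active: List[Executor]                     # the current redundant executor set
    pool: List[Executor]                       # spare heterogeneous executors
    replaced: List[str] = field(default_factory=list)

    @staticmethod
    def adjudicate(outputs: Dict[str, int]) -> Tuple[Optional[int], List[str]]:
        """Policy adjudication by strict majority.  Returns (winner, dissenters).
        winner is None when no strict majority exists (a common-mode event): there
        is no trusted output and the caller must fall back to a safe state."""
        winner, votes = Counter(outputs.values()).most_common(1)[0]
        if votes * 2 <= len(outputs):
            return None, sorted(outputs)
        return winner, sorted(n for n, o in outputs.items() if o != winner)

    def feedback(self, dissenters: List[str]) -> None:
        """Feedback control: an executor in differential mode is taken out of the
        set and a spare from the pool is scheduled in its place (dynamic redundancy)."""
        for name in dissenters:
            idx = next(i for i, e in enumerate(self.active) if e.name == name)
            if self.pool:
                self.active[idx] = self.pool.pop(0)
            else:
                del self.active[idx]           # degraded: fewer executors, same policy
            self.replaced.append(name)

    def step(self, x: float) -> Tuple[Optional[int], List[str]]:
        """One round: the input agent fans x out, the adjudicator votes, feedback reconfigures."""
        outputs = {e.name: e.impl(x) for e in self.active}
        winner, dissenters = self.adjudicate(outputs)
        if winner is not None and dissenters:
            self.feedback(dissenters)
        return winner, dissenters


def demo() -> List[tuple]:
    """Three heterogeneous executors, one carrying the hidden trigger, one spare."""
    dhr = DHR(active=[Executor("ecu-A", brake_v1),
                      Executor("ecu-B", brake_backdoored),
                      Executor("ecu-C", brake_v2)],
              pool=[Executor("ecu-D", brake_v2)])
    log = []
    for decel in (3.2, 7.5, 7.5):
        winner, dissenters = dhr.step(decel)
        log.append((decel, winner, dissenters, [e.name for e in dhr.active]))
    return log


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running demo() shows the three states a practitioner should expect: agreement on ordinary input, a differential-mode event on the trigger input in which the backdoored executor is outvoted and swapped for the spare, and agreement again afterwards. The common-mode case (no strict majority) returns None rather than any output, which is the point at which a real vehicle system must fall back to a safe state; it is also the case the architecture cannot resolve by itself, so executor diversity has to be genuine.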

3.2. The framework of integrated safety and security monitoring module

As shown in Figure 6, the safety and security monitoring module employs a dynamic heterogeneous redundancy architecture to monitor the operating status of system applications and abnormal call behaviors based on system kernel events, detecting anomalies and generating alerts. The module primarily consists of three functionalities: monitoring configuration, application status monitoring, and system call monitoring.

Figure 6. The framework of the integrated safety and security monitoring module

The monitoring configuration is adaptable to user requirements, allowing flexible configuration of critical business applications, including monitoring thresholds, monitored objects, and monitoring metrics, via configuration files. Application status monitoring covers both native applications and the restructured heterogeneous redundant business programs, detecting anomalies such as Process ID (PID) exceptions, Central Processing Unit (CPU) usage anomalies, and memory usage anomalies. System call monitoring, based on the kernel’s system-call event callback model, watches critical system calls and shell command invocations: primarily permission-changing calls in file management (e.g., chmod), process-control calls that execute shell commands, and anomalous command executions in Bash. Only the key system calls of the critical business processes are monitored, and the set is configured dynamically, which keeps the overhead of the monitoring system low.

In this system, the operational status monitoring of applications is achieved by periodically retrieving kernel-related CPU and memory status information from the /proc filesystem within specified time intervals. The monitoring primarily focuses on process-specific data from /proc/pid/stat and /proc/pid/status paths, as well as thread information from /proc/pid/task/tid/stat. Through comprehensive analysis of multiple parameters – including CPU utilization (both average and instantaneous time consumption), memory usage (whether exceeding predefined thresholds or exhibiting gradual increases), memory release failures, and stability of file descriptor counts – the system determines whether abnormal performance overhead occurs during application execution.

Algorithm 1 describes the process monitoring procedure: it reads the list of monitored processes from the configuration file, examines each process’s state in turn, and, on detecting an abnormal state (D, Z or T), performs a secondary confirmation before issuing an alert. For processes in a normal state it collects and analyzes CPU and memory usage, issuing alerts when predefined thresholds are exceeded. The hierarchical detection order (state before resources) and the modular structure (independent modules for anomaly determination, secondary verification, and data analysis) give both operational efficiency and scalability. The secondary confirmation matters in practice: a process in state D is often merely waiting on I/O for a few milliseconds, so a single sample would raise false alerts. This design also applies to health monitoring of long-running daemons and services.

Algorithm 1. Process monitoring

Input: Configuration file containing process list
Output: Alerts for abnormal processes or resource usage

procedure MainMonitoringProcess
  process_list ← READ_CONFIG_FILE()
  for each process_name in process_list do
    (pid, status) ← GET_PROCESS_INFO(process_name)
    if IS_ABNORMAL_STATUS(status) then
      if CONFIRM_ABNORMAL(process_name, pid, status) then
        SEND_ALERT(process_name, "Abnormal process status: " + status)
      end if
      continue to next iteration
    end if
    cpu_usage ← GET_CPU_USAGE(pid)
    mem_usage ← GET_MEMORY_USAGE(pid)
    analysis_result ← ANALYZE_MONITORING_DATA(process_name, pid, cpu_usage, mem_usage)
    if analysis_result.needs_alert then
      SEND_ALERT(process_name, analysis_result.alert_message)
    end if
  end for
end procedure

function IS_ABNORMAL_STATUS(status)
  return status ∈ {'D', 'Z', 'T'}        ▷ D: uninterruptible sleep, Z: zombie, T: stopped or traced
end function

function CONFIRM_ABNORMAL(process_name, pid, status)
  SLEEP(confirm_interval)                ▷ second sample: a short D (I/O wait) is normal and must not alert
  (pid2, status2) ← GET_PROCESS_INFO(process_name)
  return pid2 = pid and IS_ABNORMAL_STATUS(status2)
end function
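As a concrete, runnable counterpart to Algorithm 1 and to the /proc-based collection described above, the following Python code is an added example; it is not the paper’s C implementation. The thresholds, the process names and the /proc contents embedded at the bottom are constructed for illustration, and the same functions read the live /proc filesystem when the file is executed directly.

```python
"""Process-state and resource monitor in the spirit of Algorithm 1 (added example).
Parses /proc/<pid>/stat and /proc/<pid>/status; thresholds and sample data are assumed."""
import os
import time
from typing import Dict, List, Optional

ABNORMAL_STATES = {"D", "Z", "T"}   # uninterruptible sleep, zombie, stopped/traced


def parse_stat(text: str) -> Dict[str, object]:
    """Parse /proc/<pid>/stat.  The comm field is wrapped in parentheses and may itself
    contain spaces or ')', so split at the LAST ')' rather than on whitespace; splitting
    on whitespace shifts every later field for such a process."""
    lp, rp = text.index("("), text.rindex(")")
    rest = text[rp + 1:].split()      # rest[0] is field 3 (state) in proc(5) numbering
    return {
        "pid": int(text[:lp]),
        "comm": text[lp + 1:rp],
        "state": rest[0],
        "ppid": int(rest[1]),
        "utime": int(rest[11]),       # field 14, user time in clock ticks
        "stime": int(rest[12]),       # field 15, kernel time in clock ticks
        "threads": int(rest[17]),     # field 20
        "rss_pages": int(rest[21]),   # field 24
    }


def parse_status(text: str) -> Dict[str, int]:
    """Collect the kB-valued lines (VmRSS, VmSize, ...) of /proc/<pid>/status."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        val = val.strip()
        if val.endswith(" kB"):
            out[key] = int(val[:-3])
    return out


def cpu_percent(prev: Dict, cur: Dict, interval_s: float, clk_tck: int) -> float:
    """CPU share of one process over the sampling interval (100 % == one core busy)."""
    ticks = (cur["utime"] + cur["stime"]) - (prev["utime"] + prev["stime"])
    return 100.0 * ticks / clk_tck / interval_s


def analyze(name: str, cpu_pct: float, rss_kb_history: List[int],
            cpu_limit: float, mem_limit_kb: int, leak_window: int = 4) -> List[str]:
    """Threshold checks plus the 'gradual increase' check: RSS strictly growing over the
    last leak_window samples is reported even while still below the hard limit."""
    alerts = []
    if cpu_pct > cpu_limit:
        alerts.append(f"{name}: CPU {cpu_pct:.2f}% exceeds {cpu_limit}%")
    if rss_kb_history[-1] > mem_limit_kb:
        alerts.append(f"{name}: RSS {rss_kb_history[-1]} kB exceeds {mem_limit_kb} kB")
    recent = rss_kb_history[-leak_window:]
    if len(recent) == leak_window and all(b > a for a, b in zip(recent, recent[1:])):
        alerts.append(f"{name}: RSS grew monotonically over {leak_window} samples (possible leak)")
    return alerts


def monitor_pass(name: str, stat_prev: str, stat_cur: str, status_cur: str,
                 rss_history: List[int], stat_recheck: Optional[str] = None,
                 interval_s: float = 1.0, clk_tck: int = 100,
                 cpu_limit: float = 40.0, mem_limit_kb: int = 20000) -> List[str]:
    """One iteration of the Algorithm 1 loop for one configured process: state check
    first (with a second sample to confirm), resource analysis only for live processes."""
    prev, cur = parse_stat(stat_prev), parse_stat(stat_cur)
    if cur["state"] in ABNORMAL_STATES:
        again = parse_stat(stat_recheck) if stat_recheck else cur
        # A brief D state during I/O is normal: alert only if the same pid is still abnormal.
        if again["pid"] == cur["pid"] and again["state"] in ABNORMAL_STATES:
            return [f"{name}: abnormal process status {again['state']} (pid {cur['pid']})"]
        return []
    rss_history.append(parse_status(status_cur)["VmRSS"])
    return analyze(name, cpu_percent(prev, cur, interval_s, clk_tck),
                   rss_history, cpu_limit, mem_limit_kb)


# Constructed /proc contents for the example (not captured from a real vehicle).
STAT_T0 = ("4242 (mgssh (worker)) S 1 4242 4242 0 -1 4194560 1200 0 0 0 150 50 0 0 "
           "20 0 3 0 12345 5226496 3200 18446744073709551615")
STAT_T1 = ("4242 (mgssh (worker)) S 1 4242 4242 0 -1 4194560 1200 0 0 0 190 60 0 0 "
           "20 0 3 0 12345 5226496 3400 18446744073709551615")
STATUS_T1 = "Name:\tmgssh\nState:\tS (sleeping)\nPid:\t4242\nVmSize:\t  20416 kB\nVmRSS:\t  13600 kB\nThreads:\t3\n"
STAT_ZOMBIE = "4243 (canlogger) Z 4242 4242 4242 0 -1 4194564 0 0 0 0 10 2 0 0 20 0 1 0 12350 0 0 0"


def read_proc(pid: int, leaf: str) -> str:
    """Live reader for the same functions: /proc/<pid>/stat or /proc/<pid>/status."""
    with open(f"/proc/{pid}/{leaf}") as f:
        return f.read()


if __name__ == "__main__":
    pid, hist = os.getpid(), []
    s0 = read_proc(pid, "stat")
    time.sleep(0.5)
    print(monitor_pass("self", s0, read_proc(pid, "stat"), read_proc(pid, "status"), hist,
                       interval_s=0.5, clk_tck=os.sysconf("SC_CLK_TCK"), cpu_limit=5.0))
```

Two details matter for a monitor that has to be trusted during an incident: /proc/<pid>/stat must be split at the last ')' because a process can set a comm containing spaces or parentheses, which otherwise shifts every later field, and an abnormal state should be confirmed with a second sample so that short I/O waits in state D do not flood the alert channel.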

In terms of performance-oriented design, the safety and security monitoring module adopts a layered architecture to decouple functionalities, thereby reducing interdependence both within the module and across subsystems. As shown in Table 1, the module comprises three core functional components: monitoring configuration management, application state monitoring, and system call monitoring. Specifically, the configuration module uses an event-driven blocking design, activating processing only upon receiving an external command. For application and system call monitoring, kernel-provided data is retrieved directly at fixed periods, which avoids busy polling in user mode and minimizes redundant file-handle operations that incur I/O cost.

Table 1. Performance-oriented design of the safety and security monitoring module

3.3. Empirical test

The safety and security monitoring module was developed in Visual Studio and implemented in the C programming language. It runs on Linux kernel 5.4.10. Two tests are conducted to validate its effectiveness. The baseline used for comparison is a single-process monitor without heterogeneous redundancy.

3.4. Functional failure test

This test aims to validate the effectiveness of the safety and security monitoring module when experiencing functional failures, such as system performance anomalies and failures in critical business processes.

As shown in Figure 7, when system load approaches 100% and a functional failure occurs, the monitoring of critical application processes becomes distorted under a single-process monitoring configuration, as exemplified by the long-term distortion of the performance readings for the mgssh process. In the DHR-based safety and security module, by contrast, the performance overhead of important processes at the moment of the anomaly is recorded with a resolution of 0.01% (Figure 8a), the module can be reconfigured dynamically (Figure 8b), and, based on predefined parameters, the abnormal service processes are restarted so that the system continues normal operation (Figure 8c).

Figure 7. Working under one process during functional failure

Figure 8. Working under DHR during functional failure. (a) Monitoring the application processes. (b) Dynamically configuring the application processes. (c) Restarting to normal operation.

3.5. Cyber attack test

This test aims to validate the effectiveness of the safety and security monitoring module in the presence of cyberattacks, such as code injection and reverse shell attacks.

In the DHR-based safety and security monitoring module, system call monitoring is used to detect network anomalies and to block injection and reverse-shell attacks by analyzing how the attack chain intercepts and relays data. As shown in Figure 9, the module detects abnormal behaviors such as unauthorized access to, reading, writing, and backing up of system files. It also reconstructs the attack method and identifies related information such as the attacker’s IP address, port, and process (Figure 10), issuing alerts while isolating the affected component. In contrast, the baseline cannot simultaneously monitor open, read/write, and backup activities, leaving gaps in coverage.
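To show what the system-call side of the module has to correlate in order to report an attacker’s IP, port and process, the following Python detector is an added example and not the paper’s code. It runs over a constructed, simplified trace of syscall events (the field names, sensitive paths and reader allow-list are assumptions; a real source would be audit records or eBPF tracepoints), covering the reverse-shell pattern, reads of sensitive files by non-allow-listed processes, and permission changes that make them world-writable.

```python
"""Reverse-shell, sensitive-file and permission-change detection over syscall events.
Added example; event schema, paths and allow-list are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
SENSITIVE = ("/etc/shadow", "/etc/passwd", "/etc/sudoers", "/opt/adas/")   # assumed
ALLOWED_READERS = {"sshd", "login", "sudo", "adas_main"}                   # assumed allow-list
WORLD_WRITABLE = 0o002
Endpoint = Tuple[str, int]


@dataclass
class ProcState:
    comm: str = "?"
    sockets: Dict[int, Endpoint] = field(default_factory=dict)          # fd -> remote peer
    stdio_on_socket: Dict[int, Endpoint] = field(default_factory=dict)  # 0/1/2 -> remote peer


def analyze_events(events: List[Dict]) -> List[str]:
    """Per-pid state machine.  A reverse shell is flagged when a shell is exec'd while
    any of stdin/stdout/stderr is a connected socket; fork/clone copies the state so the
    common 'connect, fork, dup2, execve' sequence is attributed to the child pid."""
    procs: Dict[int, ProcState] = {}
    alerts: List[str] = []
    for ev in events:
        pid, sc = ev["pid"], ev["syscall"]
        st = procs.setdefault(pid, ProcState())
        if "comm" in ev:
            st.comm = ev["comm"]
        if sc in ("connect", "accept"):
            st.sockets[ev["fd"]] = (ev["addr"], ev["port"])
        elif sc in ("dup2", "dup3"):
            old, new = ev["oldfd"], ev["newfd"]
            st.sockets.pop(new, None)            # newfd is implicitly closed first
            st.stdio_on_socket.pop(new, None)
            if old in st.sockets:
                st.sockets[new] = st.sockets[old]
                if new in (0, 1, 2):
                    st.stdio_on_socket[new] = st.sockets[old]
        elif sc == "close":
            st.sockets.pop(ev["fd"], None)
            st.stdio_on_socket.pop(ev["fd"], None)
        elif sc in ("fork", "clone"):
            procs[ev["ret"]] = ProcState(st.comm, dict(st.sockets), dict(st.stdio_on_socket))
        elif sc == "execve":
            path = ev["filename"]
            if path in SHELLS and st.stdio_on_socket:
                addr, port = next(iter(st.stdio_on_socket.values()))
                alerts.append(f"REVERSE_SHELL pid={pid} comm={st.comm} shell={path} "
                              f"remote={addr}:{port} fds={sorted(st.stdio_on_socket)}")
            st.comm = path.rsplit("/", 1)[-1]    # the image changes; remember the new name
        elif sc in ("open", "openat"):
            path = ev["filename"]
            if path.startswith(SENSITIVE) and st.comm not in ALLOWED_READERS:
                alerts.append(f"SENSITIVE_FILE_ACCESS pid={pid} comm={st.comm} path={path} "
                              f"flags={ev.get('flags', '')}")
        elif sc in ("chmod", "fchmodat"):
            path, mode = ev["filename"], ev["mode"]
            if path.startswith(SENSITIVE) and mode & WORLD_WRITABLE:
                alerts.append(f"PERMISSION_CHANGE pid={pid} comm={st.comm} path={path} mode={mode:04o}")
    return alerts


# Constructed trace (simplified field names; 203.0.113.0/24 is a documentation range).
EVENTS = [
    # benign: sshd serving a legitimate session reads /etc/passwd (allow-listed)
    {"pid": 900, "comm": "sshd", "syscall": "openat", "filename": "/etc/passwd", "flags": "O_RDONLY"},
    # injected payload inside the telematics daemon: reverse shell to 203.0.113.7:4444
    {"pid": 1337, "comm": "tbox_agent", "syscall": "socket", "ret": 5},
    {"pid": 1337, "syscall": "connect", "fd": 5, "addr": "203.0.113.7", "port": 4444},
    {"pid": 1337, "syscall": "fork", "ret": 1338},
    {"pid": 1338, "syscall": "dup2", "oldfd": 5, "newfd": 0},
    {"pid": 1338, "syscall": "dup2", "oldfd": 5, "newfd": 1},
    {"pid": 1338, "syscall": "dup2", "oldfd": 5, "newfd": 2},
    {"pid": 1338, "syscall": "execve", "filename": "/bin/sh", "argv": ["/bin/sh", "-i"]},
    # post-exploitation: the shell reads and then weakens a sensitive file
    {"pid": 1338, "syscall": "openat", "filename": "/etc/shadow", "flags": "O_RDONLY"},
    {"pid": 1338, "syscall": "chmod", "filename": "/etc/shadow", "mode": 0o666},
    # benign: cron spawns a shell whose stdio is a pipe, not a socket
    {"pid": 2000, "comm": "cron", "syscall": "fork", "ret": 2001},
    {"pid": 2001, "syscall": "execve", "filename": "/bin/sh", "argv": ["/bin/sh", "-c", "logrotate"]},
]

if __name__ == "__main__":
    for alert in analyze_events(EVENTS):
        print(alert)
```

The reverse-shell rule fires on the exec of a shell whose standard streams point at a connected socket, which is the mechanism behind the common /bin/sh -i payloads; state is copied on fork so the usual connect-then-fork-then-dup2 sequence is attributed to the child. Payloads that pump data through the socket with read/write loops instead of dup2 are not caught by this rule and need a separate check on the parent’s network activity.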

Figure 9. Detecting abnormal behaviors of system files

Figure 10. Identifying related information such as the attacker’s IP, port, and process

3.6. A review of theoretical analysis and validation of DHR

According to the literature [3, 4, 36, 38, 39], the DHR architecture not only inherently possesses high reliability due to its “heterogeneous” and “redundant” characteristics, which support automotive functional safety requirements, but also effectively addresses uncertain threats in cyberspace, such as unknown vulnerabilities and backdoors, by combining dynamic characteristics based on an output feedback mechanism with the “heterogeneous” and “redundant” features.

Currently, a substantial amount of research and application work on the Dynamic Heterogeneous Redundancy architecture and its security analysis has been conducted in the academic community. This paper reviews the existing work along three dimensions: application area, case-study validation, and theoretical analysis, summarized in Table 2. The survey supports the following conclusions:

  • While traditional internet domains (e.g., servers and network equipment) impose less stringent requirements on lightweight implementation, automotive systems demand rigorously lightweight solutions and real-time guarantees (usually response latency below 10 ms) because of constrained onboard computational resources. Notably, the DHR architecture simultaneously addresses both functional safety and cyber security through its dynamic heterogeneous redundancy design, establishing an integrated safety-security assurance mechanism.

  • From applications in multiple domains, the security analysis of DHR architecture primarily relies on complex mathematical modeling, such as discrete-time Markov chain models, Generalized Stochastic Petri Net (GSPN), and probabilistic mathematical models. These theoretical models assist researchers in analyzing the system’s security and robustness from the perspectives of functional failures, cyberattacks, and other factors, providing strong theoretical support.

  • Practical validation of the DHR architecture in automotive controllers, routers, and distributed storage systems has demonstrated that dynamic heterogeneous redundancy can significantly enhance system security, particularly in the face of functional failures and cyberattacks. These practical applications validate the adaptability and defensive capabilities of the DHR architecture in various environments.

Table 2. Key characteristics of existing validation and theoretical analysis of DHR

Based on the above conclusions, it is evident that the safety and security analysis of the DHR architecture extends beyond traditional functional testing, encompassing system attack success rates, performance overhead, spatiotemporal efficiency, and other factors. Through various types of testing and validation, the DHR architecture can provide comprehensive safety and security solutions for multiple systems.

4. The in-depth defense approach of providing endogenous security and safety for CAVs

4.1. The proposed in-depth defense architecture for CAVs

Based on the structural advantages of the DHR architecture, we propose an in-depth defense framework for CAVs. As illustrated in Figure 11, this system achieves dynamic protection through an integrated “Prevention-Resilience-Recovery-Adaptation” mechanism: Proactive security detection identifies potential design flaws, system vulnerabilities, and backdoor risks during the development phase, achieving the goal of preventive protection. For residual known risks, conventional defense technologies provide precise protection, while the DHR architecture effectively intercepts unknown risks. During operation, if residual risks still cause system compromise, the dynamic redundancy reconfiguration capability of the DHR architecture ensures rapid recovery to normal operational status, realizing the system resilience objectives.

Figure 11. The proposed in-depth defense architecture for CAVs

Furthermore, for persistent residual risks, comprehensive data logging and AI-based deep analysis enable threat discovery and system-wide adaptation. This includes extracting new threat characteristics and feeding them back to front-end components (e.g., security detection and conventional defense mechanisms), forming a closed-loop “Detection-Defense-Optimization” cycle. This approach continuously enhances protection capabilities against CAV security threats, achieving dynamic optimization and security evolution.

4.2. The engineering implementation of the in-depth defense architecture

4.2.1. Overview

In accordance with the vulnerability analysis of CAVs illustrated in Section 2, the increasing integration of vehicles with external networks has significantly heightened system openness and complexity, thereby exposing numerous vulnerabilities. These vulnerabilities may be exploited by malicious attackers, leading to serious security issues such as unauthorized access, data breaches, and even loss of vehicle control. In response, we propose a comprehensive defense strategy tailored to address the vulnerabilities of CAVs.

As shown in Figure 12, the proposed solution offers integrated safety and security for CAVs through three stages: preemptive, in-process, and post-event measures. Preemptively, entry-point defenses, including information and application obfuscation technologies, are employed to block potential attacks before they occur. During an attack, dynamic reconfiguration in the autonomous driving domain enhances the system’s resistance to threats. After an event, detailed analysis is conducted through recording and traceability, utilizing threat attribution techniques to assess security incidents, support accountability, and guide system improvements. Additionally, the safety and security monitoring module spans the entire process, ensuring real-time detection and response to anomalous behaviors, thereby forming a dynamic safety and security network. The following subsections describe each stage of the in-depth solution.

Figure 12. The workflow of the proposed in-depth solution

4.2.2. Pre-Entry: entry-point defenses

Traditional honeypot technologies [40] are typically deployed externally and operate independently from the business system. These systems detect attacks by analyzing traffic entering and exiting the honeypot. However, due to the limited computational resources available on the vehicle, it is not feasible to deploy heavyweight honeypot systems. In contrast, we integrate a mimic module with the security monitoring module, working in coordination with the Intrusion Detection and Prevention System (IDPS) and firewall. Upon detecting an attack, the system can immediately block the attack path, thereby ensuring the security of the on-board system.

The mimic module takes two forms: mimetic applications (executable programs) and information obfuscation (text files). Mimetic functional applications are designed and deployed according to the functional attributes of the domain controller and placed in the system as executable traps. In the autonomous driving domain, mimetic applications such as “CarControl” and “CanSend” can be designed. Judging from their names, these programs appear to control the vehicle and send CAN bus messages, which is exactly what an attacker is looking for, so an attacker is likely to execute them to observe their output and effect. The only business logic of a mimetic application is to raise an alarm the moment it is executed; no legitimate process ever runs it, so the alarm indicates either an intruder or a malicious application attempting to compromise the vehicle system.

Information obfuscation involves masking critical system information and sensitive data. By applying information obfuscation techniques, vital system data can be concealed. Additionally, falsified (anonymized) data can be placed prominently within the system to attract attackers to interact with it. Combined with the security monitoring module, these interactions are monitored for abnormal behaviour. Upon detection of such an anomaly, the system triggers an alert that records the caller’s information together with the precise timestamp of the event in milliseconds. In conjunction with the IDPS and other components, this enables the immediate disruption of the attack, protecting the system’s integrity. Table 3 lists the functional points of the mimic module and the corresponding protection targets.

Table 3.

The functional point and corresponding protection target of mimic module

After handling the anomaly, the alarm is reported to the IDPS and Vehicle Security Operations Center (VSOC) via the security monitoring module.
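The following is an added example, not the authors’ code, of a mimetic trap application of the kind described above (a decoy named “CanSend”) together with the alert record that information obfuscation is said to produce (caller information plus a millisecond timestamp). The decoy never touches the CAN bus; being executed is the alarm. It assumes a Linux target with /proc for reading the caller’s command line (QNX would need its own process-information call), and ALERT_SINK is a placeholder path standing in for the monitoring module’s real channel to the IDPS and VSOC. DEMO_EVENT is a constructed record used only to exercise the formatter.

```c
/* Added example, not the authors' code: a mimetic trap application ("CanSend").
 * Installed under a tempting name in the autonomous-driving domain controller; it
 * never talks to the CAN bus. Executing it records who ran it and raises an alert.
 * Assumptions: Linux /proc is available; ALERT_SINK is a placeholder for the
 * security monitoring module's real channel. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>

#define DECOY_NAME "CanSend"
#define ALERT_SINK "/var/log/mimic_alerts.log"   /* assumed path */

struct trap_event {
    long long ts_ms;          /* wall-clock time in milliseconds, as the module requires */
    long pid, ppid;           /* the decoy's own pid and the caller's pid */
    long uid, euid;           /* who ran it */
    char parent_cmd[256];     /* caller's command line, from /proc/<ppid>/cmdline */
};

/* Constructed event (what an interactive intruder looks like) used by the tests. */
const struct trap_event DEMO_EVENT = { 1758622542117LL, 4321, 4300, 1000, 1000, "bash -i" };
struct trap_event LIVE_EVENT;
char ALERT_BUF[512];

static long long wall_clock_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_REALTIME, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* argv entries in /proc/<pid>/cmdline are NUL-separated; rewrite them as spaces.
 * Returns the number of bytes read (0 when /proc is unavailable). */
static size_t read_parent_cmdline(long ppid, char *out, size_t n) {
    char path[64];
    FILE *f;
    size_t got = 0;
    snprintf(path, sizeof path, "/proc/%ld/cmdline", ppid);
    if ((f = fopen(path, "rb")) != NULL) { got = fread(out, 1, n - 1, f); fclose(f); }
    for (size_t i = 0; i < got; i++) if (out[i] == '\0') out[i] = ' ';
    out[got] = '\0';
    return got;
}

/* Capture the caller's identity at the moment the trap is sprung. */
void collect_trap_event(struct trap_event *ev) {
    ev->ts_ms = wall_clock_ms();
    ev->pid = (long)getpid();  ev->ppid = (long)getppid();
    ev->uid = (long)getuid();  ev->euid = (long)geteuid();
    if (read_parent_cmdline(ev->ppid, ev->parent_cmd, sizeof ev->parent_cmd) == 0)
        strcpy(ev->parent_cmd, "<unavailable>");
}

/* One key=value line per event so the IDPS/VSOC pipeline can parse it.
 * Returns the number of characters written (snprintf semantics). */
int format_trap_alert(const struct trap_event *ev, char *out, size_t n) {
    return snprintf(out, n,
        "MIMIC_TRAP decoy=%s ts_ms=%lld pid=%ld ppid=%ld uid=%ld euid=%ld parent_cmd=\"%s\"",
        DECOY_NAME, ev->ts_ms, ev->pid, ev->ppid, ev->uid, ev->euid, ev->parent_cmd);
}

int main(void) {
    FILE *sink;
    collect_trap_event(&LIVE_EVENT);
    format_trap_alert(&LIVE_EVENT, ALERT_BUF, sizeof ALERT_BUF);
    if ((sink = fopen(ALERT_SINK, "a")) != NULL) { fprintf(sink, "%s\n", ALERT_BUF); fclose(sink); }
    fprintf(stderr, "%s\n", ALERT_BUF);
    /* A plausible failure message so the intruder does not immediately learn it was a trap. */
    puts("error: CAN interface can0 not available");
    return 1;
}
```

The decoy is deliberately tiny and does nothing else, so it adds no attack surface of its own; the value is in the record it emits, which the monitoring module can correlate with IDPS events and forward to the VSOC.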

4.2.3. In-process: autonomous driving domain defenses

The dynamic reconfiguration module primarily employs diversification techniques to secure binary files, third-party components, and library files. Through these diversification processes, the protected files, when loaded into memory, undergo randomization of their address space layout (e.g., heap, stack), effectively defending against attacks targeting the program’s address space.

As shown in Figure 13, this module consists of five key components: protection of dangerous functions, memory randomization, third-party component diversification, library environment diversification, and the randomization loader. The protection of dangerous functions and memory randomization are primarily aimed at securing binary files, ensuring that the generated files remain functionally consistent while being more secure. The third-party component and library environment diversification focus on generating multiple secure versions of third-party components and library files using diversification techniques. Ultimately, these components and library files are randomly loaded at runtime through the randomization loader, enhancing the overall safety and security of the system.

Figure 13. The workflow of dynamic reconfiguration

4.2.4. Post-entry: recording and traceability

Current regulatory standards require the vehicle’s data storage system for automated driving (DSSAD) to record critical data during automated driving mode for accident analysis and liability determination. Building on these standards, this paper further develops techniques for recording and reconstructing key data that go beyond those requirements, achieving an integrated treatment of functional safety and cybersecurity in both recording and analysis.

Figure 14 shows the workflow of recording and tracing. Firstly, the system extracts key parameters such as the vehicle’s longitudinal and lateral speeds, acceleration, and steering angles to capture functional safety-related information. At the same time, network security-related data, including intrusion detection logs and communication traffic, is collected. Through integrated analysis, the system can identify functional safety-related causal scenarios, such as vehicle rollovers, steering issues, and acceleration/braking events, as well as network threat scenarios, including pre-configured backdoors, remote code execution, and man-in-the-middle attacks.

Figure 14. The workflow of recording and tracing

Furthermore, the system employs a functional resonance chain and automated attack generation technology to trace hazard/threat events and assess risks. To address the intertwined safety and security issues that arise when functional resonance chains converge with network threat pathways, a method for event traceability and joint risk assessment based on system process theory and Bayesian networks is proposed in Algorithm 2. The method ensures accurate recording and tracing of the relevant information whenever a functional failure or a malicious network attack occurs, enabling joint analysis and risk assessment of both, and provides technical support for the allocation of liability in autonomous vehicle accidents.

Algorithm 2. Integrated safety and security recording and tracing analysis

Input:
  𝒟 = ⟨P, C, T⟩                      ▷ DSSAD data
  P = (v, a, δ, d_obs, …)             ▷ Physical parameters
  C = (IDS logs, comm traces, …)      ▷ Cyber evidence
  T = {t_0, t_1, …, t_n}              ▷ Timestamps
Output:
  ℛ_joint ∈ [0, 1]^k                  ▷ Joint risk assessment
  𝒢_causal = (V, E)                   ▷ Causal graph

procedure SafetyAnalysis(P̄)
  ℳ_dyn ← Load3DOFModel()
  ℋ ← ∅
  for (p_i, t_i) ∈ P̄ do
    if v_i² / (R_i g) > t_w / (2 h_cg) then     ▷ lateral acceleration exceeds the static stability factor
      ℋ ← ℋ ∪ {Rollover}
    end if
    if d_obs^i < v_i² / (2 a_max) then          ▷ obstacle closer than the stopping distance
      ℋ ← ℋ ∪ {Collision}
    end if
  end for
  return ASIL_Quantification(ℋ)
end procedure

procedure SecurityAnalysis(C̄)
  𝒢_attack ← (𝒩, ℰ), 𝒩 ← ∅, ℰ ← ∅
  for c_j ∈ C̄ do
    if IsMalicious(c_j) then
      𝒩 ← 𝒩 ∪ {n_j}
      ℰ ← ℰ ∪ {e_j}
    end if
  end for
  𝒢′_attack ← ProbabilisticInference(𝒢_attack, α = 0.3)
  return CVSS_Mapping(𝒢′_attack)
end procedure

procedure Main
  P̄, C̄ ← TemporalAlignment(P, C, T)
  R_s ← SafetyAnalysis(P̄)
  R_c ← SecurityAnalysis(C̄)
  𝒢_causal ← ConstructDAG(R_s, R_c)
  ℛ_joint ← DempsterShaferFusion(R_s, R_c)
  return ⟨ℛ_joint, 𝒢_causal⟩
end procedure
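The following is an added example, not the authors’ code, that carries two steps of Algorithm 2 through on constructed DSSAD samples: the rollover and collision checks of SafetyAnalysis, and the Dempster–Shafer combination used by Main to fuse the safety and security results. The page does not define ASIL_Quantification or CVSS_Mapping, so the mapping from detected hazards to a mass function (safety_bpa) is an assumption, and the security evidence is a constructed mass function standing in for the CVSS_Mapping output. The vehicle parameters t_w, h_cg and a_max and all sample values are made up for the demonstration.

```c
/* Added example, not the authors' code: the two numeric checks of SafetyAnalysis
 * in Algorithm 2 and the DempsterShaferFusion step of Main, run over constructed
 * DSSAD samples. The page does not define ASIL_Quantification or CVSS_Mapping,
 * so the evidence-to-mass mapping in safety_bpa is an assumption; the vehicle
 * parameters t_w, h_cg, a_max and all sample values are made up for the demo. */
#include <stddef.h>
#include <stdio.h>

#define G 9.81
#define HAZ_ROLLOVER  1
#define HAZ_COLLISION 2

/* One time-aligned DSSAD sample (p_i, t_i): speed v [m/s], path radius R [m],
 * distance to the nearest obstacle d_obs [m]. */
struct sample  { long long t_ms; double v, R, d_obs; };
/* Track width t_w [m], centre-of-gravity height h_cg [m], max braking a_max [m/s^2]. */
struct vehicle { double t_w, h_cg, a_max; };
/* Basic probability assignment on the frame {Hazard, Safe}; m_theta is the mass
 * left on the whole frame, i.e. ignorance. m_h + m_s + m_theta == 1. */
struct bpa     { double m_h, m_s, m_theta; };

/* Constructed inputs. */
const struct vehicle VEHICLE = { 1.6, 0.55, 8.0 };
const struct sample SAMPLES[] = {
    {   0, 30.0,  50.0, 40.0 },   /* fast in a tight curve, obstacle close */
    { 100, 15.0,  50.0, 80.0 },   /* nothing wrong */
    { 200, 15.0, 500.0, 10.0 },   /* straight road, obstacle inside stopping distance */
};
const size_t N_SAMPLES = sizeof SAMPLES / sizeof SAMPLES[0];
const struct bpa SAFETY_EVIDENCE   = { 0.6, 0.1, 0.3 };  /* as if returned by ASIL_Quantification */
const struct bpa SECURITY_EVIDENCE = { 0.5, 0.2, 0.3 };  /* as if returned by CVSS_Mapping */
const struct bpa ALL_HAZARD = { 1.0, 0.0, 0.0 }, ALL_SAFE = { 0.0, 1.0, 0.0 };
struct bpa FUSED;

int approx_eq(double a, double b, double tol) { double d = a - b; return (d < 0 ? -d : d) <= tol; }

/* The two checks of SafetyAnalysis on one sample; returns a bitmask of hazards. */
int hazard_flags(const struct vehicle *veh, const struct sample *s) {
    int h = 0;
    /* v^2/(R g) is the lateral acceleration in g; t_w/(2 h_cg) is the static
     * stability factor. Beyond it the inner wheels unload: rollover. */
    if (s->v * s->v / (s->R * G) > veh->t_w / (2.0 * veh->h_cg)) h |= HAZ_ROLLOVER;
    /* Obstacle nearer than the stopping distance v^2/(2 a_max): collision. */
    if (s->d_obs < s->v * s->v / (2.0 * veh->a_max)) h |= HAZ_COLLISION;
    return h;
}

/* Assumed stand-in for ASIL_Quantification: the share of flagged samples becomes
 * belief in Hazard, the rest belief in Safe, and `ignorance` stays on Theta. */
struct bpa safety_bpa(const struct vehicle *veh, const struct sample *ss, size_t n, double ignorance) {
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (hazard_flags(veh, &ss[i])) flagged++;
    double score = n ? (double)flagged / (double)n : 0.0;
    struct bpa m = { score * (1.0 - ignorance), (1.0 - score) * (1.0 - ignorance), ignorance };
    return m;
}

/* Dempster's rule of combination on {H, S, Theta}. K is the conflicting mass
 * (one source says Hazard, the other Safe). Returns K so the caller can refuse
 * to trust a fusion of near-totally conflicting evidence; at K == 1 the rule
 * is undefined, so we fall back to pure ignorance instead of dividing by zero. */
double dempster_shafer_fusion(const struct bpa *a, const struct bpa *b, struct bpa *out) {
    double K = a->m_h * b->m_s + a->m_s * b->m_h;
    if (K >= 1.0) { out->m_h = out->m_s = 0.0; out->m_theta = 1.0; return K; }
    out->m_h     = (a->m_h * b->m_h + a->m_h * b->m_theta + a->m_theta * b->m_h) / (1.0 - K);
    out->m_s     = (a->m_s * b->m_s + a->m_s * b->m_theta + a->m_theta * b->m_s) / (1.0 - K);
    out->m_theta = (a->m_theta * b->m_theta) / (1.0 - K);
    return K;
}

int main(void) {
    struct bpa ms = safety_bpa(&VEHICLE, SAMPLES, N_SAMPLES, 0.3);
    double K = dempster_shafer_fusion(&ms, &SECURITY_EVIDENCE, &FUSED);
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("t=%lld ms hazards=0x%x\n", SAMPLES[i].t_ms, hazard_flags(&VEHICLE, &SAMPLES[i]));
    printf("conflict K=%.3f  joint m(H)=%.3f m(S)=%.3f m(Theta)=%.3f\n",
           K, FUSED.m_h, FUSED.m_s, FUSED.m_theta);
    return 0;
}
```

The conflict mass K is returned deliberately: when the safety channel says “hazard” and the cyber channel says “safe” (or vice versa) with high confidence, K approaches 1 and Dempster’s rule amplifies whatever little agreement remains, so a traceability pipeline should treat a large K as a signal to inspect the causal graph rather than trust ℛ_joint blindly.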

4.3. Evaluation

The software of this defense-in-depth solution is implemented in C/C++ and Python and developed on Linux x86 (Ubuntu 20.04, kernel 5.0 or later). A unified cross-compilation toolchain is configured on a build server for developers to compile the code. The software is designed to run on Linux x86 (Ubuntu 20.04), Linux ARM, and QNX platforms.

4.3.1. Penetration Testing design

To validate the effectiveness of the proposed in-depth solution, we designed a penetration test that follows a typical attack chain. As shown in Figure 15, it consists of three steps:

  • Port Scanning and Brute Force Attack: The attacker begins by scanning the target system’s ports to identify open ports and services. Once exploitable service ports are found, the attacker attempts a brute force attack, trying multiple passwords or exploiting known vulnerabilities to gain access to the service.

  • Sensitive File Copying and Configuration Tampering: After successfully brute-forcing the service port, the attacker leverages the gained access to copy sensitive files from the system. These files may contain critical configuration information or system credentials. The attacker then modifies these configurations to further infiltrate the system or prepare for subsequent attacks.

  • Exploiting Stack Overflow Vulnerabilities: After obtaining sensitive files, the attacker analyzes them for potential vulnerabilities, such as stack overflow vulnerabilities. Upon identifying an exploitable vulnerability, the attacker carefully crafts malicious code and injects it into the system via the overflow. This code may be used to further control the system, steal data, or provide a backdoor for other attackers.

Figure 15. The Penetration Testing design

4.3.2. Overall Protection Evaluation

Against these attack steps, the in-depth solution emulates a Secure Shell (SSH) service to detect and block external attacks early (port scanning and brute-force attempts), monitors access to sensitive files to handle data-security incidents, and uses dynamic reconfiguration to prevent injected code from executing (blocking vulnerability exploitation) while cutting off the external connection. Table 4 compares the protections offered by the in-depth solution: it defends against password brute-forcing and stack overflow attacks and records logs of port scanning and file operations.

Table 4.

Overall protection evaluation

Typical test case 1: Validation of the effectiveness of the in-depth solution strategy in countering brute-force attacks to obtain system account passwords.

Figure 16a shows that before enabling mimicry obfuscation, system account passwords can be obtained through brute-force attacks. Figure 16b demonstrates that root access to the system is acquired based on the brute-force results, allowing successful execution of operations. In Figure 16c, after enabling mimicry obfuscation, it becomes impossible to obtain system account passwords through brute-force attacks, effectively resisting password cracking attempts. Additionally, the brute-force attack is logged, as shown in Figure 16d.

Figure 16. Overview of results in countering brute-force attacks to obtain system account passwords. (a) Before enabling mimicry obfuscation, system account passwords can be obtained through brute-force attacks. (b) Root access to the system is acquired based on the brute-force results. (c) Impossible to obtain system account passwords through brute-force attack. (d) The brute-force attack is logged.
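The following is an added example, not the authors’ code, of the brute-force detection that the emulated SSH service needs in order to produce a log like Figure 16d and hand the IDPS a source address to block. The page does not show the mimic service’s real log layout, so the record format here (ts=<epoch ms> src=<ipv4> user=<name> result=<ok|fail>) and the sample log are constructed for the example. A source is flagged once it accumulates `threshold` failures inside `window_ms`; the window restarts at the first failure after a quiet period, so five failures spread over a minute do not count as one burst.

```c
/* Added example, not the authors' code: burst detection for the emulated SSH
 * service of Section 4.3.2. Record format and sample log are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_SRC 16
#define IP_LEN  16

struct src_state { char ip[IP_LEN]; long long window_start; int fails; int flagged; };
struct verdict   { char ip[IP_LEN]; long long ts_ms; int fails; };

struct verdict VERDICTS[MAX_SRC];

/* Constructed sample log: 10.0.0.5 hammers root (flagged at its 5th failure);
 * 10.0.0.7 fails five times but 15 s apart (no burst); 10.0.0.9 fails once. */
const char SAMPLE_LOG[] =
    "ts=1000 src=10.0.0.5 user=root result=fail\n"
    "ts=1300 src=10.0.0.5 user=root result=fail\n"
    "ts=1400 src=10.0.0.9 user=admin result=fail\n"
    "ts=1600 src=10.0.0.5 user=root result=fail\n"
    "ts=1900 src=10.0.0.5 user=root result=fail\n"
    "ts=2100 src=10.0.0.5 user=root result=fail\n"
    "ts=2400 src=10.0.0.5 user=root result=fail\n"
    "ts=5000 src=10.0.0.7 user=root result=fail\n"
    "ts=20000 src=10.0.0.7 user=root result=fail\n"
    "ts=35000 src=10.0.0.7 user=root result=fail\n"
    "ts=50000 src=10.0.0.7 user=root result=fail\n"
    "ts=65000 src=10.0.0.7 user=root result=fail\n";

static struct src_state *lookup(struct src_state *tbl, int *n, const char *ip) {
    for (int i = 0; i < *n; i++)
        if (strcmp(tbl[i].ip, ip) == 0) return &tbl[i];
    if (*n >= MAX_SRC) return NULL;          /* table full: drop rather than overflow */
    struct src_state *s = &tbl[(*n)++];
    memset(s, 0, sizeof *s);
    strncpy(s->ip, ip, IP_LEN - 1);
    return s;
}

/* Scan `log`, fill `out` with flagged sources, return how many were flagged. */
int scan_auth_log(const char *log, long long window_ms, int threshold,
                  struct verdict *out, int max_out) {
    struct src_state tbl[MAX_SRC];
    int n = 0, flagged = 0;
    const char *p = log;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[160];
        long long ts;
        char ip[IP_LEN], user[32], result[8];

        if (len >= sizeof line) len = sizeof line - 1;   /* oversized line: truncate */
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);

        if (sscanf(line, "ts=%lld src=%15s user=%31s result=%7s", &ts, ip, user, result) != 4)
            continue;                                    /* malformed record: ignore */
        if (strcmp(result, "fail") != 0)
            continue;                                    /* only failures count */

        struct src_state *s = lookup(tbl, &n, ip);
        if (!s) continue;
        if (s->fails == 0 || ts - s->window_start > window_ms) {
            s->window_start = ts;                        /* start (or restart) the window */
            s->fails = 0;
        }
        s->fails++;
        if (!s->flagged && s->fails >= threshold && flagged < max_out) {
            s->flagged = 1;
            memcpy(out[flagged].ip, s->ip, IP_LEN);
            out[flagged].ts_ms = ts;
            out[flagged].fails = s->fails;
            flagged++;
        }
    }
    return flagged;
}

int main(void) {
    int n = scan_auth_log(SAMPLE_LOG, 10000, 5, VERDICTS, MAX_SRC);
    for (int i = 0; i < n; i++)
        printf("BLOCK src=%s after %d failures at ts=%lld\n",
               VERDICTS[i].ip, VERDICTS[i].fails, VERDICTS[i].ts_ms);
    return 0;
}
```

On a decoy SSH service every login attempt is suspicious, so the threshold can be far lower than on a production service; the per-source table is bounded (MAX_SRC) on purpose, since an attacker who can make the detector allocate without limit has found a cheaper denial of service than the brute force it is watching for.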

Typical test case 2: Validation of the effectiveness of the in-depth solution strategy in countering typical heap overflow and stack overflow vulnerabilities.

According to statistics, about 70% of vulnerabilities in digital products are related to memory safety, and in 2022 memory corruption was the most common class of zero-day attack, accounting for 67.55% of attacks¹. This study therefore verifies the effectiveness of the proposed protection scheme using typical heap overflow and stack overflow vulnerabilities as examples.

The protective effect before and after enabling dynamic reconfiguration was first evaluated with a stack overflow vulnerability. Figure 17a shows that, before dynamic reconfiguration was enabled, malicious input delivered to the system’s port 1235 triggered out-of-bounds read/write operations in the packet parser that overwrote a control pointer, and a backdoor shell was injected and bound to port 4444. Figure 17b shows root access to the system obtained through port 4444. After dynamic reconfiguration was enabled, the same attempt to exploit the stack overflow to obtain backdoor access failed, as shown in Figure 17c.

Figure 17. Overview of results in countering Stack overflow attack. (a) Manipulated the control pointer and successfully injected a backdoor shell. (b) The system’s root access was successfully compromised. (c) The attempt to exploit the stack overflow vulnerability to obtain backdoor access to the system failed
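The following is an added example, not the authors’ code, showing the defect class behind test case 1 of the stack overflow evaluation beside its hardened form. The wire format is assumed for illustration (byte 0 = command id, byte 1 = payload length, bytes 2.. = payload); the page shows neither the real protocol on port 1235 nor the parser. The vulnerable parser copies an attacker-controlled length into a fixed stack buffer, which is the out-of-bounds write that lets the saved return address be overwritten; the hardened one rejects the packet before the copy. Dynamic reconfiguration (Section 4.2.3) is what makes the exploit in Figure 17c fail by putting the overwritten pointer on an unpredictable layout; the bound check removes the bug itself, and a practitioner wants both.

```c
/* Added example, not the authors' code: a length-trusting packet parser (the
 * stack-overflow "before" form) beside the hardened parser. Wire format assumed:
 * byte 0 = command id, byte 1 = payload length, bytes 2.. = payload. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CMD_MAX       32
#define CMD_SET_SPEED 0x01

#define ERR_SHORT   (-1)   /* packet has no complete header */
#define ERR_LENGTH  (-2)   /* declared length does not fit the buffer or the packet */
#define ERR_COMMAND (-3)   /* unknown command or malformed payload */

/* Constructed packets for the demonstration. */
const uint8_t PKT_GOOD[]      = { CMD_SET_SPEED, 0x02, 0x00, 0x64 };  /* set speed 100 */
const uint8_t PKT_OVERSIZED[] = { CMD_SET_SPEED, 0xFF, 0xAA, 0xBB };  /* claims 255 payload bytes */
const uint8_t PKT_TRUNCATED[] = { CMD_SET_SPEED, 0x04, 0x00 };        /* claims 4, carries 1 */
const uint8_t PKT_SHORT[]     = { CMD_SET_SPEED };                    /* no length byte */

/* Dispatch one decoded command. SET_SPEED carries a big-endian uint16 target
 * (km/h, assumed); it is returned so callers and tests can check the decode. */
static int handle_command(uint8_t id, const uint8_t *payload, size_t len) {
    if (id == CMD_SET_SPEED && len == 2)
        return (payload[0] << 8) | payload[1];
    return ERR_COMMAND;
}

/* Vulnerable: trusts the length byte. A packet declaring len=255 overruns the
 * 32-byte stack buffer (write) and reads past the end of the packet (read);
 * with the saved return address overwritten, control flow is the attacker's.
 * Kept only as the "before" form; never call it on hostile input. */
int parse_packet_vulnerable(const uint8_t *pkt, size_t pkt_len) {
    uint8_t cmd[CMD_MAX];
    if (pkt_len < 2) return ERR_SHORT;
    size_t len = pkt[1];
    memcpy(cmd, pkt + 2, len);                 /* BUG: len is never bounded */
    return handle_command(pkt[0], cmd, len);
}

/* Hardened: the declared length must fit both the buffer and the bytes that
 * actually arrived; anything else is rejected before a single byte is copied. */
int parse_packet_hardened(const uint8_t *pkt, size_t pkt_len) {
    uint8_t cmd[CMD_MAX];
    if (pkt_len < 2) return ERR_SHORT;
    size_t len = pkt[1];
    if (len > CMD_MAX || len > pkt_len - 2) return ERR_LENGTH;
    memcpy(cmd, pkt + 2, len);
    return handle_command(pkt[0], cmd, len);
}
```

Build the hardened service as a position-independent executable with stack protection (for GCC/Clang: -fPIE -pie -fstack-protector-strong -D_FORTIFY_SOURCE=2); without PIE the executable’s own image is not randomized, so address-space randomization leaves the most useful gadgets at fixed addresses regardless of what the loader does with libraries.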

As shown in Figure 18a, malicious input delivered to the system’s port 4567 exploits a heap overflow to modify function parameters in the adjacent heap chunk, which allows a shell backdoor to be injected and activated on port 1338 and root privileges to be obtained, as illustrated in Figure 18b. After the protection scheme is enabled, the attempt to exploit the heap overflow to gain backdoor access fails, as shown in Figure 18c.

Figure 18. Overview of results in countering Heap overflow attack. (a) Manipulated the control pointer and successfully injected a backdoor shell. (b) The system’s root access was successfully compromised. (c) The attempt to exploit the heap overflow vulnerability to gain backdoor access fails

4.3.3. Functionality and Performance Evaluation

The dynamic reconfiguration module enhances system security through memory randomization, protection of dangerous functions, library environment diversification, and the randomization loader. As shown in Table 5, the impact on application performance after reconfiguration remains small: CPU overhead of no more than 30%, memory overhead of no more than 10%, and an additional load time of 10–50 ms for a 10 MB program. These measures make vulnerabilities substantially harder to exploit while maintaining system efficiency.

Table 5.

Functionality list and performance evaluation

In addition to the heap overflow and stack overflow tests, this study evaluated 122 test cases covering mainstream vulnerability types, including format string attacks and integer overflows. The dynamic reconfiguration mechanism defended successfully against 117 of these cases, an overall defense success rate of 95.9% (117/122), with coverage of 90% of the vulnerability types.

The mimetic camouflage module focuses on disguising system, application, and information components to thwart potential attacks. This functionality operates in a static or trigger-based manner, resulting in negligible performance or resource overhead. By leveraging lightweight mechanisms, the module provides robust defense without compromising computational resources.

The security monitoring module ensures comprehensive system protection through efficient monitoring configurations, system call analysis, and application status tracking. Resource consumption remains well-controlled, with CPU usage below 4% per core and virtual memory overhead under 10 MB. This module enables real-time threat detection and response while preserving system stability and performance.

5. Potential assessment research directions of endogenous security and safety for CAVs

As demonstrated through the case study, the endogenous security and safety architecture based on DHR not only enables the detection of unknown anomalies but also defends against network attacks stemming from unknown threats. This approach ensures functional safety while providing distinctive network security defense capabilities. As the saying goes, ‘You cannot improve what you cannot measure’. Therefore, exploring the resilience evaluation of deep defense strategies is of critical importance. This paper proposes potential research directions from four aspects: lightweight, high safety and security, quantifiability, and forensics.

Lightweight Defense Optimization. Given the predominance of remote attacks (95% of 295 incidents in 2023 [41]), our approach focuses on developing adaptive defense algorithms for resource-constrained CAV systems. Building on the dynamic reconfiguration capabilities of the DHR architecture (Section 4.2.3), we prioritize high-risk attack paths through intelligent resource allocation, maintaining real-time response within strict computational limits (the validated 18% overhead in Table 5). This threat-aware scheduling mechanism enhances protection coverage while optimizing the security-performance trade-off inherent in vehicular systems.

High Security and Safety Assurance. To address inherent defects in complex vehicle software systems (modern autonomous vehicles contain over 100 million lines of code [42]), we propose a focused formal verification approach for critical system components, prioritizing five key security properties: functional correctness, memory safety, concurrency control, security policy enforcement, and resource management. Given the impracticality of full-scale verification, the DHR architecture (Section 3.1) enables targeted verification of core modules (e.g., the security choreographer in Section 3.2) while endogenous defense mechanisms protect the non-verified components through dynamic heterogeneous redundancy (Figure 6), achieving both broad security coverage and practical feasibility.

Quantifiable Safety and Security. Quantifying safety for CAVs is critical to reducing traffic fatalities, with the potential to save millions of lives if safety improves by an order of magnitude (e.g., from 5 × 10⁻⁷ to 5 × 10⁻⁸ fatalities per driving hour [43]). However, current standards such as ISO 26262 (functional safety) [22], ISO/PAS 21448 (Safety of the Intended Functionality) [44], and ISO/SAE 21434 (cybersecurity) [23] lack explicit quantitative frameworks, which complicates safety and security co-engineering. To address this, we propose a multi-layered defense approach that uses serial reliability modeling to keep the system resilient even when individual layers are compromised, correlating attack vectors and quantifying layer-wise reliability for comprehensive protection. This method answers the need for measurable safety benchmarks and strengthens the security architecture of autonomous driving systems.

Autonomous Vehicle Accident Traceability. Determining liability in autonomous driving accidents requires resolving intertwined safety and security questions, such as distinguishing a cyberattack from a system failure². Key obstacles include modeling the complex interactions between modules (e.g., perception, planning) in dynamic environments and automating cyber threat chain analysis to keep pace with evolving attack patterns. A unified framework integrating functional safety (e.g., ISO 26262) and cybersecurity (e.g., ISO/SAE 21434) methodologies is critical for multi-layered traceability; aligned with the proposed defense architecture, it enables root-cause analysis and accountability.

6. Conclusion

Safety and security are often studied separately, leading to a trade-off where safety mechanisms may weaken security mechanisms, and vice versa. This paper presents an endogenous security and safety approach utilizing dynamic heterogeneous redundancy technologies. We introduce integrated safety and security for CAVs, based on the vehicle-road-cloud ecosystem and relevant design processes. Then, we propose a DHR-based safety and security monitoring module, centered on core system events, which effectively detects unknown failures, ensures functional safety, and identifies novel cyber-attacks, as confirmed by empirical tests and theoretical analyses, thereby enhancing cybersecurity. Building on the preliminary comprehensive analysis, an in-depth strategy is proposed, combining mimicry defense, safety and security monitoring, and dynamic reconfiguration to detect failures, ensure safety, and counter cyber threats. A prototype implementation, coupled with penetration testing, demonstrates the approach’s effectiveness. Finally, we provide assessment direction, emphasizing its lightweight design, robust security, quantification abilities, and tracing functions.

In the future, we will focus on the system’s practical deployment, including its integration into commercial vehicles for real-world applications. While this preliminary phase intentionally emphasizes qualitative verification, we acknowledge the importance of quantitative assessment; forthcoming research will systematically evaluate specific metrics. Further theoretical investigation of the endogenous security and safety approach will also be conducted, emphasizing coupled modeling of functional safety and cybersecurity, as well as risk traceability.


Acknowledgments

Thanks to Yuanyuan Liu and the anonymous reviewers for their helpful comments and suggestions.

Funding

This work was supported in part by the National Key Research and Development Program of China under Grant 2023YFB2504800; in part by the Natural Science Foundation of Jiangsu Province under Grant BK20230134.

Conflicts of interest

The authors declare no conflicts of interest.

Data availability statement

No data are associated with this article.

Author contribution statement

Qi Liu led the conceptualization, methodology, and software development, and was responsible for the original draft writing. Yufeng Li contributed to the conceptualization, review of the manuscript. Zhenkai Wang supported the software, formal analysis, investigation. Xiangyu Zheng assisted with data curation. Peng Wang oversaw the project, provided supervision. Peng Tang contributed to the investigation, and data visualization.

References

  1. Liu W, Hua M, Deng Z, et al. A systematic survey of control techniques and applications in connected and automated vehicles. IEEE Internet Things J 2023; 10: 21892–21916.
  2. Chen L, Li Y, Huang C, et al. Milestones in autonomous driving and intelligent vehicles: Survey of surveys. IEEE Trans Intell Veh 2022; 8: 1046–1056.
  3. Li Y, Liu Q, Chen X, et al. Integrated safety and security enhancement of connected automated vehicles using DHR architecture. Security Safety 2023; 2: 2022009.
  4. Wu J. Endogenous security problems and countermeasures of intelligent connected vehicle. J Chongqing Univ Posts Telecommun (Nat Sci Ed) 2023; 35: 3.
  5. Miller C, Valasek C. After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix. WIRED 2015, www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/.
  6. Euronews. Gridlock as Hackers Order Hundreds of Taxis to Same Place in Moscow. Euronews 2022, https://www.euronews.com/my-europe/2022/09/02/gridlock-as-hackers-order-hundreds-of-taxis-to-same-place-in-moscow.
  7. Financial Times. Hizbollah walkie-talkies explode in Lebanon in second day of blasts. Financial Times 2024, https://www.ft.com/content/defb8bf1-da0b-403a-aa4d-d27a35d54201.
  8. Chen S, Wei X, Zhang G, et al. Active and passive safety enhancement for batteries from force perspective. Renew Sustain Energy Rev 2023; 187: 113740.
  9. Zhang J, Zhong H, Cui J, et al. Distributed and extensible cross-region vehicle authentication with reputation for VANETs. IEEE Trans Intell Transp Syst 2023; 25: 74–89.
  10. Chen Y, Zhang J, Wei X, et al. Cross-domain authentication scheme for vehicles based on given virtual identities. IEEE Internet Things J 2024; 11: 15869–15879.
  11. Cui J, Chen Y, Zhong H, et al. Lightweight encryption and authentication for controller area network of autonomous vehicles. IEEE Trans Veh Technol 2023; 72: 14756–14770.
  12. Baee MAR, Simpson L, Boyen X, et al. A provably secure and efficient cryptographic-key update protocol for connected vehicles. IEEE Trans Dependable Secure Comput 2023; 21: 4066–4083.
  13. Plattner M, Sonnleitner E, Ostermayer G. A security protocol for vehicle platoon verification using optical camera communications. IEEE Trans Intell Transp Syst 2024; 25: 14698–14709.
  14. Shen Y, Cui J, Zhong H, et al. A two-layer dynamic ECU group management scheme for in-vehicle CAN bus. IEEE Trans Intell Transp Syst 2024; 25: 10431–10445.
  15. Liu Q, Li X, Sun K, et al. SISSA: Real-time monitoring of hardware functional safety and cybersecurity with in-vehicle SOME/IP Ethernet traffic. IEEE Internet Things J 2024; 11: 27322–27339.
  16. Le TD, Truong HBH, Kim D. Multi-classification in-vehicle intrusion detection system using packet- and sequence-level characteristics from time-embedded transformer with autoencoder. Knowl-Based Syst 2024; 299: 112091.
  17. Althunayyan M, Javed A, Rana O. A robust multi-stage intrusion detection system for in-vehicle network security using hierarchical federated learning. Veh Commun 2024; 49: 100837.
  18. Hoang TN, Kim D. Supervised contrastive ResNet and transfer learning for the in-vehicle intrusion detection system. Expert Syst Appl 2024; 238: 122181.
  19. Gong W, Yang S, Guang H, et al. Multi-order feature interaction-aware intrusion detection scheme for ensuring cyber security of intelligent connected vehicles. Eng Appl Artif Intell 2024; 135: 108815.
  20. Liu Z, Wan L, Guo J, et al. PPRU: A privacy-preserving reputation updating scheme for cloud-assisted vehicular networks. IEEE Trans Veh Technol 2023; 74: 1877–1892.
  21. Sun H, Huang W, Weng J, et al. CCID-CAN: Cross-chain intrusion detection on CAN bus for autonomous vehicles. IEEE Internet Things J 2024; 11: 26146–26159.
  22. International Organization for Standardization (ISO). ISO 26262: Road vehicles – Functional safety. Technical report, International Organization for Standardization; 2016.
  23. ISO/SAE 21434: Road vehicles – Cybersecurity engineering; 2021.
  24. Kavallieratos G, Katsikas S, Gkioulos V. Cybersecurity and safety co-engineering of cyber-physical systems – a comprehensive survey. Future Internet 2020; 12: 65.
  25. Cui J, Zhang B. VeRA: A simplified security risk analysis method for autonomous vehicles. IEEE Trans Veh Technol 2020; 69: 10494–10505.
  26. Möller DPF. NIST cybersecurity framework and MITRE cybersecurity criteria. In: Guide to Cybersecurity in Digital Transformation: Trends, Methods, Technologies, Applications and Best Practices. Cham: Springer Nature Switzerland, 2023.
  27. Ross R, Pillitteri V, Graubart R, et al. Developing cyber-resilient systems: A systems security engineering approach. NIST Special Publication 800-160 Vol. 2 Rev. 1, National Institute of Standards and Technology, Gaithersburg, MD, 2021. https://doi.org/10.6028/NIST.SP.800-160v2r1.
  28. National Highway Traffic Safety Administration (NHTSA). Design-in Cyber Resiliency: A System Safety Approach to Vehicle Cybersecurity. Washington, DC: NHTSA, 2023.
  29. Checkoway S, McCoy D, Kantor B, et al. Comprehensive experimental analyses of automotive attack surfaces. In: 20th USENIX Security Symposium (USENIX Security 11), 2011.
  30. Gao B, Liu J, Zou H, et al. Vehicle-road-cloud collaborative perception framework and key technologies: A review. IEEE Trans Intell Transp Syst 2024; 25: 19295–19318.
  31. Peng G, Tan H, Sun Y. Congestion of intelligent driver model integrating fault-tolerant control to boycott cyber-attacks in "vehicle-road-cloud" architecture under C-V2X environment. Available at SSRN 4822479, 2025.
  32. Jia S, Zhang T, Lin W, et al. An evaluation method of vehicle-road-cloud collaborative system security situation based on (CD)2-A elastic computing framework. In: 2023 8th International Conference on Data Science in Cyberspace (DSC). IEEE, 2023: 546–550.
  33. Liu Q, Sun K, Liu W, et al. Quantitative risk assessment for connected automated vehicles: Integrating improved STPA-SafeSec and Bayesian network. Reliab Eng Syst Saf 2025; 253: 110528.
  34. Li Y, Huang C, Liu Q, et al. Integrating security in hazard analysis using STPA-Sec and GSPN: A case study of automatic emergency braking system. Comput Secur 2024; 142: 103890.
  35. Auto-ISAC. Automotive cybersecurity best practices: Executive summary. 2018.
  36. Li Y, Liu Q, Zhuang W, et al. Dynamic heterogeneous redundancy-based joint safety and security for connected automated vehicles: Preliminary simulation and field test results. IEEE Veh Technol Mag 2023; 18: 89–97.
  37. Wang P, Zhai B, Li Y, et al. Endogenous security mechanism of vehicle network based on dynamic heterogeneous redundancy. J Electron Inf Technol 2023; 45: 272–281.
  38. Wu J. Cyberspace Mimic Defense. Cham: Springer, 2020.
  39. Ren Q, Hu T, Wu J, et al. Multipath resilient routing for endogenous secure software defined networks. Comput Netw 2021; 194: 108134.
  40. Franco J, Aris A, Canberk B, et al. A survey of honeypots and honeynets for Internet of Things, Industrial Internet of Things, and cyber-physical systems. IEEE Commun Surv Tutor 2021; 23: 2351–2383.
  41. Upstream Security. Global Automotive Cybersecurity Report 2024. Upstream Security, 2024.
  42. Vehicle Dynamics International. Vehicle cybersecurity: Control the code, control the road. 2020.
  43. National Highway Traffic Safety Administration (NHTSA). Traffic Safety Facts Research Note, Oct. 2019. https://www.nhtsa.gov/traffic-deaths-2018
  44. Wang H, Shao W, Sun C, et al. A survey on an emerging safety challenge for autonomous vehicles: Safety of the intended functionality. Engineering 2024; 33: 17–34.
  45. Ren Q, Wu J, He L. Research on mimic DNS architectural strategy based on generalized stochastic Petri net. J Cyber Secur 2019; 4: 37–52.
  46. Ouyang L. Research on key issues of dynamic heterogeneous redundant microcontroller. Doctoral dissertation, 2023.
  47. Ma H, Yi P, Jiang Y, He L. Dynamic heterogeneous redundancy based router architecture with mimic defenses. J Cyber Secur 2017; 2: 29–42.
  48. Guo W. Research on mimic architecture and key technologies of distributed storage system. Doctoral dissertation, 2019.
  49. Zhu WJ, Guo YB, Huang BH. A mimic defense automaton model of dynamic heterogeneous redundancy structures. Acta Electronica Sinica 2019; 47: 2025–2031.
  50. Hu J, Yu Li, Li Z, Liu Q, Wu J. Unveiling the strategic defense mechanisms in dynamic heterogeneous redundancy architecture. IEEE Trans Netw Serv Manage 2024; 24: 4912–4926.
  51. Wu T, Hu C, Qingnan C, Anbang C, Qiuhua Z. Defense-enhanced dynamic heterogeneous redundancy architecture based on executor partition. J Commun 2021; 42: 122–134.
  52. Wang W, Zeng J, Li G. Security analysis of dynamic heterogeneous redundant system. Comput Eng 2018; 44: 42–45.
Qi Liu

Qi Liu is an Assistant Researcher at the Endogenous Security Center of Purple Mountain Laboratories, China. His research interests include the safety and security of connected automated vehicles, statistical methods, and differential privacy.

Zhenkai Wang

Zhenkai Wang is an Intermediate Software Development Engineer at the Endogenous Security Center of Purple Mountain Laboratories, China. His primary research interests focus on information security and data security technologies related to connected vehicles.

Peng Wang

Peng Wang is in charge of the endogenous security direction of the Internet of Vehicles with Purple Mountain Laboratories, China. His research interests include the safety and security of connected automated vehicles.

Yufeng Li

Yufeng Li is a professor at the School of Computer Engineering and Science, Shanghai University, China. His research interests include the safety and security of connected automated vehicles, cybersecurity, broadband information networks, and high-speed router core technology.

Xiangyu Zheng

Xiangyu Zheng is a Ph.D. candidate at the School of Computer Engineering and Science, Shanghai University, China. His research interests include the safety and security of connected automated vehicles and HARA.

Peng Tang

Peng Tang is an Assistant Researcher at the Institute of Big Data, Fudan University, China. Her research interest lies in the construction of an autonomous knowledge system in cyberspace.

All Tables

Table 1.

Performance-oriented design of safety and security monitoring module

Table 2.

Key characteristics of existing validation and theoretical analysis of DHR

Table 3.

The functional point and corresponding protection target of mimic module

Table 4.

Overall protection evaluation

Table 5.

Functionality list and performance evaluation

All Figures

Figure 1.

The integrated safety and security challenge [4]

Figure 2.

The integrated safety and security for CAV from multiple interwoven perspectives

Figure 3.

The integrated safety and security from Vehicle-Road-Cloud perspectives

Figure 4.

The integrated safety and security from design and development perspectives

Figure 5.

The endogenous security and safety architecture for CAVs

Figure 6.

The framework of the integrated safety and security monitoring module

Figure 7.

Working under one process during functional failure

Figure 8.

Working under DHR during functional failure. (a) Monitoring the application processes. (b) Dynamically configuring the application processes. (c) Restarting to normal operation.

Figure 9.

Detecting abnormal behaviors of system files

Figure 10.

Identifying related information such as the attacker's IP, port, and process

Figure 11.

The proposed in-depth defense architecture for CAVs

Figure 12.

The workflow of the proposed in-depth solution

Figure 13.

The workflow of dynamic reconfiguration

Figure 14.

The workflow of recording and tracing

Figure 15.

The penetration testing design

Figure 16.

Overview of results in countering brute-force attacks to obtain system account passwords. (a) Before enabling mimicry obfuscation, system account passwords can be obtained through brute-force attacks. (b) Root access to the system is acquired based on the brute-force results. (c) It is impossible to obtain system account passwords through a brute-force attack. (d) The brute-force attack is logged.

Figure 17.

Overview of results in countering a stack overflow attack. (a) The control pointer was manipulated and a backdoor shell was successfully injected. (b) The system's root access was successfully compromised. (c) The attempt to exploit the stack overflow vulnerability to obtain backdoor access to the system failed.

Figure 18.

Overview of results in countering a heap overflow attack. (a) The control pointer was manipulated and a backdoor shell was successfully injected. (b) The system's root access was successfully compromised. (c) The attempt to exploit the heap overflow vulnerability to gain backdoor access failed.