1. Introduction
As vehicle technology merges with energy, the Internet of Things (IoT), and communication fields, vehicles are developing towards electrification and intelligence. Considering the limited battery power of electric vehicles during long-distance travel, a vehicle charging network system that can provide a real-time travel charging solution will surely appear. Predictably, in order to collect the status information of nearby charging piles, the system has to allow access by large-scale heterogeneous terminal devices. For example, there are numerous video sensors and smoke sensors to monitor whether the charging environment is safe, voltage and current sensors to detect the power condition of all charging piles, and mobile terminals to activate charging piles for massive numbers of users. Since a large number of terminal devices is difficult to monitor, malicious terminals will have the opportunity to gain access. Once malicious illegal terminals access the system, they can easily crash the charging facility, steal charging vehicles’ information, and even implant viruses to make vehicles uncontrollable. Though the 5G protocol optimizes identity security by introducing temporary identification [1], malicious illegal devices can still access the system by forging legal identification. Therefore, it is necessary to design a more reliable access authentication scheme for a vehicle charging network system to ensure system security and full function.
Some trusted access authentication schemes have been proposed [2,3,4,5]. However, they are difficult to apply in a vehicle charging network system with large-scale heterogeneous terminal access. First, since the vehicle charging network system accesses various heterogeneous terminals, there are inevitably terminals whose computing capabilities are insufficient to support the general access authentication solution based on cryptography (i.e., PKI [6,7]). To provide verification information, terminals need to have the computing capability for encryption and decryption. Unfortunately, some terminals with poor or even no computing capabilities (such as smoke sensors) cannot complete the encryption and decryption. Thus, they may be denied access to sensitive information, which will prevent the system from functioning well. Therefore, it is necessary to design a unified authentication solution for heterogeneous terminals in the vehicle charging network system.
Second, access authentication based on device fingerprint [8] is an available unified solution, but its authentication robustness is relatively poor and the processing overhead is relatively high. Specifically, the device fingerprint can be extracted according to the radio frequency (RF) wireless signal difference caused by the hardware defects inherent in terminal manufacturing. By identifying the legitimacy of the device fingerprint, the system can decide whether to allow terminal access. Nonetheless, because the RF wireless signal difference caused by hardware defects is subtle, the fingerprint features extracted under different environments (such as occluded materials and weather conditions) vary greatly. This will inevitably result in poor authentication robustness. Additionally, though the authentication scheme based on device fingerprint eliminates encryption and decryption, the overhead brought by fingerprint identification is still not negligible. This will lead to a high authentication delay for trusted access.
Third, since there are massive terminals in a vehicle charging network system, all access authentication requests processed by the cloud server will bring huge delay overhead. Specifically, in order to meet the charging needs of all electric vehicle users, the number of charging piles provided in the vehicle charging network system is huge. Correspondingly, the amount of terminals that need to access the system is even greater. This means that highly concurrent access authentication requests will widely exist in the system. In this case, the centralized authentication request processing architecture that is authenticated locally by the system or delivers all the device fingerprints to the cloud server for identification will bring a huge authentication waiting overhead.
To address the above challenges, we propose a trusted access authentication solution based on end-edge-cloud collaboration for the terminals in a vehicle charging network system. Our solution provides an efficient and reliable device identification method for large-scale heterogeneous terminals in the system, and only allows the identified legal terminals access to ensure the vehicle charging network system’s security. Specifically, our contributions are listed as follows:
(1) End-Edge-Cloud Collaborative Authentication Framework. To alleviate the non-negligible authentication waiting latency when large-scale heterogeneous terminals concurrently access requests in a vehicle charging network system, we propose an End-Edge-Cloud Collaboration framework. Through the cooperation of local servers, edge servers, and one center cloud server jointly executing access requests from massive terminals, the framework can provide efficient and reliable access authentication services for large-scale terminals. This effectively improves the quality of service (QoS) of delay-sensitive and computation-intensive access authentication tasks in a vehicle charging network system.
(2) Unified Trusted Access Authentication Model. To address the problem of heterogeneous terminal access in a vehicle charging network system, we designed a novel unified trusted access authentication (UTAA) model based on device fingerprints. Taking the feature of RF signal transmitted by terminals as the device fingerprint, the UTAA model provides a bypass authentication solution which is independent of the computing and storage capabilities of terminals. Via well-designed data construction and the powerful feature extraction capabilities of Swin-Transformer [9], the UTAA model effectively mitigates environmental interference and improves the robustness of fingerprint recognition. This ensures the reliability of access authentication. Moreover, benefiting from the feature extraction capabilities of Swin-Transformer, only a small amount of fingerprint data can accurately identify the legitimacy of terminals, which actually reduces the authentication overhead.
(3) Access Authentication Overhead Minimization. Although our UTAA model optimizes the authentication overhead for a single terminal, there still exists a heavy access authentication response latency for vehicle charging network systems with numerous and dynamic authentication requests. To further optimize authentication latency, authentication tasks that cannot be executed locally are transmitted to appropriate edge or cloud servers for cooperative execution. Then, the global access authentication response time can be expressed as the sum of transmission delay and authentication delay. With the goal of minimizing global access authentication response time, we design an authentication task scheduling scheme based on Advantage Actor Critic (A2C) [10] to decide which server the current authentication tasks are offloaded to for execution.
(4) Experimental Evaluation in Real Environment. We conduct comprehensive experiments to evaluate the proposed scheme in this paper. Experimental results demonstrate that the device fingerprints extracted by our UTAA model have environment stability, time stability, and location stability. Compared with traditional manual feature extraction schemes, the UTAA model reduces the number of packets required for authentication by two orders of magnitude, while ensuring superior authentication performance. Moreover, our end-edge-cloud collaborative authentication framework reduces the global authentication latency by about two times compared to the centralized processing schemes. Such results indicate that our solution can ensure trusted and reliable access authentication for a vehicle charging network system with large-scale heterogeneous terminals.
2. Related Work
The vehicle network system has to connect complex and massive terminals, which will give malicious terminals the opportunity to access. To ensure system security, trusted access schemes that allow legitimate terminals and deny illegal terminals are necessary. The common trusted access technologies are usually implemented based on cryptography [6,7,11,12]. Taking the PKI-based authentication scheme as an example, through the certification authority which verifies whether the current terminal is legal, the scheme can ensure that only trusted terminals have access [6,7]. This scheme has been widely adopted for quite some time, but there is a risk of key disclosure [13]. To overcome the shortcoming, some trusted authentication schemes combined with emerging potential technologies were proposed. For example, Lai et al. [14] proposed an authentication scheme based on 5G infrastructure, but the security of the 5G network architecture is still insufficient. Thanks to the distributed nature of blockchain, Guo et al. [15] proposed a PKI security enhancement scheme based on the blockchain, but there is a non-negligible energy overhead. Aiming to provide weightless and secure identity authentication, trusted authentication methods through fingerprint (i.e., biometric fingerprint [16], device fingerprint [17,18,19,20,21]) are expected to show their strengths.
Identifying the terminals' legitimacy based on device fingerprints [17,18,19,20,21] is considered an innovative access authentication scheme. Due to the unique benign hardware defects that inevitably exist in the manufacturing process of terminal devices, there will be subtle differences in the RF signals emitted by different terminals. The subtle signal differences are impossible to forge, as existing strategies cannot calibrate this unique slight difference [22]. Thus, extracting device fingerprints from the channel state information (CSI) of RF signals is widely appreciated. Nevertheless, there are difficulties in extracting accurate device fingerprints based on CSI since the channel characteristics are easily affected by environmental interference. Firstly, buildings in the propagation path of individual subcarriers in the signal can cause varying degrees of transmission loss to the subcarriers, resulting in changes in the recovered CSI [23,24]. Secondly, in the case of such vehicle charging network systems with high terminal mobility and intensive human activities, the change of channel characteristics is more complicated [25]. These device fingerprints extracted from CSI, which change with the environment and location, will drastically reduce the accuracy of terminal legitimacy identification.
There have been several works dedicated to extracting fingerprints with environmental stability and location stability from CSI. For example, Hua et al. [26] pointed out that using the carrier frequency offset (CFO, which can be inferred from CSI) of the wireless RF signal as a device fingerprint can effectively improve the stability of fingerprint features. Liu et al. [27] proposed a solution that extracts the nonlinear phase error (which can be inferred from CSI) between different subcarriers of the RF signal as a device fingerprint. Specifically, nonlinear phase errors are due to in-phase/quadrature (I/Q) component imbalances or oscillator imperfections. This phase characteristic remains consistent among subcarriers and does not vary with location and external environment, which ensures the stability of device fingerprints. Similarly, Lin et al. [28] proposed a fingerprint extraction mechanism based on signal amplitude vibrations, and they further devised a method to remove amplitude disturbances such as those caused by resolution errors of variable gain amplifiers. Though the above works resist certain environmental and location interference, the authentication accuracy based on the device fingerprint under complex environments is still poor. This is because the current extraction of fingerprint features usually relies on the experience of experts to extract them manually. Manually extracted fingerprints may ignore some invisible features, causing invalid fingerprints in complex environments. Moreover, the above methods require more fingerprint data to ensure the accuracy of access authentication, which will lead to greater authentication overhead.
Since the authentication overhead of only a single terminal is already high, the authentication overhead in the vehicle charging network system connected by large-scale terminals with high concurrent access requests is even more immeasurable. Massive authentication tasks will cause heavy pressure on the system. To alleviate the pressure on the system, the cloud computing solution that uploads the authentication task to the central cloud server for processing is greatly appreciated [29,30,31]. However, there will be a certain queuing delay because the central cloud is relatively far away and central cloud nodes are few. Accordingly, distributed computing architecture solutions such as edge computing came into existence [32,33,34]. By distributing computing resources close to users, edge computing architecture can effectively overcome the shortcomings of centralized cloud architecture. Nevertheless, it is difficult for edge nodes to bear excessive computing requests because they usually have poor computing power. Once there are too many authentication requests within the scope of the edge server, queuing delays will inevitably occur. This introduces a problem of computational task offloading. To fully utilize the resources of edge computing and cloud computing, we consider an end-edge-cloud collaborative solution to process the massive authentication requests, which can provide a trusted access authentication service for vehicle charging network systems with large-scale terminals.
3. System Design
In this section, we introduce the detailed design of the trusted access authentication scheme that can address the large-scale heterogeneous terminal access challenge faced by a vehicle charging network system.
3.1. Overview of the Framework
To address the challenges of large-scale heterogeneous terminals access authentication in vehicle charging network systems, we propose an End-Edge-Cloud Cooperation framework. The framework takes the advantage of edge computing and cloud computing to provide efficient and reliable authentication service for large-scale terminals. Moreover, our novel unified trusted access authentication (UTAA) model based on the robust and unforgeable terminal fingerprint characteristics offers a lightweight and fast authentication for the heterogeneous terminals in the framework.
As shown in Figure 1, the framework contains three layers. The first one is the center cloud layer equipped with a center cloud node. The center cloud node has sufficient computing and storage resources but may be far from the terminals. The second one is the edge cloud layer equipped with many edge cloud nodes. Each edge cloud node has many mobile edge computing (MEC) servers located between the center cloud and the terminals. Therefore, it has much more computing and storage resources than the terminals, but may have less than the center cloud. Particularly, all the MEC servers at different edge cloud nodes can process the access authentication tasks cooperatively to provide feasible, secure, and scalable authentication services. In this way, it can improve the quality of service (QoS) for the access authentication tasks which are time-delay sensitive and computing-intensive. The third layer is the access request layer. At this layer, a tremendous amount of access requests is generated from different types of terminals. Many of them are limited in terms of computing and storage resources. This may prevent them from performing common authentication algorithms [6,7,11,12] that require encryption and decryption calculations.
To address the problem of heterogeneous terminals access authentication, in the proposed end-edge-cloud cooperative authentication framework, the center cloud node and all the edge cloud nodes are configured with our novel unified trusted access authentication (UTAA) model. The UTAA model provides a bypass authentication method based on the fingerprint characteristics extracted from the wireless signal between the terminal and the authentication nodes. Therefore, it is independent of the computing and storage ability of terminals. The access authentication response time contains transmission delay the UTAA model is two orders less than that of the previous studies [26,27,28]. This enables the UTAA model to largely reduce the authentication delay for a single terminal. Furthermore, combined with the elaborate design of data preprocessing, data expansion, data augmentation in constructing a model training dataset, the UTAA model can achieve accurate, robust, and fast authentication for heterogeneous terminals.
Although our UTAA model optimizes the authentication delay for a single terminal, there still exists a heavy access authentication response time overhead for large-scale vehicle charging network systems with numerous and dynamic authentication requests. If all the authentication tasks are offloaded to the center node, it must lead to a certain transmission delay caused by the heavy request traffic and the long transmission distance. Actually, it is inappropriate for heavy authentication requests to occupy too many core network processing resources. This is because it will hinder the processing of core services. However, if all the authentication tasks are offloaded to the edge cloud node nearest from the terminals locally, it may cause the inability of some nodes to process the task timely due to the imbalance authentication request distribution in space. As a result, our goal is to optimize the global access authentication response time by offloading the authentication task to the appropriate UTAA model collaboratively.
3.2. Unified Trusted Access Authentication (UTAA) Model
To address the limitations of the current device fingerprint-based authentication, we propose a unified trusted access authentication (UTAA) model. As shown in Figure 2, the UTAA model contains two key stages, i.e., model offline training and online access authentication. Before being deployed in a practical vehicle charging network system to process online access authentication tasks, we need to train a robust Swin-Transformer-based authentication module at the model offline training stage. As shown in Figure 2, the different steps of the model offline training stage are connected by the dotted arrows. We first collect the channel state information (CSI) from different terminals. Then, after the processes of data preprocessing, data expansion, and data augmentation in the step of constructing a model training dataset, we obtain diverse and sufficient input samples to train a robust and lightweight Swin-Transformer-based authentication module.
The arrows with solid lines represent the steps of the online access authentication stage in Figure 2. The well-trained Swin-Transformer-based authentication module will be deployed in all the edge cloud nodes and the center cloud layer of the practical vehicle charging network system. Once an access authentication request is generated from a terminal, the UTAA model collects its channel state information (CSI) from the wireless signal between the terminal and the authentication nodes. After the step of data preprocessing, the valid phase and amplitude information are extracted from CSI and will be input to the Swin-Transformer-based authentication module for correct access authentication.
Unlike previous studies [26,27,28] that only manually extracted a single feature from the amplitude or phase information of CSI, we aim to extract unforgeable and robust hardware features from the amplitude and phase of the CSI as device fingerprints. By integrating with the vehicle charging network system, the Swin-Transformer-based terminal authentication scheme can provide bi-directional authentication between the charging system heterogeneous sensor terminals and edge nodes. It effectively reduces the security risks of existing authentication mechanisms. Moreover, our solution requires only a small number of packets to authenticate the access of a single terminal. This greatly eases the computational overhead of access authentication and reduces the network burden.
3.2.1. Constructing a Model Training Dataset
In order to obtain a robust and lightweight authentication model, we first need to construct a model training dataset with diverse and sufficient samples to address the problems of overfitting and instability caused by different environment interference. The training dataset construction is divided into three steps: (1) data preprocessing; (2) data expansion; (3) data augmentation. The purpose of data preprocessing is to extract valid phase and amplitude information from CSI. Then, data expansion is responsible for expanding the number of samples by using a sliding window to extract more samples from time-series CSI datasets. Finally, data augmentation will largely enhance the sample diversity and further increase the number of samples to achieve a robust and correct access authentication model.
(1) Data Preprocessing. Orthogonal Frequency Division Multiplexing (OFDM) technology is widely used in 5G terminal equipment communication. Each OFDM signal consists of 64 subcarriers, including 52 orthogonal subcarriers and 12 additional null-subcarriers for calculating Inverse Fast Fourier Transform (IFFT). Channel State Information (CSI) is a sampled version of the Channel Frequency Response (CFR) and it directly reveals the phase, frequency, and amplitude information of the OFDM communication system channel. In addition, CSI is not only affected by propagation obstacles, signal reflections, and baseband data patterns, but also affected by the design of the signal processing circuit of the transmitter. Every signal processing circuit of different transmitters unavoidably has its unique and unforgeable hardware defect caused by the random errors in the production process [22]. Therefore, CSI can be used as the basis of trusted device identification.
Remove invalid values. The extra 12 null-subcarriers are added for calculating the IFFT instead of transmitting the real communication data. The collected CSI from the 12 subcarriers is considered as invalid values. Since there is no channel state and hardware defect information in them, the invalid values should be removed. Then, 52 valid subcarriers are finally selected as model inputs.
Extract amplitude and phase. A set of CSI
is a set of
K discrete samples of the CFR within the bandwidth, using the subcarrier frequency difference as the frequency sampling interval.
K is 64 in the OFDM signal. The CSI value of the
subcarrier is represented by a complex number
:
where
I is the real part and
Q is the imaginary part. Based on Equation (
1), the phase and amplitude of the
subcarrier can be extracted according to the following two equations:
where
and
represent phase and amplitude of the
subcarrier, respectively [27].
Unwrap Phase. As shown in Equation (2), the arctangent function is required to calculate the system phase. Due to the limitation of the arctangent function, the calculated subcarrier phase will be phase-wrapped, i.e., there will be some jumps in the phase. The true subcarrier phase, however, is smooth and cannot contain any jumps. Therefore, in order to obtain the true subcarrier phase, an unwrapping operation is required. We randomly selected one data packet and calculated the raw phase of its 52 valid CSI subcarriers of a camera in our testbed. As shown in Figure 3a, there are some jumps in the raw phase. After the phase unwrapping is performed on the raw phase, the subcarrier phase tends to smooth out in Figure 3b.
Figure 3. Phase unwrapping.
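The three preprocessing steps above (remove invalid values, extract amplitude and phase, unwrap phase), written out as an added Python example that is not the authors' code. It assumes the 802.11a/g-style layout in which the 12 null bins are DC plus the guard bins, the standard definitions amplitude = sqrt(I^2 + Q^2) and phase = atan2(Q, I), and a constructed test packet; all function names are hypothetical.

```python
import cmath
import math

# Assumption: 802.11a/g-style 64-point OFDM layout. The 12 null subcarriers
# are the DC bin (0) and the guard bins -32..-27 and 27..31.
NULL_SUBCARRIERS = {0} | set(range(-32, -26)) | set(range(27, 32))
VALID_SUBCARRIERS = [k for k in range(-32, 32) if k not in NULL_SUBCARRIERS]


def remove_invalid(csi64):
    """Keep the 52 valid subcarriers; csi64[i] holds subcarrier index i - 32."""
    if len(csi64) != 64:
        raise ValueError("expected 64 CSI values per packet")
    return [csi64[k + 32] for k in VALID_SUBCARRIERS]


def amplitude_and_phase(csi):
    """Per-subcarrier amplitude sqrt(I^2 + Q^2) and wrapped phase atan2(Q, I)."""
    amplitude = [abs(h) for h in csi]
    phase = [math.atan2(h.imag, h.real) for h in csi]
    return amplitude, phase


def unwrap(phase):
    """Remove the 2*pi jumps left by the arctangent.

    Whenever two neighbouring values differ by more than pi, the rest of the
    sequence is shifted by 2*pi in the direction that closes the gap.
    """
    if not phase:
        return []
    out = [phase[0]]
    offset = 0.0
    for prev, cur in zip(phase, phase[1:]):
        delta = cur - prev
        if delta > math.pi:
            offset -= 2 * math.pi
        elif delta < -math.pi:
            offset += 2 * math.pi
        out.append(cur + offset)
    return out


def preprocess(csi64):
    """Full preprocessing of one packet: returns (amplitude, wrapped, unwrapped)."""
    valid = remove_invalid(csi64)
    amplitude, wrapped = amplitude_and_phase(valid)
    return amplitude, wrapped, unwrap(wrapped)


def constructed_packet(slope=-0.4, offset=0.3):
    """Constructed sample, not measured data: a smooth linear phase across
    subcarriers (which wraps several times) and a slowly varying amplitude."""
    packet = []
    for k in range(-32, 32):
        if k in NULL_SUBCARRIERS:
            packet.append(0j)  # null bins carry no channel information
        else:
            packet.append(cmath.rect(1.0 + 0.01 * k, slope * k + offset))
    return packet


if __name__ == "__main__":
    amp, wrapped, unwrapped = preprocess(constructed_packet())
    jumps = sum(1 for a, b in zip(wrapped, wrapped[1:]) if abs(b - a) > math.pi)
    print("valid subcarriers:", len(amp))
    print("jumps in wrapped phase:", jumps)
    print("largest step after unwrapping:",
          max(abs(b - a) for a, b in zip(unwrapped, unwrapped[1:])))
```

The simple neighbour-difference rule only recovers the true phase when the real phase change between adjacent valid subcarriers stays below pi, which holds for the constructed packet.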
(2) Data Expansion. Collecting CSI datasets is time-consuming and labor-intensive [35]. It is difficult, even impossible, to build a complete CSI dataset with a sufficient number of samples in all possible authentication environments with different object movements or weather conditions. These limitations may lead to over-fitting problems in the trained model, i.e., poor generalization of the models to fit the unknown data distribution. Furthermore, it is difficult for traditional machine learning and deep learning techniques to effectively extract device fingerprint features from a small number of CSI samples.
In order to obtain as many data samples as possible, we perform data expansion on CSI data at this step. The sliding window is a direct but effective data expansion method for time-series datasets. We can collect one CSI sample from the corresponding packet. Accordingly, the CSI data can be considered as time-series data. Naturally, the sliding window data expansion method can be applied to it. An example of data expansion using a sliding window is shown in Figure 4. By pre-setting the window size
as well as sliding stride
S, the sliding window will slide forward the time-series CSI data over
S CSI samples every time. In this way, the size of the datasets can easily be enlarged by
times finally.
(3) Data Augmentation. To further increase the number and diversity of training datasets, we introduce five data augmentation methods in this step. In reality, there may be unpredictable signal hiding, jitter, drift or interference caused by the changes of authentication environment, e.g., the movement of people, cars or weather variations. In order to enhance the robustness of terminal authentication for the device fingerprint extraction task, we use five specific data augmentation methods including adding Gaussian noise and the changes of dropout, crop, drift, and timewarp on the raw data to imitate the possible effect in different environments. In this way, the UTAA model can increase the diversity of training data and thus improve the augmentation stability against changeable environment interference. In particular, all the methods are applicable to both amplitude and phase data. What is more, they all can be easily applied to the model offline training stage. The detailed design of the five data augmentation methods is introduced as follows.
Gaussian noise adding: Add an independent and identically distributed additive Gaussian noise with expectation and standard deviation to the data according to the probability . This method is a straightforward and basic way to improve the robustness of the model, which is to add random noise to the training data.
Dropout change: Discard values of some random points in a series of data according to the probability and set the corresponding point value to the value of the previous point of the dropout point, which can imitate the loss of random points in practice.
Crop change: Crop the subsequence with a randomly specified number of subcarriers according to probability . To ensure consistent model input data format, the data are adjusted to a fixed length by linear interpolation. This method can imitate the loss of successive points in practice.
Drift change: Make data values randomly and smoothly drift away from their original values according to probability . The degree of offset is controlled by the maximum offset u and the number of offset points v.
TimeWarp change: Smoothly distort the time interval between samples according to probability . The TimeWarp change can be used to change the temporal position of the samples.
Based on our real training data collected from a camera, Figure 5 shows the effects of the five data augmentation methods used in our work. Figure 5a shows the raw phase data of 36 consecutive packets for the subcarrier with index
.
Figure 5b shows the effect after applying an additive Gaussian noise with
and
to the raw phase.
Figure 5c shows the effect after randomly dropping out the points in the raw phase and setting the corresponding point value to the value of the previous point of the discarded point. Figure 5d demonstrates the effect of expanding the subsequence to the raw sequence length using linear interpolation after randomly cropping a subsequence from packet 30 to packet 35 for the raw phase. Figure 5e shows the effect after random drifts of the raw phase. Figure 5f shows the effect of smoothing the raw phase with time warping. From Figure 5, we can see that the sample diversity can be largely increased by the five data augmentation methods, and the number of samples is also increased.
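Data expansion and three of the five augmentations described above (Gaussian noise, dropout, crop), as an added Python example that is not the authors' code. Applying noise and crop once per sample and dropout once per point, the probabilities used in `build_training_samples`, and all function names are assumptions; the input is a constructed per-packet phase trace for one subcarrier.

```python
import math
import random


def sliding_windows(series, window, stride):
    """Data expansion: each run of `window` consecutive packets is one sample,
    and the window advances by `stride` packets each time."""
    if window <= 0 or stride <= 0:
        raise ValueError("window and stride must be positive")
    return [series[i:i + window]
            for i in range(0, len(series) - window + 1, stride)]


def add_gaussian_noise(series, p, mu, sigma, rng):
    """With probability p, add i.i.d. Gaussian noise N(mu, sigma) to every point."""
    if rng.random() >= p:
        return list(series)
    return [x + rng.gauss(mu, sigma) for x in series]


def dropout(series, p, rng):
    """Drop each point (except the first) with probability p and replace it
    with the value of the previous point, imitating lost random points."""
    out = list(series)
    for i in range(1, len(out)):
        if rng.random() < p:
            out[i] = out[i - 1]
    return out


def crop_and_resize(series, start, length):
    """Crop series[start:start+length] and stretch it back to the original
    length by linear interpolation, so the model input size stays fixed."""
    sub = series[start:start + length]
    n = len(series)
    if len(sub) < 2 or n < 2:
        raise ValueError("need at least two points to interpolate")
    out = []
    for j in range(n):
        pos = j * (len(sub) - 1) / (n - 1)   # position inside the crop
        lo = int(pos)
        hi = min(lo + 1, len(sub) - 1)
        frac = pos - lo
        out.append(sub[lo] * (1 - frac) + sub[hi] * frac)
    return out


def build_training_samples(series, window, stride, copies, rng):
    """Expand with a sliding window, then add `copies` augmented variants of
    every window. Probabilities and noise level below are assumed values."""
    samples = []
    for win in sliding_windows(series, window, stride):
        samples.append(list(win))
        for _ in range(copies):
            aug = add_gaussian_noise(win, 0.5, 0.0, 0.05, rng)
            aug = dropout(aug, 0.1, rng)
            if rng.random() < 0.5:
                length = rng.randint(2, window)
                start = rng.randint(0, window - length)
                aug = crop_and_resize(aug, start, length)
            samples.append(aug)
    return samples


# Constructed sample, not measured data: phase of one subcarrier over
# 36 consecutive packets.
CONSTRUCTED_PHASE = [0.8 + 0.02 * math.sin(i / 3) for i in range(36)]

if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the run is repeatable
    samples = build_training_samples(CONSTRUCTED_PHASE, 12, 4, 2, rng)
    print("windows:", len(sliding_windows(CONSTRUCTED_PHASE, 12, 4)))
    print("samples after augmentation:", len(samples))
```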
3.2.2. Swin-Transformer-Based Authentication Module
Although we have constructed a robust training dataset after the operations of data preprocessing, data expansion, and data augmentation, a lightweight and effective authentication method is needed. It should extract effective characteristics from the dataset automatically to perform fast and robust access authentication. In 2021, researchers proposed Swin-Transformer [9]. Swin-Transformer uses a hierarchical Transformer structure with a shift-based self-attentive mechanism of non-overlapping windows, which gives Swin-Transformer a faster computational speed and more flexible modeling capabilities. In this paper, we use Swin-Transformer as the backbone network to train the terminal class classifier. With the powerful feature extraction capability of our Swin-Transformer-based authentication module (STAM), we are able to extract multiple hardware features from the CSI as device fingerprints. The overall architecture of STAM is shown in Figure 6. We introduce the details of our careful design of input, multi-characteristics extraction, and output classification in STAM.
Input of STAM. The input of STAM can be considered as two “pictures” of length H, width W, where W denotes the number of valid subcarriers and H denotes the number of packets. Based on Section 3.2.1, we can see that W is 52. H can directly affect the speed and accuracy of access authentication. Intuitively, a larger H can provide more information to gain a more accurate classification and authentication but more collecting time and data processing time for a specific classification scheme are required.
denotes the amplitude collected from the
CSI subcarrier extracted from the
packet, where
and
.
denotes the phase collected from the
CSI subcarrier extracted from the
packet. Therefore, the size of input is W × H × 2.
Multi-characteristics extraction of STAM. As shown in Figure 6, the input first passes through the block partitioning layer, which splits every “picture” into “sub-pictures” of size
. Every sub-block contains one “sub-picture” of amplitude and one “sub-picture” of phase. Consequently, each sub-block has a dimension of
. Each sub-block is then projected to dimension C through a linear embedding layer, thus the output size of this layer becomes
. The STAM backbone consists of four stages, with stages 1, 2 and 4 containing two blocks and stage 3 containing six blocks. After the Swin-Transformer layer and the block merge layer in stage 1, the sub-block size increases by
times, and the sub-block dimension is converted to
. Both stage 2 and stage 3 contain a Swin-Transformer layer and a block merge layer as stage 1, both of which increase the sub-block size of the previous stage by a factor of 4 and expand the sub-block dimension by a factor of 2. The output dimension of stage 3 is
and stage 4 contains only the Swin-Transformer layer without changing the dimension. We collect the CSI samples and classification of every legal terminal in our training data. Their effective multi-characteristics with unique and unforgeable hardware defect information can be captured and recorded in the Swin-Transformer layers after offline training using supervised learning.
Output classification of STAM. The final output is classified by a multilayer perceptron after the average pooling layer. Because our training dataset has samples of all legal terminals, if a terminal is not in our training data, the output will label it as illegal. In this case, it will be denied access to the network. Otherwise, it is labeled as legal and allowed to access the network. Moreover, if it is labeled as legal, STAM also outputs its specific classification. An example of the output is illustrated in Table 1.
The number of packets H is the key factor affecting the speed of access authentication [27]. If a classification scheme can extract more effective information from fewer packets, it will achieve faster classification while maintaining high accuracy. Benefiting from its robust multi-characteristics extraction capability, STAM needs two orders of magnitude fewer packets than the previous studies [26, 27, 28] to obtain equal or more accurate authentication, based on the extensive evaluations in Section 4. This enables our UTAA model to largely reduce the authentication delay for a single terminal.
3.3. End-Edge-Cloud Cooperative Authentication Task Scheduling
Though the UTAA model optimizes the authentication delay of a single terminal, the authentication response time overhead for a vehicle charging network system with massive terminal access is still extremely heavy. To alleviate the authentication pressure, the authentication task can be delivered to the center cloud nodes, which have sufficient computing and storage resources for processing. However, center cloud nodes are few in number and far away from the terminal, so it is difficult for them to process numerous dynamic authentication requests in real time. Edge nodes, in contrast, are numerous and close to the terminal, but they have difficulty handling highly concurrent authentication tasks because of their limited computing and storage resources. To provide efficient authentication services for the vehicle charging network system, we therefore consider a distributed end-edge-cloud collaborative solution that combines the advantages of cloud nodes and edge nodes. By dynamically offloading the authentication task to appropriate nodes, our solution is able to minimize the global authentication response time overhead.
To dynamically solve the optimal authentication task scheduling scheme, we model the end-edge-cloud collaborative solution in advance. As illustrated in
Figure 1, we consider a trusted access authentication architecture consisting of a set of terminals
that initiate authentication requests, a series of edge nodes
with certain computing resources, one remote cloud node
c with sufficient computing resources, and local computing node
l in a vehicle charging network system.
Each edge node , cloud node c, and local node l are deployed with the UTAA model for authenticating whether the terminal is trusted. Only trusted terminals are allowed to access. Accordingly, we mathematically formulate the problem of minimizing the authentication response latency and solve it based on the A2C algorithm. Details are as follows.
3.3.1. Task Scheduling Decision
The authentication tasks that cannot be executed by the local node
l in the vehicle charging network system will be transmitted to the network operator. At each time slot
t, the network operator should decide which external node should be used (i.e., edge node
or cloud node
c) to schedule the trusted authentication task. For ease of notation, we use
to denote all computation nodes (i.e., edge nodes
, cloud node
c, and local node
l), and
to indicate each computation node. Then, the computation capacities of each computation node
i can be represented by
. To indicate the authentication task scheduling decision of terminal
at time slot
t, we introduce a binary variable
. Specifically,
if the authentication task initiated by
n is offloaded to the external computation node for executing. In addition,
if the authentication task is executed by the local node
l. Accordingly, we obtain the following constraints:
3.3.2. Transmission Delay
Since authentication tasks need to be transmitted to an edge node e or cloud node c, transmission delay will inevitably occur when the authentication task is executed by an external node. Specifically, a vehicle charging network system transmits terminal n’s authentication task to the external computing node through a wireless channel using general OFDM technology. In addition, there is no transmission process if the authentication task is executed by local node l. We denote the average noise power of wireless channel interference as
, the power to transmit the authentication task as
, and channel power gain which can be predicted by the network operator as
. Then, according to the Shannon formula, the wireless transmission rate
between terminal n and computing node i when the average link bandwidth is B can be expressed as:
Assuming that the size of terminal
n’s authentication task transmitted by a vehicle charging network system to the computing node
i is
, then the transmission delay
at time slot
t can be expressed as:
3.3.3. Authentication Delay
To respond quickly to the massive authentication requests, we consider that the terminal
n’s authentication tasks can be scheduled to different external nodes
for execution. In this case, the total authentication response delay includes not only the transmission delay
, but also the authentication delay
for executing terminal
n’s authentication tasks by UTAA models deployed on local node
l and each external node
i. According to the UTAA model described in
Section 3.2, the authentication delay
mainly contains the time overhead caused by data preprocessing and terminal legitimacy identification based on the Swin-Transformer. The time overhead caused by these two procedures is proportional to the total number of terminals
N in the vehicle charging network system. Using
to indicate the computational requirements that are related to the total number of terminals
N, and
to indicate the allocated computing resources for terminal
n at computation node
i, then the authentication delay
at time slot
t can be expressed as:
3.3.4. Objective Function
In order to quickly respond to the authentication requests of large-scale terminals in the vehicle charging network system, our goal is to minimize the global authentication response latency that contains transmission delay
and authentication delay
. Let
and
represent the weights of transmission delay
and authentication delay
, respectively, then the objective function of our optimization problem can be expressed as:
where constraint
restricts that the authentication task scheduling decision is a binary vector with values 0 and 1, that is, the authentication task is either executed by a local node or by an external node. Constraint
restricts that terminal
n’s authentication task can only be executed by one computing node
i at time slot
t. Using
to denote the total computational power of computing node
i, constraint
restricts that the allocated computing resources for terminal
n at computation node
i cannot exceed the total computational power of computing node
i.
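The delay model and constraints of Sections 3.3.2 to 3.3.4 can be exercised numerically; the following is an added example, not code from the paper. It assumes the usual forms (transmission delay = task size / Shannon rate, authentication delay = required cycles / allocated cycles per second), equal weights of 0.5, a fixed per-task resource share, hypothetical field names, and constructed sample values, and it uses a greedy baseline rather than the paper's A2C scheduler.

```python
import math

def shannon_rate(bandwidth_hz, tx_power_w, gain, noise_w):
    """Wireless rate in bit/s from the Shannon formula: B * log2(1 + p*g / noise)."""
    return bandwidth_hz * math.log2(1.0 + tx_power_w * gain / noise_w)

def response_delay(task, node, w_tx=0.5, w_auth=0.5):
    """Weighted response delay of one authentication task on one node.
    Assumed forms: T_tx = size / rate, T_auth = required cycles / allocated cycles per s."""
    if node["local"]:
        t_tx = 0.0  # no transmission when the local node l runs the task
    else:
        rate = shannon_rate(node["bandwidth_hz"], task["tx_power_w"],
                            node["gain"], node["noise_w"])
        t_tx = task["size_bits"] / rate
    share = node["capacity"] / node["max_tasks"]  # computing resources allocated per task
    return w_tx * t_tx + w_auth * (task["cycles"] / share)

def greedy_schedule(tasks, nodes):
    """Give every task exactly one node, lowest delay first, within each node's capacity."""
    load = {name: 0 for name in nodes}
    decision, total = {}, 0.0
    for tid, task in tasks.items():
        # Capacity constraint: shares allocated on a node may not exceed its total power.
        free = [n for n in nodes if load[n] < nodes[n]["max_tasks"]]
        if not free:
            raise RuntimeError(f"no computing resources left for task {tid}")
        best = min(free, key=lambda n: response_delay(task, nodes[n]))
        load[best] += 1
        decision[tid] = best  # one node per task, i.e. a one-hot decision row
        total += response_delay(task, nodes[best])
    return decision, total

# Constructed sample values (not from the paper): local node, one edge node, cloud node.
NODES = {
    "l":  {"local": True,  "capacity": 2e9,  "max_tasks": 1},
    "e1": {"local": False, "capacity": 8e9,  "max_tasks": 2,
           "bandwidth_hz": 1e6, "gain": 1.5e-8, "noise_w": 1e-9},
    "c":  {"local": False, "capacity": 64e9, "max_tasks": 8,
           "bandwidth_hz": 1e6, "gain": 1e-9, "noise_w": 1e-9},
}
TASKS = {f"t{k}": {"size_bits": 1e6, "cycles": 2e9, "tx_power_w": 1.0}
         for k in range(1, 5)}

if __name__ == "__main__":
    decision, total = greedy_schedule(TASKS, NODES)
    print(decision, round(total, 3))
```

With these values the edge node is the fastest choice until its two shares are used, after which tasks spill to the local node and then to the distant cloud node.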
3.3.5. A2C-Based Authentication Task Scheduling Algorithm
To solve the objective function and cope with the dynamic authentication requests in a vehicle charging network system, we propose a task scheduling algorithm based on A2C reinforcement learning. The optimal scheduling policy that minimizes the objective function is learned by the agent (i.e., the network operator in the remote cloud) through interacting with the environment over time. Specifically, we have:
- (1) State space: The state space of this algorithm can be defined as , where the represents the scheduling decisions at the last time slot.
- (2) Action space: The action space is defined as . As a matrix, ’s rows denote a set of terminals , and ’s columns indicate a series of computation nodes (i.e., E edge nodes, one cloud node, and one local node).
- (3) Reward: Since the objective is to minimize the total authentication delay, the total accumulated reward can be defined as , where means the discount factor.
According to A2C reinforcement learning, the agent that learns authentication task scheduling will introduce two neural networks to approximate
actor and
critic, respectively. Specifically, the actor with parameter
maintains a policy function
to control the authentication task scheduling action. By estimating the value function
, the critic with parameter
can evaluate the pros and cons of a given state of the actor. Based on each of the critic’s evaluation results, the actor will continuously update the policy function
. The gradient update formula of the policy function
can be expressed as:
where
is the learning rate,
is the policy gradient that controls the direction of parameter updates,
indicates “advantage”, and
means the advantage of action
at state
. Details of the proposed solution for optimizing the global access authentication time are described in Algorithm 1. Specifically, the operator agent first selects a scheduling decision
for authentication tasks each time according to actor policy. Then, the actor executes the
to obtain the authentication latency
, while the critic computes the advantage function
based on the
over time, and evaluates the policy. Finally, the parameters
and
will be updated until the optimal task scheduling policy is obtained. A detailed flowchart of the algorithm operation is shown in Appendix B.
Algorithm 1 A2C-based Task Scheduling Algorithm
1: Input: , , , B, ;
2: Output: scheduling decisions , global access authentication response time ;
3: Initialization: , , number of training iterations , number of time steps in each episode .
4: End initialization
5: for do
6:   for do
7:     for do
8:       Select authentication task scheduling decision from policy ;
9:       Execute authentication task scheduling decision and observe the state at next time slot and reward ;
10:     end for
11:   end for
12:   Evaluate the policy by advantage function ;
13:   Update network parameters and .
14: end for
5. Conclusions and Discussion
In this paper, we proposed a robust and lightweight trusted access authentication solution for terminals in a vehicle charging network system. By well-designed device fingerprint extraction and End-Edge-Cloud Collaborative fingerprint identification, our solution effectively addresses the difficulty of real-time unified authentication for large-scale heterogeneous terminals faced by the system. This will contribute to the security of the Internet of Vehicles, which is under intense development. Moreover, although the solution in this paper is designed for vehicle charging networks, it can actually be applied to many other systems with similar challenges.
However, there are still shortcomings in our work. First, although our solution achieves high authentication accuracy, the Swin-Transformer network, with its large volume and many parameters, will inevitably lead to relatively high resource overhead. In response to this problem, we will further explore a lightweight trusted access scheme that can balance authentication accuracy and resource overhead. Second, a part of our dataset in this paper is obtained through data expansion and data augmentation. This improves data richness to some extent, but the effect is limited. Therefore, one of our future tasks is to collect more data from the real environment to build a more complete dataset.