**1. Introduction**

Authentication is an important function in security as it ensures that the identity of an entity is recognized by a system whose services the entity would like to access. Authentication is usually combined with other security functions like authorization where the entity, once authenticated, is authorized to access specific services or data. The verification of the identity can be implemented using different means including information known by the entity (e.g., login/password) based on what the entity is (e.g., biometric features). This information can be provided only once at the beginning of the interaction between the entity and the system or more than once either periodically or in a continuous way. The latter methods are considered more robust than one time login against external attacks because an attacker, who aims to impersonate the real entity, has to provide authentication information more than once, which is considerably more difficult [1,2]. On the other side, the request for an additional login/password after the initial login may negatively impact the usability of the human-machine interface [3]. In this context, the concept of continuous authentication has been mostly proposed in the literature for human authentication. It makes use of the physiological and behavioral biometrics using built-in sensors and accessories. For example, the research results in the literature have proven that persons can be uniquely identified by the way they use mobile devices [1,4], they type on a keyboard [5] or perform different activities. Details on the literature results are provided in the following paragraphs.

Continuous authentication can be performed in the application scenarios where the entity must access services to the system for a considerable amount of time and where the biometrics information can be collected from the authentication system. For example, smart city application scenarios could benefit from this approach [6]. Various techniques to implement continuous authentication for persons have been proposed and validated by the research community in recent times. While continuous authentication has been researched for human beings in recent years, there has been limited attention to other entities especially in the transportation domain (e.g., a study on the identification of transport modes rather than transport vehicles is Reference [7]). Details on the existing related work are presented in Section 2.

#### *Our Contribution*

This paper proposes a proof of concept on the application of the continuous authentication technique (used in the literature to identify human beings) to the road transportation domain and more specifically to the problem of device identification where the device is actually a vehicle (i.e., a car in this paper). This paper investigates the possibility of authenticating a car on the basis of its "biometrics" derived from the way the car responds to the irregularities (e.g., potholes, bumpers) of the road surface. The rationale is that the components (e.g., bumpers) of different cars provide a different response to the same segment of the road surface. Such responses can be evaluated by using the digital output provided by Inertial Measurement Units (IMU) and its components (e.g., accelerometers, gyroscope) installed in a car in a similar way that continuous authentication is implemented for human beings using wearable sensor or smartphones (which also contain IMUs). This paper presents the evaluation results for the application of techniques derived from the literature on continuous authentication. In particular, two different approaches are compared both from an identification accuracy and an execution time point of view. The results presented in this paper show that each vehicle can be uniquely identified with high accuracy by the analysis of the data collected by Inertial Measurement Unit (IMU) accelerometers and gyroscopes while the car is driving. To the knowledge of the authors, it is the first time that the concept of continuous authentication is applied to vehicles (i.e., car).

A potential scenario for the use of continuous authentication of vehicles (or cars as the two terms will be used with the same meaning in the rest of this paper) is based on Intelligent Transport Systems (ITS) applications, where the authentication of the vehicle is needed a number of times during the vehicle trip like "insurance as you drive" or electronic tolling. The continuous authentication can complement (as multi-factor) authentication based on cryptographic means or replace it when the set-up of a Public Key Infrastructure (PKI) is too costly or complex to achieve. Then, the motivation of the paper is to propose a different form of device (i.e., the car) identification and authentication when a cryptographic mean cannot be applied or in case of the compromise of the cryptographic system (e.g., PKI) and the presence of an invalid cryptographic information (e.g., certificate) in the vehicle. In other words, this approach can be applied in all the cases where a cryptographic mean is not available, either because it is not implemented or because it has been compromised. The authors agree that, in the majority of the cases, a cryptographic solution is the primary solution because of its proven effectiveness. In addition, it can be noted that there are also examples of regulations for commercial vehicles were data is manipulated and tampered even if the cryptography authentication is not compromised [8]. Because the form of authentication described in this paper is based on the data analysis, it can mitigate such issues. The proposed approach is based on the consideration that modern vehicles are increasingly equipped with a variety of sensors including IMU, which are used for a variety of purposes but mostly to improve transportation comfort and driveability [9]. Many authors have also proposed the use of smartphones mounted in the vehicle for easier accessibility to the data generated by the built-in IMU [10].

The deployment scenario is similar to the continuous authentication of a human-using behavioral metric. In an initial training phase, data samples are acquired through remote communication by an entity external (e.g., a cloud application) to the vehicle. Then, discriminating features are identified and extracted from the data. In a subsequent phase, an authentication system (either based on the same cloud application or connected to it) uses a smaller data subset and compares it against the training model for identification. The two key performance metrics are (a) the identification accuracy and (b) the processing time for authentication, which is proportional to the amount of the data, which must be processed. Because IMU data ca have hundreds of samples per second, a dimensionality reduction is necessary, while preserving the identification accuracy. In this paper, we used professional IMUs to record the data (while driving) originating from accelerometers and gyroscopes with high sample rates. In the subsequent analysis, the sampling rate is decreased to the rate commonly used by mass market smartphones.

In this initial study, the focus is to investigate the capability of authenticating the vehicle (i.e., car) in similar conditions and on the same road surface. In a practical application of this concept, different variables can influence the classification accuracy including the driver, different loads in vehicle (number of passengers), aging of the vehicle (e.g., tyre consumption) and different environmental conditions (e.g., rain, sunny weather). Each of these variables can influence the application of the method, but it is important to investigate the impact of each variable independently starting from a baseline. We also note that there is already an extensive literature on the identification of the driver and his/her driving style based on data collected by accelerometers (see References [7,11]) and it was not the intention to repeat such specific analysis here. Then, the focus of this paper was to establish a baseline where the most effective continuous authentication methods could be identified in a quantitative way. Future developments will evaluate the impact of each of the variables (see also Conclusions section).

The structure of this paper is as follows: Section 2 provides an overview of the related work on continuous authentication in all domains, authentication of vehicles and on the use of IMU to collect behavioral statistics in ITS. Section 3 describes the materials used in the experimental work. Section 4 describes the adopted methodology to collect the data and to perform the authentication. Section 5 provides the results of the implementation of the authentication where the impact of different hyper-parameters was quantitatively evaluated. Section 6 summarizes and discusses the key findings from the results and identify potential future developments.

## **2. Related Work**

A very recent (2019) survey [12] reviews the techniques for continuous authentication using Internet of Things devices. Another review provides an overview of the state of art on continuous authentication using mobile devices [1]. Both surveys are specific to the problem of continuous authentication of human beings on the basis of behavioral bio-metrics rather than explicit and single phase authentication mechanisms like the password, a Personal Identification Number (PIN), or a secret pattern on the display of the smartphone. Both reviews highlight the weaknesses of the traditional approaches and the advantages of the continuous authentication approach. For example, passwords or PINs can be forgotten or systems may be vulnerable immediately after the initial login. In addition, some authentication mechanisms require the implementation of sophisticated Public Key Infrastructure (PKI)s, which are also vulnerable to attacks. To overcome these issues, the biometrics and security research communities have developed techniques for continuous authentication on mobile devices [1]. Most of these methods make use of physiological and behavioral biometrics, using built-in sensors and accessories such as the gyroscope, touch screen, accelerometer, orientation sensor and pressure sensor, to monitor and authenticate the identity of the user.

In this review of the state-of-the-art, we focus specifically on continuous authentication based on accelerometers and gyroscopes as these components are also used in this paper for vehicle authentication. This type of continuous authentication is based on the concept of identifying the gait of a human being while s(he) is performing a specific activity like walking, running or lifting an object. The data needed to perform the continuous authentication are often measured using the built-in components of a smartphone like accelerometers. Once the raw data are collected and measured, discriminative features are extracted, which are then fed into a classifier to distinguish users. This is a similar approach used in this paper. Various approaches are used in the literature and it is quite common to use either (or both) time domain and frequency domain representations of the recordings of the accelerometers and gyroscopes data. For example, the authors in Reference [13] extract statistical features from sensor readings, which are then used for user classification using a Support Vector Machine (SVM) machine learning algorithm. The statistical features used in [13] are mean, standard deviation, kurtosis, skewness, entropy and so on, both in the time domain and in the frequency domain. Then, from the methodology point of view, the approach used in Reference [13] is very similar to this paper with the fundamental difference that this paper focuses on vehicle authentication, which is a novel approach in the literature. In a similar way, the authors in Reference [14] have used the accelerometer data from a smartphone attached to a pocket of a person while walking. Each step was the gait, which could be used for authentication. An important element in the methodology was the segmentation of the accelerometer recordings to identify the repeated steps. Then, the identified segments were fed to a SVM classifier. The issue that persons are walking at different speeds was mitigated using Dynamic Time Warping (DTW). The appropriate segmentation of the recordings and the different speeds of the entity is also a problem addressed in this paper. A similar approach was also used by the authors in Reference [15], where the main coefficients of the frequency domain transform (based on FFT) of accelerometers data of walking persons were used for person authentication. Instead of using the Fast Fourier Transform (FFT), the authors have applied the Wavelet transform in Reference [16] in the context of a similar scenario of the previous papers: person authentications through mobile phone built-in accelerometers. Another recent paper, which presents continuous authentication of human beings using accelerometers recordings is Reference [17] which focuses on passive and continuous user authentication by analyzing and recognizing the unique characteristics of the physical activity patterns of human beings. A number of statistical features were extracted from the sensors recording—mean, standard deviation, skewness, kurtosis, energy and entropy in the time domain and frequency domain. Then, three machine learning algorithms (e.g., SVM, Random Forests and Decision Trees) were used for classification and authentication. As we have described in this section, there is an extensive literature on continuous authentication of human beings using accelerometers and gyroscopes and extraction of statistical features. The novel approach presented in this paper is to apply the techniques described above for the continuous authentication of vehicles which has never been investigated in the literature.

Authentication of vehicles is mostly based on cryptography means [18] and it has been applied to various interactions between vehicles and specific applications like the vehicle to the electric grid infrastructures in Reference [19] or for C-ITS applications [20]. In many cases, the authentication and authorization process is standardized as in the case of C-ITS domain [21–23]. Various cryptographic architectures are proposed for vehicular networks including PKI or Identity-based cryptography.

The use of IMU and their digital output in ITS applications has received considerable attention in recent years thanks to the increasing computing power of smartphones and their built-in IMU. On the other side, no papers have used such data to implement the continuous authentication of vehicles. The focus has been mostly on the estimation of the driver style (e.g., aggressive) using data from accelerometers in Reference [24] or (in a similar way) the driving behavior as in Reference [25]. A paper that is mostly similar to ours is Reference [7] where the transport mode (e.g., vehicle, bicycle) is identified on the basis of the digital output from IMUs, while this paper focuses on the identification of the specific vehicle in a specific transport mode.

Then, we can conclude that the idea of using the concepts of continuous authentication of human beings to vehicle is rather novel and it will be comprehensively explored in the rest of this paper.

#### **3. Materials**

The goal of the experiment was to obtain cars' driving characteristics under comparable driving conditions. We planned an Experimental Lap (EL) (in the rest of this paper, the term EL and lap will be used with the same meaning) inside the Joint Research Centre (JRC) area with conventional road rules and realistic traffic. This lap had a length of 2065 m and average driving time of 182.5 s (see Figure 1). To collect the measurements, every car had to drive this lap for at least twenty times in a row with just a tiny stop between each other (from 2 to 10 s). We distinguish and label the three types of points on the EL as follows—Orientation Point (OP) (e.g., any kind of left or right turn that we later used to separate the smaller parts of the EL), Speed Bump (SB) (e.g., four big speed bumps spread through the EL) and Road Feature (RF) (any roughness on the surface of the road, such as speed bump or an asphalt joint). Examples of those points with their descriptions and Global Navigation Satellite Systems (GNSS) positions are in Table 1. The disposition of the points is also marked in the map of the EL (see Figure 1), the photo documentation of the most significant ones is shown in Figure 2 and a description of the most significant points with the related latitude and longitude is provided in Table 1. The EL starts at *OP*01 and continues in clockwise.

**Figure 1.** Map of the Experimental Lap (EL) with marked points and the most important segments.


**Table 1.** Description and GNSS position of points recognised in the EL.

For the IMU, we used the microelectromechanical system based motion tracker supplied by Xsens with the model number *MTi* − 100 − 2*A*8*G*4 (Xsens Technologies B.V., Enschede, The Netherlands). This sensor device is designed to measure the three axis acceleration and rate of turn in 2000 Hz sample rate and three axis magnetic field in 100 Hz sample rate. The IMU was mounted using a strong double

sided foam tape at the same spot and orientation for every car. For details see Figure 3. We decided to place the sensor on the top of car's dashboard in the middle of the car. No measuring tools were used and the alignment was fully empirical. The x-axis of the IMU was always pointing towards the driving direction and z-axis in the vertical direction. The car position was also recorded using the GNSS receiver with the antenna mounted on the car's roof. The set used for this experiment consisted of twelve different cars. The specifications of the vehicles are listed in Table 2 and the photo documentation of those cars is in Figure 4. The same driver and co-driver were present in every car during the experimental data collection (i.e., driving the car) to minimise the potential bias of the driver. We highlight that half of the used vehicles were of the same model (Panda Active). The choice of such datasets with a predominance of vehicles of the same model and brand was intentional. While, this aspect is not quite relevant in the continuous authentication of human beings (because each human being is unique), this aspect is quite relevant in device authentication as discussed in the related literature [26], where it is discussed how intra-model classification is more difficult than inter-model classification (because components of the same model are the same or similar). To clarify—intra-model classification is when the devices are of the same model and brand (e.g., mobile phones of brand/model Sony Experia or Fiat Panda as in this scenario), while inter-model classification is when devices are of a different brand and/or models. We wanted to target the most difficult problem of intra-model classification rather than inter-model. This is why we have used a majority of vehicles of the same brand and mostly of the same model.

**Figure 2.** Photo documentation of the most significant points detected on the EL.


**Table 2.** Order and specifications of used cars.

**Figure 3.** Alignment and orientation of IMU used during measurements.

**Figure 4.** Photo documentation of the cars set used in this paper.

#### **4. Methodology**

#### *4.1. Workflow*

A pictorial description of the methodology workflow is provided in Figure 5, where each step is described in detail in the following subsections.

**Figure 5.** Methodology workflow.
