GCP: Guarded Collaborative Perception with Spatial-Temporal Aware Malicious Agent Detection

To overcome the inherent limitations of single-agent perception systems, particularly their restricted field-of-view (FoV) and environmental occlusions, collaborative perception (CP) has emerged as a promising paradigm that leverages multi-agent data fusion to enhance perception comprehensiveness and accuracy [18, 19]. The evolution of CP systems has witnessed various fusion strategies, from early approaches like raw-data-level fusion [1] and output-level fusion [20], which faced significant challenges in communication overhead and perception quality due to their high bandwidth requirements and information loss, respectively, to more sophisticated intermediate-level feature fusion methods. Notable advances in intermediate fusion include DiscoNet [21], which employs a teacher-student framework to learn an optimized collaboration graph for efficient knowledge transfer, and V2VNet [22], which leverages graph neural networks for efficient neighboring vehicle information aggregation in dynamic traffic scenarios. Where2comm [4] further advances the field by introducing a confidence-aware attention mechanism that simultaneously optimizes communication efficiency and perception performance through selective information sharing. While these developments have improved performance-bandwidth trade-offs, they have exposed critical vulnerabilities in CP systems, particularly regarding robustness against adversarial attacks and system failures, which is the main focus of this paper.

The vulnerabilities in CP systems can be broadly categorized into systematic and adversarial challenges, each presenting unique threats to system reliability and safety. On the system front, inherent issues such as communication delays, synchronization problems, and localization errors have been addressed by recent works. CoBEVFlow [23] introduced an asynchrony-robust CP system to compensate for relative motions to align perceptual information across different temporal states, while CoAlign [24] developed a comprehensive framework specifically targeting at unknown pose errors through adaptive feature alignment. However, beyond these system challenges lies a more insidious threat, namely, adversarial vulnerabilities introduced by malicious agents within the collaborative system. These adversaries can compromise system integrity by injecting subtle adversarial noise into shared intermediate representations, potentially causing catastrophic failures in critical scenarios. Initial investigations by Tu et al. [14] demonstrated how untargeted adversarial attacks could compromise detection accuracy in intermediate-fusion CP systems through feature perturbation. Zhang et al. [13] advanced this research by incorporating sophisticated perturbation initialization and feature map masking techniques for more realistic, targeted attacks in real-world settings. Nevertheless, these attack methods lack sophistication in attack region selection and output perturbation constraints, making them potentially detectable by conventional defense mechanisms while highlighting the need for more robust security measures.

In response to emerging threats, the research community has developed various defensive strategies, primarily focusing on output-level malicious agent detection through hypothesis-and-verification frameworks, each offering unique approaches to system security. ROBOSAC [15] employs an iterative approach with Hungarian matching to achieve perception consensus among collaborators, systematically identifying and excluding potentially malicious agents from the collaboration process. MADE [16] enhances this concept by introducing a comprehensive multi-test framework that leverages both match loss and collaborative reconstruction loss to ensure robust consistency verification among perception results. Zhang et al. [13] further contribute to this effort by utilizing occupancy maps for discrepancy detection, providing an additional layer of security through spatial consistency checking. While these outlier-based detection methods show promise in identifying obvious attacks, they remain vulnerable to sophisticated attacks that produce subtle yet dangerous perturbations in CP outputs, particularly in scenarios involving coordinated malicious activities. Recent advances have begun exploring intermediate feature-level inconsistency detection to improve both efficiency and detection accuracy [17]. However, existing approaches generally overlook the temporal dimension of collaborative messages and assume simplified intrusion models, limiting their effectiveness against advanced persistent threats. To address these limitations, we propose a comprehensive defense framework that considers both spatial and temporal aspects of malicious agent detection, offering a more robust and complete solution to the security challenges in CP systems.

Consider a scenario with $N$ CAVs, where the CAV set is denoted as $\mathcal{N}$. CAVs exchange collaboration messages with each other, and each CAV can maintain up to $K$ historical messages from its collaborators. For the $i$-th CAV, we denote its raw observation at time $t_{i}$ as $\mathbf{O}_{i}^{t_{i}}$, and use $\Phi_{\mathtt{{enc}}}^{i}$ to represent its pre-trained feature encoder that generates intermediate feature map $\mathbf{F}^{t_{i}}_{i}=\Phi_{\mathtt{{enc}}}^{i}(\mathbf{O}_{i}^{t_{i}})$. The collaboration message transmitted from the $m$-th CAV to the $i$-th CAV at time $t_{i}$ is denoted as $\mathbf{F}_{m\rightarrow i}^{t_{i}}$. Based on the received messages at current timestamp and historical $k\ (0\leq k\leq K)$ timestamps, the $i$-th CAV uses a feature aggregator $f_{\mathtt{{agg}}}^{i}(\cdot)$ to fuse these feature maps and adopts a feature decoder $\Phi_{\mathtt{{dec}}}^{i}(\cdot)$ to get the final CP output, which is expressed as:

where $\mathbf{Y}_{i}^{t_{i}}$ is the CP result of the $i$-th CAV at time $t_{i}$. There are two important notes in terms of the formulation described in Eq. 1: i) the times $t_{i-1},t_{i-2},\cdots,t_{i-k}$ are not necessary to be equally distributed, and the time intervals between two consecutive times can be irregular. ii) When the length of historical times $k$ equals 0, the $i$-th CAV outputs the CP results without referring to the temporal contexts of messages of collaborative CAVs, which degrades to the settings used in most existing works like ROBOSAC [15] and MADE [16].

The CP framework defined in Section III-A becomes vulnerable when malicious agents exist among the collaborative CAVs. At time $t_{i}$, we denote the set of malicious agents as $\mathcal{M}_{t_{i}}\subseteq\mathcal{N}$. We assume that malicious agents can request and transmit collaborative messages to benign agents before being identified, and their adversarial messages follow a specific time distribution $\mathcal{D}$ (detailed in Section V-A). Once the victim CAV recognizes the malicious agents at a certain frame, it will discard the received messages from those malicious agents and cut off the connections with them until the next frame starts. Meanwhile, the malicious agents are assumed to have white-box access [25] to the model parameters since all agents in the CP system must share the same model architecture to enable feature-level cooperation. The malicious agents attack the CP system by transmitting perturbed feature maps to the victim CAV, resulting in its perception degradation. A general attack procedure can be described as follows.

1. 1.

   Observation Encoding: Each malicious agent encodes its raw observation at time $t_{j}$ into an initial feature map $\mathbf{F}^{t_{j}}_{j}=\Phi_{\mathtt{{enc}}}^{j}(\mathbf{O}_{j}^{t_{j}})$, preparing to combine with adversarial perturbations.

2. 2.

   Perturbation Generation: In general cases, the malicious agents generate perturbations [26, 27] by multi-step iterations, aiming to maximize the distance between CP results and ground truth (GT) while ensuring the input perturbation amplitude is lower than a certain value (using local prediction if GT is not available), which is represented by:

   $\displaystyle\operatorname*{arg\,max}_{\delta}\mathcal{L}(\mathbf{Y}_{\delta}^{t_{j}},\mathbf{Y}_{\mathtt{gt}}^{t_{j}}),\quad\mathtt{s.t.}\quad\|\delta\|\leq\Delta_{i},$

   (2)

   where $\delta$ is the perturbation, $\Delta_{i}$ is the maximum allowable input perturbation amplitude, $\mathcal{L}(\cdot)$ is the Loss function, $\mathbf{Y}_{\delta}^{t_{j}}$ and $\mathbf{Y}_{\mathtt{gt}}^{t_{j}}$ represent the perturbed CP results and the ground truth at time $t_{j}$, respectively. However, single-shot outlier-based detection can easily identify this general perturbation generation. Section III-C introduces a more elaborated attack targeted at CP systems.

3. 3.

   Attack Triggering: After multi-step iterations, the malicious agents generate intricately optimized perturbation and send it to the victim agent. Without defense, the victim agent will incorporate this adversarial message into the fusion based on Eq. 1, yielding attacked CP results with low accuracy.

For previous outlier-based methods like ROBOSAC [15] and MADE [16], the core idea is to check the spatial consistency between ego CAV and CP outcomes. However, they only clip the perturbation at the input level, and the output detection errors are significant and randomly distributed, which can be easily detected by outlier-based defense methods. Intuitively, we want to emphasize that a good attack targeted at the CP system should satisfy two conditions: (i) both the input and output perturbation should not exceed a certain level; (ii) the output perturbation should be more distributed in the regions where the victim vehicle (i.e., agent or CAV) is less sensitive so that the victim vehicle can hardly discern whether the unseen detections could benefit from collaboration or just fake ones. Following the above ideas, we design a novel blind area confusion (BAC) attack as shown in Figure 2. The steps are elaborated below.

Message Request. Following our threat model, a malicious CAV $i$ can participate in the CP system before being identified. During this initial phase, it masquerades as a benign agent to establish communication with the victim’s ego vehicle. Specifically, the malicious CAV requests feature messages $\mathbf{F}_{e\rightarrow i}^{t_{k}}$ from the victim’s ego agent at timestamp $t_{k}$. These messages contain valuable information about the victim’s perception capabilities and limitations, which will be exploited in subsequent attack stages. Note that in our low frame rate setting (e.g., 10 FPS), the attack generation and feature fusion can be completed within the same frame, eliminating the need for temporal prediction compensation that would be required in high FPS scenarios.

Differential Detection. After obtaining a victim’s messages, the malicious CAV $i$ performs a comparative analysis between independent and CP results to infer the victim’s blind spots. The malicious CAV first generates two types of perception results: single perception $\mathbf{Y}_{s}^{t_{k}}=\Phi_{\mathtt{{dec}}}^{i}\left(\mathbf{F}_{e\rightarrow i}^{t_{k}}\right)$ using only the victim’s transmitted features, and CP $\mathbf{Y}_{c}^{t_{k}}=\Phi_{\mathtt{{dec}}}^{i}\left(f_{\mathtt{{agg}}}^{i}\left(\mathbf{F}_{i\rightarrow i}^{t_{k}},\mathbf{F}_{e\rightarrow i}^{t_{k}}\right)\right)$ using both local and the victim’s features. Let $\mathbf{Y}_{s}^{t_{k}}\cap\mathbf{Y}_{c}^{t_{k}}$ denote the matched bounding boxes between single and CP results. Based on this matching, the system partitions all detections into two categories: victim-only detections $\mathbf{Y}_{vic}^{t_{k}}=\mathbf{Y}_{s}^{t_{k}}$ (marked in purple), and non-victim detections $\mathbf{Y}_{nvic}^{t_{k}}=\mathbf{Y}_{c}^{t_{k}}\setminus(\mathbf{Y}_{s}^{t_{k}}\cap\mathbf{Y}_{c}^{t_{k}})$ (marked in blue). This differential detection process reveals the spatial distribution of the victim’s unique detections, providing crucial insights into its perception strengths and potential blind spots, which form the foundation for subsequent targeted perturbation generation.

Blind Region Segmentation. The differential detection map is processed through an adaptive region growing algorithm to partition the BEV detection map into confident area (CA) and blind area (BA), as shown in Algorithm 1. The algorithm first uses $Cluster()$ to determine the victim grid $e$ by finding the grid point with the minimum total distance to all victim-detected objects, establishing a perception-centric coordinate system. It then initializes seed grids from $\mathbf{Y}_{vic}^{t_{k}}$ as CA seeds (value 1) and $\mathbf{Y}_{nvic}^{t_{k}}$ as BA seeds (value -1). When $\mathbf{Y}_{nvic}^{t_{k}}$ is empty, which occurs in limited perception range scenarios, the grid farthest from $e$ is selected as the BA seed to reflect natural perception degradation with distance. The region growing process utilizes two priority queues ($\mathbf{Q}_{ca}$, $\mathbf{Q}_{ba}$) to manage confident and blind area expansion. The $GetNeighbors()$ function implements an adaptive neighbor selection mechanism:

where $Dist(s,e)$ computes the Euclidean distance between grid $s$ and victim grid $e$, $D_{norm}=\sqrt{H^{2}+W^{2}}$ is the normalization factor based on BEV detection map dimensions (height $H$ and width $W$), $K_{base}=6$ establishes a hexagonal-like growth pattern, and $\gamma_{d}=0.3$ controls the decay rate. This distance-adaptive design ensures denser expansion near the victim and sparser expansion in distant regions, naturally modeling spatial perception reliability [28]. The algorithm expands both regions simultaneously through $Queue.Pop()$ (which removes and returns the next grid point from the front of the queue) and $Queue.Append()$ (which adds a new grid point to the end of the queue) operations. The initial queues $\mathbf{Q}_{ca}$ and $\mathbf{Q}_{ba}$ are created using $Queue\{m\}$, which constructs priority queues containing all grid points $m$ that are labeled as confident area (1) or blind area (-1) respectively. These queue operations enable systematic breadth-first expansion of regions. As grid points are popped from either queue for processing, their unassigned neighbors receive the corresponding label (1 for CA, -1 for BA). They are appended to the appropriate queue for future expansion. The final binary mask $\mathbf{M}_{c}^{t_{k}}$ is created by converting BA labels (-1) to 0, yielding a binary representation where 1 indicates confident areas and 0 represents blind areas. This region-growing process naturally forms boundaries between different perception zones, effectively capturing the spatial characteristics of the victim’s perception capabilities.

Perturbation Optimization. BAC perturbation optimization aims to make the perturbation mostly distributed in the victim-blind area of the BEV detection map while adaptively controlling the perturbation magnitude. This optimization problem can be formulated as:

where $\mathcal{L}(\cdot)$ denotes the optimization loss function, $\mathbf{M}_{\delta}=\mathbf{1}-\mathbf{M}_{c}^{t_{k}}\{\mathbf{D}_{i}^{t_{k}}\{\mathbf{Y}_{\delta}^{t_{k}}\}\}$ is the inverted confidence mask, $\sigma(\cdot)$ is the sigmoid activation function, $|\cdot|$ computes element-wise absolute values, $\Delta_{i}$ bounds the input perturbation magnitude, $\Delta_{o}$ bounds the output perturbation magnitude, and $w_{\delta}$ is a positive weighting parameter.

This optimization formulation incorporates several innovative design principles for effective and stealthy attacks. First, instead of a simple loss function, it employs a weighted loss function where $\odot$ denotes element-wise multiplication. The weight $\mathbf{W}_{\delta}$ is carefully designed to guide the spatial distribution of perturbations, ensuring more targeted attacks. Second, the optimization adopts a dual-weight mechanism: the spatial guidance weight $\mathbf{M}_{\delta}$ directs perturbations towards the victim’s blind areas, while the adaptive suppression weight $\mathbf{S}_{\delta}$ automatically reduces weights when output perturbations become too large. The adaptive suppression is implemented through a sigmoid function, which provides smooth transitions when the prediction deviates from the ground truth beyond the threshold $\Delta_{o}$. This design ensures that the attack remains effective while avoiding generating easily detectable anomalies. Additionally, the input perturbation magnitude is constrained by $\Delta_{i}$ to maintain physical feasibility and attack stealthiness. After the optimization, the malicious CAV $i$ incorporates the optimized perturbation $\delta_{bsi}$ into its intermediate BEV feature before transmission to the victim CAV.

In this paper, we propose a robust framework to guard CP systems through spatial-temporal aware malicious agent detection. As illustrated in Fig. 3, GCP operates through a dual-domain verification process. First, it computes a confidence-scaled spatial concordance loss by estimating confidence scores for each grid cell in the BEV detection map, evaluating the consistency between the ego CAV’s observations and messages from the $i$-th neighboring CAV at the current time slot. Second, it performs temporal verification by analyzing the past $K$ frames from both the ego CAV and the $i$-th neighboring CAV to generate a BEV flow map for low-confidence detections, employing an LSTM-AE-based temporal reconstruction to verify motion consistency. The framework culminates in a comprehensive spatial-temporal multi-test that combines both consistency metrics to make final decisions on malicious agent detection. The following sections (IV-B to IV-D) provide the detailed descriptions of these core components.

Existing spatial consistency checking methods typically compare the difference between the ego CAV’s perception and CP without considering the ego CAV’s varying perception reliability across different spatial regions. This indiscrimination could result in mistaking true blindspot detection complemented by other CAVs as malicious signals. This occurs because the ego CAV’s perception reliability naturally decreases in occluded areas and at sensor range boundaries [28]. When other CAVs provide valid detections in these low-reliability regions, traditional methods may incorrectly flag them as inconsistencies by failing to account for the ego CAV’s spatially varying perception capabilities. To address this limitation, we propose a novel confidence-scaled spatial concordance loss (CSCLoss) that incorporates the ego CAV’s detection confidence when checking messages from the $i$-th CAV at time $t_{k}$. Let $\mathbf{Y}_{e}^{t_{k}}$ denote the ego CAV’s detected bounding boxes and $\mathbf{Y}_{e,i}^{t_{k}}$ represent the collaboratively detected bounding boxes at timestamp $t_{k}$. We first construct a weighted bipartite graph between these two sets, where edges represent matching costs based on classification confidence and intersection-over-union (IoU) scores. Since $|\mathbf{Y}_{e}^{t_{k}}|$ may differ from $|\mathbf{Y}_{e,i}^{t_{k}}|$, we pad the smaller set with empty boxes to ensure the one-to-one matching. The optimal matching $\mathcal{O}\{\mathbf{Y}_{e}^{t_{k}},\mathbf{Y}_{e,i}^{t_{k}}\}_{n=1}^{N}$ is then obtained using the Kuhn-Munkres algorithm [29]. To compute the CSCLoss, we first estimate a spatial confidence map $\mathbf{C}_{e}^{t_{k}}$ using the ego CAV’s feature map $\mathbf{F}_{e\rightarrow e}^{t_{i}}$:

where $\Phi_{conf}(\cdot)$ is a detection decoder that generates confidence scores for each grid cell in the BEV map [4]. The CSCLoss is then calculated by combining the optimal matching and confidence map:

where $\mathbf{C}_{e}^{t_{k}(j)}$ is the confidence score for the grid cell containing bounding box $\mathbf{Y}_{e}^{t_{k}(j)}$, $c\in\mathcal{C}$ represents a prediction class, $\mathcal{M}(\cdot)$ computes the matching cost between two boxes:

where $p_{1}$ and $p_{2}$ are the class $c$ posterior probabilities for boxes $y_{1}$ and $y_{2}$, respectively, $z_{1}$ and $z_{2}$ are their spatial coordinates, and $\phi$ is a weighting coefficient. Typically, when temporal context is not applicable, a spatial anomaly can be assumed to be detected when $\mathcal{L}_{csc}$ exceeds a threshold $\alpha$.

Bird’s Eye View (BEV) flow [23] represents the consecutive motion vectors of detected objects across consecutive frames in the top-down perspective. By observing the flow of bounding boxes in the BEV space over time, we can capture the temporal dynamics and motion patterns of objects in the scene. For computational efficiency, we only perform temporal matching on two specific types of low-confidence BEV flows: (i) those with low detection scores from ego CAV’s own view, and (ii) ego CAV’s unseen detections that the collaborative agents complement. While temporal matching could be applied to all detected boxes, focusing on these low-confidence cases is particularly crucial as it is difficult for an ego CAV to judge whether they represent true objects or perturbations caused by malicious agents merely through single-shot spatial checks, especially when the added perturbation is subtle. To address this challenge, we utilize temporal characteristics to analyze their anomaly patterns. We first match the detected low-confidence bounding boxes of $\mathbf{Y}_{e,i}^{t_{k}}$ to those in the past $K$ frames $\mathbf{Y}_{e,i}^{t_{k-1}},\mathbf{Y}_{e,i}^{t_{k-K+1}},\cdots,\mathbf{Y}_{e,i}^{t_{k-K}}$. In the BEV detection map, each detected bounding box can be represented as a set of 4 corner points:

where $\{(x_{j}^{k},y_{j}^{k})\}_{k=1}^{4}$ represents the locations of 4 corners of bounding box $o_{j}$ in BEV detection map. Given the current-frame low-confidence bounding boxes set $\mathbf{O}_{e,i}^{t_{k}}\in\mathbf{Y}_{e,i}^{t_{k}}$, the ego CAV will generate BEV flow $\mathbf{I}_{e,i}^{t_{k}}$ by iteratively matching the bounding boxes in each historical frame. As shown in Algorithm 2, the matching process is a chain-based process, which means that we first find the best-matched bounding boxes $\mathbf{B}_{e,i}^{t_{k-1}}$ in $\mathbf{Y}_{e,i}^{t_{k-1}}$ for $\mathbf{O}_{e,i}^{t_{k}}$, then we keep searching for the best matched bounding boxes $\mathbf{B}_{e,i}^{t_{k-2}}$ in $\mathbf{Y}_{e,i}^{t_{k-2}}$ for $\mathbf{B}_{e,i}^{t_{k-1}}$, until the $K$-th frame has been matched. During this process, not all the bounding boxes in $\mathbf{O}_{e,i}^{t_{k}}$ in $\mathbf{Y}_{e,i}^{t_{k}}$ can be matched up to the $K$-th frame, we call the successfully matched bounding boxes as the candidate BEV flow $\mathbf{I}_{c}^{t_{k}}$. LSTM-AE is used to reconstruct it for further temporal consistency check. As for the unmatched BEV flow $\mathbf{I}_{u}^{t_{k}}$, they will result in additional time anomaly penalties. To maintain computational efficiency, we cache the historical matching chains for each tracked flow. This significantly reduces the computational complexity as previously established matches can be directly reused without re-computation, making the chain matching process highly efficient in practice. Note that consecutive $K$ frames are not always completely available for chain matching. There are two cases when the frame cache is not enough for chain matching.

• •

  Case 1: The ego CAV may have not collected up to $K$ frames of neighboring CAVs at the early stage. In this case, we only use spatial consistency to check the malicious agent until the cached messages are up to $K$ frames.

• •

  Case 2: Certain frames of neighboring CAVs have been identified as malicious messages and are thereby discarded. In this case, we use Kalman Filter (KF) [30] for interpolation (Please refer to Appendix A). We also set a maximum consecutive interpolation limit of $L$ to avoid the cumulative error. Once the consecutive interpolation frames exceed the limit $L$, all the cached frames will be refreshed.

For the generated candidate BEV flow, we further analyze their temporal characteristics based on the current and past $K$-frame messages from the $i$-th CAV. As shown in Fig 3, there are three key components of BEV flow reconstruction: LSTM encoder, LSTM decoder, and temporal reconstruction loss estimator.

LSTM encoder. Each candidate BEV flow $\mathbf{i}_{c}^{t_{k}}\in\mathbf{I}_{c}^{t_{k}}$ can be represented as $\mathbf{i}_{c}^{t_{k}}=[o_{k-K},o_{k-K+1},\cdots,o_{k}]^{\top}\in\mathbb{R}^{(K+1)\times 8}$, the LSTM encoder further encodes the high-dimensional input sequence into a low-dimensional hidden representation using the following equation:

where $\sigma_{o}(\cdot)=\sigma(w_{o}(\cdot)+b_{o})$ represents the output gate with activation function $\sigma(\cdot)$, weight $w_{o}$, and bias $b_{o}$. $H_{k-1}$ and $o_{k}$ represent the concatenation of the hidden state and the current input, respectively. $C_{k}$ represents the input gate calculated by:

where $\sigma_{f}(\cdot)$ is the forget gate, $\sigma_{g}(\cdot)$, $\hat{C}_{k}$, $C_{k}$ represent the input gate. The output vector will be repeated $K+1$ times to yield the final encoded feature vector:

where $M$ is the latent encoded feature dimension, $\Phi_{enc}^{lstm}\{\cdot\}$ is the LSTM encoding network model containing $M$ computation units following Eq. 9 to Eq. 11, and $\oplus$ represents the concatenation operation along the horizontal dimension.

LSTM decoder. The LSTM Decoder consists of a 3-layer network with $K$ LSTM cell units. Each LSTM cell processes each $\mathbb{R}^{1\times M}$ encoded feature. These LSTM units generate a $\mathbb{R}^{(K+1)\times M}$ output vector learned from the encoded feature, which is further multiplied with a $\mathbb{R}^{M\times 8}$ vector output by a TimeDistributed (TD) layer [31]. The TimeDistributed layer maintains the temporal structure by applying a fully connected layer to each time step output. Finally, the LSTM decoder generates a reconstructed vector $\hat{\mathbf{i}}_{c}^{t_{k}}$ with the same size as the input vector following:

where $\Phi_{dec}^{lstm}\{\cdot\}$ is the LSTM decoding network model, $\operatorname{\textbf{TD}}\{\cdot\}$ represents the TimeDistributed Layer funciton.

Temporal reconstruction loss estimator. To evaluate the loss between the input vector and output vector, we use Mean Absolute Error (MAE) as a metric, given by:

where $\hat{o}_{k-i}\in\hat{\mathbf{i}}_{c}^{t_{k}}$ is the reconstructed BEV flow vector at time $t_{k-i}$. The final temporal anomaly score is the sum of the candidate BEV flow reconstruction loss and the unmatched BEV flow penalty, given by:

where $\kappa_{p}$ is a constant penalty coefficient for the unmatched BEV flow.

To jointly utilize spatial and temporal anomaly results for malicious agent detection, we employ the Benjamini-Hochberg (BH) procedure [32, 16]. The BH procedure effectively controls the False Discovery Rate (FDR) - the expected proportion of false positives among all rejected null hypotheses, which is crucial in CP where false accusations can severely impact system reliability. For each CAV $i$ under inspection, we first compute a weighted combination of spatial and temporal scores:

where $\omega_{s}$ and $\omega_{t}$ are learnable weights. The BH procedure controls FDR through a step-up process that adapts its rejection threshold based on the distribution of observed p-values. Unlike traditional single hypothesis testing, the BH procedure maintains FDR control at level $\alpha_{bh}$ even under arbitrary dependencies between tests, making it particularly suitable for CP where agents’ behaviors may be correlated due to shared environmental factors or coordinated attacks. We formulate the hypothesis test $\mathcal{H}=\{\mathcal{H}_{0},\mathcal{H}_{1}\}$, where $\mathcal{H}_{0}:\mathcal{L}_{ST}\sim P_{normal}$ represents the null hypothesis that the combined score follows the distribution of normal agents, and $\mathcal{H}_{1}:\mathcal{L}_{ST}\nsim P_{normal}$ represents the alternative hypothesis. Since this distribution is typically intractable, we compute conformal p-values using the calibration set $\mathcal{S}$:

where $|\cdot|$ represents the cardinality of the set. Following the BH procedure, we sort the p-values in ascending order $\hat{p}_{(1)}\leq\hat{p}_{(2)}\leq...\leq\hat{p}_{(m)}$ for $m$ hypothesis tests. Let $j$ be the largest index satisfying:

Then, agent $i$ is classified as malicious when its p-value is less than or equal to $\hat{p}_{(j)}$, where $\alpha_{bh}$ controls the desired false detection rate.

Datasets. We conduct experiments using two data sets, namely, V2X-Sim dataset [2] and V2X-Flow dataset. V2X-Sim dataset is used for training and evaluating different CP models and CP defense methods, while V2X-Flow dataset is used for pre-training LSTM-AE in our GCP.

• •

  V2X-Sim Dataset. V2X-Sim [2] is a simulated dataset generated by the CARLA simulator [33]. The dataset contains 10,000 frames of synchronized multi-view data captured from 6 different connected agents (5 vehicles and 1 RSU), including LiDAR point clouds (32-beam, 70m range) and RGB images, along with 501,000 annotated 3D bounding boxes containing object attributes. The data is split into training, validation, and test sets with a ratio of 8:1:1.

• •

  V2X-Flow Dataset. To facilite the pre-training of LSTM-AE used in our GCP, we construct a V2X-Flow dataset based on V2X-Sim. We separate the annotations of the V2X-Sim dataset to generate the BEV flow of each bounding box using the chain-based BEV flow matching method mentioned in Section IV-C. The dataset split of V2X-Flow is the same as V2X-Sim.

Comparative results against different attacks. As shown in Table I, we evaluate our proposed GCP against various attack methods and time series modes on the V2X-Sim dataset. First, all defense methods demonstrate varying degrees of effectiveness compared to the no-defense baseline, which suffers severe performance degradation under all attack scenarios, especially for C&W attacks. While baseline methods show some defense capability, with MADE performing slightly better than ROBOSAC against conventional attacks (PGD, C&W, and BIM), they both exhibit significant vulnerability to our proposed BAC attack. Our proposed GCP consistently performs better across all attack scenarios and time series modes. For conventional attacks, GCP outperforms existing methods with consistent improvements (0.47%-0.79% in AP@0.5) across PGD, C&W, and BIM attacks. The advantage becomes more pronounced under our challenging BAC attack, where GCP significantly surpasses MADE and ROBOSAC by 12.64% and 8.53% in AP@0.5, respectively, while maintaining performance close to the upper bound with only 3.88% degradation. Across different time series attack modes (R-Mode, P-Mode, and S-Mode), GCP demonstrates consistent robustness, maintaining stable performance where baseline methods show varying degrees of degradation. These results validate the effectiveness of our spatial-temporal defense mechanism in handling diverse attack patterns in CP systems.