LLM-Orchestrated Multi-Layer Digital Twin Network for Cyber-Resilient Traffic Management
Modern connected traffic systems are increasingly vulnerable to cyberattacks capable of propagating rapidly across networked infrastructure, inducing unsafe signal states, traffic congestion, and emergency response delays. Existing anomaly detection approaches, including statistical thresholds, rule-based Automated Traffic Signal Performance Measures (ATSPM) and Signal Phase and Timing (SPaT) flags, and classical machine-learning methods such as Isolation Forest and one-class Support Vector Machines, operate on limited data modalities and cannot capture cross-layer cyber-physical interactions or operator intent, leaving critical detection gaps in complex attack scenarios. This project develops a distributed multi-layer digital twin (DT) network for urban traffic systems, enhanced by a large language model (LLM) for context-aware cyber anomaly detection. The framework mirrors physical traffic behavior, cyber infrastructure status, and operational decision processes across a corridor of 4–6 interconnected intersections, enabling early identification of unsafe and malicious events that threaten roadway safety. Each traffic unit is represented by coordinated Physical, Cyber, and Decision Layers: the Physical Layer models real-time mobility and safety conditions using ATSPM, SPaT/MAP data, and detector activity; the Cyber Layer mirrors controller firmware, communication telemetry, and roadside unit status; and the Decision Layer captures operator actions, timing plan updates, and agency-defined safety constraints. A customized transportation-aware LLM ingests both structured telemetry and unstructured logs to generate semantic feature embeddings that capture cross-layer and cross-node dependencies.
A hybrid neural anomaly detection engine integrates Temporal Convolutional Networks (TCNs) to learn evolving traffic and communication behaviors over time with Graph Neural Networks (GNNs) to capture spatial interactions and coordinated disruptions across interconnected intersections. This TCN–GNN architecture enables accurate recognition of both localized cyber intrusions and distributed corridor-level attacks. Detection performance is validated against controlled cyber-attack scenarios—including SPaT spoofing, firmware manipulation, and malicious timing-plan overrides—executed within the DT environment. Upon anomaly detection, the LLM generates actionable mitigation suggestions, such as isolating compromised controllers or reverting to safe fallback signal plans, which are evaluated within the digital twin to ensure that every recommendation supports operational safety, low latency, and service continuity. The 12-month effort proceeds in two phases: development and calibration of the distributed multi-layer DTs with LLM integration for context modeling, followed by anomaly detection training, validation, and mitigation evaluation. Target performance metrics include detection accuracy of at least 90%, false-positive rates below 10%, decision-support latency improvements of at least 30%, and safety metric improvements of at least 20%. The project delivers a pilot-ready prototype, detailed deployment guidelines, and an open software repository to accelerate adoption by transportation agencies.
Language
- English
Project
- Status: Active
- Funding: $90,000.00
- Contract Numbers: 69A3552348323
- Sponsor Organizations:
  Office of the Assistant Secretary for Research and Technology
  University Transportation Centers Program
  Department of Transportation
  Washington, DC United States 20590
- Managing Organizations:
  2400 6th Street, NW
  Washington, DC United States 20059
- Project Managers:
  Bruner, Britain
- Performing Organizations:
  2400 6th Street, NW
  Washington, DC United States 20059
- Principal Investigators:
  Ahmed, Imtiaz
  Marin, Claudia
- Start Date: 20260202
- Expected Completion Date: 20261230
- Actual Completion Date: 0
- USDOT Program: University Transportation Centers Program
- Subprogram: Cybersecurity
Subject/Index Terms
- TRT Terms: Artificial intelligence; Computer security; Detection and identification systems; Digital twins; Highway safety; Intersections; Neural networks; Traffic signal control systems
- Subject Areas: Data and Information Technology; Highways; Operations and Traffic Management; Security and Emergencies
Filing Info
- Accession Number: 01978543
- Record Type: Research project
- Source Agency: Research and Education for Promoting Safety (REPS) University Transportation Center
- Contract Numbers: 69A3552348323
- Files: UTC, RIP
- Created Date: Feb 3 2026 3:28PM