[ieee 2011 international conference on complex, intelligent and software intensive systems (cisis) -...
TRANSCRIPT
Securing Vehicular Ad-hoc Networks Against
Malicious Drivers: A Probabilistic Approach
Danda B. Rawat‡, Bhed B. Bista§, Gongjun Yan∗, and Michele C. Weigle†
‡Dept. of Electrical & Computer Engineering, Old Dominion University, Norfolk, VA, USA. Email: [email protected]§Faculty of Software & Information Science, Iwate Prefectural University, Japan 020-0193. Email: [email protected]
∗Department of NMIS, Indiana University Kokomo, Kokomo, IN, USA. Email: [email protected]†Dept. of Computer Science, Old Dominion University, Norfolk, VA, USA. Email: [email protected]
Abstract—Future development of Intelligent Transporta-tion Systems (ITS) depends on Vehicular Ad-hoc NETworks(VANETs) in which communications will help to improve trafficsafety and efficiency through exchanging information amongvehicles. As each vehicle cannot be a source of all messagesin VANET, most communications depend on the informationreceived from other vehicles. To protect VANET from maliciousaction, each vehicle must be able to evaluate, decide and reactlocally on information received from other vehicles. Messageverification is more challenging in VANETs since the securityand privacy of the participating vehicles, in general, and of thedrivers and passengers specifically is of major concern. Eachvehicle needs to verify the accuracy of the message and needsto verify that the received message is from a legitimate vehicle.In this paper, we propose a new algorithm to secure vehicularcommunication with the help of trust measured for the givenperiod using a probabilistic approach. The proposed algorithmsecures VANETs against the untrustworthy drivers. The proposedalgorithm is illustrated through numerical results obtained fromsimulations.
Index Terms—Vehicular networks, securing vehicular ad hocnetworks (VANETs), trust in VANETs,
I. INTRODUCTION
Vehicular communications can be considered as single hop
or multi-hop vehicle-to-vehicle (V2V) communications and/or
vehicle-to-roadside (V2R) communications. In V2R commu-
nications, roadside infrastructure works as a relay unit where
the received message can be forwarded to specific locations
or broadcast to all locations. In such communications, the
information of participating vehicles can be stored locally for
different legitimate purposes such as tracking back the vehicle
if it performs some malicious actions for VANETs. Cellular
infrastructure or base stations can be used as roadside units,
however, the use of such infrastructure in VANETs results in
high delay as the message travels from the transmission vehicle
to the base station, and then from the base station to receiving
vehicles, which is not desirable for time sensitive messages
[1], [2]. Furthermore, in this scenario, it may take more than
10 seconds to get call admission for a vehicle with the base
station. An alternative solution is to install access points (APs)
across the roads as in wireless local area networks (WLANs).
However, this solution might not be economically feasible.
In V2V communications, each vehicle receives a message
from other vehicles in a single hop or multiple hops without
using a roadside unit. In this scenario, vehicles form the
communication network in an ad-hoc manner and form a
Vehicular Ad-hoc Network (VANET) since a vehicle or driver
joins (enter to a highway) and leaves (take exit from the
highway) the network as per driver’s desire. In this type
of scenario, it is almost impossible to keep track of every
one in the network by ensuring security and privacy of the
participating drivers.
VANET is regarded as a subset of Mobile Ad-hoc NETwork
(MANET) and has unique characteristics [1], [2] (virtually
infinite energy supply, high mobility and dynamic change
in network topology, etc.). Because of these unique charac-
teristics of VANETs, the solutions and protocols proposed
for MANETs might not be directly applicable to VANETs
without any amendment. In VANETs, it is assumed that
individual vehicles are equipped with DSRC enabled com-
puting (processing, recording, positioning features etc.) and
communication system. Furthermore, VANETs are expected
to utilize a variety of wireless communication technologies
for road safety and comfort as well as infotainment applica-
tions. VANETs basically depend on communication systems,
applications (safety, comfort), incident detection and sensing
systems, and drivers (human behaviors) as shown in Figure 1.
Human behavior heavily affects the network topology, whereas
sensing and communication systems determine the perfor-
mance of the overall system. Thus, the accuracy of the incident
detection/sensing system and the communication system to
exchange the information with neighboring vehicles is of vital
importance. It is also well known that security schemes heavily
depend on the wireless systems and technologies that are used.
In V2R-based vehicular communication, trustworthiness of
the message can be easily verified since the locally centralized
roadside unit can keep track of the participating vehicles and
the received messages. Then centralized unit can aggregate the
messages and broadcast it to the vehicles. However, as men-
tioned, the message dissemination from source to destination
might face higher delay, which is undesirable in VANETs for
time critical messages. Even with prioritization of messages
as in [3], [4] the system might not be able to satisfy the delay
requirement of time sensitive high priority messages such as
message related to an accident. The apparent solution, in order
to have timely dissemination of messages towards a destination
region, is V2V-based vehicular communication. In such V2V-
2011 International Conference on Complex, Intelligent, and Software Intensive Systems
978-0-7695-4373-4/11 $26.00 © 2011 IEEE
DOI 10.1109/CISIS.2011.30
146
VehicularCommunications
or
VANETs
Communication
Systems
and
Technology
VANETs
ApplicationsDriver's/Human
Behaviors
Incident
Detection
and
Sensing
Systems
Fig. 1. Basic VANET Components and Their Inter-dependencies
based vehicular communications, individual vehicles work as
a router, destination and source of the message. Therefore,
it is challenging for a vehicle to verify whether the recently
received message is legitimate or not. In order to address
security in VANET, there have been different approaches
proposed in the literature [5]–[8]. VANETs can be secured
using cryptographic algorithms and protocols. Usually a third
party, believed as a trust center, is involved in these protocols
for key distribution, message authentication and digital signa-
tures. However, such mechanisms are not attractive solutions
in terms of trust as well as economics. Therefore, in this
paper, we are interested to accomplish automatic detection
of malicious vehicle/driver in VANET to provide genuine
message in the network. It is noted that if a message is not a
legitimate one or not from a legitimate vehicle, the received
message can be discarded. The malicious driver can be alerted
by sending a warning message.
In this paper, we consider a probabilistic approach to mea-
sure the trust of the received message by making observations
for a given time interval to verify whether the received
message is from a legitimate vehicle or not. It is worth noting
that the received message might be from a near the roadside
intruder or a malicious driver on the road. Observing the
message over the given time interval will help verify the
validity of the message. We also note that making a decision
with a single instance of the message can be inaccurate,
resulting misleading communications.
The paper is structured as follows: we present related work
in Section II. In Section III, we present the problem statement.
Section IV deals with the proposed approach, followed by the
algorithm in Section V and simulation results in Section VI.
Finally, we conclude the paper in Section VII.
II. RELATED WORK
VANETs have attracted interest in both academia and indus-
tries [1], [2] such as Car to Car communication [9] as well as
projects such as NoW [10], PReVENT [11], ORBIT [12], and
PATH [13]. These works cover almost all aspects of vehicular
communications [1], [1].
VANETs are highly dynamic in nature because of the high
speeds of vehicles and the highly personal nature of informa-
tion sharing. Therefore, existing methods for wireless security,
trust and privacy might not be suitable in VANETs. Recent
works include [8], [14] for security in VANETs. However, in
order to implement the existing security and trust mechanisms
in VANETs, we need trust centers installed along the highways
as roadside units. This might lead to many questions such
as Who will be the owner? Is it trustworthy to all? Is
it cost effective? In [14], a cryptographic algorithm along
with position information has been considered to implement
security in VANETs.
In [15], the authors discussed privacy and proposed cen-
trally assigned digital pseudonyms. The authors in [16] have
proposed a method in which vehicles change their pseudonyms
in a certain region (where the many vehicles are within the
communication range) pointed by the system. This method
cannot work in the case when there are not a sufficient number
of vehicles. To overcome this, authors in [17] have proposed a
method which works based on self signed digital pseudonyms.
We note that most of the research and proposed solutions in
privacy and trust are mainly focused on the use of pseudonyms
and the algorithms for changing them. However, implementing
pseudonyms in VANET is challenging. Generally, VANET
security systems should protect the privacy of both drivers and
passengers [8], however it should be able to help establish the
liability of drivers. In such cases, trust is an important factor
while implementing privacy and security in VANET to prevent
a generic attack on the network. Verification of the message
received from other vehicles is required to protect the network
from malicious drivers. As we know vehicles are personal
devices and are owned for long time, it is required to protect
personal information from being disclosed to unauthorized
users for their privacy. A vehicle can collect messages from
any vehicle but the vehicle might not be able to verify whether
the message itself is legitimate one. It is worth noting that
the privacy level of VANETs after implementing wireless
communications should be at least the same level that is
obtained without implementing wireless communications [18].
Specific privacy threats in VANETs include: tracking a specific
vehicle, cheating with information, and so on. The general
principle of privacy in VANETs is to protect the participating
drivers/vehicles against the non-authorized users. However
information should be discloseable to authorized parties.
As mentioned, trust provides VANET security. Thus, trust
establishment and maintenance for fixed infrastructure based
wireless communication networks, such as cellular systems
and Internet, requires a lengthy process but it is assumed to
be validated for a long time. For such infrastructure based
wireless systems, assuming that base stations in cellular sys-
tems or access points in WLAN trust are trustworthy, existing
approaches to trust management can be applied with minor
modification. In contrast, the frequently changing topology
and network life-time in VANETs make trust management
a challenging problem and requires considerable attention.
Therefore, we focus on trust establishment in VANETs. When
vehicles are within the communicating range with others, they
start to interact with each other. In VANETs, each vehicle may
147
not be able to detect an incident since a vehicle might be
looking for traffic updates which might be miles away from
the incident area. In such a scenario, a vehicle has to rely on
the information received from other vehicles. Without having
proper mechanism for trust management, communication in
VANET might be prone to security threats.
Our research work in this paper checks the trustworthiness
of the received message by observing the received message
from a given vehicle over a given time interval and determine
corresponding suspicion level and trust level for a given
vehicle where the identity of drivers/vehicles are unknown. By
looking at the suspicion or trust level of the given vehicle for
given time period, one can easily decide whether the received
message is legitimate or not. It is important to note again that
the decision made based on a single instance might not be fair
enough to measure the validity of the received message.
III. PROBLEM STATEMENT FOR TRUSTWORTHY
In ad-hoc based V2V communications, as each vehicle
works as a router and a destination for the received message,
it is important to verify the integrity and legitimacy of the
received message. Observing the single activity of message
transmission by a vehicle might not be enough to treat it
as malicious. Thus in order to have secure communication
in VANET, where message integrity is ensured with the help
of some automatic methods where the actual identity of the
participating vehicles are not used or unknown. This method
should also ensure the privacy and/or security of drivers while
securing the VANETs.
IV. PROPOSED APPROACH
We use the following analysis for malicious driver detection
and to determine the trustworthiness of the received message
based on suspicion and trust levels.
We consider that Xi(t) is the message transmitted by a
vehicle i in a VANET at time slot t. We use attack probability
(pa) which tells us how strong the attack is, which implies
the willingness of a vehicle being an attacker in VANET. A
given vehicle i will attack the VANET with probability pa by
sending manipulated information Xi(t)± � with the � amount
of extra or less amount of message with pa probability. It is
worth noting that the message Xi(t)± � results in false alarm
resulting in a decrease in trust of VANETs.
Basically, for the transmitted message Xi(t), the received
signal without any modification over the network is given by
ℋ0 : yi(t) = Xi(t)± � + wi(t)ℋ1 : yi(t) = Xi(t) + wi(t)
(1)
where ℋ0 and ℋ1, respectively, represent the manipulated and
non-manipulated/original messages, and wi(t) is the additive
white Gaussian noise (AWGN) that corrupts the received
signal.
In this section, a novel method is presented to detect a
malicious driver based on the received messages over a given
time interval and measure the trustworthiness of the given
vehicle using a probabilistic approach. It is noted that in
the VANET scenario where no malicious drivers are present,
it is not required to use the proposed method and secure
VANET against malicious drivers since the method might
introduce computation overhead in the network. However,
we consider that there is at least one malicious driver in a
VANET among N participating vehicles for given geographic
location and individual vehicle interact and communicate with
each other to get upcoming traffic updates using suitable
wireless communication technologies. It is also noted that
many communicating vehicles will be sending the copies
of the message for comparison. In this context, legitimate
vehicles will send the original messages whereas the malicious
vehicles will send manipulated messages. Comparing copies of
the received messages, individual vehicle can identify whether
they receive the message ℋ0 or ℋ1. Then, we define the
suspicion level of a vehicle/driver i as
�i(t) ≡ P (Ti = M ∣Ot) (2)
where Ti is the type of driver that could be Malicious (M) or
Honest (H), and Ot is the observation collected for the interval
[1, t]. It is noted that if t is high then more messages will be
used to calculate the suspicion level of the given vehicle.
Then, using Bayesian criterion, the suspicion level of a
vehicle/driver i can be written as
�i(t) =P (Ot∣Ti = M)P (Ti = M)
∑N
m=1 P (Ot∣Tm = M)P (Tm = M)(3)
Without loss of generality, we consider that any vehicle can
be malicious with probability P (Ti = M) = �. Then the
equation (3) is expressed as
�i(t) =P (Ot∣Ti = M)
∑N
m=1 P (Ot∣Tm = M)(4)
Now, we can write
P (Ot∣Ti = M) =
= P (X(�)∣Ti = M,O�−1)P (O�−1∣Ti = M, )
=...
=t∏
�=1
P (X(�)∣Ti = M,O�−1)
=t∏
�=1
⎡
⎣
N∏
j=1,j ∕=i
P (Xj(�)∣Tj = H)
⎤
⎦P (Xi(�)∣O�−1)
︸ ︷︷ ︸
�i(�)
=
t∏
�=1
�i(�)
(5)
Equation (5) represents the probability of reports at time slot
t conditioned that node i is malicious.
148
Again it is noted that the driver with Xi(t) information
can transmit the same information if it is not malicious (or
genuine) or transmit with some extra or less information
Xi(t)± � if it is malicious.
Using equation (3) and (5), the suspicion level �i(t) of the
vehicle/driver i can be written as
�i(t) =
t∏
�=1
�i(�)
N∑
j=1
t∏
�=1
�j(�)
(6)
It is worth noting that the suspicion level and trust level of
a driver are regarded as complement/opposite characteristics,
thus the trust level �̂i(t) of a vehicle/driver i can be computed
from its suspicion level �i(t) as
�̂i(t) = 1− �i(t) (7)
This value gives the trust level of a participating vehicle/driver
i. It is important to note that the vehicle with trust level closer
to 1 is the legitimate one whereas the vehicle with trust level
closer to 0 (or less than certain threshold value) is malicious.
V. THE ALGORITHM
Based on the analysis presented above, the algorithm is
stated in Algorithm 1.
Algorithm 1 Malicious Driver Detection
1: Input: receive messages from N participating vehicles
over the observation period t, and take an initial threshold
value �T
2: repeat
3: compute trust values {�̂i(t)}Ni=1
4: for each vehicle i do
5: if �̂i(t) < �T then
6: vehicle/driver i is untrustworthy so the message from
the vehicle i is removed from further consideration
to transmit to other vehicles.
7: else
8: vehicle/driver i is trustworthy so the message from
vehicle i is accepted, and will be considered for
further transmission to other vehicles.
9: end if
10: end for
11: until message is received from other vehicles
12: Output: Trust level of vehicle/driver i and trustworthy
message of driver i.
It is worth noting that the threshold value �T will be
changing on the fly based on its history at each vehicle. The
typical initial value of the threshold is equal to 0.5, that is,
�T = 0.5.
VI. SIMULATION AND PERFORMANCE EVALUATION
In order to corroborate our theoretical findings, we have
performed extensive simulations. We consider a Gaussian
noise for SNR levels.
We have considered the VANET scenario where the ve-
hicles are moving on a road segment of 10 miles with a
4 lane highway. The rate of vehicles entering the road is
1 vehicle/sec/lane. Vehicles transmit some information to other
vehicles so that one can easily identify whether the vehicle
is performing as a trustworthy one or not. We note that
each vehicles run Algorithm 1 to measure the trust level
and to validate the messages. All vehicles are assumed to be
equipped with communication and computing equipment so
that they can communicate with their neighboring vehicles.
Specifically, as the given vehicle receives a regular messages
from other vehicles, it computes the trust level for the message
transmitting vehicle and validates the message based on the
trust level by comparing with given threshold value.
In the first experiment, we have performed simulations to
find the received power level for a given transmit power level
and the distances used in DSRC enabled vehicles using signal
propagation models presented in [19]. We also note that with
the help of speed limit information, we incorporate attenuation
factors during received power calculations. That is, high speed
limit implies that the road is rural and low/city speed limit
implies that the communicating environment is urban/city. It is
worth noting that this speed limit information can be obtained
with the help of positioning system such as GPS, GALILEO
or GLONASS. All vehicles use transmission power within
the range proposed for DSRC standard [20], [21] (that is
maximum transmit power 35dBw corresponds to maximum
transmission range 1000m). Figure 2 shows the variation
of received power for different SNRs and distance between
transmitter and receiver vehicles. As expected the received
power fluctuation is higher in the case of low SNR value than
that with high SNRs. Furthermore, as it is expected, with the
increasing distance, the received power level decreases.
In the second experiment, calculated trust levels are used
for given vehicles based on the received messages for different
SNR values. We consider that some vehicles act as malicious
by changing some information with � amount while they
transmit the message to other vehicles. We have considered
that there will be at least one malicious driver in the system.
We first look at the trustworthiness of a vehicle for different
SNR values. With an increasing SNR value, the corresponding
trustworthiness value increases as shown in Figure 3. If the
trustworthiness value is 1, a vehicle can conclude that it
is communicating with a trustworthy vehicle. Furthermore,
because of the interference and noise, even if the trust level is
approximately equal to 1 or greater than the given threshold
value �T , a vehicle can think of communicating with a
legitimate vehicle. We also plot the trust levels of genuine and
malicious drivers for different SNR values shown in Figure 3.
We note that the trust levels for trustworthy drivers increases
with increasing SNR values and reaches to 1. However, the
149
0100
200300
400500
600700
800900
1000
−5
0
5
10
15
20
25
30
−100
−60
−20
20
60
100
Distance (m)SNR (dB)
Receive power (dBm)
Fig. 2. Variation of received signal power for different SNRs and distancesbetween transmitter and receiver vehicles.
−5 0 5 10 15 20 25 300.3
0.4
0.5
0.6
0.7
0.8
0.9
1
SNR (dB)
Trust level
Trust levels of malicious drivers/vehicles
Trust levels of genuine drivers/vehicles
Fig. 3. Trust levels of genuine and malicious drivers for different SNR values
trust levels for untrustworthy drivers remains below 0.5 for
all SNR values and are constant even for high SNR values
(10dB − 30dB) as shown in Figure 3. It can be observed than
one can use threshold �T = 0.5 or can adapt according to the
operating environment.
Figure 4 shows the Receiver Operating Characteristics
(ROC) curves, which is a plot of true positive rate versus the
false positive rate. By looking at the ROC in Figure 4, we note
that the performance of VANETs degrades significantly even
when there are less malicious drivers than the genuine drivers
in vehicular communications.
It is important to note that the trust level based on a single
instance of a received message might mislead the decision.
Thus, we have considered the decision based on an observation
0 0.2 0.4 0.6 0.8 1
0.82
0.84
0.86
0.88
0.9
0.92
0.94
0.96
0.98
1
Probability of false alarm
Probability of detection
N=200 with no attacker
N=150 with no attacker
N= 100 with no attacker
N=100 with 20 attackers
Fig. 4. ROC curves for different scenarios for pa = 75% in false alarmattack environment.
period which incorporates the temporary history of the drivers.
As the observation time increases, the decision will be more
accurate however the time needed to make the decision will
be high which might not be suitable. There should be some
trade-off between the observation time and the time needed to
report the decision.
It is also noted that a given vehicle can make a correct
decision as expected when there are a smaller number of
malicious drivers present. Furthermore the correct decision
will be easy for higher SNR values.
We conclude this section by noting that using a probabilistic
approach to measure the trust level, VANETs can be secured
against malicious drivers from possible changes in message
and thus we can have safer driving.
VII. CONCLUSION
In this paper we have proposed a method to determine the
trust levels of the communicating drivers and check the validity
of received messages. Information dissemination in VANETs
depends on the message received from other participating
vehicles and thus each vehicle needs to verify the accuracy
of the message and that the message comes from a legitimate
vehicle. Based on the trust level, which uses probabilistic
approach for a given observation period, a vehicle can judge
the received message and decide whether the message will
be considered for further transmission or not. As noted, trust,
privacy, and security in VANETs for future development of
intelligent transportation systems are of vital importance. This
paper has provided a mechanism to measure the trustworthy
levels of participating vehicles. We also found that for high
SNR values the trust level is high for genuine vehicles/drivers,
however the trust level is low for malicious drivers. We have
presented the simulation results to support our theoretical
claims.
150
REFERENCES
[1] D. B. Rawat and G. Yan, Infrastructures in Vehicular Communications:
Status, Challenges and Perspectives. Dr. M. Watfa, Eds. IGI Global,2010.
[2] S. Olariu and M. C. Weigle, Eds., Vehicular Networks: From Theory
to Practice. CRC Press / Taylor & Francis, March 2009.[3] D. B. Rawat, D. C. Popescu, G. Yan, and S. Olariu, “Enhancing VANET
Performance by Joint Adaptation of Transmission Power and ContentionWindow Size,” 2011, in press.
[4] D. B. Rawat, G. Yan, D. C. Popescu, M. C. Weigle, and S. Olariu, “Dy-namic adaptation of joint transmission power and contention window inVANET,” in Proceedings of the IEEE Vehicular Technology Conference
- Fall, Anchorage, Alaska, September 2009, pp. 1–5.[5] M. Raya, P. Papadimitratos, J. Hubaux, and E. de Lausanne, “Securing
Vehicular Communications,” IEEE Wireless Communications, vol. 13,no. 5, pp. 8–15, 2006.
[6] P. Papadimitratos, V. Gligor, and J. Hubaux, “Securing VehicularCommunications-Assumptions, Requirements, and Principles,” in Work-
shop on Embedded Security in Cars (ESCAR), vol. 2006, 2006.[7] M. Gerlach, A. Festag, T. Leinmuller, G. Goldacker, and C. Harsch,
“Security Architecture for Vehicular Communication,” 2nd International
Workshop on Intelligent Transportation – WIT 2005, 2005.[8] M. Raya and J.-P. Hubaux, “The Security of Vehicular Ad hoc Net-
works—,” in SASN ’05: Proceedings of the 3rd ACM workshop on
Security of ad hoc and sensor networks. New York, NY, USA: ACM,2005, pp. 11–21.
[9] “ Car to Car Communication Consortium (C2CCC). http://www.car-to-car.org ,” 2011.
[10] “ Network on Wheels (NoW). http://www.network-on-wheels.de ,” 2011.[11] “ PREVENT project. http://www.prevent-ip.org ,” 2011.[12] “ DISCO Lab. http://discolab.rutgers.edu/traffic ,” 2011.[13] “ California Partners for Advanced Transit and Highways (PATH).
http://www.path.berkeley.edu ,” 2011.[14] G. Yan, S. Olariu, and M. Weigle, “Providing VANET security through
active position detection,” Computer Communications, vol. 31, no. 12,pp. 2883–2897, 2008.
[15] F. Dotzer, “Privacy Issues in Vehicular Ad hoc Networks,” in Privacy
Enhancing Technologies, 2005, pp. 197–209.[16] A. R. Beresford and F. Stajano, “Mix Zones: User Privacy in Location-
aware Services,” in PERCOMW 2004, Washington, DC, USA, 2004, p.127.
[17] P. Golle, D. Greene, and J. Staddon, “Detecting and Correcting Mali-cious Data in VANETs,” in Vehicular Ad hoc Network 2004 –VANET’04,New York, NY, USA, 2004, pp. 29–37.
[18] J. Serna, J. Luna, and M. Medina, “Geolocation-Based Trust for Vanet’sPrivacy,” in Fourth International Conference on Information Assurance
and Security, 2008. ISIAS’08, 2008, pp. 287–290.[19] T. Rappaport, Wireless Communications: Principles and Practice. Pren-
tice Hall PTR New Jersey, 2002.[20] R. Sengupta and Q. Xu, “DSRC for Safety Systems,” vol. 10, no. 4.
California PATH – Partners for Advanced Transit and Highways, 2004,pp. 2–5.
[21] “ Vehicle Safety Communications Project Task 3 Final Report: IdentifyIntelligent Vehicle Safety Applications Enabled by DSRC,” VehicleSafety Communications Consortium consisting of BMW, Daimler-Chrysler, Ford, GM, Nissian, Toyota, and VW.
151