privacy-aware vanet security: putting data-centric misbehavior and sybil attack detection schemes...

HANYANG UNIVERSITY INFORMATION SECURITY & PRIVACY LAB Privacy-Aware VANET Security: Putting Data-Centric Misbehavior and Sybil Attack Detection Schemes into Practice Rasheed Hussain * , Sangjin Kim ** , and Heekuck Oh * * Hanyang University, ** Korea University of Technology and Education, South Korea 2012-08-18 Rasheed Hussain

Post on 09-Jun-2015

DESCRIPTION

Presented in WISA 2012 Conference, Jeju, South Korea

TRANSCRIPT

Page 1: Privacy-Aware VANET Security: Putting Data-Centric Misbehavior and Sybil Attack Detection Schemes into Practice

HANYANG UNIVERSITY INFORMATION SECURITY & PRIVACY LAB

Privacy-Aware VANET Security: Putting Data-Centric Misbehavior and Sybil Attack Detection Schemes into Practice

Rasheed Hussain*, Sangjin Kim**, and Heekuck Oh*

*Hanyang University, **Korea University of Technology and Education, South Korea

2012-08-18

Rasheed Hussain

Page 2

Information Security & Privacy Laboratory @ Hanyang University

Agenda

Main Theme

Introduction

Problem Statement

System Model, Threat Model and Contribution

Proposed Scheme

Performance Evaluation

Discussion and Limitations

Conclusion

Page 3

Main Theme

Data-Centric Misbehavior Detection Scheme (MDS) and Entity-Centric MDS in privacy aware VANET (conditional anonymous)

Incorporating both MDS and SAD (Sybil Attack Detection)

PAB (Post-Alarm Behavior) in ROEI (Region of Expected Infection)

Verification of position information

Based on realistic road conditions (traffic regimes)

Independent decision on the part of every individual node

Threshold revocation scheme

Page 4

Introduction[1/3]

Security primitives in VANET

May be different from traditional security primitives

For instance, message confidentiality in VANET depends upon the type of the message. Safety-related messages may not need to be encrypted

Message integrity (liability issues)

Type of messages

Misbehavior in VANET (selfish reason/malfunction)

e.g. a vehicle might send a false report on congestion, an accident or a road block

Not everybody is malicious!!

Revocation depends upon DoC (Degree of Consequences)

Proceed from taking out the wrong information (revocation of message) all the way to the revocation of the node

“Trust on information rather than source of information”

Page 5

Introduction[2/3]

Are the trust-management based solutions feasible for VANET? (so many proposed schemes)

NO!!!!

Ephemeral nature of VANET

Privacy is one of the prime security primitives in VANET

Secure privacy-aware beaconing

Incorporate the opposite direction nodes to help in determining the soundness of information

Warning/Alarm/Critical message types may be finite in number

Nodes cross-check the subsequent actions with predefined natural actions

Position consistency checked with virtual ears (by beacon messages) and verified with virtual eyes (Radar)

Page 6

Introduction[3/3]

Ruj et al. scheme has severe deficiencies

If the reported position is not consistent with the alert raised then the message is incorrect and discarded (fig. 1)

Page 7

Problems in Ruj et al.’s scheme

Pseudonyms must not change for certain time after alert is sent

Privacy (?)

Size of Relay messages grows by the factor of the size of MA

Flooding (same alert many times)

Beacon format is not defined

Negation Message Attack (NMA)

A node must report the event before it physically crosses the crash site

Message duration (FT) may not be sound for relay messages

Vehicles have to wait for beacon from both originator and relayer (?)

Page 8

Problem Statement

In a privacy aware VANET architecture with privacy-aware beaconing scheme where two messages provide un-linkability; how to detect MDS and SAD with real traffic density?

AS ∝ 1/P (AS denotes Sybil attack and P denotes Privacy)

Privacy preserving beaconing and warning messages

Decide the course of action on the basis of underlying traffic density

Threshold density calculation from received beacon messages

Page 9

Network/Threat Model, Contribution [1/4]

Management hierarchy and functional hierarchy

[Figure: Management Hierarchy alongside Functional Entities]

Level 1: DMV (Department of Motor Vehicles) and Cloud Infrastructure; role: Registration / Overall Management

Level 2: RCA (Regional CA) and RAs (Revocation Authorities); role: Certification, Revocation

Level 3: RSSI (Road-side Static Infrastructure) and RSMI (Road-side Mobile Infrastructure); role: Functional Assistance / Gateway Terminals to clouds

Level 4: Vehicular Nodes (OBUs); role: Operation

Page 10

Network/Threat Model, Contribution [2/4]

Threat/Attacker Model

Insider who deviates from normal VANET behavior or infringes on a user’s privacy

Has more computation and communication resources

Can eavesdrop on wireless channel

Forges identities, performs tracking, and diffuses wrong information in VANET

Manipulates input data for assembling messages

Page 11

Network/Threat Model, Contribution [3/4]

Functional VANET architecture

[Figure: functional VANET architecture; labels: DMV, RA’s, RCA’s, RSSE, RSME Domain, V2V, V2I]

Page 12

Network/Threat Model, Contribution [4/4]

Objectives and Contribution

Devise an algorithm to incorporate both MDS and SAD

Agree upon a tradeoff solution for real time traffic density calculation

Privacy preserving beaconing and critical warning messages

Leverage location verification by virtual ears and virtual eyes

Incorporate two-way traffic and exploit the S-C-F strategy for misbehavior detection

Additional Objectives

Loose Authentication

Conditional anonymity

Non-repudiation

Assumptions

Beacons can be received from 1-hop neighbors

Vehicles leverage TRH and omni-directional radar for position verification

DMV (department of motor vehicles), RCAs (Regional CAs), RSI

Beaconing Identityless (our WISA’09* Paper)

Relaying mechanism (Efficient Flooding)

Threshold based probabilistic vehicular density calculation

*R. Hussain, S. Kim, and H. Oh, “Towards Privacy Aware Pseudonymless Strategy for Avoiding Profile Generation in VANET,” in: H.-Y Yoon, M. Yung (Eds.) WISA 2009. LNCS, vol. 5932, pp. 268-280. Springer, Heidelberg (2009)

Page 13

Proposed Scheme [1/6]

Baseline

Beacon format

$M_b = (m, Gid, \sigma, \delta)$, where $m$ is beacon data, $\sigma = HMAC_{K_{V_i}}(T \| Gid \| Data)$ and $\delta = HMAC_{K_{d_i}}(T \| Gid \| Data \| \sigma)$

RSI are semi-trusted and Vehicles not trusted

TRH are employed in RSUs and OBUs

Alert message types stored in OBUs beforehand

Page 14

Proposed Scheme [2/6]

Warning Message (WM)

Sensed:

Type | EID | LID | Gid | T | lociT | $Sig_{K_{TRH_i}}$(EID, LID, Gid, T, lociT)
1 | 1 | 16 | 2 | 8 | 16 | 42

Relayed:

Type | T | lociT | Gid | λ | $Sig_{K_{TRH_i}}$(T, lociT, Gid, λ)
1 | 8 | 16 | 2 | 22 | 42

Where λ = (EID, LID, Gids, ΔL, ΔT)

Page 15

Proposed Scheme [3/6]

Alerts and Invalid actions

List of invalid events (LIE)

d is the safe distance

e.g. a car moving at 80 km/h that reduces its speed to 20 km/h after observing an alert will travel less than about 100 m in the next 2 seconds, so the positions sent in its beacons will be less than d = 100 m apart

Invalid actions after alert is issued

Page 16

Proposed Scheme [4/6]

Hybrid Mechanism depending upon current traffic density

MDS (Misbehavior Detection System)

SAD (Sybil Attack Detection)

Dense Traffic Regime (SAD) and Sparse Traffic Regime (MDS)

Privacy aware traffic density calculation

ROEI (Region of Expected Infection) for MW storage and Relay

Location verification

Misbehavior (Data-Centric)

Sybil Attacks (Entity-Centric)

Goal

[Figure labels: Lx, Observer o, MW received, Sensed, MR]

Page 17

Proposed Scheme [5/6]

MW received

Check for Freshness

Check if already received

Check movement trajectory

Calculate Density and decide whether MDS or SAD

Wait for beacon from the same vehicle

Verify position

Check for PWM (Post- Warning measurements)

Verify the message from opposite side vehicles

Collect beacons for certain time (tk+1-tk) and calculate Threshold density

Compare the number of alarms with the no. of vehicles (only in one direction)

$D(v) = \sum_{b} X_b$, summed over the beacons $b$ collected in the window $(t_{k+1} - t_k)$

[Remaining diagram labels on the slide: t_i, t_f, b_i]

• Indicator variable $X_b$:

$X_b = \begin{cases} 1 & \text{if beacon sending vehicle is ahead} \\ 0 & \text{if beacon sending vehicle is behind or in opposite direction} \end{cases}$

Spatial Checks, Temporal Checks, Behavioral Checks, Integrity Checks

Cosine Similarity
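
The density step and regime choice on this slide, as an added Python example that is not code from the slides or from the authors: it evaluates X_b for each beacon, sums it over the collection window to get D(v), and compares the alarm count with the vehicles ahead. The beacon fields, the cosine cut-off, the dense threshold and the rule that more alarms than vehicles ahead is suspicious are assumptions; the window is taken to be one beacon period so that each neighbour contributes one beacon.

```python
import math
from dataclasses import dataclass

@dataclass
class Beacon:                 # hypothetical decoded beacon (field names assumed)
    t: float                  # receive time, seconds
    pos: tuple                # reported (x, y) position, metres
    heading: tuple            # direction-of-travel vector

def cosine(u, v):
    """Cosine similarity of two 2-D vectors; 0.0 if either has no length."""
    norm = math.hypot(*u) * math.hypot(*v)
    return (u[0] * v[0] + u[1] * v[1]) / norm if norm else 0.0

def x_b(obs_pos, obs_heading, b, same_dir=0.5):
    """Indicator X_b: 1 if the sender is ahead in our direction, else 0."""
    if cosine(obs_heading, b.heading) < same_dir:   # assumed cut-off
        return 0                                    # opposite or crossing traffic
    rel = (b.pos[0] - obs_pos[0], b.pos[1] - obs_pos[1])
    return 1 if rel[0] * obs_heading[0] + rel[1] * obs_heading[1] > 0 else 0

def density(obs_pos, obs_heading, beacons, t_k, t_k1):
    """D(v): sum of X_b over beacons received in [t_k, t_k1)."""
    return sum(x_b(obs_pos, obs_heading, b)
               for b in beacons if t_k <= b.t < t_k1)

def assess(d_v, n_alarms, dense_threshold):
    """Pick the regime, then compare the alarm count with vehicles ahead."""
    if d_v < dense_threshold:
        return "MDS"                       # sparse regime: data-centric checks
    # Assumed rule: more alarms than vehicles ahead suggests Sybil senders.
    return "SAD:suspect" if n_alarms > d_v else "SAD:consistent"

# Constructed sample: observer at the origin driving along +x.
OBS_POS, OBS_HEADING = (0.0, 0.0), (1.0, 0.0)
BEACONS = [
    Beacon(0.1, (30.0, 0.0), (1.0, 0.0)),     # ahead, same direction
    Beacon(0.3, (80.0, 3.0), (1.0, 0.05)),    # ahead, adjacent lane
    Beacon(0.5, (-20.0, 0.0), (1.0, 0.0)),    # behind
    Beacon(0.7, (50.0, -6.0), (-1.0, 0.0)),   # opposite direction
    Beacon(0.9, (120.0, 0.0), (1.0, 0.0)),    # ahead
    Beacon(1.4, (60.0, 0.0), (1.0, 0.0)),     # outside the window
]

if __name__ == "__main__":
    d_v = density(OBS_POS, OBS_HEADING, BEACONS, 0.0, 1.0)
    print(d_v, assess(d_v, 7, 3), assess(d_v, 2, 3), assess(d_v, 7, 5))
```
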

Page 18

Proposed Scheme [6/6]

Discussion

Position Vs Information

WPWI (Wrong Position – Wrong Information)

RPWI (Right Position – Wrong Information)

WPRI (Wrong Position – Right Information)

RPRI (Right Position – Right Information)

Assume the alarm is relayed at least one time

Sensed Vs Relayed Alarms

Combine the number of senders and cross-check with the traffic D(v)t

[Figure labels: Target, Not Likely, Sensed, Relayed, Distinct Sensed, Distinct Relayed]

Page 19

Performance Evaluation [1/2]

Security

Message authentication

Message integrity

Privacy protection

Anonymity revocability

Message revocation and user revocation

Partial brute-force strategy

Non-frameability

Privacy

Revocation with order O(d+g) for beacons and O(d·g) for MW

Since d << g, the order of revocation in case of beacon is O(g)

Page 20

Performance Evaluation [2/2]

Computational Overhead

Comparison with other schemes

Columns: Scheme; Certificates with Beacons; Profile Generation; RSU as Bottleneck; Privacy; Computations (Mb; MW)

Zhou et al.: Dependent on Pseudonym change; N/A; N/A

Ruj et al.: Dependent on Pseudonym change; Tp + 3Tm + 2TH; 2Tp + 6Tm + 4TH

Our scheme: 2H; Tp + 3Tm + 2TH

Tp = Time of Pairing operation, Tm = Time of point multiplication, H = Hash operation

Page 21

Discussion

Merits of proposed scheme

Privacy-aware threshold-based density calculation

User privacy

Conditional anonymity

No need for RSU support

No temporary identities, which lead to profiling, are used

Utilized opposite traffic for SCF (store-carry-forward)

Anonymous position verification

Limitations

Beacon frequency

Flyover scenario

3D position verification (if possible)

The relay mechanism may introduce some overhead temporarily

Page 22

Conclusion

HMDS: Hybrid MDS (Flexible)

Privacy-aware Density-based scheme

Efficient position verification

Misbehavior is detected with independent position verification

Immune to Sybil attacks

Incorporating 2-way traffic

Page 23