Intelligent Transportation System (ITS) is one of the leading smart systems which have been developed to obtain reliable transportation. One vehicle can establish a communication with other vehicles and/or infrastructure units using Vehicle-to-Everything (V2X) communications. Vehicles include all moving road entities, such as cars, bicycles, buses, trains and motorcycles. The road entity periodically broadcasts a message which contains status information, such as speed, directions and location. V2X supports several types of communication links as shown in Fig.1, e.g. Vehicle-to-Vehicle (V2V), Vehicle-to-Pedestrian (V2P), Vehicle-to-Grid (V2G) and Vehicle-to-Infrastructure (V2I).
As a consequence, the communication link between road entities is exposed to either internal or external cyber-attacks. External attacks means that unauthorized nodes launch the malicious behavior. Fortunately, the network can be protected against these attacks by applying conventional security schemes, such as encryption and authentication. Internal attacks means that authorized nodes initiate the malicious behavior. Unfortunately, the compromised nodes are hard to be detected because they have valid credentials. As a result, a trust-based model was studied to protect the network against internal attacks in [Trust1], by continuously monitoring the surrounding nodes' behavior. When a misbehavior node is detected, a warning alarm is sent to the network [general2].
There is a rich literature on developing security models to provide data confidentiality in V2X communications. For instance, Liu et al. [r3] designed a privacy-preserving ad conversion protocol for V2X-assisted proximity marketing that achieves input certification and output verifiability against malicious ad networks. Ulybyshev et al. [r4] suggested a data exchange method for V2X communications, to ensure data confidentiality and integrity. This method supports encrypted search over encrypted vehicle records that could be stored in untrusted cloud. Simplicio et al. [r5] improved the structure of SCMS's certificate revocation and linkage approach by addressing some limitations. The proposed modifications support the temporary revocation and linkage of pseudonym certificates. Furthermore, Cheng et al. [r7] presented a remote attestation security model based on a privacy-preserving blockchain. The model is comprised of two parts: identity authentication and the calculation of the nodes to make final decisions and write them into data blocks.
Recently, the authentication of V2X communications has been well studied. For instance, Yang et al. [vx1] implemented an authentication model for V2X communications. This model consists of two schemes: one scheme for V2V communications, and another for V2I communications. Villarreal-Vasquez et al. [vx3] proposed a dynamic approach which achieves the trade-off between safety, security and performance of V2X systems. However, the analysis is limited to V2V communications compliant with IEEE802.11p. In addition, Kiening et al. [vx4] studied the security requirements for V2X systems in particular trust assurance levels. A certification framework was designed to support trust establishment between road entities in V2X communications. Indeed, the node should be trusted if it has been correctly authenticated. Ahmed and Lee [general5] evaluated security services of the new LTE-based V2X architecture. Building on evaluation results, a practical solution was proposed to protect privacy and achieve security requirements of message exchange in V2X networks. Also, Jung et al.[r1] suggested a procedure and test scenario to achieve secure communication for autonomous cooperation driving. Furthermore, there are some research on ensuring data integrity. To defend against both false data injection and packet drop attacks, a new model was proposed in [r2] that particularly focuses on the security in sensing systems for V2X networks. However, far less effort has been devoted to defending against internal attacks.
To deal with internal attacks, this paper studies a global roaming trust-based model for V2X communications. The performance of the proposed model is then evaluated by comparing it with an existing model [J3]. The simulation results show that the proposed model outperforms the existing one. This paper makes two main contributions to the field of vehicular network security:
This paper proposes a global roaming trust-based model for V2X communications. Different from existing research, the nodes have global knowledge about malicious nodes in the network.
This paper compares the performance of the proposed model with the existing model in [J3]; the proposed model improves the False Negative Rate (FNR) by 33.5% when the percentage of malicious nodes is around 87.5%.
The remaining of this paper is organised as follows. Section II presents the system model. Section III provides a detailed description of the proposed trust model. Section IV includes both simulation setup and experimental results. Section V focuses on performance comparison with the existing model [J3]. Section VI draws conclusions.
Ii System Model
The considered network consists of road entities, which move at various speeds, and fixed Road Side Units (RSUs). Each road entity sends three types of messages: Beacon message which is sent periodically to inform the surrounding nodes about its current speed, location and direction; transaction message which contains confidential information and it is sent to the core network; and warning message that is sent to the surrounding RSUs when a malicious node is detected. Each time the road entity sends a message to the core network, it should go through the following phases:
Connectivity phase: each road entity examines its connectivity with the core network and the surrounding entities.
Communication phase: if the source entity has a connection with the core network, it forwards its packet to the nearest RSU. Otherwise, the packet is sent to a trusted entity to relay them to the core network.
Moreover, the considered network has two types of nodes which are normal and malicious nodes. The normal node keeps monitoring the surrounding environment and sends its packets to the core network. Also, it relays any received packet to the nearest RSU. On the other hand, the malicious node launches various attacks to disturb the network performance such as:
Selective forwarding attack: occurs when the malicious node drops some of the received packets randomly to escape punishment.
Recommendation attack: occurs when the malicious node sends bogus recommendations regarding other nodes:
In good-mouthing attack, the malicious node sends good recommendations regarding other malicious nodes as shown in Fig.2(a). In this attack, the malicious nodes could be considered as normal nodes. Thus, the malicious node disturbs the decision phase.
In bad-mouthing attack, the malicious node sends bad recommendations regarding other normal nodes as shown in Fig.2(b). In this attack, the normal nodes
may be classified by nodeas malicious nodes.
Iii Global Roaming Trust-based Model
The global roaming trust-based model maintains two levels of trust as shown in Fig.3: road entities level and RSU level. The road entity evaluates the trustworthiness of surrounding entities, and then sends warning messages to the surrounding RSUs when a malicious node is detected. When the RSUs receive high volume of warning messages from the surrounding entities, they generate an alarm and send it to the central unit. The details of this model are presented as follows.
First time communication
Have Previous Communication
Iii-a Road entity level
During time interval , each road entity measures the trustworthiness of all surrounding entities. Indeed, node continuously monitors its one-hop neighbors . Then, node is able to compute direct trust using the collected information. In addition, node sends recommendation requests to the surrounding nodes regarding node . The proposed model manages two trust components as follows.
Current Trust - : it is computed by node to evaluate the communication experience with node during time interval . It is calculated using
It is measured based on the following trust values:
Past trust - : it is a measure for the past behavior of node . The past trust is considered to prevent the non-continuous malicious behavior.
Direct trust - : it is an evaluation for the communication experience with the neighboring nodes . It is computed using
where is the number of successful interactions between node and node , and is the total number of interactions between node and node .
Indirect Trust - : it is a measure for the behavior of neighboring nodes using surrounding nodes' opinions. Node collects recommendations from the surrounding nodes regarding node . Before computing indirect trust, node applies the following steps:
Confidence value computation- : node measures the confidence value for each recommender node . is computed by
where is the confidence weight for uncertain recommendations.
Recommendations clustering: node classifies the received recommendations into two groups which are positive and negative recommendations using .
After that, each node calculates indirect trust for node by applying different weights and for and respectively. It is calculated using
where is the average value of positive recommendations; and the average value of negative recommendations. The weights are computed by
where and are the number of positive and negative recommendations respectively.
Local Trust - : each node is able to compute local trust for node and make a decision. Generally, local trust is computed using
where and are adjusted based on three factors which are the occurrence of current communications between node and node ; the existence of the recommendations about node ; and the presence of a previous connection between node and node . The measurement of and are described in Table I.
In addition, trust weights and are changed based on recommendation factor () and the number of neighbors. and are weights for indirect trust and (direct/current or past) trust respectively. represents the recommendation rate as follows:
where , and is the number of node neighbors at time .
Local decision: node has a local blacklist which has a list of malicious nodes based on the local decision. Thus, node stops the communication with any node in the blacklist. The decision is made using
where and are minimum and maximum trust thresholds, respectively. After that, the node updates its local blacklist and sends malicious and uncertain warning messages to the surrounding RSUs.
Iii-B RSU level
During time interval , where , RSUs start trust calculation phase. First, each RSU measures the percentage of malicious and uncertain alarms regarding node using
where and are the number of malicious and uncertain warnings respectively. Second, each RSU is able to make a decision regarding node j using
where and are the rates of malicious alarms and uncertain alarms respectively. They are calculated using
Finally, the RSU classifies node as malicious node when . Therefore, RSU sends malicious alarm to the central server.
Iii-C Global Trust decision
At this stage, central server can make global decision regarding node based on the alarms which are received from RSUs.
where is the number of malicious warnings that are received regarding node . Node is added to the global blacklist when it is classified as malicious node. Central server broadcasts the updated global blacklist to RSUs. Then, RSUs rebroadcast it again to all roads entities that are covered by the network. The road entities updates the local blacklist based on the received global blacklist.
Iv Simulation Analysis
This section describes the simulation setup for evaluating the performance of the proposed model. The effect of changing parameters on the false alarm rate is also analysed.
Iv-a Network specifications
We used MATLAB R2016b to conduct the simulation of a V2X network with 24 road entities and 9 RSUs with parameters as shown in Table II. The road entities move over an area of with various speed ranges. The considered area is composed of two intersections using three two-lanes roads. The road entity sends the transaction message to the core network directly or using a multi-hop routing protocol. To measure the performance of the proposed trust model, we study various types of malicious nodes: six selective forwarding attackers, three good-mouthing attackers and three bad-mouthing attackers.
|Simulation time (T)||100 iteration|
|Number of nodes||24 nodes|
Iv-B Simulation Results
In this section, we study the impact of changing parameters on the global trust measure and relate these to the false alarm rate. False alarm rate includes False Negative Rate (FNR) and False Positive Rate (FPR). FNR measures the rate of undetected attacks, whilst FPR measures the rate of classifying normal nodes as malicious. We run the simulations using the initial parameters . Then, we updated their values with the optimal ones.
Iv-B1 Effect of trust thresholds on false alarm rate
The simulation experiments were run with initial parameters. We study how various values of has an impact on false alarm rate. Also, it helps us to define the optimal value for . The corresponding results are shown in Fig.4 (a). The following remarks can be made:
FNR increases when the value of increases;
FPR rises significantly as long as the increases;
the impact of is high on FPR because as long as goes up that means the malicious range is expanded. As a result, many normal nodes are classified as malicious nodes;
when , it achieves low FNR and FPR values.
Moreover, we study how various values of has an impact on false alarm rate. The experiment was run with initial parameters and . The corresponding results are shown in Fig.4 (b). We notice that FNR slightly decreases when the value of increases, however, the FPR slightly goes up as long as the increases. We update initial value of with 0.7 which is the optimal value.
Iv-B2 Effect of recommendation factor ()
The simulation experiments were run with updated initial parameters. Here, we study the effect of various values of on the false alarm rate. By inspecting Fig.5 (a), the following remarks can be made:
FPR goes up when the value of increases to reach approximately 0.27, however, the FNR is stable while RC increases;
the has an impact on FPR only because is a part of the calculation of indirect trust weight . Therefore, giving high weight to indirect trust results high FPR. As a result, the model starts making false decisions regarding the normal nodes.
we choose as an optimal value which is the same as initial value.
Iv-B3 Effect of Confidence weight ()
We examine various values of to choose the value that achieves minimum false alarm rate, as shown in Fig.5 (b). Key findings are:
FPR goes down when the increases because we give lower weight for the recommendations that are sent by uncertain nodes, however, the FNR decreases slightly when the increases.
majority of normal nodes are classified as uncertain, giving recommendations low weight results high FPR.
the initial value of is the optimal one.
V Performance Evaluation
We use the existing model in [J3] as a benchmark to evaluate the performance of the proposed model. The impact of various rates of malicious nodes on the false alarm rate is studied on the proposed model and existing model.
V-a Effect of selective forwarding attack on FNR
Generally, when the model has a low FNR, it is able to detect the most malicious nodes. The result that is shown in Fig.6 (a) represents the FNR for various percentages of malicious nodes. The following remarks can be made:
in the existing model, the FNR reaches to 0.73 when the percentage of malicious nodes is equal to 87.50%.
FNR values in the proposed model is reduced. Thus, the global decision has the minimum FNR value for all rates of malicious nodes.
V-B Effect of selective forwarding attack on PDR
To measure the model performance, we measure the PDR with different percentage of malicious nodes as shown in Fig.6 (b). Generally, the PDR is increasing when the percentage of malicious nodes is increasing. In addition, the existing model produces high PDR which results from the high FNR. On the other hand, the proposed model has lower PDR which improves the network performance.
V-C Measuring the improvement rate
We measure the improvement rate on FNR and PDR for the proposed model in comparison with the existing model [J3] as shown in Fig.7. We notice that the FNR is highly improved in the proposed model when the percentage of malicious nodes is equal to 12.50%. In addition, the rate at 50%, which is a high percentage, increases again to around 50%.
Moreover, we notice that the proposed model provides high improvement on PDR in comparison with the existing model, thus, it gains better network performance.
In this paper, we proposed a global roaming trust-based model for the V2X network. Various malicious behaviors are considered to study the performance of the proposed model which are selective forwarding attack, bad-mouthing attack and good-mouthing attack. We conducted various experiments with different percentage of malicious nodes. Comparison results showed that the proposed model improved FNR by 33.5% and PDR by 40% when the percentage of malicious nodes is equal to 87.50%. In future work, we will improve the proposed model to consider RSU attacks.