SVS 2.3 - Distributed Misbehavior Detection in VANETs

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the WCNC 2009 proceedings.

Distributed Misbehavior Detection in VANETs

Mainak Ghosh∗, Anitha Varghese†, Arzad A. Kherani‡ and Arobinda Gupta§

∗§ Department of Computer Science & Engineering, Indian Institute of Technology, Kharagpur. Email: {mainakg,agupta}@cse.iitkgp.ernet.in
†‡ General Motors India Science Lab, Bangalore. Email: {anitha.varghese,arzad.kherani}@gm.com

Abstract—In any vehicular ad hoc network, there is always a possibility of incorrect messages being transmitted either due to faulty sensors and/or intentional malicious activities. Detecting and evicting sources of such misbehavior is an important problem. We observe that the performance of misbehavior detection schemes will depend on the application under consideration and the mobility dynamics of the detecting vehicle. Further, the underlying tradeoff in any such detection algorithm is the balance between False Positives and False Negatives; one would like to detect as many misbehaviors as possible, while at the same time ensuring that the genuine vehicles are not wrongly accused. In this work we propose and analyze (via simulations) the performance of a Misbehavior Detection Scheme (MDS) for the Post Crash Notification (PCN) application. We observe that the performance of this proposed scheme is not very sensitive to the exact dynamics of the vehicle on small scales, so that a slight error in estimating the dynamics of the detecting vehicle does not degrade the performance of the MDS.

I. INTRODUCTION AND MOTIVATION

A vehicular ad hoc network (VANET) is an ad hoc wireless communication system set up between multiple vehicles in a neighborhood. The communication can be only vehicle-to-vehicle (V2V) or may also involve some roadside infrastructure. Applications have been proposed on VANETs for different purposes such as infotainment, safety, financial and navigational aid.

The IEEE 1609.2 [1] standard provides public key cryptography based solutions for various desired security attributes such as message integrity, entity authentication, and nonrepudiation. In particular, appended to each message is (a) a digital signature on the message using the private key of the sending entity, (b) the public key of the sending entity, and (c) a certificate on the public key issued by a trusted third party, the Certificate Authority (CA). The security layer at any receiver is required to verify the digital signature of each message before passing it on to the relevant application layer. Before doing a heavyweight digital signature verification operation on the received message, the receiver first checks whether the certificate of the sender is in the copy of the Certificate Revocation List (CRL) available with the receiver’s security layer. The receiver would have downloaded the CRL during one of its recent interactions with the infrastructure, which could be in the form of a Road Side Entity (RSE) connected to the CA. Certificates in the CRLs are expected to correspond to the detected misbehaving/malicious vehicles.

Owing to the sparse infrastructure presence in VANETs, detection of misbehaving vehicles (certificates) inevitably requires feedback from the participating entities. A participating vehicle runs some misbehavior detection scheme (MDS) to detect a misbehavior, which is then reported to the CA. The CA accumulates some number of reports of misbehavior against any certificate before revoking the certificate and populating the corresponding CRL. Any vehicle requesting the CRLs then receives the new information, leading to eviction of newly detected misbehaving vehicles. The final security performance thus depends on the detection delay (DD), the reporting delay (RD), and the eviction delay (ED). Note that both reporting a misbehavior and evicting a vehicle necessarily require infrastructure support. In this work, we focus only on the design of misbehavior detection schemes.

In this paper we propose an MDS and analyze the dependence of its reliability performance on the micro-mobility model of the vehicles and its parameter estimation. We believe that the qualitative understanding gained from this exercise carries over to other related MDSs. This work helps in understanding the tradeoff between the two conflicting performance indicators of an MDS, namely, (a) detection delay, and (b) reliability.

In this paper, we focus on the Post Crash Notification (PCN) application. The PCN application informs the driver when there is a crashed vehicle ahead on the same roadway. A PCN alert is normally sent by a car involved in a crash. We assume a misbehavior model in which a car can send a false PCN alert even if there is no crash. However, in this initial work, we assume that the position information sent in the alert is correct even if the alert is false. A method to identify false alerts in the PCN application is proposed.
The proposed method is based on observing the driver action after a crash alert is raised, and measuring the deviation between the driver’s observed behavior and the expected behavior on a crash. Detailed simulation results are shown to observe the behavior of the method under different mobility models. A secondary contribution of this work is to propose some mobility models for VANETs that try to model the driving habits of different types of drivers.

II. RELATED WORK

Bai et al. [2] present a characterization and classification of a number of important V2V applications. The effects of channel characteristics on the performance of some classes

978-1-4244-2948-6/09/$25.00 ©2009 IEEE


of these applications have been studied [3][4]. The need for security in such applications has also been well established. Several works [5][6][7][8] investigate the requirements and challenges involved in providing secure V2V communication, and propose general architectures for security in such scenarios. The 1609.2 standard [1] also proposes the functionalities of a security layer in V2V communication. However, though some of these works stress the need for misbehavior detection, no specific scheme for misbehavior detection is given for any application.

Among applications that can benefit from misbehavior detection schemes, [9] and [10] discuss collision warning systems, both cooperative and autonomous. The first paper discusses the effect of different factors, like error in estimating the position of the car, on the performance of the system. The paper gives a sketch of how such errors can be tackled, but no misbehavior detection scheme is proposed. The second paper does a performance evaluation, but does not consider misbehavior. The effect of Sybil attacks on V2V communication and position verification schemes to mitigate them have been discussed in [11] and [12]. However, these schemes are very specific to one type of attack only. Golle et al. [13] present a model to integrate information from different sensors and use it to identify malicious information and malicious nodes. However, the algorithm for actual detection is only sketched through examples, and the computational aspects of the scheme are not investigated in detail. Rao et al. [14] propose dropping a packet at the security layer itself, even if the packet’s signature is not in its revocation list at the node, if the confidence on the security infrastructure (CoS) of the node is low. However, their scheme does not address misbehavior detection in scenarios where the misbehaving node may have a valid and recent certificate.

III. SYSTEM MODEL

Vehicles move in lanes on a highway with a constant number of lanes. Every lane has a designated average speed and the vehicle moves with that average speed when it is in that lane. We consider a single hop broadcast model in which a PCN alert raised by a car is communicated to other cars in its neighborhood. An alert also contains GPS information which can be used to identify the lane number from which the alert is coming. A misbehaving vehicle can raise an alert even if there is no crash. The misbehavior can have many causes. We focus on application layer attacks that cause a car to falsely raise an alert, but the GPS information sent in the alert is correct.

The mobility of the cars in the absence of any crash (called the free-flow model) is modeled as a Markov process with an n×n transition probability matrix P, where n is the number of lanes. We consider a discretized model, where time is divided into slots, and the vehicle makes a decision on the lane to be followed in the next slot at the end of every slot. The (i, j)th entry of P gives the probability that the driver, if currently on lane i, will change to lane j in the next time slot. At every time slot, the driver decides whether to change lanes or not,

and then moves in the lane decided with the average speed of that lane for the duration of the time slot. The mobility of a given vehicle is influenced by the movement of other vehicles around. We are not modelling this aspect in this preliminary analysis.

If a crash occurs, then the movement of the car at the crash site is governed by the transition probability matrix T. For two lanes (0 and 1), if the crash occurred in the first lane, T would be of the form

$$T = \begin{pmatrix} 0 & 1 \\ 0 & 1 \end{pmatrix}$$

As the vehicle approaches the crash site, its movement transitions from the free-flow model dictated by P to that given by T. During this transition, the movement of the vehicle can be modeled by a modulated transition probability matrix M of the form M = (1 − α)P + αT, where 0 < α < 1 and the value of α increases as the distance to the crash site decreases. It may be noted that though we use the Markov model, the technique for misbehavior detection proposed in this paper is more general and can be easily extended to work with any mobility model.

IV. DETECTING FALSE ALERTS

A. Overview

The proposed approach relies on observing the driver’s behavior after receiving an alert. Based on other neighborhood or visual inputs, the driver can determine if there is really a crash or if the alert is false. If the driver finds the alert to be true, he/she will take necessary actions and the car will move according to the crash-modulated mobility model defined above until it crosses the crash site. On the other hand, if the driver finds the alert to be false, he/she will continue to move following the free-flow mobility model since there is no crash. To detect if the alert is true or false, the position of the car is sensed at each time slot from the time the alert is received till the car passes the crash site.
Based on the initial lane the car was in when the alert was received and the lane the crash is reported from, an expected trajectory of the car following the crash-modulated mobility model can be calculated. The difference between these two trajectories, the one actually followed by the car and the expected trajectory if the crash is real, is calculated. The alert is detected as false if the difference between the two trajectories is above a certain threshold (i.e., the car did not follow the trajectory it should have followed if the crash was real, which is taken as an indication that the driver detected the alert to be false). Otherwise the alert is declared as true. Let (x, y)_t denote the actual position of the car at the t-th time slot, where x is the distance of the car from the point the alert was received, and y is the current lane number of the car. Similarly, let (x′, y′)_t denote the expected position of the car at the t-th time slot. Then the distance d between two trajectories over τ


time slots starting from the time the alert is received is given by

$$d = \sum_{t=1}^{\tau} \left[ (x_t - x'_t)^2 + (y_t - y'_t)^2 \right].$$

The following table shows the different possible cases that can arise depending on whether the alert is true or false and whether it is detected correctly or not.

              Detected (dist > ε)   Not Detected (dist < ε)
Misbehavior   True Positive         False Negative
Legitimate    False Positive        True Negative
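The detection rule above, worked through as an added example (this is not code from the paper): it builds M = (1 − α)P + αT slot by slot, derives an expected trajectory, computes d, and sweeps the threshold ε to show the false-positive/false-negative tradeoff. Assumptions: the expected trajectory is taken as the mean of the lane distribution propagated through each slot's M, α follows the (x/D)^δ form, and the matrix P, the speeds, D and τ are constructed sample values.

```python
import random

def modulated(P, T, alpha):
    """Crash-modulated matrix M = (1 - alpha) * P + alpha * T."""
    n = len(P)
    return [[(1 - alpha) * P[i][j] + alpha * T[i][j] for j in range(n)]
            for i in range(n)]

def alpha_at(x, D, delta=1.0):
    """alpha = (x / D) ** delta, x = distance covered since the alert."""
    return min(max(x / D, 0.0), 1.0) ** delta

def expected_trajectory(P, T, lane0, speeds, D, tau, delta=1.0):
    """Expected (x', y') per slot if the crash is real.
    Assumption: mean of the lane distribution pushed through each M_t."""
    n = len(P)
    dist = [1.0 if j == lane0 else 0.0 for j in range(n)]
    x, traj = 0.0, []
    for _ in range(tau):
        M = modulated(P, T, alpha_at(x, D, delta))
        dist = [sum(dist[i] * M[i][j] for i in range(n)) for j in range(n)]
        x += sum(dist[j] * speeds[j] for j in range(n))
        traj.append((x, sum(dist[j] * j for j in range(n))))
    return traj

def drive(P, T, lane0, speeds, D, tau, delta, crash_is_real, rng):
    """Sample the path actually driven: crash-modulated when the crash is
    real, plain free-flow (P only) when the driver sees the alert is false."""
    lane, x, path = lane0, 0.0, []
    for _ in range(tau):
        M = modulated(P, T, alpha_at(x, D, delta)) if crash_is_real else P
        lane = rng.choices(range(len(P)), weights=M[lane])[0]
        x += speeds[lane]
        path.append((x, lane))
    return path

def deviation(actual, expected):
    """d = sum over slots of (x_t - x'_t)^2 + (y_t - y'_t)^2."""
    return sum((x - xe) ** 2 + (y - ye) ** 2
               for (x, y), (xe, ye) in zip(actual, expected))

def alert_is_false(actual, expected, eps):
    """The alert is declared false when the deviation exceeds eps."""
    return deviation(actual, expected) > eps

def error_rates(P, T, lane0, speeds, D, tau, delta, eps_values,
                runs=2000, seed=1):
    """(eps, false-positive rate, false-negative rate) for each eps."""
    rng = random.Random(seed)
    exp = expected_trajectory(P, T, lane0, speeds, D, tau, delta)
    args = (P, T, lane0, speeds, D, tau, delta)
    d_real = [deviation(drive(*args, True, rng), exp) for _ in range(runs)]
    d_fake = [deviation(drive(*args, False, rng), exp) for _ in range(runs)]
    return [(eps,
             sum(d > eps for d in d_real) / runs,    # honest sender accused
             sum(d <= eps for d in d_fake) / runs)   # false alert missed
            for eps in eps_values]

# Constructed sample values: two lanes, crash reported in lane 0.
P = [[0.9, 0.1], [0.1, 0.9]]   # free-flow model (constructed)
T = [[0.0, 1.0], [0.0, 1.0]]   # two-lane crash matrix from the text
SPEEDS, D, TAU = [1.0, 1.0], 5.0, 5

if __name__ == "__main__":
    for eps, fp, fn in error_rates(P, T, 0, SPEEDS, D, TAU, 1.0,
                                   [0.25, 0.5, 1.0, 2.0]):
        print(f"eps={eps:<5} FP={fp:.3f} FN={fn:.3f}")
```

Because the same sampled deviations are reused for every ε, raising ε can only lower the false-positive rate and raise the false-negative rate.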

The probability that the expected path and the free-flow path are the same is also the probability that the misbehavior of the sender is not detected. Let us assume for simplicity that the PCN-modulated speed structure (dependence on lane) is the same as the free-flow speed structure. We say that there was a misbehavior if the path followed by the vehicle deviated by at least ε from the average expected behavior. Note that this deviation is not a sample-pathwise deviation (one could design more complicated schemes in which the actual sample path is compared with the expected one, while the expected one also depends on the recent history etc., but for the initial understanding of the system we do not get into those details).

A large ε would imply that a misbehavior is reported only if the deviation between the actual behavior and the expected behavior is large. Intuitively, this will result in a decrease in the number of false positives in the MDS. But, since the number of instances in which a misbehavior is reported decreases, this would result in longer detection delay in the MDS. Inversely, if ε is set to a small value, delay in misbehavior detection would be low, but the number of false positives, and hence the reliability will go down.

Thus, the probability that the misbehavior is not detected is (assuming a constant speed throughout for the sake of simplicity)

PL0 L1 PL1 L2 . . . PLτ −1 Lτ I{ τt=1 |Lt −( τi=1 Mi )(L0 ).L| Ti,y if x < y.

– i > m: If it is larger than m then he/she will move towards lane n. So, $\sum_k T_{i,k} = 1$, $1 \le k \le n$, such that $T_{i,x} > T_{i,y}$ if x > y.
– i = m: If it is equal, we check if i is less than the middlemost lane value. This gives rise to three cases again.
  ∗ m < (n + 1)/2: Handle as i > m case.
  ∗ m > (n + 1)/2: Handle as i < m case.
  ∗ m = (n + 1)/2: Handle in any one of the above ways.

The parameter α denotes how quickly the driver responds to the crash and reverts to the crash-modulated model. Let the crash site be at distance D from the current position. Then, three possible models for α (x > 0) can be (1) Linear (α = x/D), (2) Cautious (α = (x/D)^δ, δ < 1), and (3) Aggressive (α = (x/D)^δ, δ > 1). In the Cautious case, the driver switches towards T fast; in the extreme case, δ = 0, indicating that the driver switches to T immediately. In the Aggressive case, the driver does not switch towards T much initially, but does so rapidly at the end as it approaches the crash site. In the extreme case, it will switch at the last time slot before the crash. Note that though α has been modeled as a continuous function, its values at the discrete time slots are relevant to us.

B. Results for Constant Lane Velocity

The first set of results presented considers that all lanes have the same average speed. We also assume that q_i = q for all i, i.e., the lane-changing behavior of the driver is independent of the lane he/she is in. The simulation is done by varying the parameter q in P from 0 to 1 to simulate different free-flow driver behaviors. The combinations of < T, α > simulated are , and . The number of runs is chosen to ensure that the 95% confidence interval for all results is within 5% of the reported mean.

Figure 1 shows the variation of U(ε∗) as q is varied, with < T, α > = for different weights w. Figure 2 shows the corresponding ε∗ for which the minimum is obtained. It is seen that for each w, U(ε∗) remains almost the same with variations in q, indicating that the same level of tradeoff between false positives and false negatives can be achieved for different q values. It also indicates that the minimum value is fairly robust with respect to errors in estimating the model parameter q. Note that for w = 0.75, the U(ε∗) values for lower q values are slightly higher.
This is because a lower q value indicates a lane-sticking free-flow trajectory in which the driver stays mostly in one lane. Along with this, T = Lazy implies that the crash-modulated trajectory will be very close to the free-flow trajectory. Thus, in case of false alerts, the deviation between the actual trajectory (free-flow) and the expected crash-modulated trajectory is very low in more cases as compared to that for higher q values. Thus the probability of a false negative increases for smaller q even with small values of ε. As w is increased, the effect of this increased false negative becomes more prominent at lower q, raising U(ε∗). However, the curve for w = 1 shows that the probability of false negatives can still be made very small with a suitable choice of ε. The value of ε∗ is seen to decrease slightly with increasing q. However, the slope is relatively small and hence the value of ε∗ is also fairly robust with respect to small errors in estimating q.

Figure 3 shows the variation of U(ε∗) as the parameter q is varied, with < T, α > = for different weights w. The values for w = 1 are not shown any further as it is close to 0 in all cases, with the curve being parallel to the curve for w = 0.75. Figure 4 shows the corresponding ε∗


Fig. 1. Variation of U(ε∗) with q for < T, α > = with constant lane velocity.

Fig. 2. Variation of ε∗ with q for < T, α > = with constant lane velocity.

Fig. 4. Variation of ε∗ with q for < T, α > = with constant lane velocity.

driver. Hence, even for somewhat higher q values, the number of samples with very low deviation increases, increasing the false negative probability even for higher q values in this case. The value of ε∗ is seen to mostly remain constant with increasing q, with slight variation in some cases. However, the slope is still very small during these variations and hence the value of ε∗ is fairly robust with respect to small errors in estimating q.

Fig. 5. Variation of U(ε∗) with q for < T, α > = with constant lane velocity.

for which the minimum is obtained. As before, it is seen that for each w, U(ε∗) remains almost the same with variations in q, indicating that the minimum value is fairly robust with respect to errors in estimating the model parameter q. Note that even though the risk-averse model makes the driver move away as much as possible from the crash site, the actual possible movement with 3 lanes is small. Hence the behavior seen in this case is similar to that seen for the lazy model shown earlier. The value of ε∗ is seen to vary slightly with increasing q. However, the slope is still relatively small and hence the value of ε∗ is also fairly robust with respect to small errors in estimating q.

Fig. 3. Variation of U(ε∗) with q for < T, α > = with constant lane velocity.

Fig. 6. Variation of ε∗ with q for < T, α > = with constant lane velocity.

C. Results for Non-Constant Lane Velocity

Finally, Figure 5 shows the variation of U(ε∗) as the parameter q is varied, with < T, α > = for different weights w. Figure 6 shows the corresponding ε∗ for which the minimum is obtained. U(ε∗) again remains almost the same with variations in q for all values of w other than 0.75. For w = 0.75, U(ε∗) is higher again because of the influence of higher false negatives for lower q values. Note that a risk-averse, cautious driver goes away from the crash lane as fast as possible, and then basically behaves as a lane-sticking

We also simulated cases in which different lanes have different average speeds, for < T, α > = . The lanes have increasing speeds from lane 1 to lane 3. The simulation is done by again varying the parameter q from 0 to 1 in P to simulate different free-flow driver behaviors. The 95% confidence interval of all results is within 5% of the reported value, except for the case of w = 0.5 where it is slightly higher. Figure 7 shows the variation of U(ε∗) as the parameter q is varied, with < T, α > = , for different


Fig. 7. Variation of U(ε∗) with q for < T, α > = with non-constant lane velocity.

weights w. Figure 8 shows the corresponding ε∗ for which the minimum is obtained. The ε∗ values shown are normalized with respect to the maximum of the ε∗ values for all q, as the maximum possible deviation varies with q. The maximum deviation is found to be approximately 10000 for w = 0.5 and around 27000 for w = 0, 0.25. It is seen that for each w, U(ε∗) remains almost the same with variations in q, indicating that the same level of performance can be achieved for different q values. It also indicates that the minimum value is fairly robust with respect to errors in estimating the model parameter q. Note that in case of non-constant velocities, a difference in lane by 1 can translate into a large difference in the deviation as moving to a faster lane allows the car to move faster. Hence there are very few samples with very low values of deviation between the actual and the expected crash-modulated trajectories. Thus, the rise in U(ε∗) for smaller q values seen for the constant-velocity cases is absent here. The value of ε∗ is seen to decrease with increasing q. The decrease is not steep except for some q values for w = 0.5. However, the decrease is more in comparison with the constant-velocity case, indicating that the robustness of ε∗ is less when the lane velocities are different. This is expected as a lane change to a faster or slower lane causes a larger deviation in this case due to the difference in the horizontal position (distance from the crash site).

Fig. 8. Variation of ε∗ with q for < T, α > = with non-constant lane velocity.

VI. CONCLUSION

In this paper, we have presented and evaluated a misbehavior detection scheme for the PCN application. The results indicate that the scheme performs well in detecting misbehaviors while reducing the chance of false positives and false negatives. It is also quite robust with respect to small errors in estimating the parameters of the mobility model. This is important as in

a practical setting, the model parameters assumed need to be estimated from observed data, and small errors in estimating the parameters should not significantly affect the performance of the system. It is to be noted that even though a Markovian model is assumed for mobility of vehicles, the basic approach of using the deviation between actual and expected trajectories for misbehavior detection is equally applicable for other mobility models also as long as an expected trajectory in the presence and in the absence of a crash can be derived. Finally, this initial work assumes that even in a false alert, the position information will be correct, which may not be true in practice. We are currently investigating the design of an MDS that does not require this assumption, hence allowing for a broader and more practical misbehavior model.

REFERENCES

[1] IEEE Trial-Use Standard for Wireless Access in Vehicular Environments - Security Services for Applications and Management Messages, IEEE Std 1609.2-2006, 2006.
[2] F. Bai, H. Krishnan, V. Sadekar, G. Holland, and T. ElBatt, “Towards characterizing and classifying communication-based automotive applications from a wireless networking perspective,” in 1st IEEE Workshop on Automotive Networking and Applications (AutoNet 2006), 2006.
[3] Q. Xu, T. Mak, J. Ko, and R. Sengupta, “Vehicle-to-vehicle safety messaging in DSRC,” in VANET ’04: Proceedings of the 1st ACM international workshop on Vehicular ad hoc networks. New York, NY, USA: ACM Press, 2004, pp. 19–28.
[4] J. Yin, T. ElBatt, G. Yeung, B. Ryu, S. Habermas, H. Krishnan, and T. Talty, “Performance evaluation of safety applications over DSRC vehicular ad hoc networks,” in VANET ’04: Proceedings of the 1st ACM international workshop on Vehicular ad hoc networks. New York, NY, USA: ACM Press, 2004, pp. 1–9.
[5] M. Torrent-Moreno, M. Killat, and H. Hartenstein, “The challenges of robust inter-vehicle communications,” in Vehicular Technology Conference, 2005. VTC-2005-Fall. 2005 IEEE 62nd, vol. 1, 2005, pp. 319–323.
[6] M. Raya, P. Papadimitratos, and J.-P. Hubaux, “Securing Vehicular Communications,” IEEE Wireless Communications Magazine, Special Issue on Inter-Vehicular Communications, vol. 13, no. 5, pp. 8–15, 2006.
[7] P. Papadimitratos, V. Gligor, and J.-P. Hubaux, “Securing Vehicular Communications - Assumptions, Requirements, and Principles,” in Workshop on Embedded Security in Cars (ESCAR) 2006, 2006. [Online]. Available: http://www.escar.info/06/general.html
[8] M. Gerlach, A. Festag, T. Leinmuller, G. Goldacker, and C. Harsch, “Security Architecture for Vehicular Communication,” in 5th International Workshop On Intelligent Transportation, Mar. 2007.
[9] H.-S. Tan and J. Huang, “DGPS-based vehicle-to-vehicle cooperative collision warning: Engineering feasibility viewpoints,” Intelligent Transportation Systems, IEEE Transactions on, vol. 7, no. 4, pp. 415–428, Dec. 2006.
[10] T. ElBatt, S. K. Goel, G. Holland, H. Krishnan, and J. Parikh, “Cooperative collision warning using dedicated short range wireless communications,” in VANET ’06: Proceedings of the 3rd international workshop on Vehicular ad hoc networks. New York, NY, USA: ACM Press, 2006, pp. 1–9.
[11] B. Xiao, B. Yu, and C. Gao, “Detection and Localization of Sybil Nodes in VANETs,” in Workshop on Dependability Issues in Wireless Ad Hoc Networks and Sensor Networks (DIWANS), Sept. 2006.
[12] T. Leinmuller, E. Schoch, and F. Kargl, “Position verification approaches for vehicular ad hoc networks,” IEEE Network, 2006.
[13] P. Golle, D. Greene, and J. Staddon, “Detecting and correcting malicious data in VANETs,” in VANET ’04: Proceedings of the 1st ACM international workshop on Vehicular ad hoc networks. New York, NY, USA: ACM, 2004, pp. 29–37.
[14] A. Rao, A. Sangwan, A. Kherani, A. Varghese, B. Bellur, and R. Shorey, “Secure V2V Communication With Certificate Revocations,” 2007 Mobile Networking for Vehicular Environments, pp. 127–132, 2007.
