Techniques for Verification of Broadcast Information in Vehicular Ad hoc Networks

Vehicular Ad hoc Networks (VANETs) is a network protocol designed for traffic safety applications. As other computer network protocols, it is also subject to several attacks that can have fatal consequences due to the VANET's intended usage. One of these possible attacks is location spoofing where the attacker is lying about a vehicle's position to disrupt VANET safety application. This attack can be performed either through existent vehicles or forging new identities by a Sybil attack. There are several publications that propose mechanisms to detect and correct malicious location advertisements. This article presents an overview of some of these verification mechanisms proposed in the literature.

Introduction
Increasing rate of traffic accidents concerns many governments. They deploy precautions on road infrastructures and design many traffic policies to amend this problem. However, the improvements that come with these solutions are not effective enough. There are approximately 30,000 deaths and 2.2 million injuries annually in the US alone, caused by traffic accidents. Drivers are the main factor contributing to these accident rates due to their lack of attentiveness and slow reaction times. Modern technologies can better cope with highly dynamic traffic conditions and provide avoidance techniques against traffic accidents.

VANETs are proposed for improving traffic safety. Vehicles have communication capabilities which allow them send and receive network packets. They periodically broadcast traffic safety messages called "Basic Safety Messages" (BSMs) to all the other vehicles in its communication range with the frequency of 10 BSMs/second. These messages include information about the sender vehicle's movement such as current speed, location, heading, brake status, etc. Other vehicles that hear these messages process them, take local actions (adjust their speed, move away, emergency brake, etc.) to avoid possible collisions, and flood/forward these BSMs to their neighbors. With the help of these periodic BSM advertisements and flooding throughout the VANET, every vehicle can construct a traffic awareness from a very large area and take preventive actions before it is too late to avoid collisions. The details of traffic safety mechanisms in VANETs and their special network protocol stack design can be found in VANET standards. In VANET network protocol stack, WAVE standards defines mechanisms from Application Layer to Network Layer while IEEE 802.11p specifies the Link Layer and Physical Layer. VANET's protocol stack is designed specially to address network issues that come with high mobility and high network overhead.

Security Issues
In VANET scenarios, every vehicle including emergency vehicles will be equipped with communication capabilities. In addition to collision avoidance, BSMs can also be used by the authorities for purposes such as locating a vehicle that is broken down, chasing vehicle of a criminal, etc. Therefore, it makes tampering with location information in BSMs very attractive for attackers. They can produce fake locations to cause accidents, mask the true location of a criminal's vehicle in a police chase and disrupt many other VANET safety applications.

Public Key Infrastructure
Easiest way for attackers to achieve location spoofing would be spoofing other existing vehicles' identities; however, Public Key Infrastructure (PKI) deployed in VANETs makes this a very challenging task. Each vehicle comes with a government issued public-private key pair and the private key is used to sign every BSM broadcast. Therefore, attackers will not be able to sign the BSM, which has a fake location inside, on behalf of a legitimate vehicle without knowing its private key. This leaves attackers only two choices; the attacker has to either forge valid public-private key pairs for non-existing vehicles he will use (Sybil Attack), or has his own real vehicles that will advertise the fake locations. Due to the high cost of the latter, Sybil attacks are usually the most popular way of performing these types of attacks.

Since traffic safety applications are highly dependent on accurate vehicle positions, there has been significant research in the literature towards efficiently verifying the location advertisements by the vehicles in VANETs. The subsequent sections present several publications in the literature, which propose techniques for this location verification.

Wireless Localization
Wireless localization is one of the techniques that can be used to detect fake location advertisements. Xiao et al. proposes a defense mechanism against Sybil nodes, which utilizes wireless localization for detecting them. They use the stationary base stations, aka Road Side Units (RSUs) located at the side of the roads all around the map in VANETs, to perform the localization. These RSUs have a wide radio range that allows the defense mechanism to be able to monitor a lot of vehicles at the same time. They can listen to VANET messages and they are all connected to each other by wired connections through the infrastructure.

When a vehicle keeps advertising its current location in its BSMs, the RSUs that can hear the vehicle will keep sampling the Received Signal Strength Indicator (RSSI) calculated from the transmissions of these messages. These RSUs are called "witnesses" by the authors for the localization algorithm. After witnesses sampling RSSIs for a sufficient amount of time, the localization algorithm will use these samples to estimate the position of the vehicle. The algorithm solves the below formula as an optimization problem where Mean Squared Error (MSE) is minimized by varying the vehicle's estimated position $$p$$.

$$MSE(p)=\dfrac{\sum_{i=1}^{k} (S_r(w_i) - S_m(w_i,p))^2}{k}$$

$$p$$ is the estimated position of the sender vehicle, $$k$$ is the number of witnesses, $$S_r$$ is the RSSI sampled at the witness $$w_i$$, $$S_m$$ is the RSSI that the witness $$w_i$$ is supposed to observe given the sender vehicle's estimated position $$p$$, according to the radio propagation model presented by Eltahir et al. Minimizing the Mean-Square Error (MSE) by varying $$p$$ gives us the optimal estimated position $$\hat{p}$$. This $$\hat{p}$$ is then compared to the position advertised by the vehicle. If they are different above a certain threshold, it means that the localized vehicle is an attacker node that is currently performing a Sybil attack. Afterwards, the attacker vehicle along with its Sybil nodes (its forged identities) can be removed from the VANET by warning all the victim vehicles so that they can drop all the packets sent by these malicious nodes.

Active Position Detection
Yan et al. proposes a defense mechanism against both aforementioned ways to perform position spoofing: attacker using a real car he owns or performing a Sybil attack. It makes use of front and rear radars that all future VANET-enabled vehicles are expected to have. It computes the cosine similarity between the path history built by the position advertisements by a target vehicle and the path history built by the positions calculated using the front/rear radar of either the observer vehicle itself if the target vehicle is in the radius of 200 meters, or radars of a trusted neighbor that is close enough to the target vehicle. If these two paths are different above a certain threshold, which is set and constantly updated according to the expected inaccuracy of GPS devices, the target vehicle will be marked as a malicious node broadcasting fake positions and all the vehicles in a VANET will isolate it from the communication. If the two paths are similar enough, the path history of the target vehicle that is saved inside the observer vehicle will be updated and the same computations will be repeated every time position advertisements are received.

This defense mechanism utilizes the trusted neighboring vehicles that is close to the target vehicle to obtain the radar readings; therefore, the mechanism an observer vehicle uses to construct its list of trusted vehicles plays an important role for the defense mechanism to work properly. All the vehicles of which the observer does not have a recorded path history yet will be regarded as untrusted until they can build a path history that is verified by all trusted vehicles. This initial trust establishment resembles building a credit history; until a person builds a credit history long enough with excellent payment record, the lenders will not trust him/her to give a loan. Also similar to the credit history, a currently trusted vehicle can later be regarded as compromised if its advertised path history becomes different than what other trusted vehicles compute based on their radar readings.

Position Verification by Plausibility Thresholds
Unlike the aforementioned techniques, the defense mechanism that Leinmuller et al. proposes in their paper does not require any special hardware or infrastructure to detect position spoofing. They use several plausibility thresholds that can be calculated and confirmed using already built-in mechanisms of VANET-enabled vehicles. These thresholds are the following:

Acceptance Range Threshold: This threshold is set by the maximum radio range of the observer vehicle. The vehicle will be able to receive messages successfully only from the vehicles within this radio range. Therefore, if it receives a message directly from a vehicle that is claiming to be further away than this threshold, that vehicle has to be lying about its position.

Mobility Grade Threshold: This threshold is designed to take into account the maximum speed that a vehicle can have at a certain time. The value it is set to depends on the speed limit on the current road and the make/model of the vehicle that is advertising its location. When a position advertisement is received, the observer vehicle will compare it with the last position advertised by this vehicle and determine if its mobility lie under the mobility grade threshold. If the vehicle seems to have moved faster than this threshold, it must be advertising fake location information.

Maximum Density Threshold: There can be a maximum number of vehicles that can be located in a certain area. Maximum density threshold considers the size of a certain area and dimensions of the vehicles that are currently claiming to reside there. If the number of vehicles in that area is larger than this threshold, all the messages from there will be ignored by every vehicle since it is a strong indication that there are active Sybil nodes in that area.

Map-Based Verification: Some fake locations advertised by attackers might be outside any of road on the map. Each vehicle can use its built-in navigation system to detect these implausible locations. Even though attackers will carefully craft their location advertisements most of the time, it is still a useful check in the defense mechanisms since it still works for few attack scenarios.

The proposed defense mechanism is generally run distributed by individual vehicles without collaboration to detect location attacks. However, detection by these plausibility thresholds might sometimes give false negatives or might not be sufficient alone. In that case, vehicles will collaborate to perform the defense. This collaboration involves synchronization of neighbor tables and reactive position requests to build a collective knowledge that can effectively fight against location attacks.

Position Verification by Formal Methods
Optimal position verification for Vehicular Networks based on formal decision theory frameworks have also been investigated in a series of recent papers e.g..