Detecting Sybil attacks in vehicular networks

Abstract

A Sybil attack consists of an adversary assuming multiple identities to defeat the trust of an existing reputation system. When Sybil attacks are launched in vehicular networks, the mobility of vehicles increases the difficulty of identifying the malicious vehicle location. In this paper, a novel protocol for Sybil detection in vehicular networks is presented. Considering that vehicular networks are cyber-physical systems, the technique exploits well grounded results in the physical (i.e., transportation) domain to detect the Sybil attacks in the cyber domain. Compared to existing works that rely on additional cyber hardware support, or complex cryptographic primitives for Sybil detection, the protocol leverages the theory of platoon dispersion that models the physics of naturally occurring vehicle dispersion. Specifically, the proposed technique employs a certain number of roadside units that periodically collect reports from vehicles regarding their physical neighborhood. Leveraging from existing models of platoon dispersion, a protocol was designed to detect anomalously close neighborhoods that are reflective of Sybil attacks. To the best of the authors’ knowledge, this paper is unique in integrating a well established theory in transportation engineering for detecting cyber space attacks in vehicular networks. The resulting protocol is simple, efficient, and robust in diverse attack environments.

Introduction

Organizations in many countries today are investing in vehicular networks to leverage wireless networking support to improve state-of-the-art in road transportation. The US Federal Communications Commission (FCC) has allocated 75 MHz of spectrum in the 5.9 GHz band for Dedicated Short Range Communications, a set of protocols and standards for short to medium-range wireless communication for automotive use. Some recent vehicular networking efforts are the USDOT’s Vehicle Infrastructure Integration (VII), which is a cooperative initiative between USDOT and automobile manufacturers, focusing on feasibility of deploying communications systems for safety and efficiency of road transportation systems. The ERTICO partnership is a multi-sector partnership pursuing development and deployment of Intelligent Transport Systems across Europe. Apart from these efforts, a variety of VANET test-beds have been set up in academia also for basic research and development of services.

This paper addresses a critical and emerging security problem in vehicular networks, namely detecting the presence of Sybil attacks. Sybil attacks are classified as an attack on the trust of a peer-to-peer system by an attacker assuming many pseudonymous identities. Using these identities, the attacker can gain a disproportionately large influence on system functionality. In vehicular networks, the presence of a Sybil attack can have negative consequences. For instance, in an application like road safety, consider a single malicious vehicle, V _M , assuming a large number of fake identities incorrectly reporting road conditions. Other benign vehicles will tend to believe such a message, since it appears to be coming from multiple vehicles, and may adjust their routes. In such a case V _M can potentially obtain exclusive access to the road, which it otherwise could not. A number of other applications like content exchange, intelligent traffic signalling, and ramp metering can all be compromised in the presence of Sybil attacks. Unlike static networks like the Internet, vehicular mobilities make Sybil detection very difficult with the added spatio-temporal constraints.

Related work

The problem of detection Sybil attacks in VANETs has been previously studied. In [1] and [2], the proposed solution detects Sybil attacks when vehicles may only hold one valid pseudonym at a time. When a pseudonym need to be refreshed, a new pseudonym is obtained from a trusted Road-Side Unit (RSU). The consequence of this approach is a possibly complex pseudonym allocation mechanism implemented by the RSU network. Another technique leverages directional antennas to identify the location/direction of message arrival [3]. A vehicle launching a Sybil attack will likely be detected as many messages will arrive from the location/direction. However, in dense networks, localization errors can lead to frequent false positives. This scheme may be compromised as a smart attacker may use directional antennas to mislead its neighbors about its direction.

In [4], heavy-weight cryptographic techniques are leveraged for detecting Sybil attacks in VANETs. Specifically, each vehicle is given a list of pseudonyms to protect their privacy during communication. However, the pseudonyms of each vehicle are designed in such a manner wherein they are all hashed to a common value. By calculating the hashed values at Road Side Units, a central server can determine whether or not certain pseudonyms came from the same pool. Sybil attacks are detected if many pseudonyms from the same pool are detected in a short interval of time. Unfortunately, the computational complexity of cryptographic protocols in this technique is quite high.

In [5], GPS and RSSI signal measurements are used for detecting Sybil nodes. The proposed scheme uses Vehicle-to-Vehicle (V2V) communications to confirm reported positions of vehicles by referencing the RSSI measurements. To correct inaccuracies arising from RSSI measurement, caused by vehicle mobility, traffic patterns and support from roadside base stations are used. Specifically, statistical algorithms are implemented to verify the signal strength distribution of a suspect vehicle over time to significantly reduce the detection rate. In [6], analysis is performed to quantify performance of Sybil detection under assumptions like transmission range, antenna model, signal strength etc. Unfortunately, the un-reliability of RSSI measurements limits the practical reliability of these techniques [7]. In [8], inability of multiple vehicles to exhibit close temporal and spatial correlations at multiple locations is exploited for Sybil defense. The idea is to have RSUs sign location and timestamp information for vehicles as they move. Upon detecting groups of vehicles having many similar locations with similar timestamps, a Sybil attack is detected. The overhead in this scheme though is quite high, especially in the case of urban networks. Significant cryptographic overhead is incurred as RSUs have to sign each received message.

We also would like to point out two other areas of work that are also closely related to our problem of Sybil attack detection in vehicular networks. The first area is secure localization in wireless networks like sensor and mobile ad hoc networks [9, 10], wherein locations of nodes are determined in a secure manner. Our problem is similar, but orthogonal in the sense that we are attempting to verify integrity of relative location updates as vehicles move in the network. The other area we wish to highlight is the issue of detecting Sybil attacks and nodes in static networks like sensor, Internet scale, and social networks [11–14]. As can be observed, while the goal of these works are related to ours, the issue of vehicle mobility and unique mobility patterns of these nodes necessitates fundamentally new approaches for Sybil detection, which we attempt in this paper.

Contributions

Presented in this paper is an innovative protocol for Sybil detection in vehicular networks. Vehicular networks today are examples of cyber physical systems, where there is a clear integration of cyber and physical components. The premise of this paper starts with two simple questions: Can the natural physics of the underlying transportation domain be integrated with the Cyber domain in detecting Sybil attacks, and b) If so, can such an integration generate high quality solutions to detect Sybil attacks, while alleviating complexities (in the form of complex cryptography and additional hardware requirements) in the cyber domain. This papers yields a positive response to both questions.

The technique employs a certain number of road side units (RSUs) that periodically collect reports from communicating vehicles regarding this neighborhood. In the event of a vehicle performing Sybil attacks, the geographic proximity the Sybil identities will be long-term and repeating, while the geographical proximity of benign vehicles will short-term. To put it in terms of transportation engineering, Sybil identities will appear to “platoon” together, while identities of benign vehicles will eventually “disperse”. The dispersion of vehicles in roads occurs due to a combination of road conditions, vehicle dynamics and human factors. This theory has been extensively studied by transportation engineers in the last five decades in the form of a theory called “platoon dispersion” [15–18]. Integrating platoon dispersion models provide an alternative method for Sybil attack detection. To detect attacks, RSUs compare models of naturally occurring dispersion among benign vehicles with anomalously occurring platoons among Sybil nodes. Using a combination of both theoretical analysis and simulations, the simplicity, efficiency, practicality and quality of the protocol for Sybil detection in vehicular networks is demonstrated. To the best of the authors’ knowledge, this paper is unique in proposing an inter-disciplinary approach for addressing cyber space attacks in emerging vehicular networks.

Paper organization

The rest of the paper is organized as follows. Section ‘Platoon dispersion and its application to Sybil detection’ presents a brief overview of platoon dispersion theory in transportation engineering, and its application for Sybil detection in vehicular networks. Section ‘Research design and methodology’ presents the formal attack model, problem statement, overall framework, and protocol for Sybil detection. Section ‘Performance evaluations’ will demonstrate the performance of the protocol, and the paper concludes in Section ‘Conclusions’.

Platoon dispersion and its application to Sybil detection

Provided first is a brief overview of how models of dispersion among vehicles that naturally occur in roads have been studied by transportation engineers. Afterwards, a simplified example of how to use platoon dispersion theory for Sybil detection is presented. The discussions will help guide the proposed Sybil detection protocol discussed in the next section.

Platoon dispersion theory in transportation engineering

A platoon is a group of vehicles traveling in close proximity for some amount of time as shown in Figure 1. Ideally, consistent vehicle platooning is preferable and improves critical transportation parameters like signal optimization, congestion avoidance, improved road safety, and capacity [19–23]^a. Under normal traffic, vehicle platooning is short-term. Clearly, if all vehicles in an existing platoon are traveling at a constant speed, a platoon will never disperse. However, due to physical factors like road friction, vehicle characteristics and signalling, human factors, lane changes, and fatigue [24] cause platoons to disperse over time. The longer the travel time between points the greater dispersion, due to the difficulty of maintaining constant speed over longer time scales. This phenomena is called platoon dispersion, a simple illustration of which is shown in Figure 2.

An eight-car platoon. Real-life example of eight cars in a platoon configuration.

Full size image

Formation and dispersion of platoons. Illustration describing the various states of vehicle platoons.

Full size image

Platoon dispersion has been well studied in transportation engineering [15–17, 25–31], via two mathematical models. One is the (more popular) Robertson’s geometric distribution model [16] and the other is the Pacey’s normal distribution model [15]. Both models assume that road segment travel times follow some probability distribution. The Robertson platoon dispersion model follows a shifted geometric series, and has been implemented in traffic-simulation software like SCOOT [32], SATURN [33] and TRAFLO [34]. The basic of Robertson recursive platoon dispersion model takes the following form:

A numerical procedure was developed for the Robertson model in [25] by rewriting Equation 1 as,

where,

: arrival flow at the downstream location at time t-T (veh/hr);

q _t : departure flow at the upstream location at time t (veh/hr);

δ t: time step duration;

T _{m i n} : minimum travel time on the roadway;

T _{m e a n} : mean roadway travel time, measured in units of time steps.

: dimensionless platoon dispersion factor depending on the level We are also investigating moreof friction along the roadway;

: dimensionless travel-time factor;

R: smoothing factor governing dispersion, where 0≤R≤1;

σ: the standard deviation of link travel time assuming individual vehicle speeds follow normal distribution and are unchanged.

As can be seen from Equations 1, 2, 3 and definitions of parameters, all we need to know are the speed deviations σ among vehicles, and the mean travel time T _a between the upstream and downstream locations. If both can be determined (which is quite straightforward to obtain), one could compute platoon dispersion factors α and β. These parameters subsequently can be used to compute the smoothing factor R, from which the degree of how an upstream platoon will disperse at the downstream location can be computed.

Figure 3 shows an illustration of upstream platooning and its downstream dispersion, wherein the shaded portion represents similar vehicle speeds that tend to platoon together, while non-shaded portion represents varying speeds of vehicles that disperse from the original platoon. A numerical example of dispersion based on the Robertson model [16–18] is shown in Figure 4. Each observation (i.e., downstream) point is one mile apart, and the minimum travel time between each point is one minute. For small speed deviations, the dispersion in expected number of vehicles reaching the observation point is less than the case where the speed deviation increases. This leads to platoon sizes decreasing, progressively, as vehicles travel from one observation point to another.

Illustration of platoon dispersion model.

Full size image

Numerical example of platoon dispersion. Graph describing the decrease in platoon size as platoons reach various road side units.

Full size image

An illustrative example of Sybil detection using platoon dispersion

Consider a case where there are 50 vehicles in an upstream platoon. Let each vehicle have a unique identity given by {V₁,V₂,…,V₅₀}. Vehicle V₅₀ is malicious and possesses 50 fake identities $\left\{{\bar{V}}_1,{\bar{V}}_2,\dots ,{\bar{V}}_{50}\right\}$. When all vehicle communicate with each other (including V₅₀ with all of its identities to launch a Sybil attack), the up-stream platoon will appear to have 100 vehicles. With prior knowledge of road characteristics and (either currently sampled or prior estimates of) vehicle speeds, the dispersion parameters and the expected degree of dispersion at downstream can be computed. Say the smoothing factor is R=20%. If the Sybil, V₅₀, is part of the downstream platoon (recall shaded area in Figure 3), the number of identities actually seen in the downstream platoon is n _d =0.20 × 50 (benign vehicle identities) + 50 Sybil identities =60 identities. If the Sybil vehicle falls outside of the downstream platoon (recall the non-shaded area in Figure 3), then the number of identities actually seen in the downstream platoon is n _d =0.20×50=10 identities.

It is easy to see that abnormalities in the physical domain will manifest in the form of abnormal platooning (and ensuing dispersion) under Sybil identities in cyber space. If all the identities upstream (i.e. 100 of them) are benign, the number of vehicle identities in the downstream platoon is expected to be n _d =0.20×100=20. Sufficient abnormalities in platoon dispersion that are straightforward to determine leading to a natural, elegant, and simple technique to detect Sybil attacks. To the best of the authors’ knowledge, such a technique has not been attempted yet, and is formalized and elaborated in the next section.

In the previous section, a basic theory of platoon dispersion was illustrated, and how in principle can be leveraged for detecting Sybil attacks in vehicular networks. In this section, the protocol for detecting Sybil attacks via leveraging from platoon dispersion is presented. Several practical challenges in the actual design and implementation of the proposed protocol are addressed afterwards.

Vehicular network model

It is assumed that a certain number of Road Side Units (RSUs) are deployed in the vehicular network. The RSUs can communicate with each other and vehicles on the road. Communication is achieved through a 2-way radio, such as a DSRC (Dedicated Short Range Communications), to send and receive messages to other vehicles and RSUs. Each Vehicle V _x also has a unique identity that can identify it in the network. The identity for each V _x also acts as a unique public key P _x used for message encryption. Each vehicle maintains a secure private key for decryption of messages. Since energy is not a constraint, asymmetric encryption is feasible in vehicular networks [35]. Note that message confidentiality and privacy are not emphasized in this paper. It is assumed that some system exists for protecting confidentiality. If privacy is desired, techniques have been proposed for utilizing temporal pseudonyms that expire after a certain time [36], or using local coordination among vehicles and aggregating responses before forwarding messages. Such techniques do preserve vehicle privacy, and their usage will not affect the proposed protocol. Furthermore, a Central Coordination Authority (CCA) is involved in coordination among all RSUs, along with any key and pseudonym distribution among vehicles. The CCA and RSUs are assumed to be trusted.

For the proposed protocol, RSUs must have some prior information about vehicles and speed distributions along road segments. Such knowledge is reasonable and practical. In many countries across the world, including the US, efforts are being made to estimate vehicle densities and speed distributions for traffic management purposes. This is acheived using a variety of modern equipment like road side sensors, traffic light cameras and remote sensing imagery [37–40]. More discussion on this assumption and the accuracy of estimates are detailed in the next subsection during the description of the proposed protocol.

Simple attack model and problem definition

The attack model provides contextual information and elaborates the roles of the various agents. The attacker intends to subvert the integrity of peer vehicle communications by launching Sybil attacks. The attack has captured a certain number of legitimate identities (or keys) belonging to other vehicles. Such an attack model is practical, powerful, and has not been considered yet in related literature [1–6]. For example, a malicious parent could easily steal identities of multiple members of their family that have identities already provisioned. Clearly with more sharing of vehicles today (e.g., rental cars and car pools), the feasibility of skimming attacks in vehicles (or in related hardware) to steal identities is even more practical. With multiple legitimate identities in hand, the potency of an attacker is much higher. The mobile nature of vehicular networks makes detection of such identity thefts quite difficult in practice. It is assumed that the attacker will utilize all its Sybil identities to attack the network in an attempt subvert the network integrity. Note that in this paper, we consider for simplicity one attacker in the network. The protocols we propose can be directly applied to multiple (but non-colluding) attackers. Analyzing and enhancing protocols for thwarting colluding attackers is part of future work^b.

Given the attack model, the formal problem statement is to rapidly detect the presence of Sybil attacks in a vehicular network.

Proposed technique for Sybil detection in vehicular networks

Overview

In Section Platoon dispersion and its application to Sybil detection, the basic overview of platoon dispersion and how it can be leveraged in principle for Sybil detection was presented. Unfortunately, there is one critical challenge to overcome before practical Sybil attack detection via leveraging platoon dispersion. Recall from Section ‘Platoon dispersion theory in transportation engineering’ that existing models for platoon dispersion assume that vehicle speeds from an upstream point to a downstream point are unchanged. These speeds are then used to derive σ (which is used to derive Smoothing Factor R in Equation 2), that subsequently determines dispersion phenomena. Anomalies in the dispersion phenomena naturally provide an ideal foundation for detecting Sybil attacks in theory. However, in practice, vehicle do not travel with constant speed and speed can vary widely between vehicles. This is solved by using measurement samples from peer vehicles and incorporating these data to determine platooning anomalies. A high level of confidence of detecting Sybil attacks is possible through this method.

Protocols description and analysis

Protocols ?? and ?? executed by vehicles and RSUs, respectively, illustrate the proposed technique for Sybil detection. As demonstrated in Protocol ??, each Vehicle V _x will store the identities of all vehicles with which it has communicated when traveling between RSUs. These identities are forwarded to an RSU when the vehicle is in range. Upon a vehicle transmitting its internally stored list of other communicating vehicles, the list may be deleted. Additionally, vehicles do not have to disclose their location for the protocol to work.

Protocol ?? presents the steps executed by a downstream RSU R _d for Sybil detection. The inputs to the protocol are as follows. First, the Central Coordination Authority defines what constitutes a platoon. One simple way to define a platoon is to say all vehicles currently within the communication range of an RSU is a platoon. Alternate definitions can also exist depending on traffic models and does not change the protocol or its execution. Second, R _d will have prior models of vehicle densities and speed distributions from historical information. Such information can be obtained from a number of traffic management organizations. These organizations regularly collect information on vehicle volumes, densities, and speeds along road segments to improve congestion control, signalling, accident management, and other traffic attributes. A number of recent studies also propose innovative and accurate approaches to obtain such information including deployment of road side sensors and remote sensing imagery to obtain such information [37–40].

From such information, each RSU can derive the mean (${\mu }_N^{\ast }$) and standard deviation (${\sigma }_N^{\ast }$) of vehicle travel time based on the number of vehicles N traveling from upstream. Note that even if such information may be historical and may not reflect existing trends, it is always possible to obtain samples in real-time from current traffic to build accurate more profiles. Recall from Equation 2, that the smoothing factor R governing platoon dispersion is given by $R=\frac{\sqrt{1+{\sigma }^2}-1}{2{\sigma }^2}$, where σ is the standard deviation of link travel time assuming individual vehicle speeds follow normal distribution and are unchanged. To obtain σ, Equation 2 can be rewritten as $\sigma =\sqrt{\frac{1-R}{R^2}}$. In practice vehicle speeds and link travel times on roads between RSUs fluctuate. Assuming the link travel times of each vehicle follows normal distribution [41, 42] with parameters ${\mu }_N^{\ast }$, ${\sigma }_N^{\ast }$, and N vehicles in an upstream platoon, the probability density function (pdf) of σ is

Consequentially, the probability density function (pdf) for the smoothing factor R as $f_R\left(r\right)=\frac{1}{{\sigma }_N^{\ast }\sqrt{2\pi }}{e}^{-\frac{1}{2}\left(\frac{\sqrt{\frac{1-r}{r^2}}-{\mu }_N^{\ast }}{{\sigma }_N^{\ast }}\right)}$. The Cumulative Distribution Function (CDF) is then given by

The final input to the protocol is the confidence interval (ε) of Sybil Detection, that is predetermined by the Central Coordination Authority.

Once R _d obtains the number of vehicles n _d departing from R _u , it waits for T _{m i n} , the minimum travel time on the link. R _u starts receiving messages from vehicles regarding identities they had communicated with. Based on times of messages received, R _d determines the number of vehicles in the current platoon as Z. It then computes the platoon ratio as $m=\frac{Z}{Y}$ and F _R (r=m) from the CDF of the smoothing factor. There are two cases of interest here. When the Sybil attacker is part of an upstream platoon and part of the downstream platoon, the number of vehicles Y _d in the downstream platoon will be abnormally large as the Sybil identities will not disperse. In the second case, the Sybil vehicle is not in the downstream platoon, causing the number of vehicles Y _d in the downstream platoon will be abnormally less. This is due to large number of Sybil identities being dispersed. In the first case, F _R (r=m) will assume a large value as the platoon size will show little relative change, and in the latter case F _R (r=m) will assume a much smaller value as the relative change in platoon size is high. This is captured in Step 9 of Protocol ??, where abnormal platoons in both cases are checked to indicate a Sybil attack.

Only a limited number of numerically obtained parameters are used in the execution of the protocol. The critical parameters are ${\mu }_N^{\ast }$, ${\sigma }_N^{\ast }$ and ε. When ${\mu }_N^{\ast }$ is low, dispersion is low. This means that the likelihood of vehicles platooning together is higher, hence lowering the chances of detecting Sybil identities. On the other hand, ${\sigma }_N^{\ast }$ denotes the standard deviation or error in the estimation of link arrival time. If ${\sigma }_N^{\ast }$ is low, then the error in estimation of link arrival time is better, yielding a steeper CDF, which improves detection accuracy. The parameter ε determines the degree of confidence in detection. Finally, all of these parameters are integral to the attacker strength in terms of number of Sybil nodes during detection. Next, the impacts of these parameters on the performance of the protocol are detailed.

Performance evaluations

In this section, the performance evaluation of our protocol to detect Sybil attacks in vehicular networks are reported. Section ‘Preliminaries’ presents preliminaries, while Section ‘Analysis and simulation results’ illustrates performance data.

Preliminaries

The simulations were performed on Simulation of Urban Mobility (SUMO), which is an open source traffic simulation package [43]. SUMO allows importing custom maps, user-defined vehicle trips, and detailed simulation output for every vehicle. A map consisting of 10 intersections by 10 intersections was constructed to simulate a typical inner-city topology. The distance between each intersection 400 ft or approximately 122 m. This gives a block of 400 ft × 400 ft. The map was then populated with varying number of vehicles generated with random source/destination pairs with the trip defined as the shortest route between the source and destination. The simulator provides a high degree of configurability for the protocol analysis while providing reports in easy-to-process formats. Additionally, the simulator provides fine-grain data as information for every vehicle for every second is saved. We wish to point out that the grid based topology we employ is widely used for simulation purposes and hence we adopted it in this paper. Extending our simulations to more complex and realistic topologies is part of future work.

A normal distribution with the current case parameters were used to randomly assign start and maximum speeds for vehicles. The simulator then creates a simulation report after completion. The output file includes every vehicle’s speed, position, current road, position on road, and other data. Then these logs files were parsed to create individual files for every vehicle containing the timestep, vehicle speed, current position, and current road at that timestep.

The same data was used to create an output file containing the time a vehicle encountered a RSU and the speed of that vehicle. Note that RSUs were placed at each intersection. The simulator was utilized to learn ${\mu }_N^{\ast }$ and ${\sigma }_N^{\ast }$^c for various values of number of vehicles N from 10 to 1000. Unless otherwise stated, the confidence internal was ε=0.05, and all vehicles within a 0.5 mile range were considered as part of a platoon. All results were averaged over 50 iterations, with a μ=35 mph. Due to space limitations, only simulation data are reported and discussed. However, it should be noted that the analysis data agrees well with simulations results.

Analysis and simulation results

A road with a length of 10 miles was implemented for this study to allow for sufficient dispersion among vehicles. T _{m i n} and the average of σ^∗ (denoted as σ) are determined from simulation data, as shown in Figure 5. Then they were substituted in Equation 3 to determine the expected number of vehicles in the downstream platoon. As the number of vehicles increase, the trend remains the same. This sufficiently demonstrates the fidelity of the simulation environment in conducting further investigations. The trend also remains for road segments of different lengths, which are not reported due to space limitations.

Comparing platoon dispersion theory with simulations. Graph of the expected results from the platoon dispersion model along with the simulation calculated results.

Full size image

Figure 6 illustrates the basic features of our protocol, when the number of vehicles in upstream platoon n _u =50. The Y-axis denotes the detection time, or number of RSUs traversed before a detection of Sybil detection is made. In this case, σ^∗ is constant and fixed as 1.0. When μ^∗ increases, Sybil attacks are detected faster. This high value of μ^∗ causes increased dispersion which increases the chances of detecting anomalous platoons. Also, varying the percentage of Sybil attackers varies the detection time. When the percentage of Sybil attackers increase, anomalous platoons are easier to detect, quickening the detection time.

Sybil detection under varying percentage of Sybil vehicles. Chart characterizing at which road side unit Sybil nodes are detected against the percentage of vehicles classified as Sybil nodes.

Full size image

Figure 7 illustrates the trend of false negatives in the protocol. The number of vehicles in upstream platoon is still set as n _u =50, and σ^∗=1.0. As μ^∗ increases, the false negatives decreases. Again, the high value of μ^∗ increases dispersion and the chances of detecting anomalous platoons correctly which lowers false negatives. Interestingly, the false negatives rate decreases as the percentage of Sybil attackers increase. As more Sybil attackers leads to increased chances of detecting anomalous dispersion. For the case of Sybil attackers reaching 40% and above, the false negatives completely disappear, demonstrating that the protocol is robust against increasing degree of Sybil attacks.

False negatives under varying percentage of Sybil vehicles. Chart detailing the trend of the number of false negatives as the percentage of Sybil vehicles increases.

Full size image

In Figure 8, the trend of how increasing number of vehicles affects detection performance when the percentage of Sybil vehicles is 10% is shown. The observed trend is straightforward to interpret. When the number of vehicles decrease, σ^∗ increases. This causes increased platoon dispersion, thus accelerating the detection rate. When the number of vehicles increases, roads become congested and degree of dispersion decreases, causing an increased duration of Sybil detection.

Sybil detection versus number of vehicles. Chart describing the road side unit Sybil nodes are detected at with various number of total vehicles.

Full size image

In Figure 9, the trade-off between false negatives and false positives when N=50, μ^∗=2 and σ^∗=0.4 is shown. As we can see when the percentage of Sybil vehicles is low, the protocol yields excellent performance in terms of false positives and false negatives. Though, with increasing attack intensity the performance degrades. The false positive rate is decided by the parameter ε, which is user specified. When ε is low, the false positive rate is low and the false negative rate is higher, and vice versa. However, this is also sensitive to the number of Sybil vehicles. How to address this trade-off in practical settings is the topic of future research. One plan is to integrate long term predictions from RSUs leveraging platoon dispersion with short term prediction models using distributed computation among local vehicles. Also, adapting the protocol to changing road conditions under traffic dynamics is also part of future research.

False negatives versus false positives. Chart comparing the number of false negatives versus false positives.

Full size image

Advanced attack model

The previous results and discussions have pertained to a simple attack model where the Sybil vehicles broadcast all stored pseudonyms during an attack. Once an RSU network attempts to identify a Sybil attack, the Sybil vehicles may change their message distribution algorithms to avoid detection. The following scenarios describes alternate attack methods a Sybil vehicle can implement to avoid detection. To determine the robustness of the proposed protocol, the results of the protocol against different Sybil attack schemes are presented.

Normal dispersion attack efficiency scenario

The main objective of the attacker is to maintain the efficiency of an attack. Attack efficiency is defined as ratio of Sybil pseudonyms to benign pseudonyms. In other words, the attack efficiency can be defined as

The attacker wants to maintain a high efficiency in order to masquerade Sybil pseudonyms as benign pseudonyms. For this to become possible, the attacker must have a priori road information. Say, the attack releases a subset of V _s , called V_s,1, at an upstream RSU. At the downstream RSU, the attack can release a subset of V_s,1 such that it appears the platoon dispersed under normal circumstances. The number of pseudonyms to “disperse” can be derived from the a priori road information and platoon dispersion theory.

Normal dispersion attack efficiency results

There are some practical limitations to this attack scenario, which the our protocol to detect Sybil attacks exploits. In order to have an effective attack, V _s (set of Sybil identities) must be large compared to V _b (set of benign identities) otherwise the Sybil attack will have little influence on the benign vehicles. Using the previous example of Sybil nodes incorrectly reporting road conditions, if exactly 50% of the pseudonyms were Sybil and reporting false information while the other 50% (benign pseudonyms) are reporting true information. No decision could be made on what information to believe. Therefore, an attacker needs more than 50% Sybil pseudonyms to launch an effective attack.

The attack efficiency, e, is held constant as both the Sybil and benign pseudonyms are dispersing at the exact same rate, as shown in Figure 10. This effect leads to an exhaustion point for the Sybil pseudonyms, where there are no more available pseudonyms to use. The attacker cannot reuse previous pseudonyms for some time interval as that would trigger an attack detection. Essentialy, reuse of previously dispersed pseudonyms leads anomalous behavior and is caught by the protocol. Figure 11 shows at which RSU the attacker has completely exhausted all available pseudonyms. At that point, the attacker must cease to launch an attack for some time or risk being detected.

Effiency rate of Sybil attack under Normal Dispersion Efficiency Attack method. The efficiency rates of Sybil attacks under this method are held constant due to some pseudonyms being “dispersed” as the attacker moves. Benign vehicles disperse at the same rate leading to the constant efficiency.

Full size image

Id. of RSU where attacker exhausts all Sybil pseudonyms. The point of pseudonym exhaustion under the Normal Dispersion Efficiency Attack scheme. As the percentage of Sybil pseudonyms increase, the longer it takes for that set to exhaust. In the worst case, all pseudonyms are used by the 6^th RSU, showing comparable performance to the simple attack.

Full size image

Comparing the results of Figures 6, 7, 8, 9, 10 and 11, for the 10% and 20% Sybil pseudonyms cases, the attacker actually exhausts all available pseudonyms before the protocol could even detect an attack. The 30% to 60% cases show pseudonym exhaustion near the same point of detection, under the simple attack scheme. The highest percent Sybil pseudonym cases, 70% to 90% show a significant increase of attack duration before exhaustion. Under the simple attack method, these cases could be identified within 1 RSU. With the normal dispersion efficiency attack, the pseudonym exhaustion does not occur until the 6^th RSU. This may seem as a favorable scheme for the attacker, but even the best case of the simple attack method resulting in Sybil attack detection at the same RSU. The result of this simulation demonstrates the robustness of the protocol to multiple attack methods.

Minimum efficiency attack scenario

Similar to the Normal Dispersion Efficiency Attack, the Minimum Efficiency Attack (MEA) attempts to reduce the number of Sybil pseudonyms used while maintaining an influential attack on a vehicular network. The MEA reduces the number of pseudonyms used by computing the minimum number needed to gain an influence. The attack measures the number of vehicles neighboring platoon to obtain N _p . In order to influence the platoon, the attacker needs to use N _p +1 pseudonyms at a minimum. This allows the attacker to launch a new attack once it knows the attack will be detected. For example under the 80% Sybil case and 100 vehicles, the attacker knows that N _p =20. The attacker will then launch 21 of its 80 Sybil pseudonyms to start an advantageous attack. Knowing the detection scheme, the attacker also knows that this attack will be detected by the fifth RSU. Consequentially, the attacker retires the previous pseudonyms and launches a new attack with 21 of the remaining 59 pseudonyms available. This process continues until all of the attackers Sybil pseudonyms have been exhausted.

Minimum efficiency attack results

As the platoon travels, benign vehicles will disperse but the attack will maintain the original pseudonym number of N _p +1. Under this scheme, the attack efficiency of every case becomes over 100% efficient, as shown in Figure 12. This is ideal for an attacker that cannot obtain many pseudonyms from the network. Even the lowest Sybil percentage case (10%) increases to over 100% attack efficiency. This type is practical and ideal for attackers with very few Sybil pseudonyms. Some cases do not reach the high level of efficiency as in Normal Dispersion Efficiency attacks, but those cases have an increased duration before pseudonym exhaustion.

Minimum Efficient Attack efficiency as platoons reach RSUs further away. As an attack is launched, the attacker determines the minimum number of Sybil pseudonyms necessary to gain an advantage in the platoon. As the platoon disperses, the attacker increases its efficiency while minimizing the number of Sybil pseudonyms needed.

Full size image

For the cases of less than or equal to 50% Sybil pseudonyms, the attacker cannot launch an effective attack. Each of these cases can only launch one attack and are detected at the sixth RSU, as shown in Figure 13. So even though those cases reach an attack efficiency of over 100%, it is short-term as another attack cannot be launch. The efficiency immediately drops to below 100% after the fifth RSU when the attacker attempts to launch another attack. The cause of this drop is the number of Sybil pseudonyms remaining is less than the number of vehicles in the platoon.

Minimum Efficient Attack detection points as the percentage of Sybil pseudonyms increase. As the number of Sybil pseudonyms increase, the detection point of an attack increases. In each case, multiple attacks may be launched so the last detection points are shown.

Full size image

When the Sybil pseudonym percentage reaches 60%, detection time increases dramatically. The attacker knows when an attack will be detected, can retire the current Sybil pseudonyms, and use fresh pseudonyms from V _s . This action is equivalent to launching another attack even though the motive may be the same. For example, in the 60% case the attacker can launch two undetectable attacks until the number of Sybil pseudonyms is less than the platoon size. At this point, the attacker uses the remaining pseudonyms to launch a final attack. This attack will be detected in a few RSUs. The summation of total RSUs traversed before the final detection is shown in Figure 13. The high-percent-Sybil cases show an apparent defeat in the proposed protocol. This attack scheme could be countered with the addition of mechanism to detect additions of many vehicle pseudonyms. It should be noted, though, obtaining such a high percent of Sybil pseudonyms could be a difficult task in real life.

In this paper, a novel protocol for defending against Sybil attacks in vehicular networks is presented. The novelty comes from the fusion of physical phenomena and the cyber domain to detect Sybil attacks. The combination of physical and cyber environments makes the protocol effective, practical, efficient, and simple. Additionally, this paper presents advanced attack methods where the attacker knows the detection scheme and has a priori road information. The protocol shows similar performance for Normal Dispersion Efficiency Attack model, while the Minimum Efficiency Attack model may remain undetected at high Sybil percentages. Future work involves integration of machine learning algorithms with platoon dispersion and wireless communication support to not only detect the presence of Sybil attacks, but identifying which are the Sybil nodes. Advanced collusion attacks to validate our protocol performance are also underinvestigation.

^a In a recent 2011 study, platooning was exploited for content management in vehicular networks [44].

^b The issue of detecting attacks where identities are selectively used (in which case attack potency is lowered) is part of future work.

^c The subscript N in ${\mu }_N^{\ast }$ and ${\sigma }_N^{\ast }$ is dropped in this section for ease of readability.

Authors and Affiliations

1. Department of Computer Science, Missouri University of Science and Technology, Rolla, MO, (65401), USA

   Muhammad Al-Mutaz, Levi Malott & Sriram Chellappan

Corresponding author

Correspondence to Levi Malott.

Competing interests

The authors declare that they have no competing interests.

Authors’ contributions

MAM adapted the platoon dispersion Model to vehicular networks. He also conducted the theoretical analysis and also led the design of the proposed protocol. LM led all aspects of simulation studies, and results. He also conducted related work on Sybil attacks. SC defined the problem, and participated in the theoretical analysis. He also led the discussions on interpretations of the results and paper writing. All authors read and approved the final manuscript.

Open Access  This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.

The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

To view a copy of this licence, visit https://creativecommons.org/licenses/by/4.0/.

Reprints and permissions