Privacy-Aware VANET Security: Putting Data-Centric Misbehavior and Sybil Attack Detection Schemes into Practice
Rasheed Hussain*, Sangjin Kim**, and Heekuck Oh*
*Hanyang University, **Korea University of Technology and Education, South Korea
2012-08-18
Rasheed Hussain
HANYANG UNIVERSITY
INFORMATION SECURITY & PRIVACY LAB
rasheed@hanyang.ac.kr
Main Theme
Data-Centric Misbehavior Detection Scheme (MDS) and Entity-Centric MDS in privacy aware VANET (conditional anonymous)
Incorporating both MDS and SAD (Sybil Attack Detection)
PAB (Post-Alarm Behavior) in ROEI (Region of Expected Infection)
Verification of position information
Based on realistic road conditions (traffic regimes)
Independent decision on the part of every individual node
Threshold revocation scheme
Information Security & Privacy Laboratory @ Hanyang University
Introduction [1/3]
Security primitives in VANET
May be different from traditional security primitives
For instance, message confidentiality in VANET depends upon the type of the message. Safety-related messages may not need to be encrypted
Message integrity (liability issues)
Type of messages
Misbehavior in VANET (selfish reason/malfunction)
e.g. a vehicle might send a false report on congestion, an accident or a road block
Not everybody is malicious!!
Revocation depends upon DoC (Degree of Consequences)
Proceed from taking out the wrong information (revocation of message) all the way to the revocation of the node
“Trust on information rather than source of information”
Introduction [2/3]
Are the trust-management based solutions feasible for VANET? (so many proposed schemes)
NO!!!!
Ephemeral nature of VANET
Privacy is one of the prime security primitives in VANET
Secure privacy-aware beaconing
Incorporate the opposite direction nodes to help in determining the soundness of information
Warning/Alarm/Critical message types may be finite in number
Nodes cross-check the subsequent actions with predefined natural actions
Position consistency with virtual ears (by beacon messages) and verified with virtual eyes (radar)
Introduction [3/3]
Ruj et al.'s scheme has severe deficiencies
If the reported position is not consistent with the alert raised, then the message is incorrect and discarded (fig. 1)
Problems in Ruj et al.’s scheme
Pseudonyms must not change for a certain time after an alert is sent
Privacy (?)
Size of relay messages grows by the factor of the size of MA
Flooding (same alert many times)
Beacon format is not defined
Negation Message Attack (NMA)
A node must report the event before it physically crosses the crash site
Message duration (FT) may not be sound for relay messages
Vehicles have to wait for a beacon from both originator and relayer (?)
Problem Statement
In a privacy-aware VANET architecture with a privacy-aware beaconing scheme where two messages provide unlinkability, how to detect MDS and SAD with real traffic density?
AS ∝ 1/P (AS denotes Sybil attack and P denotes Privacy)
Privacy-preserving beaconing and warning messages
Decide the course of action on the basis of underlying traffic density
Threshold density calculation from received beacon messages
Network/Threat Model, Contribution [1/4]
Management hierarchy and functional hierarchy
Management Hierarchy | Functional | Entities
Level 1 | Entities Registration / Overall Management | DMV (Department of Motor Vehicles) and Cloud Infrastructure
Level 2 | Certification, Revocation | RCA (Regional CA), RAs (Revocation Authorities)
Level 3 | Functional Assistance / Gateway Terminals to clouds | RSSI (Road-side Static Infrastructure) and RSMI (Road-side Mobile Infrastructure)
Level 4 | Operation | Vehicular Nodes (OBUs)
Network/Threat Model, Contribution [2/4]
Threat/Attacker Model
Insider who deviates from normal VANET behavior or infringes on a user’s privacy
Having more computation and communication resources
Can eavesdrop on the wireless channel
Forges identities, tracks, and diffuses wrong information in VANET
Manipulates the input data used for assembling messages
Network/Threat Model, Contribution [4/4]
Objectives and Contribution
Devise an algorithm to incorporate both MDS and SAD
Agree upon a tradeoff solution for real time traffic density calculation
Privacy preserving beaconing and critical warning messages
Leverage location verification by virtual ears and virtual eyes
Incorporate two-way traffic and exploit the S-C-F strategy for misbehavior detection
Additional Objectives
Loose Authentication
Conditional anonymity
Non-repudiation
Assumptions
Beacons can be received from 1-hop neighbors
Vehicles leverage TRH and omni-directional radar for position verification
DMV (department of motor vehicles), RCAs (Regional CAs), RSI
Beaconing
Identityless (our WISA’09* Paper)
Relaying mechanism (Efficient Flooding)
Threshold based probabilistic vehicular density calculation
*R. Hussain, S. Kim, and H. Oh, “Towards Privacy Aware Pseudonymless Strategy for Avoiding Profile Generation in VANET” In: H.-Y Yoon, M. Yung (Eds.) WISA 2009. LNCS, vol. 5932, pp. 268-280. Springer, Heidelberg (2009)
Proposed Scheme [1/6]
Baseline
Beacon format
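$M_b = (m, G_{id}, \sigma, \delta)$ where $m$ is beacon data, $\sigma = \mathrm{HMAC}_{K_{V_i}}(T \,\|\, G_{id} \,\|\, \mathit{Data})$ and $\delta = \mathrm{HMAC}_{K_{d_i}}(T \,\|\, G_{id} \,\|\, \mathit{Data} \,\|\, \sigma)$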
RSI are semi-trusted and vehicles are not trusted
TRH are employed in RSUs and OBUs
Alert message types stored in OBUs beforehand
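The two nested tags of the beacon format above, as an added example (not code from the slides or the authors): it shows that δ binds σ to the header and data, and that a party holding only K_d can recompute δ but cannot produce a valid σ. HMAC-SHA-256, the length-prefixed field encoding, the sample keys and reading the sizes listed for T and Gid in the warning-message layout as bytes are assumptions.

```python
import hashlib
import hmac
import struct

def _mac(key, *fields):
    # Length-prefix each field so T||Gid||Data cannot be split in two ways.
    msg = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    # HMAC-SHA-256 is an assumption; the slides do not name the hash.
    return hmac.new(key, msg, hashlib.sha256).digest()

def _header(t, gid):
    # Sizes 8 (T) and 2 (Gid) come from the slides, read as bytes (assumption).
    return struct.pack(">Q", t), struct.pack(">H", gid)

def make_beacon(k_v, k_d, t, gid, data):
    T, G = _header(t, gid)
    sigma = _mac(k_v, T, G, data)         # sigma = HMAC_KVi(T||Gid||Data)
    delta = _mac(k_d, T, G, data, sigma)  # delta = HMAC_Kdi(T||Gid||Data||sigma)
    return {"T": t, "Gid": gid, "data": data, "sigma": sigma, "delta": delta}

def verify_outer(k_d, b):
    """Check delta: needs only K_d, covers header, data and sigma."""
    T, G = _header(b["T"], b["Gid"])
    expected = _mac(k_d, T, G, b["data"], b["sigma"])
    return hmac.compare_digest(expected, b["delta"])

def verify_inner(k_v, b):
    """Check sigma: needs K_Vi."""
    T, G = _header(b["T"], b["Gid"])
    return hmac.compare_digest(_mac(k_v, T, G, b["data"]), b["sigma"])

def demo():
    k_v, k_d = b"constructed-KVi", b"constructed-Kdi"  # sample keys
    good = make_beacon(k_v, k_d, 1345248000, 7, b"x=120;y=4;v=80")
    # Data changed in transit: neither tag matches any more.
    altered = dict(good, data=b"x=120;y=4;v=20")
    # Delta recomputed with K_d over the changed data: outer passes, inner fails.
    T, G = _header(altered["T"], altered["Gid"])
    resealed = dict(altered, delta=_mac(k_d, T, G, altered["data"], altered["sigma"]))
    return {
        "good": (verify_outer(k_d, good), verify_inner(k_v, good)),
        "altered": (verify_outer(k_d, altered), verify_inner(k_v, altered)),
        "resealed": (verify_outer(k_d, resealed), verify_inner(k_v, resealed)),
    }

if __name__ == "__main__":
    print(demo())
```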
Proposed Scheme [2/6]
Warning Message (WM)
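Sensed
Field | Type | EID | LID | Gid | T | $loc_i^T$ | $\mathrm{Sig}_{K_{TRH_i}}(EID, LID, G_{id}, T, loc_i^T)$
Size | 1 | 1 | 16 | 2 | 8 | 16 | 42
Relayed
Field | Type | T | $loc_i^T$ | Gid | λ | $\mathrm{Sig}_{K_{TRH_i}}(T, loc_i^T, G_{id}, \lambda)$
Size | 1 | 8 | 16 | 2 | 22 | 42
Where λ = (EID, LID, Gids, ΔL, ΔT)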
Proposed Scheme [3/6]
Alerts and Invalid actions
List of invalid events (LIE)
d is the safe distance
e.g. a car moving at 80 kmph that reduces to 20 kmph after observing an alert will travel less than about 100 m in the next 2 seconds, so the positions sent in its beacons will be less than d = 100 m apart
Invalid actions after alert is issued
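One way to run the post-alarm distance check described above over received beacons, as an added example that is not part of the original slides. It assumes the beacons have already been linked to one vehicle and carry planar coordinates in metres; the function name, the track format and the two sample tracks are constructed.

```python
import math

def post_alarm_violations(track, alert_time, d=100.0, window=2.0):
    """Return (t_start, t_end, metres) for every pair of post-alert beacons that
    are at most `window` seconds apart but `d` metres or more apart.

    track: (t_seconds, x_m, y_m) beacons already linked to one vehicle.
    d and window default to the slide's figures (d = 100 m, 2 seconds)."""
    after = sorted(b for b in track if b[0] >= alert_time)
    hits = []
    for i, (t0, x0, y0) in enumerate(after):
        for t1, x1, y1 in after[i + 1:]:
            if t1 - t0 > window:
                break  # later beacons are outside the comparison window
            dist = math.hypot(x1 - x0, y1 - y0)
            if dist >= d:
                hits.append((t0, t1, round(dist, 1)))
    return hits

# Constructed 1 Hz tracks; the alert is observed at t = 10 s.
# Braking from about 80 kmph (22 m/s) towards 20 kmph (5.6 m/s).
BRAKING = [(8, 178, 0), (9, 200, 0), (10, 222, 0), (11, 240, 0),
           (12, 253, 0), (13, 261, 0), (14, 267, 0)]
# Claimed position jumps 150 m between two consecutive beacons after the alert.
JUMPING = [(8, 178, 0), (9, 200, 0), (10, 222, 0), (11, 250, 0),
           (12, 400, 0), (13, 406, 0)]

if __name__ == "__main__":
    print(post_alarm_violations(BRAKING, alert_time=10))
    print(post_alarm_violations(JUMPING, alert_time=10))
```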
Proposed Scheme [4/6]
Misbehavior (Data-Centric)
Sybil Attacks (Entity-Centric)
[Figure: observer o, Lx, MW, MR, sensed, received, goal]
Hybrid mechanism depending upon current traffic density
MDS (Misbehavior Detection System)
SAD (Sybil Attack Detection)
Dense Traffic Regime (SAD) and Sparse Traffic Regime (MDS)
Privacy aware traffic density calculation
ROEI (Region of Expected Infection) for MW storage and Relay
Location verification
Proposed Scheme [5/6]
Indicator variable $X_b$, where $X_b = 1$ if the beacon received is from a vehicle ahead, and $X_b = 0$ if the beacon is from behind or the opposite side
$$X_b = \begin{cases} 1 & \text{if beacon sending vehicle is ahead} \\ 0 & \text{if beacon sending vehicle is behind or in opposite direction} \end{cases}$$
$$D(v)_t = \sum_{i=t_k}^{t_{k+1}} \frac{X_b\, b_i}{f_b}$$
Flowchart boxes:
MW received
Check for Freshness
Check if already received
Check movement trajectory
Wait for beacon from the same vehicle
Cosine Similarity
Spatial Checks
Temporal Checks
Behavioral Checks
Integrity Checks
Calculate Density and decide whether MDS or SAD
Collect beacons for certain time ($t_{k+1} - t_k$) and calculate Threshold density
Verify position
Check for PWM (Post-Warning measurements)
Compare the number of alarms with the no. of vehicles (only in one direction)
Verify the message from opposite side vehicles
Proposed Scheme [6/6]
Discussion
Position Vs Information
WPWI (Wrong Position – Wrong Information)
RPWI (Right Position – Wrong Information)
WPRI (Wrong Position – Right Information)
RPRI (Right Position – Right Information)
Target
Not Likely
Assume, there is one time relay minimum
Sensed Vs Relayed Alarms
Sensed
Relayed
Distinct Sensed Distinct Relayed
Combine the number of senders and cross-check with the traffic density $D(v)_t$
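An added example (not the authors' code) of the density estimate from the previous slide and the sender cross-check above: it estimates the vehicles ahead from identityless beacons, picks MDS or SAD, and compares the number of distinct sensed alarms with that estimate. Assumptions: f_b is the per-vehicle beacon rate, the beacon count is normalised by the window length, distinct senders are approximated by distinct (Gid, loc) pairs, and the threshold, slack and sample data are constructed.

```python
def density_ahead(beacons, t_k, t_k1, f_b):
    """Estimate D(v)_t: beacons with X_b = 1 received in [t_k, t_k1), divided by
    the beacons one vehicle sends in that window (f_b per second, assumed)."""
    x_b_sum = sum(1 for b in beacons if t_k <= b["t"] < t_k1 and b["ahead"])
    return x_b_sum / (f_b * (t_k1 - t_k))

def choose_mode(density, threshold):
    # Dense regime -> SAD, sparse regime -> MDS (threshold value is constructed).
    return "SAD" if density >= threshold else "MDS"

def distinct_senders(alarms, kind):
    # Beacons carry no identity, so senders are approximated by (Gid, loc) pairs.
    return len({(a["gid"], a["loc"]) for a in alarms if a["kind"] == kind})

def sybil_suspected(alarms, density, slack=1):
    """More distinct *sensed* alarms than vehicles estimated ahead is implausible.
    Relayed alarms are left out because a relayer need not be near the event."""
    return distinct_senders(alarms, "sensed") > density + slack

def sample():
    # Constructed input: 3 vehicles ahead, 2 behind/opposite, 10 Hz beacons, 2 s.
    beacons = [{"t": 10 + i / 10, "ahead": v < 3}
               for v in range(5) for i in range(20)]
    relayed = [{"kind": "relayed", "gid": 7, "loc": (300 + n, 0)} for n in range(6)]
    honest = relayed + [{"kind": "sensed", "gid": 7, "loc": (100 + 5 * n, 0)}
                        for n in range(2)]
    flood = [{"kind": "sensed", "gid": 7, "loc": (100 + n, 0)} for n in range(9)]
    d = density_ahead(beacons, 10, 12, f_b=10)
    return d, choose_mode(d, 2.0), sybil_suspected(honest, d), sybil_suspected(flood, d)

if __name__ == "__main__":
    print(sample())
```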
Performance Evaluation [1/2]
Security
Message authentication
Message integrity
Privacy protection
Anonymity revocability
Message revocation and user revocation
Partial brute-force strategy
Non-frameability
Privacy
Revocation with order $O(d+g)$ for beacons and $O(d \cdot g)$ for MW
Since $d \ll g$, the order of revocation in the case of beacons is $O(g)$
Performance Evaluation [2/2]
Computational Overhead
Comparison with other schemes
Computations
Scheme
Certificates with Beacons
Profile Generation
RSU as Bottleneck
Privacy
Mb
Zhou et al.
Dependent on Pseudonym change
Ruj et al.
Dependent on Pseudonym change
Our scheme
MW
N/A
N/A
Tp + 3Tm + 2TH
2H
2Tp + 6Tm + 4TH
Tp + 3Tm + 2TH
Tp = time of pairing operation, Tm = time of point multiplication, H = hash operation
Discussion
Merits of proposed scheme
Privacy-aware threshold-based density calculation
User privacy
Conditional anonymity
No need for RSU support
No temporary identities, which lead to profiling, are used
Utilized opposite traffic for SCF (store-carry-forward)
Anonymous position verification
Limitations
Beacon frequency
Flyover scenario
3D position verification (if possible)
The relay mechanism may introduce some overhead temporarily
Conclusion
HMDS: Hybrid MDS (Flexible)
Privacy-aware Density-based scheme
Efficient position verification
Misbehavior is detected with independent position verification
Immune to Sybil attacks
Incorporating 2-way traffic