HANYANG UNIVERSITY INFORMATION SECURITY & PRIVACY LAB
Privacy-Aware VANET Security: Putting Data-Centric Misbehavior and Sybil Attack Detection Schemes into Practice
Rasheed Hussain*, Sangjin Kim**, and Heekuck Oh*
*Hanyang University, **Korea University of Technology and Education, South Korea
2012-08-18
Rasheed Hussain
Information Security & Privacy Laboratory @ Hanyang University ` [email protected]
Agenda
Main Theme
Introduction
Problem Statement
System Model, Threat Model and Contribution
Proposed Scheme
Performance Evaluation
Discussion and Limitations
Conclusion
Main Theme
Data-Centric Misbehavior Detection Scheme (MDS) and Entity-Centric MDS in privacy aware VANET (conditional anonymous)
Incorporating both MDS and SAD (Sybil Attack Detection)
PAB (Post-Alarm Behavior) in ROEI (Region of Expected Infection)
Verification of position information
Based on realistic road conditions (traffic regimes)
Independent decision on the part of every individual node
Threshold revocation scheme
Introduction[1/3]
Security primitives in VANET
May be different from traditional security primitives
For instance, message confidentiality in VANET depends upon the type of the message. Safety-related messages may not need to be encrypted
Message integrity (liability issues)
Type of messages
Misbehavior in VANET (selfish reason/malfunction)
e.g. a vehicle might send a false report on congestion, an accident or a road block
Not everybody is malicious!!
Revocation depends upon DoC (Degree of Consequences)
Proceed from taking out the wrong information (revocation of the message) all the way to the revocation of the node
“Trust on information rather than source of information”
Introduction[2/3]
Are the trust-management based solutions feasible for VANET? (so many proposed schemes)
NO!!!!
Ephemeral nature of VANET
Privacy is one of the prime security primitives in VANET
Secure privacy-aware beaconing
Incorporate the opposite direction nodes to help in determining the soundness of information
Warning/Alarm/Critical Message types may be finite in number
Nodes cross-check the subsequent actions with predefined natural actions
Position consistency checked with virtual ears (by beacon messages) and verified with virtual eyes (Radar)
Introduction[3/3]
Ruj et al.'s scheme has severe deficiencies
If the reported position is not consistent with the alert raised, then the message is incorrect and discarded (fig. 1)
Problems in Ruj et al.’s scheme
Pseudonyms must not change for certain time after alert is sent
Privacy (?)
Size of Relay messages grows by the factor of the size of MA
Flooding (same alert many times)
Beacon format is not defined
Negation Message Attack (NMA)
A node must report the event before it physically crosses the crash site
Message duration (FT) may not be sound for relay messages
Vehicles have to wait for beacon from both originator and relayer (?)
Problem Statement
In a privacy-aware VANET architecture with a privacy-aware beaconing scheme where two messages provide un-linkability, how to detect MDS and SAD with real traffic density?
AS ∝ 1/P (AS denotes Sybil attack and P denotes Privacy)
Privacy preserving beaconing and warning messages
Decide the course of action on the basis of underlying traffic density
Threshold density calculation from received beacon messages
Network/Threat Model, Contribution [1/4]
Management hierarchy and functional hierarchy
[Figure: management hierarchy (Level 1 to Level 4) and functional entities. Entities: DMV (Department of Motor Vehicles) and Cloud Infrastructure; RCA (Regional CA); RAs (Revocation Authorities); RSSI (Road-side Static Infrastructure) and RSMI (Road-side Mobile Infrastructure); Vehicular Nodes (OBUs). Functions: Registration/Overall Management; Certification; Revocation; Functional Assistance/Gateway Terminals to clouds; Operation.]
Network/Threat Model, Contribution [2/4]
Threat/Attacker Model
Insider who deviates from normal VANET behavior or infringes on a user’s privacy
Has more computation and communication resources
Can eavesdrop on the wireless channel
Forges identities, performs tracking, and diffuses wrong information in VANET
Manipulates input data for assembling messages
Network/Threat Model, Contribution [3/4]
Functional VANET architecture
[Figure: functional VANET architecture, with labels DMV, RAs, RCAs, RSSE, RSME Domain, V2V and V2I]
Network/Threat Model, Contribution [4/4]
Objectives and Contribution
Devise an algorithm to incorporate both MDS and SAD
Agree upon a tradeoff solution for real time traffic density calculation
Privacy preserving beaconing and critical warning messages
Leverage location verification by virtual ears and virtual eyes
Incorporate two-way traffic and exploit the S-C-F strategy for misbehavior detection
Additional Objectives
Loose Authentication
Conditional anonymity
Non-repudiation
Assumptions
Beacons can be received from 1-hop neighbors
Vehicles leverage TRH and omni-directional radar for position verification
DMV (department of motor vehicles), RCAs (Regional CAs), RSI
Beaconing Identityless (our WISA’09* Paper)
Relaying mechanism (Efficient Flooding)
Threshold based probabilistic vehicular density calculation
*R. Hussain, S. Kim, and H. Oh, “Towards Privacy Aware Pseudonymless Strategy for Avoiding Profile Generation in
VANET” In: H.-Y Yoon, M. Yung (Eds.) WISA 2009. LNCS, vol. 5932, pp. 268-280. Springer, Heidelberg (2009)
Proposed Scheme [1/6]
Baseline
Beacon format
$M_b = (m, G_{id}, \sigma, \delta)$ where $m$ is beacon data, $\sigma = HMAC_{K_{V_i}}(T \| G_{id} \| Data)$ and $\delta = HMAC_{K_{d_i}}(T \| G_{id} \| Data \| \sigma)$
RSI are semi-trusted and Vehicles not trusted
TRH are employed in RSUs and OBUs
Alert message types stored in OBUs beforehand
Proposed Scheme [2/6]
Warning Message (WM)
Sensed:
Type | EID | LID | Gid | T | lociT | Sig_{K_{TRH_i}}(EID, LID, Gid, T, lociT)
1 | 1 | 16 | 2 | 8 | 16 | 42
Relayed:
Type | T | lociT | Gid | λ | Sig_{K_{TRH_i}}(T, lociT, Gid, λ)
1 | 8 | 16 | 2 | 22 | 42
Where λ = (EID, LID, Gids, ΔL, ΔT)
Proposed Scheme [3/6]
Alerts and Invalid actions
List of invalid events (LIE)
d is the safe distance
e.g. if a car moving at 80 km/h slows to 20 km/h after observing an alert, it will travel less than about 100 m in the next 2 seconds, so the positions sent in its beacons will be less than d = 100 m apart
Invalid actions after alert is issued
Proposed Scheme [4/6]
Hybrid Mechanism depending upon current traffic density
MDS (Misbehavior Detection System)
SAD (Sybil Attack Detection)
Dense Traffic Regime (SAD) and Sparse Traffic Regime (MDS)
Privacy aware traffic density calculation
ROEI (Region of Expected Infection) for MW storage and Relay
Location verification
Misbehavior (Data-Centric)
Sybil Attacks (Entity-Centric)
[Figure: ROEI diagram, with labels Goal, Lx, Observer o, MW received, Sensed MR]
Proposed Scheme [5/6]
MW received
Check for Freshness
Check if already received
Check movement trajectory
Calculate Density and decide whether MDS or SAD
Wait for beacon from the same vehicle
Verify position
Check for PWM (Post-Warning measurements)
Verify the message from opposite side vehicles
Collect beacons for certain time ($t_{k+1} - t_k$) and calculate Threshold density
Compare the number of alarms with the no. of vehicles (only in one direction)
Threshold density: $D(v) = \sum_{b} X_b$, summed over the beacons $b$ received between $t_k$ and $t_{k+1}$
Indicator variable $X_b$: $X_b = 1$ if the beacon-sending vehicle is ahead; $X_b = 0$ if the beacon-sending vehicle is behind or in the opposite direction
Spatial Checks Temporal Checks Behavioral Checks Integrity Checks
Cosine Similarity
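One way a receiving node could implement the density step and the MDS/SAD decision listed above, as an added example rather than code from the presentation. The beacon fields, the 0.7 cosine cut-off, the threshold value, the one-beacon-period window and the alarm comparison rule are all assumptions.

```python
import math
from dataclasses import dataclass

@dataclass
class Beacon:
    # Constructed fields: the page does not define the beacon payload layout.
    t: float    # receive time in seconds
    x: float    # reported position (m)
    y: float
    hx: float   # reported heading vector
    hy: float

def cosine(ax, ay, bx, by):
    norm = math.hypot(ax, ay) * math.hypot(bx, by)
    return (ax * bx + ay * by) / norm if norm else 0.0

def x_b(obs, b, same_dir=0.7):
    """Indicator X_b: 1 if the sender is ahead of the observer, else 0."""
    if cosine(obs.hx, obs.hy, b.hx, b.hy) < same_dir:
        return 0  # opposite-direction (or crossing) traffic
    # Ahead means the displacement to the sender points along our heading.
    return 1 if cosine(obs.hx, obs.hy, b.x - obs.x, b.y - obs.y) > 0 else 0

def density(obs, beacons, t_k, t_k1):
    """Sum X_b over the beacons received in the window [t_k, t_k1]."""
    return sum(x_b(obs, b) for b in beacons if t_k <= b.t <= t_k1)

def choose_detector(d, threshold):
    """Dense regime -> SAD, sparse regime -> MDS."""
    return "SAD" if d >= threshold else "MDS"

def alarm_count_plausible(n_alarms, d):
    # Assumed rule: more alarms than vehicles ahead is inconsistent.
    return n_alarms <= d

# Constructed sample: observer at the origin heading east, one beacon period.
OBSERVER = Beacon(0.0, 0.0, 0.0, 1.0, 0.0)
SAMPLE = [
    Beacon(0.1, 30.0, 0.0, 1.0, 0.0),    # ahead, same direction
    Beacon(0.2, 60.0, 3.0, 1.0, 0.05),   # ahead, same direction
    Beacon(0.3, -20.0, 0.0, 1.0, 0.0),   # behind
    Beacon(0.4, 40.0, -6.0, -1.0, 0.0),  # opposite direction
    Beacon(0.5, 90.0, 0.0, 1.0, 0.0),    # ahead, same direction
    Beacon(1.5, 100.0, 0.0, 1.0, 0.0),   # outside the window
]

if __name__ == "__main__":
    d = density(OBSERVER, SAMPLE, 0.0, 1.0)
    print(d, choose_detector(d, threshold=5), alarm_count_plausible(7, d))
```

Because the beacons carry no identity, the window is kept to one beacon period so that each vehicle contributes one beacon to the sum.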
Proposed Scheme [6/6]
Discussion
Position Vs Information
WPWI (Wrong Position – Wrong Information)
RPWI (Right Position – Wrong Information)
WPRI (Wrong Position – Right Information)
RPRI (Right Position – Right Information)
Assume there is a minimum of one relay
Sensed Vs Relayed Alarms
Combine the number of senders and cross-check with the traffic D(v)t
[Figure: sensed vs. relayed alarms, with labels Target, Not Likely, Sensed, Relayed, Distinct Sensed, Distinct Relayed]
Performance Evaluation [1/2]
Security
Message authentication
Message integrity
Privacy protection
Anonymity revocability
Message revocation and user revocation
Partial brute-force strategy
Non-frameability
Privacy
Revocation is of order O(d+g) for beacons and O(d·g) for MW
Since d << g, the order of revocation for beacons is O(g)
Performance Evaluation [2/2]
Computational Overhead
Comparison with other schemes
Scheme | Certificates with Beacons | Profile Generation | RSU as Bottleneck | Privacy | Computations (Mb) | Computations (MW)
Zhou et al. | | | | Dependent on pseudonym change | N/A | N/A
Ruj et al. | | | | Dependent on pseudonym change | Tp + 3Tm + 2TH | 2Tp + 6Tm + 4TH
Our scheme | | | | | 2H | Tp + 3Tm + 2TH
Tp = Time of pairing operation, Tm = Time of point multiplication, H = Hash operation
Discussion
Merits of proposed scheme
Privacy-aware threshold-based density calculation
User privacy
Conditional anonymity
No need for RSU support
No temporary identities, which lead to profiling, are used
Utilized opposite traffic for SCF (store-carry-forward)
Anonymous position verification
Limitations
Beacon frequency
Flyover scenario
3D position verification (if possible)
The relay mechanism may introduce some overhead temporarily
Conclusion
HMDS: Hybrid MDS (Flexible)
Privacy-aware Density-based scheme
Efficient position verification
Misbehavior is detected with independent position verification
Immune to Sybil attacks
Incorporating 2-way traffic