18-07-2013, 03:55 PM
Footprint: Detecting Sybil Attacks in Urban Vehicular Networks
Abstract
In urban vehicular networks, where privacy, especially the location privacy of anonymous vehicles, is a major concern,
anonymous verification of vehicles is indispensable. Consequently, an attacker who succeeds in forging multiple hostile identities can
easily launch a Sybil attack, gaining a disproportionately large influence. In this paper, we propose a novel Sybil attack detection
mechanism, Footprint, using the trajectories of vehicles for identification while still preserving their location privacy. More specifically,
when a vehicle approaches a road-side unit (RSU), it actively demands an authorized message from the RSU as the proof of the
appearance time at this RSU. We design a location-hidden authorized message generation scheme for two objectives: first, RSU
signatures on messages are signer ambiguous so that the RSU location information is concealed from the resulting authorized
message; second, two authorized messages signed by the same RSU within the same given period of time (temporarily linkable) are
recognizable so that they can be used for identification. With the temporal limitation on the linkability of two authorized messages,
authorized messages used for long-term identification are prohibited. With this scheme, vehicles can generate a location-hidden
trajectory for location-privacy-preserved identification by collecting a consecutive series of authorized messages. Utilizing the social
relationship among trajectories according to the similarity definition of two trajectories, Footprint can recognize and therefore dismiss
“communities” of Sybil trajectories. Rigorous security analysis and extensive trace-driven simulations demonstrate the efficacy of
Footprint.
INTRODUCTION
Over the past two decades, vehicular networks have
been emerging as a cornerstone of the next-generation
Intelligent Transportation Systems (ITSs), contributing to
safer and more efficient roads by providing timely
information to drivers and concerned authorities. In
vehicular networks, moving vehicles are enabled to communicate
with each other via intervehicle communications
as well as with road-side units (RSUs) in vicinity via
roadside-to-vehicle communications. In urban vehicular
networks where privacy, especially the location privacy
of vehicles, should be guaranteed [1], [2], vehicles need to be
verified in an anonymous manner. A wide spectrum of
applications in such a network relies on collaboration and
information aggregation among participating vehicles.
Without identities of participants.
RELATED WORK
While it was first described and formalized by Douceur [3],
the Sybil attack has been a severe and pervasive problem in
many forms. In a Sybil attack, an attacker forges multiple
identities, gaining a disproportionately large influence.
In the literature, there have been
many different approaches proposed to detect or mitigate
the attack.
Many studies have followed Douceur’s approach, focusing
on how to establish trust between participating entities
based on trusted public key cryptography or certificates in
distributed systems, for example, P2P systems [3], [5], sensor
networks [6], [7] and mobile ad hoc networks [8]. Although
deploying trusted certificates is the only approach that has
the potential to completely eliminate Sybil attacks, it also
violates both anonymity and location privacy of entities. In
addition, most of these schemes rely on a centralized
authority that must ensure each entity is assigned exactly
one identity. Moreover, it is possible for an attacker to violate
the assumption, obtaining more than one identity. This
mechanism also has the problem of key revocation, which is
challenging, particularly in wireless mobile networks.
Generating Location-Hidden Trajectory
Location-Hidden Authorized Message Generation
In order to be location hidden, authorized messages issued
for vehicles from an RSU should possess two properties,
i.e., signer ambiguous and temporarily linkable. The signer-
ambiguous property means the RSU should not use a
dedicated identity to sign messages. The temporarily
linkable property requires that two authorized messages be
recognizable if and only if they are generated by the same
RSU within the same given period of time. Otherwise, a
long-term linkability of authorized messages used for
identification eventually has the same effect as using a
dedicated identity for vehicles.
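
The temporarily linkable property can be illustrated with a short added example (not code from the paper). It is a simplified stand-in: a keyed HMAC tag over the period index replaces the paper's signer-ambiguous signature, so it shows linkability only, not public verifiability. The period length, RSU secrets, message fields and the shared-link count are all assumptions made for the illustration.

```python
import hashlib
import hmac

PERIOD_SECONDS = 3600  # assumed length of one linkability period


def link_tag(rsu_secret: bytes, timestamp: int) -> str:
    """Tag shared by every message one RSU issues within one period."""
    period = timestamp // PERIOD_SECONDS
    return hmac.new(rsu_secret, str(period).encode(), hashlib.sha256).hexdigest()


def issue_message(rsu_secret: bytes, vehicle_nonce: str, timestamp: int) -> dict:
    """Authorized message: no RSU identifier or location, only the link tag."""
    return {"nonce": vehicle_nonce, "time": timestamp,
            "tag": link_tag(rsu_secret, timestamp)}


def linkable(m1: dict, m2: dict) -> bool:
    """True if and only if both messages carry the same RSU/period tag."""
    return hmac.compare_digest(m1["tag"], m2["tag"])


def shared_links(traj_a: list, traj_b: list) -> int:
    """Count messages in traj_a linkable to some message in traj_b.
    Illustrative measure only; the paper's similarity definition is not
    reproduced on this page."""
    tags_b = {m["tag"] for m in traj_b}
    return sum(1 for m in traj_a if m["tag"] in tags_b)


# Constructed sample data: two RSUs and three trajectories.
RSU_A = b"constructed-secret-rsu-a"
RSU_B = b"constructed-secret-rsu-b"
TRAJ_1 = [issue_message(RSU_A, "v1", 100), issue_message(RSU_B, "v1", 4000)]
TRAJ_2 = [issue_message(RSU_A, "v2", 900), issue_message(RSU_B, "v2", 5000)]
TRAJ_3 = [issue_message(RSU_B, "v3", 200), issue_message(RSU_A, "v3", 8000)]

if __name__ == "__main__":
    print("same RSU, same period:", linkable(TRAJ_1[0], TRAJ_2[0]))
    print("same RSU, later period:", linkable(TRAJ_1[0], TRAJ_3[1]))
    print("different RSU, same period:", linkable(TRAJ_1[0], TRAJ_3[0]))
    print("links shared by 1 and 2:", shared_links(TRAJ_1, TRAJ_2))
    print("links shared by 1 and 3:", shared_links(TRAJ_1, TRAJ_3))
```

Because the tag changes with every period, a message from one period cannot be matched against a message from a later one, which is what rules out long-term identification.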
CONCLUSION AND FUTURE WORK
In this paper, we have developed a Sybil attack detection
scheme, Footprint, for urban vehicular networks. Consecutive
authorized messages obtained by an anonymous
vehicle from RSUs form a trajectory to identify the
corresponding vehicle. Location privacy of vehicles is
preserved by realizing a location-hidden signature scheme.
Utilizing the social relationship among trajectories, Footprint
can find and eliminate Sybil trajectories. The Footprint
design can be incrementally implemented in a large city. It
is also demonstrated by both analysis and extensive trace-
driven simulations that Footprint can largely restrict Sybil
attacks and can enormously reduce the impact of Sybil
attacks in urban settings (above 98 percent detection rate).