Detecting Sybil attacks in VANETs



Abstract
Sybil attacks have been regarded as a serious security threat to Ad hoc Networks and Sensor Networks.
They may also impair the potential applications in Vehicular Ad hoc Networks (VANETs) by creating an
illusion of traffic congestion. In this paper, we make various attempts to explore the feasibility of detecting
Sybil attacks by analyzing signal strength distribution. First, we propose a cooperative method to verify
the positions of potential Sybil nodes. We use a Random Sample Consensus (RANSAC)-based algorithm
to make this cooperative method more robust against outlier data fabricated by Sybil nodes. However,
several inherent drawbacks of this cooperative method prompt us to explore additional approaches. We
introduce a statistical method and design a system which is able to verify where a vehicle comes from.
The system is termed the Presence Evidence System (PES). With PES, we are able to enhance the detection
accuracy using statistical analysis over an observation period. Finally, based on realistic US maps and
traffic models, we conducted simulations to evaluate the feasibility and efficiency of our methods. Our
scheme proves to be an economical approach to suppressing Sybil attacks without extra support from
specific positioning hardware.



1. Introduction
Until recently, road vehicles were the realm of mechanical engineers.
However, with the plummeting costs of electronic components
and the permanent willingness of the manufacturers to
increase road safety and to differentiate themselves from their
competitors, vehicles are becoming ‘‘computers on wheels’’, or
rather ‘‘computer networks on wheels’’ [22]. Vehicular Ad hoc Networks
(VANETs) have the potential to not only facilitate the decision
making tasks of the drivers (e.g., trip planning based on traffic
congestion on the road), but also to improve highway safety (by
bringing information about catastrophic events and road conditions
to the driver’s attention). However, researchers [20,22] have
pointed out that VANETs are facing a number of security threats,
which may impair the efficiency of VANETs and even life safety.
One of these threats is Sybil attacks, in which a malicious vehicle
claims multiple fabricated identities. Sybil attacks can be harmful
to a variety of VANET applications. For example, a greedy driver
can fabricate that a number of vehicles are traveling nearby, which
creates an illusion of traffic congestion. Then, other vehicles will
choose an alternate route and evacuate the road for the greedy
driver. Since the fabricated vehicles are actually under the control of one malicious node, the malicious node may have further control
of other network protocols. For example, the large amount of Sybil
nodes may deviate the results of voting-based protocols from the
truth; the Sybil nodes may also launch Denial of Service (DoS) attacks
to impair the normal operations of data dissemination protocols,
such as [27,29,13]. Sybil attacks may even cause serious safety
threats. For example, in the application of deceleration warning
systems [20], if a vehicle reduces its speed significantly, it will
broadcast a warning to the following vehicles. Recipients will relay
the message to vehicles further behind. However, this forwarding
process can be intervened by a large number of malicious Sybil vehicles.
In this way, the malicious adversary can create a massive
pileup on the highway, potentially causing great loss of life.
Traditionally in Ad hoc Networks and Sensor Networks, three
types of defense against Sybil attacks are introduced, including:
radio resource testing, identity registration, and position verification
[9]. Radio resource testing is based on the assumption that
a radio cannot send or receive simultaneously on more than one
channel. It does not apply to VANETs since a greedy driver may
cheaply acquire multiple radios. Identity registration alone cannot
prevent Sybil attacks, because a malicious node may get multiple
identities by non-technical means such as stealing. Further,
strict registration causes serious privacy concerns. In position verification,
the network verifies the position of each node and ensures
that each physical node is bound with only one identity. A
number of position (or distance) verification techniques [3,1,24,4]
have been proposed recently. However, they either are designed
for indoor applications or rely on stationary base stations or specific
hardware. None of them would be suitable for the highly mobile
context of vehicular networks.
The motivation behind this paper is that we can estimate a
node’s position by analyzing its signal strength distribution and
then verify whether its position claim is consistent with the estimated
position. In traditional sensor networks, we cannot rely on
signal-strength-based position verification for two reasons. First,
since sensor nodes are static, we can only obtain a static pattern
of signal strength distribution and the accuracy is limited. We cannot
distinguish two physical nodes which are close to each other
either. Second, it is difficult to ensure that the position estimation
process is not intervened by potential Sybil nodes. However, the
unique properties of VANETs present us more opportunities to address
the problem from a different perspective. For example, we
can take advantage of the highly mobile context of VANETs to accumulate
more signal strength measurements.
In this paper, we study the feasibility of using signal strength
distribution analysis to detect Sybil attacks. First, we design a cooperative
detection method, in which multiple neighboring nodes cooperate
to measure the signal strength distribution of a suspicious
node and verify the physical position of the suspicious node. We
use a Random Sample Consensus (RANSAC)-based algorithm to increase
the estimation robustness against outlier data fabricated by
Sybil nodes. However, our simulation results illustrate that given
the unstable nature of radio propagation, this basic cooperative
method can only afford quite limited accuracy. Moreover, it is still
vulnerable to fabricated measurements by Sybil nodes. To make
this cooperative method apply to VANETs, one essential step is to
ensure that all signal strength measurements originate from honest
physical nodes instead of fabricated Sybil nodes. To solve this
problem, we propose the concept of Presence Evidence System
(PES). With this system, we can ensure that nodes in the opposite
traffic are physical nodes and we can have them as the trusty
sources of signal strength measurements. This system takes full
advantage of the inherent properties of VANETs such as high mobility,
road topology, as well as indirect support from roadside infrastructure.
From another aspect, we find that we can accumulate
more signal strength measurements by extending the observation
period, therefore improving the detection accuracy. Led by this inspiration,
we present a statistical detection method. The statistical
method performs hypothesis tests on accumulated measurements,
and tries to judge whether the measurements match a normal distribution
pattern. A Sybil node is reported if its distribution pattern
is inconsistent with its claimed physical position. We used simulations
to evaluate the performance of our final scheme. The simulations
are based on realistic US maps and traffic models. Our scheme
proves to be an economical and efficient way to suppress Sybil attacks
without the requirements of specific positioning hardware.
The rest of this paper is organized as follows. We introduce the
related work in Section 2. In Section 3, we define the attack model
and system assumptions. Section 4 presents the cooperative detection
method based on analysis of signal strength distribution.
Section 5 introduces the concept of Presence Evidence System. Section
6 proposes the statistical detection method to detect potential
Sybil nodes. Section 7 introduces the final integrated scheme. Section
8 evaluates our scheme by simulations based on realistic US
maps and traffic models. Section 9 discusses several related problems
and summarizes several unique features of our scheme. Finally,
we conclude the paper in Section 10.
2. Related work
Considerable attention from academia has been attracted by
emerging Vehicular Networks. There have been a few proposals
pointing out the importance of security in Vehicular Networks a common security threat of Sybil
attacks is introduced. In this attack, multiple identities are claimed
by a single malicious node with fabricated positions.
Sybil attacks are quite harmful for a variety of network applications.
Basically, in VANETs, Sybil attacks may easily create an illusion
of traffic congestion. What is more, Sybil attacks may have
a major impact on other existing VANET protocols, including MAC
layer, routing layer, as well as application layer. For example, in the
literature, the multi-hop broadcast protocol [13], the reliable MAC
protocol [27], the bandwidth sharing protocol [25], and the data
dissemination protocol [29] are all subject to Sybil attacks, because
they all rely on nodes’ cooperation to forward packets and a malicious
node may easily crack them by using its large number of fake
nodes.
Efforts have been made to detect Sybil nodes in Mobile Ad hoc
Networks and Sensor Networks. Newsome et al. [17] introduced
several techniques to detect Sybil attacks in ad hoc networks, including
radio resource testing, identity registration, and position
verification. Whereas radio resource testing replies on specific assumptions
on radio modules and identity registration alone is not
effective enough, position verification comes to be a more promising
approach for vehicular networks. The use of received radio signal
strength for positioning was proposed in [1]. It is designed
for indoor applications, relying on establishing a signal-strength-distribution
map in advance. Demirbas et al. [5] introduced an
RSSI-based scheme for detecting Sybil attacks for resource-poor
sensor networks. The scheme takes advantage of statistical RSSI
readings in a stationary sensor network. Brands et al. [3] proposed
a distance bounding protocol that can be used to verify the proximity
of two devices connected by a wired link. Sastry et al. [24] proposed
a new distance bounding protocol, based on ultrasound and
radio wireless communication. The protocol can only make a rough
decision about whether or not a claimer is within a certain region.
Capkun et al. [4] presented a secure positioning scheme, which relies
on multiple base stations as reference points and supposes that
nodes are static. These schemes do not fit the highly mobile context
of VANETs.
Most recently, the detection of Sybil attacks has also been studied
in the field of Vehicular Networks. Golle [9] presented a security
framework which enables nodes to verify the validity of the
received data based on neighborhood observations. The scheme
focused on the reasoning of conflicting observations, but simply
assumed the nodes’ capability of detecting the distances to other
nodes or the precise locations of other nodes, which is exactly the
issue we studied in this work. Leinmuller et al. [14] used a set of
thresholds to verify a single node’s position claims. It is an effective
method to limit the range of a single node’s bogus position claims,
whereas our study deals with multiple nodes’ (multiple Sybils’) bogus
position claims. Especially, the Mobility Grade Threshold introduced
in [14] may not be efficient in case of multiple Sybil nodes
where each Sybil node holds in a relatively constant position. Yan
et al. [28] introduced several useful methods to verify the locations
of neighboring vehicles with the help of on-board radars. The authors
alleviated the line-of-sight limitation of a radar by using a
collaborative method. A Sybil attack detection scheme based on
roadside unit support was proposed in [19]; in this scheme, a vehicle
collects certified time stamps from roadside units as it is running,
and two nearby vehicles cannot have exactly the same series
of time stamps, otherwise they are Sybil nodes. The scheme relies
on a dense deployment of roadside units. Ghosh et al. [8] discussed
the misbehavior detection from the application layer. The authors
proposed a root-tree approach to achieve misbehavior detection
and identify the root cause. The above works use various methods from
different layers to detect attacks in VANETs, but all have
certain limitations. Sybil attacks remain an open issue in the
field of Vehicular Networks. The proposed scheme in this paper will
serve as a supplementary approach to suppressing Sybil attacks in
an economic way without the requirement for specific hardware.


3. Attack model and assumptions
In this section, we define the attack model of Sybil attacks and
then present the system assumptions which our study is based on.
3.1. Attack model
Sybil attacks refer to a malicious node illegitimately taking on
multiple identities [17]. In wireless networks, mobile nodes usually
discover new neighbors by periodically broadcasting beacon
packets, in which they claim their identities and positions. However,
given the invisible nature of wireless communication, a malicious
node can easily claim multiple identities without being
detected. Identity authentication does not help prevent Sybil attacks
in VANETs, since a malicious driver can still get additional
identity information by non-technical means such as stealing, or
simply borrowing from his friends. The goal of detecting Sybil attacks
is to ensure that each physical node is bound with only one
legal identity.
In this paper, we refer to a vehicle as a node in the context of
VANETs. We refer to a physical node claiming multiple identities
as a malicious node and, correspondingly, the malicious node’s
fabricated identities as Sybil nodes.
3.2. Assumptions
Our study on Sybil attacks is based on the following assumptions.
First, we focus on the most basic Sybil-attack threat, which
is caused by individual greedy drivers (vehicles). We assume that
most other drivers (vehicles) can be trusted. We do not consider
cooperative Sybil attacks, in which multiple malicious vehicles cooperate
to launch Sybil attacks. Second, all the vehicles, including
greedy drivers’ vehicles, are equipped with the same radio module.
The radio module may be based on any Radio Frequency (RF)
communication technique providing Received Signal Strength Indicator
(RSSI), such as DSRC [6]. Third, we assume that each vehicle
is equipped with GPS devices and digital maps. GPS positions are
supposed to be accurate. Finally, we assume that roadside base stations
are sparsely deployed along roads, and the identity authentication
infrastructure such as an Electronic License Plate (ELP) [12]
has been implemented for the whole network. Identity authentication
prevents a malicious vehicle from unlimitedly fabricating false
identities. Of course, as we mentioned before, identity authentication
alone cannot prevent Sybil attacks. Since roadside base stations
are sparsely deployed and the majority of road sections are
not covered by roadside base stations, we do not rely on direct support
from roadside stations.
4. Cooperative detection method
Traditionally, the detection of Sybil attacks usually relies on
three categories of approaches, namely radio resource testing,
identity registration, and position verification [17,9]. Radio resource
testing requires special radio modules such as multichannel
radio and identity registration alone does not work very
well in VANETs. Therefore, position verification is regarded as a
more promising approach for VANETs.
In this section, we propose a cooperative detection method for
verifying position claims by signal strength analysis. We design a
RANSAC (Random Sample Consensus)-based algorithm to improve
the robustness in estimating positions. We also explore the feasibility
of this cooperative method through simulations.
4.1. Cooperative method
The cooperative detection method detects potential Sybil nodes
by position verification, relying on monitoring the signal strength of periodical beacons. For clarity of description, we define three
categories of nodes’ roles: claimer, witness, and verifier. Each node
would periodically play all these roles, that is, each node is a
claimer, a witness as well as a verifier but at various moments and
for various purposes.
1. Claimer. Each node periodically broadcasts a beacon message
at beacon intervals, tb, for the purpose of neighbor discovery. In
the beacon message, it claims its identity and position such as GPS
position. At this moment, we name the node as a claimer. The goal
of our method is to verify its claimed position.
2. Witness. All neighboring nodes, within the signal range of
the claimer, would receive the previous beacon message. They
measure the signal strength and save the corresponding neighbor
information in their memory. Next time they broadcast a beacon
message, they will attach their neighbor list, including the signal
strength measurements for each received beacon, to the beacon
message. We name these nodes performing measurements and
reporting measurements as witnesses.
3. Verifier. We call a node performing position verification a verifier.
After receiving a beacon message, a node waits for a verifying
interval, tv, during which it collects enough signal strength
measurements concerning the previous beacon message from
neighboring witnesses. tv may be a little longer than the beacon interval tb,
since after another interval of tb, each neighboring witness
should have broadcasted a beacon containing the expected measurements.
With the collected measurements, the node (verifier)
can locally compute an estimated position of the claimer. Then,
the node compares the estimated position with the previously claimed
position of the claimer. If the difference exceeds a predefined
threshold Θ, the claimer is regarded as a Sybil node.
We take Fig. 1 as an example. Node s1, a claimer (a Sybil node),
broadcasts a beacon, claiming its identity and position. Node n1, a
verifier, collects all signal strength measurements from neighboring
witnesses which have received the beacon. Obviously, the final
estimated position of s1 would be near the position of node m, instead
of the position s1 claimed, as node s1 and m are physically the
same vehicle.
The beacon message can be in the following format:
{NodeID, Beacon#, Position, NebList, Signature}
NebList : {NodeIDi, Beacon#i, RSSi},
where NodeID is the claimer’s identity, Beacon# is a beacon sequence
number, Position is the sender-claimed position, NebList is
the sender’s most recent neighbor list containing signal strength
measurements, Signature is the digital signature for the whole
packet. In each item of NebList, RSSi is the Received Signal Strength
of beacon Beacon#i recently received from neighboring node NodeIDi.
Therefore, the next step is to design a method to calculate the
estimated position based on collected measurements.
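
The claimer/witness/verifier exchange and beacon format above, as an added example that is not code from the paper: a verifier collects the NebList RSS entries for one beacon, estimates the claimer's position with a RANSAC-style consensus fit, and applies the threshold Θ. The log-distance path-loss model and its parameters, the grid search, the 2 dB tolerance, Θ = 30 m and every position and identity below are assumptions constructed for illustration; signature checking is omitted.

```python
import math
import random

P0, N_EXP = -40.0, 2.5  # assumed path-loss parameters: dBm at 1 m, exponent

def rss(tx, rx):
    # Assumed log-distance path-loss model (the page does not give one).
    return P0 - 10 * N_EXP * math.log10(max(math.dist(tx, rx), 1.0))

def fit(meas, step=5):
    # Grid search over a 200 m x 40 m road segment for the transmitter
    # position whose predicted RSS best matches (witness_pos, rss) pairs.
    grid = [(x, y) for x in range(0, 201, step) for y in range(0, 41, step)]
    return min(grid, key=lambda p: sum((rss(p, w) - r) ** 2 for w, r in meas))

def ransac_estimate(meas, iters=60, tol=2.0, seed=1):
    # Fit on random 3-witness samples, keep the largest set of measurements
    # within tol dB of a fit, then refit on that consensus set.
    rng, best = random.Random(seed), []
    for _ in range(iters):
        p = fit(rng.sample(meas, 3))
        inliers = [(w, r) for w, r in meas if abs(rss(p, w) - r) <= tol]
        if len(inliers) > len(best):
            best = inliers
    return fit(best)

def verify(beacon, reports, witness_pos, theta=30.0):
    # Verifier role: pull the RSS entries for this beacon out of the witnesses'
    # NebLists, estimate the claimer's position, compare with the claim.
    key = (beacon["NodeID"], beacon["Beacon#"])
    meas = [(witness_pos[wid], e["RSS"])
            for wid, neblist in reports.items()
            for e in neblist if (e["NodeID"], e["Beacon#"]) == key]
    est = ransac_estimate(meas)
    return est, math.dist(est, beacon["Position"]) > theta

# Constructed scenario: malicious vehicle m at (50, 10) sends a beacon as Sybil
# identity s1 claiming (150, 10). w1..w6 are honest witnesses measuring the real
# signal (noise-free here); s2 and s3 are further Sybil identities of m that
# report RSS fabricated to agree with the claimed position.
TRUE_POS, CLAIM = (50, 10), (150, 10)
WITNESS_POS = {"w1": (20, 5), "w2": (35, 25), "w3": (60, 30), "w4": (70, 0),
               "w5": (45, 35), "w6": (80, 20), "s2": (160, 5), "s3": (140, 15)}
BEACON = {"NodeID": "s1", "Beacon#": 7, "Position": CLAIM}
REPORTS = {wid: [{"NodeID": "s1", "Beacon#": 7,
                  "RSS": rss(CLAIM if wid.startswith("s") else TRUE_POS, pos)}]
           for wid, pos in WITNESS_POS.items()}

if __name__ == "__main__":
    est, is_sybil = verify(BEACON, REPORTS, WITNESS_POS)
    print("estimated", est, "claimed", CLAIM, "Sybil" if is_sybil else "ok")
```

The two fabricated reports end up outside the consensus set, so the estimate lands on the physical transmitter rather than on the claimed position.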