• Open Access

SDRP: a secure distributed revocation protocol for vehicular environments

Authors


Abstract

Secure routing protocols that are based only on cryptographic techniques cannot guarantee security against all attacks. Among solutions that have been proposed to enhance the security in vehicular networks are the distributed revocation protocols, which provide vehicles with the ability to quickly detect and avoid malicious attacks. However, most of the proposed revocation protocols are vulnerable to colluding attacks conducted by malicious nodes, a situation which results in denial of service. In this work, we propose a new and robust distributed revocation protocol for vehicular ad hoc networks, called Secure Distributed Revocation Protocol (SDRP), with the main objective to exclude misbehaving nodes conducting or not a colluding attack from the routing operation in VANET. We present an evaluation analysis of SDRP on the basis of the simulation results and show that our scheme provides a high detection rate of misbehaving nodes with a low rate of false positives even in the presence of a large number of attackers. Copyright © 2012 John Wiley & Sons, Ltd.

1 Introduction

Vehicular ad hoc networks (VANETs) have attracted recently much attention in the networking community as well as in the transportation research community. They are emerging as one of the most important practical applications of mobile ad hoc networks [1, 2]. In VANET, vehicles are equipped with various kinds of on-board sensors, radio interfaces, and processing units capable of detecting dangerous situations and notifying the drivers in the vicinity through warning messages [3]. Unfortunately, just like any other applications, road safety applications in VANET are subjected to malicious behavior of vehicles preventing messages from reaching their destination, thereby causing even more dangerous situations.

Most of VANET applications are based on multi-hop communication between vehicles, and vehicular routing protocols assume a trustworthy collaboration among network participants [4]. However vehicles colluding in malicious activities may divert the traffic toward or away from intended destinations, forward and relay packets incorrectly, drop packets, or other non-cooperative behavior [5]. Such attacks are often known as Byzantine attacks [6]. Authentication and cryptographic techniques may minimize these attacks but cannot alone prevent them from happening as colluding vehicles are often internal adversarial nodes and have valid cryptographic keys [7]. As a result, attackers can inject falsified control packets and disrupt the network operation [8].

There are several schemes and protocols proposed to secure communications in vehicular networks. Harsch et al. proposed a set of plausibility checks that must be performed by relay nodes before accepting to forward packets [9]. The proposed scheme is not sufficient to ensure forwarding properly the safety messages because relay nodes are not subject to verification in the selection phase. Pathak et al. proposed the Geographical Secure Path Routing (GSPR) [10], which is a secure position-based routing protocol for VANET. According to the detailed description of GSPR provided by authors in [11], a node x is deemed malicious by another node Y by analyzing its behavior or based on warning messages sent by one-hop neighbors. This protocol is vulnerable to blacklisting attacks, as mentioned by the authors. Such attack could prevent forwarding safety messages to the desired destinations if many nodes are blacklisted.

Now, it is clear that the fast identification of bad nodes and their revocation from the network would prevent attacks and enhance the security of routing. Basically, node revocation consists in marking the identity or the corresponding cryptographic keys of a node as invalid, and it can be achieved through a centralized or a distributed manner [12]. Centralized approaches are simple as they assume the presence of a powerful central base station with enough capabilities to monitor, detect, and revoke the credentials of misbehaving nodes [12, 13]. Distributed solutions, on the other hand, are more complex because a set of nodes is responsible for making revocation decisions. In addition, this set should work in the presence of intruders that might coordinate among themselves to launch and execute the attack procedure against legitimate nodes to disconnect them from the network [14]. However, distributed approaches are more complex in processing than the centralized ones; they exhibit the advantage of working well with large-scale ad hoc networks such as VANETs. Indeed, revoking some nodes can be performed locally, which makes the revocation process faster and reduces the incurred communication overhead.

The design of an efficient revocation system for vehicular networks based on a distributed approach is a challenging task because of the nature of vehicular networks, which are characterized by a highly dynamic network topology and real-time requirements for road safety applications. This can be achieved by implementing revocation protocols in the application layer or in the network layer. The protocols developed for application layer [15] cannot prevent using malicious nodes as relays because the detection is not carried out in the network layer.

The distributed treatment of accusation messages can be carried out following two classes of revocation protocols:

  1. The suicide based protocols in which an accusation message leads to revoking both the accused and accuser nodes [16-18]. However, this class of protocols encourages the selfish behavior, as no node is willing to risk its presence in the network. So, it is not recommended for VANET.
  2. The threshold-based revocation protocols in which weights are assigned to accusation messages and an accusation quotient is calculated. A node is revoked in this case, if its accusation quotient exceeds a predefined threshold. The protocol LEAVE, developed for the context of VANET in [19], is a typical distributed revocation protocol falling within this class. However, the problem of this protocol and others similar to it is the possibility to exclude a large number of honest nodes from the network in the existence of sufficient number of colluding malicious nodes, as a result of surpassing the predefined threshold. Furthermore, because of the fact that these protocols mostly decrease the weights of accusation messages, revoking compromised nodes would require a high number of accusation messages issued from honest nodes. This cannot be fulfilled in most situations, notably if compromised nodes cheat and pretend to be cooperative, and at the same time report false accusations.

In this paper, we propose a new distributed revocation protocol for vehicular networks called “Secure Distributed Revocation Protocol” (SDRP). SDRP is intended to be used in conjunction with a routing protocol for excluding misbehaving nodes locally from the routing operation. Honest nodes are able to revoke malicious nodes either by detecting their malicious activity using the promiscuous mode [20] or by analyzing the received accusation messages. Our revocation scheme is designed so as not to exhaust the system resources, and takes into account the specific properties of vehicular networks. We assume that honest nodes form the majority of nodes and that any node can revoke any other node. Moreover, unlike most of the threshold-based revocation protocols, our revocation protocol uses a special function to detect malicious nodes, taking into account the most powerful adversary nodes that are formed of undetected colluding and compromised nodes. In addition, SDRP minimizes the probability of success of the denial-of-service (DoS) attack resulting from falsified accusation messages. We also show that SDRP offers a high detection rate (DR).

The rest of the paper is organized as follows: In Section 2, we discuss related works. In Section 3, we describe the system model used in our study followed by an overview of our scheme in Section 4. We describe the details of SDRP in Section 5. In Section 6, we present the performance results of SDRP and their analysis. Finally, we conclude our paper and discuss future works in Section 7.

2 Related Work

Recently, many strategies have been proposed to deal with misbehaving nodes in distributed networks. All the proposed techniques can be classified into two categories—preventive and reactive:

  1. Preventive strategies aim to encourage nodes to be cooperative through incentive systems [21-23]. However, these strategies are effective only against selfish nodes and cannot dissuade malicious nodes from harming the network operation.
  2. Reactive strategies consist of punishing misbehaving nodes typically by deactivating their keys [14, 24, 25]. The deactivation of node's keys can be permanent, which leads to prevent it definitively to communicate with other nodes [25] or temporarily if keys are blacklisted only for a specific duration [26].

As described in [[25, 26]], the revocation of a node can be local or global. If the involved credentials are deemed invalid only by some nodes of the networks, the revocation is considered as local, and as global, if the node is no longer considered a legitimate member [8, 18]. The global revocation can be achieved by broadcasting the revocation information throughout the network.

Whether the revocation was local or global, permanent or temporary, the fast exclusion of bad nodes from the network operations is an important task, especially if packets are transmitting time-critical data. In this context, we discuss some of the distributed approaches proposed for mobile ad hoc networks and VANET.

In [25], Chan et al. proposed a distributed revocation scheme for sensor networks using a pairwise key pre-distribution scheme, where each node carries a preloaded vote that can be used to notify other nodes for a compromised node. In this scheme, a node is revoked only if a threshold number of votes have been reached. However, if the number of colluding attackers surpasses the threshold, the revocation may affect the network availability as a result of the exclusion of a significant number of honest nodes.

Another revocation scheme has been proposed by Crépeau et al. for wireless ad hoc networks [27]. The scheme is less vulnerable to collusion attacks because the votes issued (accusation messages) from a node are inversely weighted according to the number of its accusers and its issued accusation messages. In this scheme, each node can participate in the detection and the revocation process by sending accusation messages, which makes it less scalable for large networks such as VANETs.

Clulow and Moore proposed in [16] a radical strategy called “suicide for the common good,” in which any node can revoke another node from the network only by broadcasting a “suicide note” that leads also to its own revocation. Despite the simplicity of this approach, there are some drawbacks such as the fast network depletion when revocation decisions are made erroneously by malicious nodes. Additional extensions and improvements for the previous approach have been proposed in [17, 18] to adapt it to the context of vehicular networks. However, all the suicide based approaches provoke the selfish behavior where nodes may not be willing to risk their presence in the network.

Raya et al. presented in [19] a protocol called LEAVE designed for the vehicular environment. In this protocol, each node that detects an attacker broadcasts a warning message. Once a node receives enough warning messages from its neighbors, it adds the identified malicious node to a local blacklist and propagates a “disregard message,” which includes a limited number of the associated supporting signatures contained in the received warning messages. Any node receiving the “disregard message” should revoke the accused node immediately.

All the schemes presented earlier are voting-based revocation schemes and potentially lead to the revocation of a high number of honest nodes when the presence of a sufficient number of colluding attackers surpassing the threshold. This results in a high rate of false positives.

3 System Model

In this section, we start by giving an exhaustive description of the model used to thwart attackers and make the routing process more efficient. Then, we describe the adversary model adopted in this paper.

3.1 Routing protocol with revocation

In VANETs, nodes can exchange safety messages by using a secure routing protocol as in [10]. But, that cannot prevent selecting malicious nodes as forwarders. In addition, because of the high mobility of nodes, the routing protocol may select for each packet a different forwarder. Therefore, identifying all malicious nodes at once or using them as forwarders can dramatically drop the performance of the system. For this reason, the routing protocol should cooperate with the revocation protocol as illustrated in Algorithm 1:

image

To forward a packet, the routing module must select a candidate node x among neighbors. As some messages are real-time constrained (e.g., safety messages), the packet can be forwarded to x before evaluation. Then, the SDRP has to evaluate x and decide whether x is malicious or not. If x is deemed a well-behaving node, the packet is considered forwarded correctly. Else, the routing module has to select another candidate to route the packet through. The secure protocol should be able to detect most of attacks against the routing process through mechanisms such as the following:

  1. Verification of position claim: almost all unicast routing protocols proposed for inter-vehicular communication are position based [28]. Hence, verifying the position is crucial to secure routing knowing that the forged position information has a severe impact on the performance and the security [29]. Several location verification approaches developed in the literature [30, 31] can be used in our scheme.

  2. Verification of routing protocol execution: the adversarial nodes may attempt to compromise the network operation by exhibiting arbitrary (Byzantine) behavior [32]. They are able to corrupt, replay, fabricate routing packets, modify the hop count field, and may attempt to misroute them in any possible manner. In general, they cannot be expected to let the routing protocol execute properly. Therefore, detecting such misbehaving activities can be achieved by measuring the following metrics:

    • Packets dropped ratio: it represents the ratio of the dropped packets by a node per burst period.

    • Packet delivery ratio: it represents the ratio of successfully delivered packets by a node by burst period.

3.2 Adversary model

The main objective of our proposed protocol is to exclude misbehaving nodes from the routing operation in VANET. Misbehaving nodes may be represented in nodes that are handled by selfish controllers, nodes that are compromised by malicious attackers, or nodes that are affected by an equipment failure. In this paper, we consider the worst case of misbehaving nodes, which are defined as compromised nodes controlled by colluding malicious attackers. We assume that those misbehaving nodes are able to communicate with each other, which means that they are able to mount coordinated attacks to prevent messages from reaching their destinations. These attacks can be classified in two main categories: attacks against the routing protocol and attacks aiming at excluding a high number of honest nodes from the network, and thus reducing the chance to forward safety messages properly.

4 Scheme Overview

Our distributed revocation protocol consists of three modules: a misbehavior detection module (MDM), an accusations processing module (APM), and a neighbors' advertiser module (NAM). These modules and their interconnection are illustrated in Figure 1.

Figure 1.

A general scheme for the distributed revocation.

The MDM comprises typically an autonomous intrusion prevention system, which analyzes the activities of all nodes within range to detect the bad nodes using promiscuous mode [20]. It can prevent nodes to forward malicious messages to avoid disturbing the network using database of attack signatures. In the case where a malicious node M is detected by a verifier node e, it must add M to its blacklist, e being a node executing the revocation protocol. Thus, the messages of M will be ignored by e, and it will no longer be used by e as a relay for its outgoing packets. Node e then uses the NAM module to periodically broadcast an accusation message to notify its one-hop neighbors with its latest addition to its blacklist.

An accusation message include the pseudonyms of all accused nodes and their number, the pseudonym of the accuser, a timestamp to ensure the freshness, the digital signature, and the certificate of the accuser node to authenticate the source of the message. The format of the message is illustrated in Figure 2. Upon receiving an accusation message, a node adds the identifiers of all accused nodes to an accusation list for a specified duration (the lifetime of a pseudonym [18]), which gives a chance for falsely accused nodes to join again the network. This list will be used only if there is a node to be evaluated (e.g., a candidate node c specified by the routing protocol for relaying packets). For this purpose, we developed a new algorithm described later to calculate an accusation quotient based on the recorded information in the accusation list. The accusation quotient's value is then compared with a predefined threshold to decide whether or not the evaluated node is to be added to the blacklist.

Figure 2.

SDRP message format.

It is important to note that the identities of the malicious nodes contained in the accusation messages received from neighboring nodes are not added to the blacklist directly because it leads to ignoring all the messages issued from accused nodes, and provoke the loss of important information that can be useful to determine a potential colluding set of compromised nodes. Therefore, it would be beneficial for our revocation protocol to use two lists: an accusation list and a blacklist.

5 Revocation Procedure

Most of the existing voting-based revocation solutions use all the accusation messages issued against a node, to calculate the accusation quotient. In our solution, we do not use all of them necessarily because part of them might be issued by misbehaving nodes. Therefore, we developed a new function, named Rev, which is used to detect and filter out malicious accusation messages and to exclude them from the calculation of the accusation quotient. An accusation message is deemed malicious if the revocation's value assigned to the accuser node is less than the value assigned to the accused node.

5.1 Filtering function

Before defining the function filter, we have to be able to distinguish between the accusation behavior of a compromised node from that of an honest one. To that effect, we have considered two situations:

  1. The number of malicious nodes is not sufficient to revoke an honest node from the network.
  2. The number of malicious nodes is sufficient to revoke any neighboring node.

In the first situation, malicious nodes are not able to revoke any honest nodes by falsifying accusations; they are only able to launch traditional attacks such as dropping packets, which are detected by the MDM. To detect colluding attacks in this case, we define a function of similarity inspired from the human character, which considers a person similar to another one if they have similar behaviors. Let c be the candidate node and Nc, v the common set of neighbors to c and the verifier node v (node executing the procedure of verification). Let Ax be the set of nodes accused by node x and E the set of accusations such that (x, y) ∈ E means that y is accused by x. So, the similarity between two nodes can be expressed as follows:

display math(1)

where

display math
display math

From Equation (1), it is clear that a full similarity means that two nodes give the same evaluation for all the neighboring nodes.

To make Equation (1) more meaningful and effective, it is necessary that the node under evaluation must have a high similarity with most of the nodes in the network because the honest nodes represent the majority in the network. Therefore, in the presence of several nodes in the neighborhood, Equation (1) can be rewritten as follows:

display math(2)

In the second situation, the number of malicious nodes is big enough to revoke neighboring nodes, by pretending to be cooperative and issuing false accusations against honest nodes. The situation is getting worse if malicious nodes are not detectable by MDM. Therefore, the APM's role is to prevent such revocation of a high number of honest nodes.

Now, assume that a node z accuses an honest node and at the same time generates many accusations. So, the node z must be penalized by taking its |Az| to increase the credibility of the accused node x (x is a node that we measure its credibility). But, when the node x is not accused by z, we take its Āz (the more the node z issues accusation messages, the more x increases the credibility of the accused nodes). Therefore, we define the credibility function Cred(x) that takes into account two cases. In the first case, a node x under evaluation is assumed to be accused by a given node z, and in the second case, x is not accused (z, x) ∉ E. The expression of this function can be written as follows:

display math(3)

Now, it is clear that function Sim gives a high weight to accusation messages issued from honest nodes and that the function Cred rejects accusation messages from colluding malicious nodes. We define a composite function Rev, which takes into consideration both evaluations of Sim and Cred. This function allows us to control the tradeoff between Sim and Cred through two weighting factors α and β as in the following:

display math(4)

where

display math(5)

Assigning a higher value to α leads to a revocation mode where a node is revoked based on fewer accusation messages, whereas a higher value of β leads to a revocation mode that comes with a low risk of revoking a higher number of honest nodes.

Therefore, specifying the best values for α and β is ultimately tied to the strategy of attacks. We provide in this subsection a proposal for how to deal with attackers changing their strategies of attacks continuously. A typical defense mechanism against such attackers needs changing values of α and β in a real-time manner for the purpose of maximizing the system's security. This can be achieved efficiently by monitoring the ratio of the blacklisted neighbors. If this ratio surpasses a predefined threshold (depending on the required quality of service), it would be mandatory to evaluate the honesty of nodes according to the new α and β, which are defined as follows:

display math(6)

BL is the set of blacklisted nodes in the neighborhood, Nb is the number of neighbors, and θ is a predefined positive real number. We choose θ > 1 if we would like to make α converge quickly to 1 (if high DR is required) and θ < 1 if lower false positive is required.

5.2 Revocation method

In this section, we describe how a node is revoked. A node v, which evaluates a candidate node c selected by the secure routing protocol, executes the revocation procedure as described in Algorithm 2. Let N(x) be the set of nodes neighboring node x and Nx, y be the set of nodes that are common neighbors to both node x and node y; that is, Nx, y = N(x) ∩ N(y). We also define Lc as the set of nodes that are accusers of node c. The revocation procedure consists of calculating the accusation quotient Qc of the candidate node c. If Qc reaches a predefined threshold Th, the node c is considered as malicious or compromised and is therefore revoked.

The calculation of Qc is achieved through the use of the revocation function Rev by applying this function on every node “a” that is both an accuser of c and an element of the common set of nodes neighboring c and v. We establish a list Lc of such nodes such that Rev(a) ≥ Rev(c). The accusation quotient Qc is calculated as the ratio of the number of nodes in Lc and the number of nodes in the common neighbors to node c and node v. That is,

display math(7)
image

5.2.1 Example of revocation

To illustrate how the revocation procedure works, we consider the following example: considering two sets of nodes denoted by set1 and set2. set1 comprises two malicious nodes labeled 1 and 2, respectively (cf. Figure 3), and set2 comprises only honest nodes; all nodes of two sets are in the vicinity of each other. We assume that all the nodes of set1 generate accusation messages against all the nodes of set2. Figure 3 represents the accusation graph, where an arc starting from a node in set1 and arriving to another in set2 represents an accusation. We assume also that the MDM of honest nodes cannot detect any malicious activities, and therefore, they do not generate any accusation message.

Figure 3.

Illustration of the accusation graph.

Now, assume that node 4 is selected as a candidate forwarder by the routing protocol. SDRP allows evaluating the honesty of node 4 by using the revocation function.

It is worth noting that accusation messages from node x against node 4 will be accepted only if Rev(x) > Rev(4). But, before that, we have to calculate the two functions (Sim and Cred) constituting the revocation function.

  1. Computing the similarity (Sim function): From Figure 3 and using Equation (2), node 4 gained a considerable similarity value because of the fact that it has an accusation behavior similar to four nodes representing the majority in the neighborhood. That can be expressed by
    display math
  2. Computing the credibility (Cred function): Because of accusation messages of nodes 1 and 2 against the majority of nodes in the neighborhood, the credibility function (see Equation (3)) assigns high values to the accused nodes 3, 4, 5, 6, and 7. These values of credibility increase with the number of accusation messages issued by node 1 and node 2.

After computing the Sim and the Cred functions, the Rev function assigns node 1 and node 2 lower values, and their accusation messages will be rejected. This results in reducing the chance of DoS caused by the falsification of accusation messages.

5.2.2 Complexity analysis

The analysis of the computation complexity of any algorithm is very important; it provides theoretical estimates for needed resources and the response time.

Considering a verifier node v and a candidate node c and using Equations (2) and (3), we can verify that the complexity of Sim and Cred is O(n), where n is the number of common neighbors of c and v (Nc, v). As a result, the computation of the Rev function, which is the weighted sum of Sim and Cred, takes time O(n). Moreover, the revocation function is computed in the Algorithm 2, by the verifier node v for the node c and its accusers. Hence, if m(m < n) is the length of the list Lc (list of nodes belonging to Nc, v and accusing the node c), the computational complexity takes time O(m × n).

As the case of all the existing security schemes, our revocation procedure requires increasing computation resources as much as the number of colluding malicious nodes increases. However, in most cases, verifying the honesty of nodes under normal circumstances requires limited computational resources.

6 Performance Evaluation

In this section, we describe and analyze the performance results obtained through the different scenarios of simulations of SDRP. We conducted all simulations in the network simulator NS-2 [33] using a freeway traffic model. For all the scenarios, we selected 300 nodes randomly distributed in a highway of 5-km length with three lanes/directions that gives an average density of 1 vehicle per 100 m. We consider also that a vehicle has a transmission range of 300 m, following to the standard of IEEE 802.11p where a transmission range can up to 1000 m [34]. Two thresholds, 0.5 and 0.25, are used as in [35], to evaluate the robustness and the effectiveness of SDRP with a proportion of malicious nodes equal to 30%. So, in the case of a threshold equal to 0.25, the accusation quotients of honest nodes can easily exceed the threshold if malicious nodes falsify their accusations. All the parameters used in the simulations are summarized in Table 1.

Table 1. Simulation parameters.
SimulatorNS-2 version 2.30
Antenna range300 m
Number of nodes300
Mobility modelFreeway
Freeway length5 km
Number of lanes/direction4
Time interval between two consecutive accusation messages1 s
Rate of malicious nodes30%
Accusation quotient threshold0.25, 0.5

We choose to evaluate the effectiveness of our algorithm using two metrics:

  • Packet delivery ratio (PDR): it represents the proportion of the data packet received by destination nodes.
  • End-to-end delay (EED): it represents the average time taken by data packet to reach the destination.

In the course of our experiments, we consider that each node uses the greedy forwarding routing strategy in association with our revocation scheme. We assume that honest nodes are able to generate an accusation message against a neighboring malicious node with a uniform probability equal to 0.8.

Two different scenarios of coalition between malicious nodes are considered.

  • Scenario of non-colluding nodes: in this scenario, each malicious node can send individually falsified accusation messages against their neighbors.
  • Scenario of colluding nodes: in this scenario, attackers facing our system are not expected to accuse a high number of nodes in order to avoid being detected and revoked easily, but they tend to coordinate their attacks and accuse only a specific set of honest nodes.

A Packet delivery ratio

First, we evaluate the PDR by changing the ratio of accused nodes in the case of non-colluding attacks. Figure 4 shows that without using the procedure of revocation, the PDR performances drop to less than 10% with only 10% of malicious nodes in the network and reach nearly 0% if malicious are more than 25%. But, with the use of our revocation protocol, the PDR reaches 85% in the presence of 10% of malicious nodes and surpasses always 38% even in the presence of 30% of malicious in the network.

Figure 4.

Impact of the ratio of malicious nodes on the PDR.

Secondly, we consider that a fixed percent of nodes in the network coordinate an attack against a set of nodes, and we measure the PDR in this case by adjusting the ratio of accused nodes. Simulation results as displayed in Figure 5 show that in the presence of 30% of colluding attackers, PDR decreases as the percentage of accused nodes increases from 0% to 50%, then it increases again for a percentage of accused nodes higher than 50%. This is due to the fact that the APM was able to detect the malicious nodes and revoke most of them if they accuse either a large or a small number of honest nodes. Our protocol gives a high performance of up to 86% in the presence of a lower number of attackers (10% and 20%).

Figure 5.

Impact of the ratio of accused nodes on the PDR.

B End-to-end delay

The EED increases with the increase of the ratio of nodes dropping packets or running an attack, as can be seen in the graphs of Figure 6. This is primarily due to the fact that increasing the ratio of bad nodes reduces the probability to find an honest farthest forwarder as targeted by the greedy forwarding strategy, which increases the number of hops and the EED.

Figure 6.

Impact of the ratio of malicious nodes on the EED.

In the case of colluding attacks and by adjusting the ratio of honest nodes, Figure 7 shows that malicious nodes are able to decrease the performance (increase significantly the end-to-end delay) if they do not issue a high number of accusation messages against a large number of honest nodes. For a ratio of accused nodes varying from 0% to 50%, the EED always increases. But, for a rate higher than 50%, it decreases thanks to the APM module, which runs the revocation procedure and prevents DoS attacks. Figure 7 shows also that the ratio of malicious nodes can dramatically increase the EED, for example, from 0.067 s in presence of 10% of malicious to nearly 0.1 s in the presence of 30%.

Figure 7.

Impact of the ratio of accused nodes on the EED.

C Impact of the weighting factors on the revocation function

In the previous simulation scenarios, we have set the values of α and β to 0.5. Now, we see the impact of changing their values on the performance of the system.

As mentioned before, α and β can be determined in an adaptive way (Equations (5) and (6)). To determine the impact of the choice of weighting factors values on the DR and the false positive rate (FPR), we conducted an extensive set of experiments, and in the course of our experiments, we varied the values of α and β as illustrated in Table 2. We can see also that the DR increases as the value of α increases (β decreases) because when the Sim function in Equation (4) is disabled or have a low weight factor, the Cred function requires only a low number of accusation messages to revoke nodes. This can increases the DR and unfortunately increases the FPR. So, it is clear now that β in the case of colluding attacks must have a high value and vice versa.

Table 2. Detection rate (DR) and false positive rate (FPR) with different values of α and β.
αβDR (%)FPR (%)
015.410
0.250.7539.420.01
0.50.586.710.14
0.750.2595.387.98
1099.8933.27

D Comparison with other protocols

To more evaluate the effectiveness of our protocol, we choose to compare its performances with other proposed schemes. For a fair comparison between these protocols, we considered two scenarios according to the following assumptions:

  • An honest node accuses a malicious node if the latter is a neighboring node for a period longer than a specific amount of time referred to as minimum time for detection (MTD).

  • In the calculation of the DR, we only consider detections that are asserted by APM, and nodes are excluded if and only if they are deemed malicious by the APM. Two performance metrics considered during the evaluation of SDRP are the following:

    • The DR which denotes the percentage of detected compromised nodes.

    • The FPR which denotes the percentage of honest nodes which are mistakenly regarded as compromised nodes.

The results illustrated in Figure 8 show that our scheme, SDRP, outperforms LEAVE and Crépeau's scheme in terms of DR. We also note that the DR decreases as the MTD increases. This is explained by the fact that when MTD is low, there are not enough accusation messages issued by honest nodes, to revoke compromised nodes. Moreover, lower values of the MTD require having more new neighbors detecting malicious activities of the compromised node by MDM. Compared with the above results, Figure 9 shows that although the superiority of SDRP is maintained over the other schemes, decreasing the threshold value increases further the DRs of SDRP. However, we notice that when MTD = 0 (the case where each honest node issue an accusation message against a compromised neighboring node without waiting) does not necessarily lead to 100% DR. This is due to existing situations where compromised nodes constitute a local majority.

Figure 8.

Detection rates of malicious nodes (threshold = 0.5).

Figure 9.

Detection rates of malicious nodes (threshold = 0.25).

In terms of the rate of false positives, the results obtained for a threshold = 0.5, as illustrated in Figure 10, show that LEAVE by reducing the weights of accused nodes provides lower FPR and also lower DR (cf. Figure 9). However, our protocol “SDRP” gives a high DR (cf. Figure 9) and an FPR equal approximately to LEAVE rate and lower than Crépeau.

Figure 10.

Rate of false positives (threshold = 0.5).

Figure 11 shows that with (MTD > 6), SDRP outperforms all the other protocols because of the increasing weights of malicious nodes accusations that are sufficient to surpass the threshold 0.25.

Figure 11.

Rate of false positives (threshold = 0.25).

It is worth noting that the value of the threshold in all the previous schemes has opposite effects on the DR and the FPRs. So, it is necessary to choose this value carefully.

7 Conclusion and Future Works

Securing vehicular communication is a prerequisite for an efficient deployment of VANET safety-critical applications. In this work, we have proposed a new revocation protocol named SDRP. Unlike other revocation protocols that are designed without taking into account bandwidth limitation and real-time requirements of safety-related applications in VANET, our scheme is designed to operate in conjunction with other ad hoc routing protocols. The SDRP's main role is to verify and revoke compromised nodes on-demand based on requests from the routing module. SDRP contributes in preserving over-the-air resources by scrutinizing the behavior of candidate next-hop nodes and by providing fresh revocation information about the verified nodes. Through the simulation results that we described, we showed how our scheme outperforms other schemes by providing a higher DR for compromised activities and a lower rate of false positives. In the same time, it reduces the impact of the falsified accusations on the network availability.

As a future work, we intend to extend the proposed revocation scheme by providing how base stations can use the local revocation information of vehicles that are within their range, in order to make global revocation decision. We intend also to evaluate the performance of SDRP with different mobility models.

Ancillary