
Analyzing Dissemination Redundancy to Achieve Data Consistency in VANETs


Academic year: 2021


Stefan Dietzel

DIES Group University of Twente The Netherlands

s.dietzel@utwente.nl

Jonathan Petit

DIES Group University of Twente The Netherlands

j.petit@utwente.nl

Frank Kargl

Institute of Distributed Systems Ulm University Germany

frank.kargl@uni-ulm.de

Geert Heijenk

DACS Group University of Twente The Netherlands

geert.heijenk@utwente.nl

ABSTRACT

It is generally agreed that VANET security needs to rely on entity-centric trust, as well as data-centric methods. Entity-centric trust typically involves signatures and certificates, while data-centric methods leverage on consistency checks. One way to implement data consistency checking is to exploit redundant information dissemination to detect inconsistencies. In this paper, we propose a metric to investigate the degree of redundancy that different types of information dissemination protocols exhibit. We evaluate our metric using simulations of Geocast and aggregation protocols. Results show that geocast largely eliminates redundancy, whereas aggregation keeps more redundant communication paths.

Categories and Subject Descriptors

C.2.0 [Computer-Communication Networks]: General

Keywords

VANET, security, data consistency, metrics, simulation

1. INTRODUCTION

In recent years, vehicular ad hoc networks (VANETs) have received increasing attention from academia and industry alike. Foreseen applications include safety warnings, traffic efficiency enhancements, and multimedia services. Numerous protocols have been proposed to provide the necessary information dissemination. For some applications, information about the 1-hop broadcast area around a vehicle is sufficient. Other applications, especially those for navigation support, need to disseminate information in larger areas. Schoch et al. [6] propose a categorization of dissemination protocols, differentiating single-hop beaconing, multi-hop Geocast, advanced information dissemination, and in-network aggregation. We focus on the last three categories, which all disseminate information in a multi-hop fashion in larger areas.

Copyright is held by the author/owner(s).

VANET’12, June 25, 2012, Low Wood Bay, Lake District, UK.

ACM 978-1-4503-1317-9/12/06.

Security is generally acknowledged as a primary challenge in VANETs [4, 2]. The original approach to protect vehicular communication is based on entity-centric trust, which is established by signing packets with ECDSA signatures and by establishing a public key infrastructure that issues certificates to vehicles. This approach is currently being standardized as IEEE 1609.2.

Entity-centric trust ensures that the originators of messages are actual vehicles or authorized infrastructure. However, prohibitive cost and complex management of trusted hardware make it likely that knowledgeable attackers will be able to access key material in vehicles they physically own. Entity-centric trust does not protect from data alteration attacks mounted by such insider attackers. Using obtained key pairs, attackers can either maliciously generate wrong information or modify information they process as part of multi-hop dissemination protocols.

Therefore, research papers [5, 3], as well as standardization activities (e.g., IEEE 1609.2) propose to complement entity-centric trust with data-centric methods to check for consistency. The central idea is to rely on physical models, local sensors, or data redundancy to detect spurious data.

Various approaches leveraging on physical models and local sensors have been investigated. However, these proposals focus mainly on single-hop applications and corresponding dissemination protocols.

In this paper, we assess data consistency approaches based on data redundancy. Our goal is to analyze whether the redundancy present in current protocol proposals can be exploited to achieve data consistency in multi-hop dissemination protocols.

2. REDUNDANCY METRICS

We represent the communication network with a directed graph $G = (V, E)$ where vertices represent vehicles and edges represent that a vehicle is within 1-hop communication range of another vehicle. Information that is observed by a source $s \in V$ is forwarded over multiple forwarding nodes $f_1, \ldots, f_m \in V$ to a destination $d$. To compensate packet loss, protocols often forward information using multiple paths from $s$ to $d$. For the transfer of a single message, we distinguish two subgraphs of $G$, namely $G_s$ and $G_{(s,d)}$, where $G \supseteq G_s \supseteq G_{(s,d)}$.

Figure 1: An example graph showing critical nodes, namely 2 and 4, on a path between source s and destination d.

We use $G_s = (V_s, E_s)$ to represent all transfers of a single message, that is, all forwarding paths starting at $s$. Hence, $(v_i, v_j) \in E_s$ if, and only if, $v_i$ forwards the message, which $v_j$ then receives. $V_s$ contains all vertices in $V$ that are connected to an edge in $E_s$. Further, $G_{(s,d)} = (V_{(s,d)}, E_{(s,d)})$ represents successful transfers from $s$ to $d$. Thus, $V_{(s,d)}$ and $E_{(s,d)}$ contain all vertices and edges that are part of a path from $s$ to $d$ in $G_s$. Ideally, $d$ receives the message unmodified via all paths. Due to transmission errors, as well as malicious vehicles, some of the received messages might be modified.

We assume a single insider attacker $a \in V \setminus \{s, d\}$ in the network whose goal is to alter the message that is transferred from $s$ to $d$ who are both honest. That is, whenever $a$ receives $s$'s message for forwarding, $a$ will modify it. We assume that we cannot distinguish $a$ from normal vehicles beforehand, because the attacker vehicle creates messages that conform to the communication protocol and, in general, behaves according to the protocol except for modifying message content. Moreover, we assume that $d$ does not know $s$'s identity beforehand. Because honest nodes modify forwarded information in advanced dissemination protocols such as in-network aggregation, we cannot assume that $a$ can be detected using entity-centric methods alone. We consider $a$ to be successful if $a$ is able to modify all copies of the message that $d$ receives from $s$. In order to be successful, $a$ needs to be in $V_{(s,d)}$ and part of all possible paths from $s$ to $d$ in $G_{(s,d)}$. A message transfer is called attackable if there exists at least one $a \in V_{(s,d)} \setminus \{s, d\}$ such that for all paths $p$ from $s$ to $d$ in $G_{(s,d)}$, $a$ is on $p$.

2.1 Node-disjoint paths

We use the number of node-disjoint paths ($P$) to characterize how resilient a message transfer is against insider attackers. If a node exists that is part of all paths between $s$ and $d$, then $G_{(s,d)}$ becomes disconnected after removing this node. Thus, the size of the graph's minimum vertex cut is one. Applying Menger's theorems, that means that the number of node-disjoint paths between $s$ and $d$ in $G_{(s,d)}$ is equal to 1. We can use maximum flow algorithms to compute the number of node-disjoint paths efficiently. Figure 1 shows an example graph with one node-disjoint path.

If a protocol is not attackable, there are at least two paths from $s$ to $d$ that have no common nodes apart from $s$ and $d$. However, for $P = 2$, it is still undecidable which node is the attacker. For $P \geq 3$, an attacker can be detected given an honest majority. However, a straightforward majority vote is not possible in all network topologies, because even a single attacker can control a large share of incoming edges to the destination $d$.

2.2 Critical nodes

In case we have $P = 1$, there is at least one node in the network that can successfully attack the message transfer from $s$ to $d$. However, not all nodes on the node-disjoint path between $s$ and $d$ can attack successfully. Therefore, we calculate the critical nodes ($C$) on the path between $s$ and $d$. A node is critical if its removal would disconnect $G_{(s,d)}$, as shown in Figure 1. In case $P \geq 2$, the number of critical nodes is automatically 0. The more nodes on the path between $s$ and $d$ are in the set of critical nodes, the more likely it is that an attacker that is randomly positioned in the network is successful. Namely, the chance of success is

$$P(a \in V \setminus \{s, d\} \text{ successful}) = \frac{C}{|V \setminus \{s, d\}|}.$$

Together, $P$ and $C$ describe the trade-off between communication efficiency and attack resilience due to redundancy.
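The two metrics of Sections 2.1 and 2.2, as an added Python example that is not the authors' simulation code: the number of node-disjoint paths is computed as a unit-capacity maximum flow on a node-split graph, and the critical nodes by removing each forwarder in turn. Function names are assumptions, and the edge lists are constructed; the first is chosen so that nodes 2 and 4 are critical as in the caption of Figure 1, since the figure's actual edges are not recoverable from the page.

```python
from collections import deque

def node_disjoint_paths(edges, s, d, removed=None):
    """Metric P: number of s-d paths sharing no node except s and d,
    computed as unit-capacity max flow on a node-split graph (Menger)."""
    cap = {}
    def add(u, v):
        cap.setdefault(u, {})[v] = 1
        cap.setdefault(v, {}).setdefault(u, 0)       # residual edge
    for u, v in edges:
        if u == v or removed in (u, v):
            continue
        add((u, "out"), (v, "in"))                   # one forwarding step
        for n in (u, v):
            if n not in (s, d):
                add((n, "in"), (n, "out"))           # a forwarder serves one path
    src, dst, flow = (s, "out"), (d, "in"), 0
    while True:                                      # BFS augmenting paths
        parent, todo = {src: None}, deque([src])
        while todo and dst not in parent:
            u = todo.popleft()
            for v, c in cap.get(u, {}).items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    todo.append(v)
        if dst not in parent:
            return flow
        v = dst
        while parent[v] is not None:                 # push one unit of flow
            u = parent[v]
            cap[u][v] -= 1
            cap[v][u] += 1
            v = u
        flow += 1

def critical_nodes(edges, s, d):
    """Metric C as a set: forwarders whose removal cuts every s-d path."""
    if node_disjoint_paths(edges, s, d) != 1:
        return set()                                 # unreachable, or P >= 2
    forwarders = {n for e in edges for n in e} - {s, d}
    return {n for n in forwarders
            if node_disjoint_paths(edges, s, d, removed=n) == 0}

def attack_success_probability(edges, s, d, vehicles):
    """C / |V \\ {s, d}| for one attacker placed uniformly at random."""
    others = set(vehicles) - {s, d}
    return len(critical_nodes(edges, s, d)) / len(others) if others else 0.0

# Constructed sample: edges chosen so that 2 and 4 are critical, as in Figure 1.
FIG1_LIKE = [("s", 1), ("s", 3), (1, 2), (3, 2), (2, 4), (4, "d")]
REDUNDANT = [("s", 1), ("s", 3), (1, "d"), (3, "d")]   # constructed, P = 2
```

The functions take the edges of $G_s$ directly: nodes that lie on no path from $s$ to $d$ carry no flow and can never be critical, so restricting to $G_{(s,d)}$ first does not change either result.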

3. ANALYSIS AND DISCUSSION

To validate our metrics, we apply them to widely-used multi-hop data dissemination protocols. We implemented representatives of the following protocol families.

Baseline. As baseline we use a graph that resembles the result of a naïve flooding with perfect packet delivery even over multiple hops. The baseline gives an estimate of the maximum achievable redundancy.

Geocast. We use an adaptive, probabilistic gossiping protocol, namely Advanced Adaptive Geocast (AAG) [1]. In AAG, each node determines the message forwarding probability based on the current perceived node density according to 2-hop neighborhood information.

Aggregation. We use a basic aggregation scheme as representative for in-network aggregation protocols. The scheme uses fixed size road segments, for which all atomic observations are averaged. For calculating our metrics, we assume that a message from the source reaches the destination if the destination receives an aggregate that the source message contributed to.

Our simulations are done using JiST/SWANS. We consider both city and highway scenarios with changing node density. For the city scenario simulations, we place all nodes randomly on a pre-defined road network. For the highway scenario simulations, nodes are randomly distributed on a single stretch of road. We do not consider node mobility at this point, because we focus on single message transfers between a source and destination and can assume that the basic network characteristics, e.g., node density, remain the same during one message transfer.

Figure 2 shows the number of node-disjoint paths in a city with varying node density. For the baseline, $P$ grows linearly in the number of nodes, which is expected, because the graph is more connected with higher node density. For the aggregation protocol, the number of disjoint paths grows as well, but at a lower rate. Figure 3 shows that the number of critical nodes $C = 0$ for the baseline. For the aggregation protocol, $C$ also converges to 0 as the node density grows. The results for AAG in Figure 2 show a much lower number of node-disjoint paths, which stays constant with growing numbers of nodes. This is due to the fact that AAG automatically reduces redundancy by lowering the forwarding probability in high node density scenarios. Consequently, Figure 3 shows a higher number of critical nodes for AAG.

Figure 2: Number of node-disjoint paths P for different node densities in a city.

Figure 3: Number of critical nodes C for different node densities in a city.

In the highway scenario, we see similar results for all protocols. However, the aggregation protocol performs almost equal to the baseline in the highway case. The reason is that the aggregation protocol needs to disseminate only 10 segments in the highway scenario because the highway only consists of a single stretch of road.

We observe that for AAG, all metrics are consistent for both city and highway scenario, as well as for different node densities. In all settings, AAG performs almost optimal in terms of communication efficiency. However, the low redundancy due to efficient communication comes at the cost of possible attacks. Aggregation shows a high level of redundancy for all scenarios. However, aggregation only disseminates summarized information. As a result, the utility of the disseminated information may be lower. Moreover, the aggregation protocol’s performance decreases notably in a city scenario, illustrating the drawbacks of a fixed segments scheme.

4. CONCLUSION AND FUTURE WORK

Data consistency is an important building block for secure vehicular communication systems. Focusing on entity-based solutions backed by a public key infrastructure, data consistency measures have been widely neglected by existing research. We argue that redundant forwarding paths are a promising technique to enable consistency checks especially in multi-hop data dissemination protocols.

Previous research on such multi-hop dissemination protocols has focused on aspects like communication efficiency, therefore aiming to remove any dissemination redundancy. We complement this research by analyzing how likely it is for a randomly selected unknown attacker to dominate all paths from a source to a destination. Our metrics, the number of node-disjoint paths and the derived number of critical nodes, are efficient to compute due to their relation to the well-researched maximum flow problem in graph theory.

We validate our metrics using simulations in different scenarios. Our results show that AAG, an efficient Geocast protocol, reduces communication redundancy to a point that enables single attackers to fully control the information flow between a vehicle pair in certain scenarios. We therefore conclude that current routing protocols will have to be modified to deal with attacks on data consistency. A simple aggregation protocol shows more promising results in terms of redundancy. Ideally, future protocols will optimize path redundancy and bandwidth consumption at the same time.

We are currently extending our metrics to accomplish more complex attacker models. In addition, we are assessing protocols that use this conflict detection as a baseline to identify the spurious information in conflict situations.

5. ACKNOWLEDGEMENTS

The research leading to these results has received funding from the European Union’s Seventh Framework Programme project PRESERVE under grant agreement № 269994.

6. REFERENCES

[1] B. Bako, F. Kargl, E. Schoch, and M. Weber. Advanced adaptive gossiping using 2-hop neighborhood information. Global Telecommunications Conference, 2008. IEEE GLOBECOM 2008. IEEE, pages 1–6, 2008.

[2] F. Dressler, F. Kargl, J. Ott, O. K. Tonguz, and L. Wischhof. Executive Summary - Inter-Vehicular Communication. In Dagstuhl Seminar 10402 - Inter-Vehicular Communication, Schloss Dagstuhl, Wadern, Germany, October 2010. Dagstuhl.

[3] P. Golle, D. Greene, and J. Staddon. Detecting and correcting malicious data in vanets. In Proceedings of the 1st ACM international workshop on Vehicular ad hoc networks, VANET ’04, pages 29–37, New York, NY, USA, 2004. ACM.

[4] F. Kargl, P. Papadimitratos, L. Buttyan, M. Müter, E. Schoch, B. Wiedersheim, T.-V. Thong, G. Calandriello, A. Held, A. Kung, and J.-P. Hubaux. Secure vehicular communication systems: implementation, performance, and research challenges. IEEE Comm. Magazine, 46(11):110–118, 2008.

[5] M. Raya, P. Papadimitratos, V. D. Gligor, and J.-P. Hubaux. On Data-Centric Trust Establishment in Ephemeral Ad Hoc Networks. In 2008 IEEE INFOCOM - The 27th Conference on Computer Communications, pages 1238–1246. IEEE, 2008.

[6] E. Schoch, F. Kargl, M. Weber, and T. Leinmuller. Communication patterns in vanets. Comm. Magazine,
