Survey on Misbehavior Detection in Cooperative Intelligent ... · Survey on Misbehavior Detection in Cooperative Intelligent Transportation Systems Rens W. van der Heijden, Stefan

1

Survey on Misbehavior Detection in CooperativeIntelligent Transportation SystemsRens W. van der Heijden, Stefan Dietzel, Tim Leinmüller, Frank Kargl

Abstract—Cooperative Intelligent Transportation Systems(cITS) are a promising technology to enhance driving safety andefficiency. Vehicles communicate wirelessly with other vehiclesand infrastructure, thereby creating a highly dynamic andheterogeneously managed ad-hoc network. It is these networkproperties that make it a challenging task to protect integrityof the data and guarantee its correctness. A major componentis the problem that traditional security mechanisms like PKI-based asymmetric cryptography only exclude outsider attackersthat do not possess key material. However, because attackers canbe insiders within the network (i.e., possess valid key material),this approach cannot detect all possible attacks. In this survey,we present misbehavior detection mechanisms that can detectsuch insider attacks based on attacker behavior and informationanalysis. In contrast to well-known intrusion detection for classi-cal IT systems, these misbehavior detection mechanisms analyzeinformation semantics to detect attacks, which aligns better withhighly application-tailored communication protocols foreseen forcITS. In our survey, we provide an extensive introduction to thecITS ecosystem and discuss shortcomings of PKI-based security.We derive and discuss a classification for misbehavior detectionmechanisms, provide an in-depth overview of seminal papers onthe topic, and highlight open issues and possible future researchtrends.

I. INTRODUCTION

Throughout the field of computer science, securing sys-tems against malicious attackers has become a fundamen-tal requirement for safe, secure, and dependable operationof applications. Today, professional attacks against systems,which are mounted by large criminal organizations or evengovernments, are becoming increasingly common [1], [2]. Atthe same time, computer systems are increasingly intertwinedwith the real world, making them more appealing targets.The term cyber-physical systems (CPS) has been coined toencompass systems that are characterized by a large de-ployment of networked devices equipped with both sensorsand actuators [3]. They are distinguished from traditionalembedded systems, where individual nodes interact with thereal world in strongly constrained environments. In contrast,CPS are highly networked, deployed in large regions, and maycontain nodes with heterogeneous computational power. Thecontent transferred in these networks is highly predictable,relating directly to real-world phenomena [4], [3], a fact thatenables novel techniques to detect attacks, collectively referred

R. W. van der Heijden and F. Kargl are with the institute of distributedsystems, Ulm University, Germany

S. Dietzel is at Humboldt-Universität Berlin, GermanyT. Leinmüller is with DENSO Automotive Deutschland GmbH, GermanyAuthor version of DOI:10.1109/COMST.2018.2873088 – c© 2018 IEEE

version at https://ieeexplore.ieee.org/document/8477005

to as misbehavior detection. A prominent example of sucha system is a cooperative intelligent transportation system(cITS), which consists of vehicles, road-side units and back-end systems, and which is the main focus of this survey. Attackdetection in general is an essential second layer of security fornetworks, especially for widely deployed networked systemsin potentially hostile environments, where attackers may havephysical access to a subset of the system. Furthermore, theimpact of such attacks is much greater, as they can easily betailored to cause real-world harm or loss of life. Therefore,misbehavior detection in both CPS and cITS is essential forthe secure and thus safe operation of these systems.

Cooperative Intelligent Transport Systems are networksdesigned to provide a variety of benefits [5], [6]. These includeimproved road-safety, greener driving through improved trafficmanagement, support for partially autonomous vehicles, andinfotainment services such as traffic information services. Thecharacterizing communication paradigm of all these applica-tions is that sensors are used to measure real world conditions,which are then communicated over a ubiquitous network. Thisnetwork is built up by equipping each vehicle with a wirelessinterface, creating a dynamic ad-hoc network that can be ac-cessed without further overhead, which is commonly referredto as a vehicular ad-hoc network (VANET). The VANET canalso include infrastructure components, referred to as road sideunit (RSU), which are sparsely positioned along the road. Theresulting network that includes sparse infrastructure is referredto as a vehicular network. Vehicles use the VANET to sendand receive information, building a world model from receivedmessages, which is used for the applications mentioned above.However, vehicles can also sense local information througha variety of sensors, especially with recent developments inpartially autonomous driving. This information, communicatedthrough vehicle-internal networks, is used for autonomousdecision making by the vehicle, either in dedicated drivingscenarios or with complete autonomy. These applications areoften supported by additional infrastructure in the back-endthrough the Internet. These extensions of a vehicular network,where cooperation between autonomous vehicles and back-endis central, are collectively referred to as cITS.

In addition to the benefits discussed above, cITS are ex-pected to support the deployment of autonomous drivingtechnologies with cooperation between vehicles. Both exist-ing applications, as well as envisioned future developments,present a host of new security challenges. One of these isthe integrity and correctness of transmitted information thatis exchanged between vehicles that use cITS applications. Awide body of work is aiming to provide this protection, which

arX

iv:1

610.

0681

0v2

[cs

.CR

] 2

9 N

ov 2

018

2

can broadly categorized into proactive and reactive mecha-nisms [7]. Proactive security aims to prevent potential attackersfrom system access, whereas reactive security assumes thatmalicious activity can be present within the system and needsto be detected and corrected. Note that in this context, outsiderrefers to an attacker without system access, whereas insiderrefers to a user with system access (i.e., able to transmitlegitimate messages), rather than the physical location of theattacker.

More specifically, proactive security refers to any kindof mechanism that enforces a security policy. This categoryincludes mechanisms such as integrity and authenticity checks(e.g., verifying cryptographic signatures), access control mech-anisms and many other systems. For instance, in cITS, thetypical approach is to use public key infrastructures (PKIs) andonly issue key material and certificates to vehicles and otherauthorized entities. All unauthorized entities are excludedfrom the system, because their messages do not contain validsignatures. The state of the art for such PKIs is discussed indetail in Section III-B. This creates a trusted perimeter that en-compasses all authorized entities, requiring potential attackersto possess valid credentials to access the system, reducing thenumber of attack vectors. However, if an attacker compromiseskey material or otherwise manipulates the messages that aretransmitted, attacks can still be successful.

Therefore, proactive mechanisms have to be complementedby reactive security. Reactive security consists of a detectionand reaction step, where attacks that are not prevented byproactive security can be stopped. Misbehavior detection isfirmly positioned in the category of reactive security mech-anisms and belongs to the detection step. In misbehaviordetection, the primary goal is to detect such attacks in thecITS; this survey aims to provide an overview of existingresults in this new context. In Section III-D, we discussthe attacks that are still possible in the context of proactivesecurity. This covers both general cITS and a specific exampleapplication, cooperative adaptive cruise control (CACC) [8],[9], [10], [11]. This application is a primary example of newdevelopments in the field of cITS, which has recently gainedthe interest of the security community. This example alsodemonstrates the connection to CPS by discussing attackson both the cyber (i.e., the network) and the physical (i.e.,misbehavior by manipulating the process).

Reactive security mechanisms have a long history in tradi-tional networks, where both intrusion detection systems (IDS)and intrusion prevention systems (IPS) are used. These areactively researched and many surveys on the topics exist [12],[13], [14], [15]. A general classification is through the methodof detection: either by recognizing known attack patterns(signature-based), detection of anomalous behavior (anomaly-based), or detection of specification deviations (specification-based). Each of these approaches can be viewed as a classifierof traffic as either benign or malicious. Misbehavior detectioninstead classifies messages as correct or incorrect, wherecorrectness refers to whether the messages reflect the realworld. This involves application semantics, which exist beyondthe communication that is analyzed (e.g., physical laws andprocesses in CPS and also cITS). An example is the area of

(a) Jamming attack

traffic jam ahead!

(b) Fake message injection attackFig. 1. Two examples for different types of misbehavior.

routing in ad-hoc networks, where the goal is to detect nodesthat exhibit incorrect or malicious forwarding behavior [16].

Because of the envisioned large-scale deployment and thedirect interaction with the physical world, it is likely thatintelligent transportation systems will attract a number ofattackers. Many different types of misbehavior and attacksare conceivable, and we will provide an in-depth discussionand categorization in Section IV. For now, consider twoexample attacks to demonstrate the range of possibilities.Figure 1a shows a jamming attack. Here, an attacker createsnoise on the wireless channel, which hinders the messagetransfer between two benign vehicles. To mount this attack,the attacker does not need any particular knowledge aboutthe semantics of the messages that the vehicles exchange. Itis enough for the attacker to know the specification of thewireless communication channel, which is publicly availablein standard documents.

Figure 1b demonstrates a completely different type ofattack. Here, the attacker uses knowledge of the protocolsemantics to create a message that informs the vehicles aheadof an (non-existent) traffic jam. Receiving vehicles will usethis message for routing decisions and might take an alternateroute. As a result, there might be less traffic on the originalroad, which is a direct benefit for the attacker. The mainharm caused in this case is that vehicles might slow downwhen approaching the non-existent traffic jam location, maybecreating a real traffic jam. In addition, the traffic participantsmight get confused in case they notice that there is no trafficjam on the original road. As a result the user acceptance ofthe system is lowered.

If we consider safety applications or automated driving [2],it is conceivable that attacks on intelligent transportationsystems can even lead to accidents, possibly threatening thelives of passengers. For instance, given a set of vehicles thatare using a platoon with reduced relative safety distance, anattacker could inject a fake message that indicates one ofthese vehicles is breaking, even though this is not the case. Insuch a situation, vehicles will immediately respond and in theworst case actually cause collisions to avoid the non-existentbreaking behavior claimed by the attacker. This type of attackhas been studied for its effectiveness in recent works [8],

3

but suitable countermeasures require the ability to detect falseinformation [11]. This is exactly what misbehavior detectionis designed to do.

II. RELATED SURVEYS & CONTRIBUTION

There is a large variety of surveys [6] that discuss variousaspects of cITS security, including authentication schemes,attack techniques, routing security, trust management, andrevocation. Compared to these works, we are more focused onmisbehavior detection as it relates to real-world processes, andwe aim to provide a detailed categorization of existing work.We also place all of the works into the same cITS context,which reveals some vulnerabilities related to assumptionson the attacks that no longer hold. This categorization thusprovides a much deeper insight into the developments of thefield over the past two decades, compared to existing work.

There are recent surveys on the security of areas of whichcITS can be considered a subset, such as trust in mobile ad-hoc networks (MANETs) [17], opportunistic networking [18],and CPS [19], [3]. Although these clearly also address issuesrelated to cITS, our survey has limited the scope to be ableto address the topic in more detail, considering the areaof misbehavior detection more specifically. Other interestingsurveys that have synergies with this one include a studyon attacks and countermeasures for GNSS spoofing [20], asystem that is essential for safe operation of cITS, and astudy on social network cooperation mechanisms in cITS [21].However, none of these surveys directly address security incITS as a primary focus; the unique requirements call fordifferent security mechanisms.

Recently, a number of authors have also written surveysaddressing security in cITS specifically. Azees et al. [22] pri-marily focus on VANETs as a special case of MANETs, a viewthat was common in the past, but which does not include in its’scope the most safety-critical classes of attacks. Instead, theauthors are discussing at routing-oriented attacks and defencemechanisms, while we focus on examining misbehavior de-tection with respect to cITS applications. Hasrouny et al. [23]and Sakiz & Sen [24] both address the cITS proper, but thesesurveys both place a much different focus.

The work by Hasrouny et al. [23] can be considered abroad introduction to the field, more akin to a tutorial: theauthors study the different attack techniques in a lot of detail.They continue with an extensive description of standardizationefforts with respect to security. The authors finally describepotential countermeasures for the discussed attacks. However,due to the very broad scope of their work, they cannot go intosufficient detail on detection specifically, and instead providescattered solutions for individual attacks. Our survey insteadaims at a much deeper understanding of the methods usedfor misbehavior detection, classifying by different schemeproperties. In particular, we identify patterns in how theliterature tackles the topic of detection, and also classify theprivacy and generalizability of each scheme.

Sakiz & Sen [24] also provide a survey of detection mecha-nisms for cITS: however, their scope of detection mechanismsincludes the largely parallel topic of routing security. This is

illustrated by the emphasis on denial of service, replay andnetwork layer attacks. For this reason, they are not able to gointo as much detail as we are able to on safety-critical attacktypes, such as data injection attacks. Unlike their survey, weprovide a qualitative discussion of the detection mechanisms,reflecting on their generalizability and what the weaknessesof each approach are. Our classification focusses on sharedcharacteristics, which helps technical readers to identify whichschemes are comparable, and it helps researchers identifyparallels between different schemes, as well as gaps for futurework.

In this article, focus on the specific area of misbehaviordetection, providing a comprehensive survey of different mis-behavior detection mechanisms for cITS. We also considerthe implications of this research for other CPS domains.Due to the challenging network topology and application-specific networking paradigms applied in cITS, we believethat misbehavior detection mechanisms for these systemsoffer interesting properties that can be transferred to otheruse cases. In particular, the issue of data injection attacksis a challenge that is also observed in other CPS, whilerouting attacks such as those covered by previous surveys arenetwork-specific. Our main contributions can be summarizedas follows: noitemsep,nolistsep• We start with a comprehensive overview of the state of the

art and current standardization efforts, including overallcITS security in Section III.

• We define misbehavior, an attacker model, and a noveltaxonomy for misbehavior detection in Section IV.

• We provide an extensive overview of seminal misbehav-ior detection works in Section V, using the taxonomyas a guideline1. We also provide a more fine-grainedclassification by how detection is performed, which helpsreaders identify relevant classes of mechanisms that haveorthogonal functionality.

• We discuss solved and open challenges (Section VI)and point out commonalities and differences of cITSmisbehavior detection and misbehavior detection in otherdomains (Section VI-C).

III. SYSTEM MODEL

A. cITS overview

The cITS system consists primarily of vehicle-to-vehicle(V2V) and vehicle-to-infrastructure (V2I) communication,which is proposed to be based on the IEEE 802.11p amend-ment, which specifies MAC and PHY layers for short-range communication between vehicles. Communication isperformed at 5.9 GHz with a communication range that istypically between 100 and 500 meters, and which is highlydependent on the scenario and buildings in the vicinity. IEEE802.11p has gained world-wide adoption as a basis on top ofwhich standardization agencies are building cITS applications.For example, the European telecommunications standardiza-tion organization, ETSI, has a family of standards for cITS,referred to as ITS-G5, which provides communication prim-itives. On top of these, safety and entertainment applications

1An earlier version of this paper was pre-published on Arxiv [25]

4

are being developed. Similar initiatives exist in the US in theIEEE 1609 family of standards, in conjunction with the Societyof Automotive Engineers (SAE).

In contrast to routing in classical IT systems such asthe Internet, multicast and broadcast are the predominantnetworking patterns in cITS [26]. These patterns are muchmore suitable for the envisioned applications, which vary fromlane change warnings to cooperative adaptive cruise control(CACC) and city-scale traffic flow optimization. CACC isan application that has gained significant attention in recentyears, and is essentially an extension of adaptive cruise control(ACC), where the safety distance between vehicles is reduced.In CACC, vehicles periodically exchange position informa-tion to form a very tight formation that would normally besusceptible to collisions [10]. This is is a form of partially au-tonomous driving that goes beyond the potential benefits fromsensor-equipped vehicles. The data exchanged between thenetwork participants, vehicles and infrastructure alike, sharethe property that they are relevant to all receivers. Therefore,addressing packets to specific vehicles does not make sense;instead, addressing refers to the local neighborhood (1-hopbroadcast), specific regions (geocast) and infrastructure. Thisstyle of addressing allows the network to exploit the simplefact that wireless networks are a broadcast medium by nature.

These communication patterns are supported by twomessage types in the European model: the periodiccooperative awareness message (CAM) [27] and the event-driven decentralized environmental notification message(DENM) [28]. In the US, standardization foresees a two-partbasic safety message (BSM) [29], [30] that roughly corre-sponds to the CAM and DENM. These message types makeup the bulk of communication between vehicles; in Europe,additional message types are currently under standardizationfor specific applications, such as the signal phase and time(SPaT) and Topology Specification (TOPO) message types.Both the CAM and the first BSM part consist of core elementsincluding position, heading, speed, steering wheel angle andvehicle size. Supplemental information can be added, such asvehicle role and status of vehicle lights. CACC applicationscan technically work with just CAM/BSM.1 information, butmost proposals include acceleration information into beaconmessages for better performance.

The second BSM part is only transmitted when a specificevent occurs, similar to DENMs, but is packaged within thenext periodic BSM instead of being transmitted separately.This second BSM part is also single-hop; unlike the Euro-pean model, which specifically foresees DENMs as multi-hop messages, events are transferred through 1-hop BSMsonly. DENMs are event triggered messages, which are de-signed to warn about specific events, such as traffic jams,emergency breaking, an approaching emergency vehicle, orroad construction. DENMs are usually relevant for specificgeographical area, and can be forwarded there over multiplehops. A geobroadcast protocol is specified [31], which firstforwards messages to the designated target region and thenbroadcasts the message within that region.

Although V2V communication using CAMs and DENMsis able to support a large number of use cases, some use

cases require V2I communication. Infrastructure can help toincrease communication range during the initial deploymentphase, especially in critical areas such as intersections. An-other important feature of infrastructure is that it enablescommunication with back-end infrastructure and the generalInternet. This is useful for non-safety application classes, suchas infotainment services, over-the-air software updates andsecurity credential updates. RSUs can also be used to enablespecific applications, such as traffic and fuel managementthrough SPaT messages2. However, large-scale deploymentof roadside units is considered unlikely due to the estimateddeployment and operation costs of 3,000–5,000 US dollars perRSU [32].

Complementary to RSUs, cellular communication can beused to provide back-end and Internet connectivity, makinguse of the fact that broadband cellular communication serviceslike long-term evolution (LTE) have already been deployedon a large scale. However, the necessary developments tosupport a large fleet of vehicles in addition to regular cellphones have not yet been made, despite recent strides inthis area [5]. One of the major open question is related tothe business model; thus many assume that cellular supportwill likely remain restricted to more expensive vehicles, atleast as long as cellular usage still incurs considerable fees.New proposals from the area of 5G suggest that an ad-hoc-like mode dedicated for inter-vehicle communication will alsobe available in the form of LTE-V, which is inspired byDevice-to-Device communication (D2D) [33]. This approachhas significant backing from industry, but lacks fundamentalprivacy guarantees in the same way that standard cellular com-munication does. Independent of C-V2X, some have proposedthe use of a heterogeneous network in recent years, usingboth IEEE 802.11p-based and cellular communication [34].This approach can take advantage of both networks, but alsopresents the challenge of efficiently managing the availablechannels in a decentralized way [35]. Both heterogeneous net-works and pure cellular proposals are still in research phases,and will likely face many of the same security challenges asIEEE 802.11p. Although our survey focuses primarily on theIEEE 802.11p setting, we expect the results of many schemesto transfer to C-V2X with limited modifications.

Beyond the communication model under standardization,some authors propose that clustering might be a viable ap-proach to organize the communication. Current standards donot foresee this approach because it has significant disad-vantages in terms of communication overhead to create andmaintain clusters [36]. These clusters are typically createdand maintained in an ad-hoc fashion, to facilitate deployment,which requires vehicles to agree on one or more cluster headsthat manage a cluster. The disadvantage of this approach isthat it requires a fundamental inequality between differentvehicles to take advantage of clustering, i.e., the cluster headsmust have an authoritative status. Because this network modelsecurity challenges that are widely different from the standardcITS communication models, we do not address them in detail

2These messages inform incoming vehicles when the traffic light will turngreen, allowing more efficient fuel management.

5

in this survey.

B. cITS Security

In order to mitigate possible attack vectors, security fea-tures are actively considered by both academia and industry.Standardization agencies have developed an initial standard forpractical implementation, which serves as the basis for a lotof work in cITS security. Unlike traditional networks, though,confidentiality is not considered a major requirement, becausemost applications inherently rely on the data exchanged be-tween vehicles. The main focus is instead to ensure integrityand authenticity, for which standardization employs proactivesecurity mechanisms. The basic approach is to set up a PKIsand provide each vehicle with an asymmetric key pair and acertificate. The certificate contains the public key alongside anumber of cITS specific attributes (e.g., vehicle type, vehicledimensions, license plate number) and is signed by the keyissuing authority [37], [38], [39]. This serves as a long-termidentifier of a vehicle that confirms it as a valid participantin the cITS. We first discuss the basic application of thesecertificates for cITS security, before discussing proposals forcredential management in detail in Section III-C.

The ETSI TS 103 097 standard [40] in Europe and theIEEE 1609.2 standard [41] in the US specify how certificatesshould be used to achieve integrity and authenticity. Thebasic idea is that each outgoing message is signed using thesender’s secret key. The signature and certificate are bothattached to the message to enable broadcast authentication, i.e.,each receiver can check message authenticity without furthermessage exchanges. For efficiency reasons, some authors haveproposed certificates could be omitted periodically to savebandwidth [42], but this introduces additional delays beyondthose already present due to time needed for verification. Inboth European and American standards, the cryptographicalgorithm is the elliptic curve digital signature algorithm(ECDSA), using the p-256 curve standardized by NIST [43].This signature and certificate validation process providessender authenticity and message integrity, protecting againstattackers that transmit messages using commodity hardwarewithout key material.

While signature and certificates effectively thwart most at-tacks using commodity hardware without key material, they donot provide any guarantees on message correctness. Because ofthe expected wide deployment of cITS and the long lifetimeof vehicles, it is likely that attackers either physically owna vehicle or are otherwise able to extract key material from(old) communication units. If key material is stored on aregular storage medium (e.g., hard disk or flash memory),attackers with physical access to a car could easily extractit, transfer it to other devices, and create arbitrary messageswith valid signatures. Some propose to use trusted hardware,usually in the form of a hardware security module, to protectkey material [37], [38]. Here, the idea is to store (secret) keymaterial within a tamper resistant component that is protectedagainst outside access. If a message needs to be signed, itcan be forwarded to the trusted device and the signatureis returned. Thus, the key material never leaves the trusted

hardware, making it much harder for an attacker to extractsecret keys and subsequently sign arbitrary messages. As innormal PKIs, revocation can be employed to mitigate thisissue, but this raises new questions on how key material abusecan be detected in existing vehicles.

Note that if key material is kept in trusted hardware, theapplication code is still untrusted: it is likely that attackersare able to manipulate the software in order to create arbitrarymessages. These messages will then be signed, because thesigning functionality running on trusted hardware has no wayto tell whether messages have been manipulated [44]. Thealternative would be to build an architecture in which allhardware is trusted, but this also has a number of disad-vantages. First, running all software on trusted hardware willgreatly increase cost, because more powerful trusted hardwareis needed. In addition, if all applications need to be manuallycertified and deployed on trusted hardware within the vehicle,over-the-air updates are more complicated and the deploymentprocess of new software is slowed down. Even if attackersare not able to modify the software, they may be able tomodify sensor readings, which lead to modified messages as aresult. To alter sensor readings, attackers can either inject falsereadings in the CAN bus or directly modify sensor hardware.Therefore, it is likely that software running on the vehicle canbe controlled by a capable attacker, despite trusted hardware.This requires us to consider correctly signed messages withinvalid contents circulating in the network.

C. Certificate Management & Privacy

If vehicles attach their long term certificates to all outgoingmessages, they can be tracked using a trace of receivedmessages with attached location information. For this reason,long-term certificates can be replaced by short-term identifiers,referred to as pseudonyms. These pseudonyms make it harderto collect location traces of specific vehicles [38], [39], [45],while still providing the same authenticity guarantees. Whilepseudonyms enhance privacy, their parallel use enables poten-tial attacks, often referred to as Sybil attacks [46]. This is oneof the classes of attacks that we will discuss extensively in thissurvey (in section IV-A2), as it is one of the key challenges thatmisbehavior detection helps address. However, in this sectionwe first present a discussion of some proposals for certificatemanagement.

A standard PKI only foresees the model as discussed above:each entity has a valid certificate that identifies the entity, andauthenticity entails identification. For privacy reasons, manyproposals have been made to issue a set of pseudonyms,which is typically linkable under certain conditions to the long-term identifier of the entity [45]. The creation, distribution,management and revocation of these pseudonyms present atrade-off between privacy, security and performance. Twomajor proposals are now in the initial stages of deployment,which analogous to standardization of communication canalso be seen as a European and a US proposal. In the USproposal, Brecht et al. [47] propose the use of butterfly keysto provide a cryptographic link between different certificates.In this model, pseudonyms are issued in bulk, revocation

6

is done by revealing the butterfly key, and a misbehaviorauthority interacts with the pseudonym issuing entities todetect attacks in the back-end. Recent European proposals,such as that suggested by Khodaei et al. [48], take an on-demand approach to pseudonym issuing, and claim to havemore protection against Sybil attacks. Such protection can beprovided by limiting the validity of pseudonyms, which is atrade-off against performance in the US model (where manypseudonyms would be wasted due to batch issuing).

In general, these pseudonym issuance systems provide apartial framework that in turn influences the suitability ofcertain detection schemes. At the time of writing, it is still notclear which exact scheme will be implemented world-wide,or whether disparate systems will be used in different partsof the world. However, the constraints posed by the credentialmanagement system impacts potential detection mechanisms,primarily through how easily Sybil attacks can be executed.This aspect of pseudonym management is addressed in oursurvey through a classification, as discussed in Section IV-D.

D. Attacks on cITS

Here we briefly review a number of proposed attacks onthe cITS, particularly those that can still be performed withinthe scope of existing security mechanisms as described in theprevious subsections. These are divided along the lines of thecyber and physical in a cyber-physical system; in this surveywe primarily focus on the cyber component.

1) Cyber attacks: The space of possible attacks on com-puter systems is vast; in this survey, we concentrate on attacksthat are not easily avoidable through security mechanisms thatare already implemented. As there are many survey articlesdiscussing attacks [6], [23], [24], we here provide a reviewof the important types and refer interested readers to othersurveys for a detailed review. The attacks we discuss here arejamming attacks, data injection attacks, replay attacks, routingattacks and Sybil attacks.

The jamming attack was already briefly introduced in Figure1a. The attacker disrupts communication from or to specificnodes by transmitting a constant or targeted burst communica-tion to disrupt communication between nodes. This essentiallymeans that the attacker can decide which messages will arrive,and which do not. This attack is commonly discussed inCACC and can be executed even by low-power devices suchas UAVs [9].

Replay attacks, on the other hand, refer to an attackerre-transmitting received messages. Standard proactive mech-anisms provide some protection against replay attacks byincluding a time stamp in every message. In cITS, a relativelyreliable source of timing is available in the form of a globalnavigation satellite system (GNSS), which also provides high-accuracy time synchronization [20]. However, in multi-hopcommunication it is conceivable that these attacks can affectthroughput.

Replay attacks in multi-hop communication are closelylinked to routing misbehavior, a well-studied class of attacksthat aims to disrupt network performance. This category ofattacks originates from MANETs, and both attacks and defense

mechanisms have since been transferred to VANETs andother types of ad-hoc networks, as discussed in Section II.Basically, the attacker deviates from the routing protocol tocause messages to be lost or be routed through a specific node.Unlike most attacks we study, routing attacks do not directlyaffect safety, and thus we consider these attacks to be oflimited importance. Note also that cITS includes infrastructure;if available, using infrastructure by default for long-distancecommunication significantly reduces the impact of routingmisbehavior.

Another important class of attacks is that of data injection;in these kinds of attacks, an attacker claims information thatcontradicts with real-world information. The purpose of suchan attack can be disrupting road traffic, or even triggering acollision. For example, attackers may falsely claim that a roadis blocked to have the road for themselves, or they may claima vehicle is directly in front of a victim, causing the victim totrigger the breaks. As suggested by these examples, attackshave widely different goals, with varying time-sensitivity.Because of the variety of attacks, many different mechanismsto detect them have been proposed in the literature, anda large chunk of misbehavior detection is directly relatedto these attacks. Authors have shown [8], [11] that CACCis particularly vulnerable to these attacks, and being ableto detect them is essential for the design of secure controlalgorithms.

Sybil attacks [46] are a specific type of attack associatedwith the pseudonym discussion above. In the simplest case,an attacker here uses multiple identities to achieve a specificgoal. In cITS, this goal is often related to the application,similar to data injection attacks: an attacker may use multiplepseudonyms to make it appear as though the road is full, eventhough it is not. Closely related to this are various types ofattacks on specific detection mechanisms, where the attackeruses the identities to boost the reputation of specific vehicles,or conversely reduce the reputation of legitimate vehicles (badmouthing attacks). A detailed discussion of reputation systemsand attacks on them was provided by Koutrouli et al. [49].

2) Physical attacks: Apart from the cyber component, thereare also many attacks possible on the physical processessurrounding the vehicle itself. Recent work on the securityof controller area networks (CANs) [50], [51], which are theprimary type of bus used in current vehicles, has shown thatthey are vulnerable to attacks. So far, this work has primarilyfocused on attacking a vehicle from the outside; however, anattacker attempting to attack the cITS could similarly exploittheir physical access to the bus. Such attacks allow an attackerto force the on board unit to transmit arbitrary messagesthat conform to the network specification without needing tocompromise the hardware security module.

Some authors have also suggested that physical attacks onspecific vehicles may be possible. This works by directing theattack towards the sensors themselves [2]. A simple exampleof such an attack would be taking a laser pointer and disruptingthe cameras of a nearby vehicle. In this survey we primarilyfocus on attacks in the cyber space; however, we feel itis important to also consider that physical sensors are notnecessarily immune to attacks.

7

IV. MISBEHAVIOR IN CITS

In this section, we will go into more detail concerningmisbehavior in cITS. In particular, we discuss the attackermodel, different types of realistic attackers and a taxonomyof misbehavior detection. As detection can be performed ondifferent scopes, we also briefly address this topic and theclosely related topics of misbehavior reporting and revocation.Finally, we will go into the topic of pseudonyms, in orderto investigate the compatibility of the misbehavior detectionmechanisms with this privacy-enhancing mechanism. We willuse each of these aspects in our classification of the literaturein the next section.

A. Definition and Attacker Model

In this subsection, we will treat the definition of misbehaviorand the attacker model associated with it. We distinguish thesetwo concepts because misbehavior gives a strong intuitiveunderstanding of the ultimate goal of our work. The attackermodel aims to provide a more formal version of this intuition,based on the state of the art.

1) Defining Misbehavior: In literature, there are manydifferent definitions of misbehavior [44], [37], [52], [53], [54],often implicitly defined by the attacker model rather thanexplicitly being stated alongside it. Misbehavior is a broadterm; its origins are somewhat unclear, but it is commonlyused for ad-hoc networks when discussing specific attacksthat are executed by the participating nodes, as opposed tointrusions or attacks. Our definition of the term covers notonly attackers and malicious participants, but also faulty nodes.Misbehaving nodes are thus any node that transmits erroneousdata that it should not transmit when the hard- and softwareare behaving as expected. We argue that a misbehaving nodeis the type of node we should detect. However, the literatureoften distinguishes [7], [55], [38], [56] between faulty nodeand malicious node, which are defined as follows:

Faulty nodes are those participants in the network thatproduce incorrect or inaccurate data without malicious intent.Faulty nodes are usually related to faults in sensors, eitherbecause the sensor was damaged or because of errors causedby variance in the sensor. Examples include a heat sensor thatis malfunctioning, causing the node to transmit the currenttemperature to be -50 degrees Celcius, and the error causedby a reading produced by a GPS device, which can causevehicles to transmit an erroneous position.

Malicious nodes or attacker nodes are those nodes that aretransmitting erroneous messages with malicious intent. Suchmessages may also be referred to as deceptive messages, andthe attackers as deceptive attacks. These nodes are our maintarget for detection, as they represent a direct threat to theintegrity of the data exchanged in the network. These nodescan actively attempt to avoid detection, or subvert other nodesin the network to transmit their erroneous messages. Thisdefinition includes denial of service attacks and exclusion ofmessages that should be sent (e.g., attacks on routing). Thegoal, source and means of these nodes may vary greatly, asdiscussed below.

Note that these definitions are not consistently used through-out the literature; in our work, we use misbehavior detectionto refer to the detection of both faulty and malicious nodes.Unlike traditional intrusion detection, misbehavior detectionattempts to detect incorrect packets, rather than detectingmalicious packets. There are many good reasons to avoida focus on content in a generic networking setting: unlikein cITS, such networks see a lot of encrypted traffic and alarge variety of application layer protocols. In cITS, we haverelatively few protocols, and the public nature of transmitteddata implies that content is rarely encrypted. In addition, cITSlack a clear system boundary, which is essential for effectiveIDS deployment. Misbehavior detection can take advantageof the public nature of data, and does not suffer from thelack of a system boundary, making it a potentially moresuitable approach. This type of detection may not be feasiblefor normal networks, but the characteristics shared betweencITS and cyber-physical systems (CPS) suggest some schemescould be used in both systems.

2) Attacker Model: We now review several attacker modelsthat are used in the literature. The secondary purpose ofthis section is to discuss the challenges involved with thedevelopment of a good and universal attacker model forcITS. Unlike most network scenarios, there is no universallyaccepted attacker model that is consistently used for cITS; herewe provide a brief overview of the most common assumptions.

The attacker model from [37], one of the seminal workson security in cITS, presents the following four classificationdimensions for attackers, and a variety of basic and sophis-ticated attacks. We already discussed the distinction betweeninsider and outsider, i.e., whether or not the attacker possessesvalid credentials. The motivation of the attacker is classifiedas either rational, where the attacker has a direct benefit fromhis attack, and malicious, where an attacker only seeks todisrupt or cause harm. The attacker may be active or passive,which considers whether the attacker can transmit messagesor signals, or whether the attacker only eavesdrops on thechannel. For this survey, we seek to detect active attackersonly, as the very goal of misbehavior detection is to determinewhether certain messages or signals constitute undesirablebehavior; eavesdropping is not misbehavior, in the sense thatit cannot be detected. The final classification dimension isthe scope of the attack, which may be local or extended.This distinction does not consider the amount of attacker-controlled nodes, but rather their distribution over the network.Local refers to one or more attackers distributed in a smallregion, such as a highway section between two intersectionsor a few neighboring intersections in an urban setting. Theextended scope provides for a number of attacker-controllednodes across a larger region.

Most attackers in this classification are instances of thestandard Dolev-Yao attacker model. However, the insiderattackers that behave according to the protocol, but send falseinformation are not covered in the attacker model. Similarly, asdiscussed by the authors [37], Sybil attacks play a significantrole. In those attacks, attackers obtain multiple identities (mul-tiple certified key-pairs) to circumvent reputation mechanisms.Many authors of detection mechanisms implicitly or explicitly

8

limit the potential for Sybil attacks, meaning the attacker haspossession of a small set (usually 1-3) of valid pseudonymsfor each vehicle they control. Because this is usually donethrough the PKI, there is a potential impact on privacy, whichmany authors consider acceptable to guarantee safe operationof the cITS.

One concern is that many authors [37] consider RSUs tobe fully trusted. We remark that although this may be thecase for connections leading outward through the RSUs, fulltrust cannot be assumed for the devices themselves. As thename implies, RSUs are deployed on the side of the road,which makes them susceptible to physical attacks like sensortampering and differential power analysis, just like regularvehicles. Because RSUs are potentially more authoritative,they are potentially valuable targets if too much trust is placedon them.

On the other hand, the full Dolev-Yao model, with the exten-sions and limitations described above, is too strong to providea meaningful level of security. Particularly, if the attacker isallowed to arbitrarily re-organize the packets received by eachindividual node in the network (as in the Dolev-Yao model),they can selectively deliver only those messages that confirmthe view presented by the attacker. In reality, the attacker isalso subject to the limitations of physics. For example, anattacker cannot arbitrarily re-arrange the reception of messagesfor each receiver in a wireless network. For this reason, theliterature specifies an important limitation compared to theDolev-Yao model: an attacker must be a node in the network,restricted by the same physical properties that restrict a normalnode. Although their transmission range may be increasedthrough power control [57], attackers are considered to havea limited physical presence [39]. In addition, it is commonlyassumed that attackers are constrained to physical limitationssuch as the speed of light. Similarly, an attacker cannot ingeneral receive and jam a message at the same time withoutthe risk that some other receiver also successfully receivesthe message. Another issue with the Dolev-Yao model is thatit is not designed for the analysis of attacks on applicationsemantics, i.e., message correctness is not considered, whichis the primary focus of misbehavior detection.

In the literature, some authors have attempted to formalizethese attacks and the effects on specific mechanisms usinggame theory [58], [59]. These formalizations often make aninformal honest majority assumption, which assumes that amajority of the nodes (or sometimes keys or messages) ishonest. The assumption is sometimes explicitly specified asbeing about a local neighborhood or the entire network. Alocal honest majority assumption is then the assumption thatmore than half of the nodes in the direct communication rangeof a vehicle is honest. This assumption is the most significantlimitation of some classes of detection mechanisms, which wewill discuss at length in this survey. Apart from this, we willrely on terminology introduced by earlier work [37], [60], [39],[61].

B. Scope of DetectionA first classification of detection mechanisms is by scope,

as show in Figure 2: local, cooperative and global detection.

Local detection refers to detection that checks internal con-sistency, and optionally the vehicles’ sensors, as measuresfor correctness. Cooperative detection relies on collaborationbetween vehicles (and possibly some RSUs). Finally, globaldetection refers to detection that occurs at least partiallywith support from a back-end system. This terminology isused throughout the literature describing the different mech-anisms, although there is some disagreement regarding whatan attackers capabilities in a cooperative setting are (refer toSection IV-A2 for more details).

Most detection mechanisms in the behavioral and plausibil-ity classes operate purely locally, which makes them invariantto Sybil attacks. However, this also makes it difficult toidentify the attacker, or even the attack, due to the low amountof available information. Some consistency-based mechanismsalso operate locally, by comparing series of beacons fromseveral vehicles, exposing them to Sybil attacks, in exchangefor a much more fine-grained approach to detecting attacks.

On the other hand, there exist schemes that perform detec-tion cooperatively: these are typically consistency- and trust-based detection mechanisms. These detection mechanismsoften rely on an honest majority and exchange messagesbetween participants to detect inconsistencies or untrustworthyparticipants. In particular the category of trust-based detectionis based on cooperation between nodes. Most schemes that op-erate as a reputation mechanism also incorporate a mechanismto perform reporting and/or revocation on the cooperative andglobal level.

C. Taxonomy of Misbehavior Detection

We have designed a taxonomy to categorize mechanismsdetecting attacks within the attacker model discussed above,consisting of two classification aspects and four classes, asshown in Figure 3.

The first aspect we use for classification distinguishesbetween node-centric and data-centric mechanisms, which hasregularly been used in the literature. For our purposes, node-centric mechanisms are defined as mechanisms that primarilyconcerned with the participants of the network. For exam-ple, they can verify the forwarding behavior of a node byanalyzing packet frequencies, correctly formatted messages,and so on to decide on its trustworthiness. Alternatively, theyare focused on the interaction between participants, verifyingtheir trustworthiness based on the correctness of previousmessages. Obviously the correctness needs to be tested someother mechanism: those mechanisms are usually data-centricin nature, meaning they use the content of the message todetermine its validity, independent of who transmitted themessage. Data-centric and node-centric misbehavior detectionare therefore mostly orthogonal, leading many authors topropose combinations of both types.

The second aspect we use to classify misbehavior detectionmechanisms is the distinction between mechanisms that ana-lyze messages from a single vehicle (autonomous) and mech-anisms that attempt to deduce misbehavior from multiple ve-hicles (collaborative). This distinction is best illustrated usingan example from a data-centric mechanism. Such mechanisms

9

Sensors

World model Detection

Reporting RevocationDissemination

World model Detection

Reporting RevocationDissemination

World model Detection Revocation

Local

Cooperative

Global

Fig. 2. Different scopes at which detection mechanisms can operate.

can analyze one or more messages from the same sender forinvalid behavior (autonomous), or they can compare messagesfrom different sources for consistency or deviations (collab-orative) A significant advantage of autonomous detection isthat the mechanism will function independent of any attackersthat may be present, while collaborative mechanisms rely onthe fact that an honest majority exists. Note that autonomousdetection sometimes includes the use of the vehicles’ ownsensors (e.g., when determining the approximate source of aradio transmission, or the relative position). Some considerautonomous approaches combined with vehicular sensors tobe the only one that provides a reliable system. However, thechallenge with autonomous detection mechanisms is that theyare often imprecise, and cannot necessarily detect intelligentattacks that use knowledge of the detection algorithm. Thisimprecision is best exemplified by plausibility checks, suchas a limit on the claimed speed that is accepted; an intelligentattack can always attack such checks by choosing values closeto the limit. To avoid a large number of false positives, thelimit on the accepted speed should be high enough to dealwith outliers (e.g., speeding vehicles), but low enough to detectmalicious behavior. If correctly employed, a set of plausibilitychecks bounds the message space available to the attacker,but also provides a space in which the attacker can choosemessages that will be considered valid. This resulting boundcan be used by employing collaborative mechanisms to pro-vide a higher quality of detection than is possible using eitherapproach individually. Indeed, the field is progressing towardsthese ideas, as evidenced by several detection mechanisms wediscuss in this survey. Having discussed these classifications,we now describe the resulting four classes from Figure 3.

1) Node-centric Misbehavior Detection:a) Behavioral: The first branch of node-centric detection

is behavioral. This type of detection exploits patterns in thebehavior of specific nodes at a protocol level. Informationconsidered by these mechanisms includes the amount ofmessages transmitted by a node or the correctness of theirformat. A core aspect of behavioral mechanisms is that theiranalysis is focused on a node-basis and typically does not

node-centric behavioral trust-based

data-centric plausibility consistency

autonomous collaborative

Fig. 3. Taxonomy of misbehavior detection.

consider data semantics, as done by data-centric mechanisms.An example of a behavioral misbehavior detection mechanismis the concept of a Watchdog [16] that was introduced for thesecurity of routing in mobile ad-hoc networks. In a Watchdog,each node monitors the network to verify that its neighborsactually forward the messages they are supposed to forward.

b) Trust-based: The other branch of node-centric de-tection is trust-based. Trust-based mechanisms exploit thefact that many nodes in the network are honest, and thatinfrastructure is available to remove malicious nodes. Trust-based detection includes reputation systems, which rate nodebehavior over time, but also voting schemes that allow vehiclesto vote on the correctness of information. Trust-based detectioncan occur either locally or with infrastructural support. In thelatter case, issues regarding privacy are a serious concern,which we address in Section IV-D. Trust-based detection oftenrelies on input from other detection mechanisms to update thereputation of nodes in the network.

A core advantage of trust-based mechanisms is that theysimplify the revocation process. However, the ephemeral na-ture of cITS poses additional challenges to trust-based mecha-nisms, particularly when determining their initial trustworthi-ness, as well as the information to update it. Data-centric de-tection mechanisms or behavioral detection mechanisms maybe used for this: the trust-based detection mechanism is thenused to distinguish between legitimate and malicious behavior.Both reputation- and voting-based mechanisms have to dealwith Sybil attacks [46], where an attacker abuses the reputationmechanism by creating multiple identities. These attacks canbe used to either amplify an attack or exclude legitimate

10

nodes from the network, and is one of the core researchchallenges for trust-based misbehavior detection, especially incombination with privacy requirements. Similarly, if an honestnode suddenly starts misbehaving (e.g., due to a faulty sensor),this will not be detected quickly by reputation mechanisms.

2) Data-centric Misbehavior Detection:a) Consistency: Consistency-based detection uses rela-

tions between packets, typically from multiple participants,to determine the trustworthiness of newly received data. Forexample, a consistency-based detection mechanism may con-sider a previously computed average speed of vehicles on ahighway to judge newly received messages. Messages thatdeviate from the average are inconsistent with the knownstate and can thus be considered suspicious. Alternatively,pairwise comparison of messages from different vehicles isalso considered consistency-based. Consistency-based detec-tion has the advantage that only limited domain knowledgeis required to design reasonable schemes. However, a localhonest majority is often required to draw reliable conclusions:if several colluding attackers surround a victim, consistencymight exclude information from legitimate vehicles.

b) Plausibility: Plausibility-based detection uses a spe-cific underlying model of data in order to verify if the trans-mitted information is consistent with this model. For example,plausibility of movement can be verified from two subsequentbeacon messages by examining the distance traveled betweenthem and comparing it to the speed in these messages.Plausibility-based typically allows for a very rudimentarybut fast analysis of received packets. It is performed byconsidering packets from individual senders. The informationin the packet is either tested against a prediction of the model,or the model is used to judge whether the information in thepacket is a plausible next step according to the model. Becausethere is an underlying model, the mechanism can directlyexpress the plausibility of the message in a probability, whichcan be input for further misbehavior detection mechanisms.The models used for plausibility vary from narrowly definedmodels like the laws of physics up to models that allow awide range of variation, such as a model that predicts driverbehavior. The narrowly defined models can be effectivelyused to filter incoming packets for “impossible” messages thatcan be discarded directly. A major advantage of plausibility-based detection is that the mechanisms are always applicable,even when an honest majority does not exist. A significantdisadvantage is that a model of the underlying data is required,and the utility of the mechanism depends directly on howaccurate this model is.

D. Impact of Pseudonyms

As mentioned previously, pseudonym systems can have animpact on the types of misbehavior detection that can beperformed. In particular, pseudonym schemes aim to hinderlinkability of different information items. Linkability is animportant aspect of many models used for misbehavior de-tection, and sometimes even critical for safety applications.We propose four simple classes that we will use to classifydetection mechanisms in our survey: full, explicit, implicit and

no linkability, which are briefly explained in the following.For more details on the subtleties of pseudonyms, we referinterested readers to a survey by Petit et al. [45].

a) Full linkability: means that all messages transmittedby the same OBU can be linked, i.e., there is no pseudonymchange at all, and thus essentially no privacy. All possiblemisbehavior detection mechanisms can be realized at this leveland some types of misbehavior detection even require this levelof linkability. Examples of such schemes include trust-basedapproaches like OREN [62] and [63].

b) Explicit linkability: refers to any type of linkabilitythat allows direct access to an identity. This means thatlinking is technically possible; however, there are severalways to implement this. The issued certificate can eithercontain the identity in an encrypted form, a direct mappingfrom certificates to identity can be stored in the back-end,or this mapping may be split across multiple entities throughorganizational separation. Using each of these classes, it istechnically possible to link pseudonyms, but this capability islimited by the pseudonym scheme.

Encrypting an identity in the certificate is an attractiveapproach, because there are cryptographic schemes that enableconditionally revealing this identity (e.g., PriPAYD [64], ordouble spending prevention in electronic payment systems).However, it is not clear whether this can also be appliedfor misbehavior detection, especially if revealing the iden-tity should happen locally. This system also requires thatdetection mechanisms are standardized, and in most casespart of the certification infrastructure, which is an unrealisticassumption. Using a back-end mapping is a solid alternativeto this approach, in terms of implementation effort. Here, eachcertification authority simply stores the relationship betweenpseudonyms and real identities, revealing malicious usersas needed. This is particularly useful when combined withdirect back-end connectivity, either through RSUs or anothertechnology, such as UMTS or LTE. However, this requires fulltrust in the back-end system, as it can revoke the privacy ofthe users. Another advantage is that a back-end could performits’ own misbehavior detection, and exploit the significantlyhigher computational power available to it. An example ofsuch a powerful scheme is [65]. A middle way between thesetwo types is organizational separation, which also stores thelink between two pseudonyms, but spreads the informationnecessary to reveal a user across organizational boundaries.VToken [66] and Butterfly Keys [67] are different proposalsthat achieve this; overall it seems that industry and academiaboth prefer organizational separation over purely technicalsolutions. The core advantage is that the organizational sepa-ration allows individual decisions on a case-by-case basis, ifneeded. However, for misbehavior detection, this means thatlinkability between pseudonyms cannot be achieved locally inthe vehicle, but only on an organizational level. The advantageis that confirmed misbehavior can be acted upon immediately,and some mechanisms may be able to detect attacks byusing a partial linking protocol to perform specific checks formessages that are suspicious if the pseudonyms would belongto the same identity (or vice-versa).

11

c) Implicit linkability: or inference allows pseudonymlinking even when no mechanism for direct identificationor linking is available. There are three different sources ofinformation available for this purpose: certificates, messagecontent and signal properties during transmission. Using thisinformation, partial or complete identities may be derived,although there is no guarantee that such a linking approach willalways be able to identify every vehicle. For example, certifi-cates typically contain attributes of a vehicle, such as length,height and color. These properties allow full identification ofunusual vehicles on the road, such as a yellow limousine, butnot the identification of several black vans of identical make.Although this is an example of linking based on certificatecontent, this type of limitation applies to all inference-basedlinking, and while it can be bounded by combining differenttypes, it will have implications for misbehavior detection.

Secondly, implicit linkability does not fundamentally pro-vide linkability through an identity, but through similaritiesin messages. Implicit linkability only provides links betweenmessages, which will allow a receiving vehicle to create’pseudo-identities’ for groups of pseudonyms that are consid-ered to be the same vehicle. This makes it more challengingto exchange information about particular vehicles with otherparticipants, and can also make it difficult to verify mis-behavior and revoke the misbehaving vehicle. Nevertheless,many misbehavior detectors will need to function under theseassumptions, as they provide the most realistic environmentin which individual vehicles have to perform misbehaviordetection (as opposed to detectors in the back-end). Examplesof inference-based systems include virtually all data-centricsecurity mechanisms. For signal-based inference, [68] and [69]are good examples, while for inference on message content,a good example is the Kalman filter [70], [71]. Inferencebased on certificates is a relatively new idea that is some-times captured within inference through messages, and is notcommonly considered because it conflicts with the assumptionthat these certificates are intended to be pseudonymous oranonymous towards other participants. Therefore, they aretypically assumed not to reveal this information, making suchdetection mechanisms obsolete.

d) No linkability: is the idealized scenario in which it isimpossible to determine whether two messages originate fromthe same or from distinct vehicles. Although this results inmaximum privacy, such a scenario makes it nearly impossibleto provide any working cITS applications, let alone securingthem. For example we can still attempt to perform misbehaviordetection on individual messages. The goal of such an analysisis to detect unusual or inconsistent messages, which eithercontain obviously incorrect values: this includes unrealisticvalues (speeds of 500m/s) and values that do not match theperceived scenario (speeds of 50m/s in a traffic jam). Thevalue of such detections is limited from a security point ofview, but filtering malicious packets may still be beneficial forapplications. Beyond that, not much more is possible: at thislevel of linkability, the inability to detect Sybil attacks makesit extremely difficult, if not impossible, to build a structureddetection mechanism. Unfortunately, this means that there is anecessary trade-off between privacy as opposed to security

and functionality – necessarily, we are forced to sacrificetheoretically perfect privacy in order to gain functionalityand security. However, we remark that even in this scenario,tracking is possible by simply following a vehicle. Becausetracking vehicles by following them individually is unavoid-able, it serves as a good baseline against which privacy can betested. However, detection schemes that require no linkabilityat all will definitely not negatively impact the privacy of thesystem.

V. STATE OF THE ART

In this section, we present state of the art mechanisms formisbehavior detection in cITS, as structured by our taxonomy.Although some mechanisms in this survey are designed for re-lated types of ad-hoc networks, such as MANETs and wirelesssensor networks (WSNs), we will focus on cITS. Separatesurveys exist for these networks, though [72], [73], and wewill only use these as examples of how works for cITS evolvedfrom them. After discussing the individual mechanisms for ourstate of the art, we provide a summarizing table of our analysisin Section V-C. This summary will include the additionalparameters we discussed in Section IV; the scope of thedetection and its compatibility with pseudonyms.

A. Node-centric Mechanisms

The idea of node-centric detection mechanisms is to useknowledge about the senders of messages in order to detectmalicious senders. Signatures are typically used to achievethis goal, with certificates provided by a PKI (cf. Section III),that allow identification of a messages’ sender. Once theauthenticity of a message sender is verified, it can be usedto correlate messages originating from the same sender andthereupon analyze its behavior. Such analysis can includewhether the message frequency, headers and content are inline with protocol specifications. Using past behavior, we canthen assign a trust value to information sources based on pre-vious interaction with them. The assumption is that maliciousmessages most frequently originate from information sourcesthat have misbehaved in the past.

In our taxonomy, we classify node-centric mechanisms aseither behavioral or trust-based. In earlier work for MANETs,node-centric mechanisms are the most popular, because thesenetworks are focused on providing an abstract service tonetwork participants, as opposed to a set of services thatis inherently tied with data semantics, as in cITS. Node-centric approaches can be further subdivided by their specificapproach; an overview of these approaches, with the examplemechanisms we discuss in this survey, are shown in Table I.We explain these types, as well as exemplary mechanisms, inthe remainder of this section.

1) Behavioral mechanisms: Behavioral mechanisms arefocused on the behavior of a particular node. This mainlyconcerns packet headers and meta-information like messagefrequency. Behavioral schemes in cITS typically focus onidentifying nodes which send messages too frequently or nodeswhich modify the message content in a way that does not

12

Type Category Examples

Watchdogs Behavioral Hortelano et al. [74]Flooding detection Behavioral Hamieh et al. [75], Puñal et al. [76]

Central Sybil detection Trust-based Chen et al. [77], P2DAP [78], and Footprint [79]Node validation and reputation Trust-based LEAVE [52], OREN [62], SLEP/PRP [53], Sowattana et al. [80]Decision logics Trust-based Raya et al. [81], Rawat et al. [63]Event validation and consensus Trust-based PoR [82], z-smallest [83], Leinmüller et al. [84], CoE [85], Petit et al. [86]

TABLE INODE-CENTRIC DETECTION APPROACHES

adhere to protocol standards. As these attacks are not funda-mentally different from attacks that some classes of networkintrusion detection mechanisms aim at, there are not manycITS-specific schemes available. Behavioral mechanisms areespecially popular to protect networks where routing attacksand fairness play an important role, such as MANETs. Someof these misbehavior detection mechanisms have been adaptedto work in cITS scenarios.

Before discussing mechanisms specifically designed forcITS, we take a brief historical perspective and discuss aseminal work developed for MANETs [16]. This paper intro-duces two tools for misbehavior detection: the Watchdog andthe Pathrater, which they evaluate for the multi-hop routingmechanism called dynamic source routing (DSR). The essenceof the watchdog mechanism is that each node that participatesin routing monitors the network after forwarding a packet toa next hop. This node can then overhear whether the next hopforwards the packet or not, and therefore establish whether itis correctly behaving as defined by the protocol (in this case,DSR). Because a lossy channel might cause transmissions tobe lost, a Watchdog should be configured with a thresholdbefore it detects a node as malicious. Challenges for thismechanism include loss or collision on the channel, as wellas false reports generated by malicious or colluding nodes.The aspect of colluding nodes is discussed in more detail inSection V-A2, where we discuss trust-based mechanisms thatdeal with this issue.

a) Watchdogs: There are many proposals that adapt theoriginal Watchdog mechanism for specific requirements ofcITS, because they have the advantage that they are fullyindependent of transported content. However, they can clearlyonly be applied in settings where multi-hop communicationoccurs (either through routing or flooding-style approaches).One such work is that of Hortelano et al. [74], who set out toevaluate the usefulness of the traditional Watchdog mechanismfor cITS. The core assumption is that routing is standardized,and vehicles can predict the (expected) behavior of theirneighbors. To accommodate packet collisions and noise onthe wireless medium, the required number of re-broadcasts islowered by a certain threshold (called tolerance threshold), toreduce the number of false positives, similar to the MANETcase. In addition, the importance of older results degradesmore quickly over time, to account for the increased mobility(the authors call this devaluation). Once the watchdog detectsmalicious behavior, it is logged in a local file, but reports arenot forwarded to other vehicles or a centralized instance. Theirevaluation shows that it is difficult to find a global thresholdfor deciding at which point misbehavior should be detected;

setting this dynamically could lead to higher accuracy. Inaddition, we note this paper does not address privacy in theiranalysis, making the true suitability for cITS unclear at best.As pointed out by the authors, several vulnerabilities remain;additionally, there is no protection against Sybil attacks. Wenote that in our more general attacker model, the attacker coulduse selective jamming in addition to further amplify severalattacks.

b) Flooding detection: In addition to mechanisms thatare designed to detect attacks on routing, a very usefulmechanism involves the detection of a related type of attack:flooding. Although Watchdogs are capable of detecting sometypes of flooding, we create a separate category for detectionalgorithms that detect other types of flooding, such as jammingand MAC attacks. In contrast to Watchdogs, Hamieh et al. [75]describe a detection mechanism for jamming attacks basedon detecting patterns in radio interference. The assumptionis that a jamming attacker behaves intelligently, in orderto gain an advantage through his jamming. This approach,known as selective jamming, is a common technique to avoidbeing easily detected due to constant jamming of the wirelesschannel. The proposed approach makes use of the fact that aselective jamming attacker will wait until regular transmissionsoccur until they jam the wireless medium. Hence, a correlationcoefficient between correct reception time and time whereerrors occur is calculated. If the correlation is high, that is,if the medium is jammed most of the time when regularreception should occur, the medium is considered jammed.In order to achieve useful results, the authors took intoaccount realistic reception and error probabilities as a baseline.Only if the correlation is unusually high, the medium canbe considered jammed. The proposed method is interestingbecause the correlation can be passively calculated with asimple formula, and because detection of selective jamming isan important problem that is often neglected in security-relatedworks. A deeper discussion and classification of jammingattacks is provided in a later work by Puñal et al. [76], whichdiscusses different types of jamming attacks and analyzes theirfeasibility. In particular, they show some types of jammers arecapable enough to prevent communication altogether with highprobability, illustrating the necessity of jamming detection.

2) Trust-based mechanisms: Similar to behavioral mech-anisms, many trust-based mechanisms for cITS are rooted inmechanisms that were developed for MANETs. These partiallyevolved from mechanisms such as the Watchdog [16], whichprovide metrics to establish the trustworthiness of a node. Toaggregate this trust, distribute it among nodes, and provideit to a back-end system, a mechanism is required that not

13

only filters malicious nodes as quickly and efficiently aspossible, but also prevent attacks on the mechanism itself.For example, Pathrater [16] aggregates the Watchdog results,but it may be attacked through Sybil attacks (as the authorsalso discuss). Core issues for trust-based mechanisms areSybil attacks on the one hand, and high mobility and briefconnectivity on the other. These challenges are much strongerin cITS, as the connectivity between vehicles is sporadic,and privacy requirements lead to a vehicle being allowed touse multiple identities. This is especially significant whenconflicting information is received from two sources that areeither equally trustworthy, or both unknown up to this point, asillustrated in Figure 4. To account for these challenges, authorsoften propose the use of data-centric mechanism output, whichthey then integrate into the trust-based mechanism; we willdiscuss these approaches towards the end of this section. Weinclude these mechanisms here, because the primary focus isthe development of the trust management, and not the data-centric detection process. There are also dedicated surveys fortrust schemes to be found in the literature, such as the workby Rivas et al. [54].

a) RSU-supported Sybil attack detection: There aremany schemes that operate using a centralized authority todetect Sybil nodes. The approaches we describe here are basedprimarily on interactions between infrastructure and vehicle.By grouping vehicles based on the RSUs they interact with, theassumption is that the Sybils of an attacker will always followthe same interaction path as the attacker. We describe severalof these schemes here, which are developed independently, buthave similar properties: trajectory signatures [77], P2DAP [78],and Footprint [79].

[77] points out that Sybil nodes that originate from the samevehicle will always have unrealistically similar trajectoriesover time. With this observation, they design a protocolto request special signatures, obtained from RSUs by eachvehicle, which can be used to build a trajectory. Wheneverdetermining trustworthiness, the identities with identical re-cent trajectories are assumed to be the same vehicle, andare combined into a single identity for this step, eveningout the effect of Sybil attacks. Although this approach istheoretically appealing, it relies on a variety of assumptionsmost significantly; a widespread deployment of RSUs, whichcannot be assumed everywhere, and full trust in all RSUs.There is also the practical issue of bandwidth overhead versusdistinguishability; the larger the amount of signatures r , themore expensive the protocol. This also potentially enablesdenial of service attacks, because each request requires a muchlarger response (i.e., the signatures). Next, some of the valuesmay be set to the value None for time slots in which nosignature was received from an RSU, which could be used tocheat the protocol. Finally, any vehicle will completely loseprivacy if they want to prove that they are not Sybil nodes,because they must reveal their position trace (i.e., the set of rsignatures).

In P2DAP, Zhou et al. [78] proposes a baseline to verifyall messages, which constitutes a relatively specific attack.Whenever a triplet of time, location and event type is signed bythe same vehicle with different pseudonyms, it is considered an

attack. In order to prevent these attacks, the authors propose aninherent linking between pseudonyms based on hash functions.A semi-trusted RSUs is responsible for checking whetheran attack occurs using this linking, and reports it to thecentral authority, which can resolve pseudonymity completely.By using two classes of pseudonyms, the RSUs can onlydetermine that two pseudonyms belong to the same class(called coarse-grained group), which corresponds to a vehicle,and it cannot directly identify that vehicle. Although thisscheme provides relatively strong security in this setting, beingable to link arbitrary pseudonyms is a huge privacy issue.Apart from that, the central authority has complete knowledge,which is problematic. Another problem with this scheme isthat the event types, time and spatial granularity must bestandardized and require a single central authority, which is notpractical in a real world where border crossings are common.

Footprint [79] improves on Chen et al. [77]: it also exploitscentral authorities by using similarity of trajectories, whichare generated using signed messages by RSUs that a vehiclepasses. In Footprint, these trajectories are cryptographicallyprotected, and consist of special signatures, requested by thevehicle from the RSUs is has seen while driving. Footprintworks by bounding the potential set of valid distinct trajec-tories an attacker can create. This bound is, in the worstcase, the power set of trajectories, but can be limited in sizeusing a test (which we do not discuss in detail here). Theauthors assume that real trajectories are sufficiently distinct;by forcing the attacker to obtain signatures through the RSUs,the bound is created based on the real path of the attacker.Then, when detecting Sybil attacks, all trajectories that aresuspiciously similar are considered as coming from the samevehicle (referred to as a Sybil community). The authors use thetrajectories for every message as an authentication mechanism,which allows any vehicle to compute the Sybil communi-ties and avoid Sybil attacks. The signatures of RSUs aretime-dependent and unpredictable, which means that locationprivacy is achieved against long term tracking. The otherdisadvantages remain, however; wide RSU deployment is stillneeded.

b) Node validation and Reputation: Following are multi-ple papers specifically aiming at mechanisms that use explicitvoting. Here, voting is used to decide which nodes are (not)trustworthy. These are distinct from consensus schemes, whichuse identities to vote on whether or not a claimed event is true;such schemes are discussed below. Voting mechanisms strictlyrequire protection against Sybil attacks, and those attacks arethus usually not part of the attacker model.

Raya et al. [52] have also been among the first to present asystem for locally evicting nodes, including the possibility toperform global revocation as a result using a protocol calledLEAVE. Here, vehicles exchange accusations about potentialattackers; as soon as a threshold is reached, a vehicle isevicted temporarily. The set of accusations can be distributedin an aggregated message, which can be used to immediatelyignore a vehicle, and used as a tool for global revocationonce it reaches the CA. A core advantage of this approachcompared to reputation systems is reduced detection latency,because trust does not need to be built over time in LEAVE.

14

(dry road, 50 m)

(icy road, 60 m)

Fig. 4. Example showing conflicting event notifications.

The authors argued that local eviction is especially suitablefor vehicular networks because of the low communicationoverhead and quick reaction time to attacks compared to globalrevocation. However, global revocation based on analysis ofthe collected local reports is foreseen as an orthogonal coun-termeasure against persistent attackers. Some disadvantagesof the scheme is that it may be vulnerable to Sybil attacksand may have privacy issues, depending on the type andimplementation of the pseudonyms that are used.

Similarly, Zhuo et al. [53] aims to remove misbehaving in-siders from the local neighborhood or the network. To achievethis goal, two specific mechanisms are proposed: suicide-based local eviction (SLEP) and permanent revocation (PRP).As their names suggest, SLEP evicts attackers locally andPRP achieves global revocation of misbehaving vehicles. Bothprotocols can be applied even if pseudonym schemes are usedin order to preserve user privacy. The local eviction protocolworks using a so-called suicide mechanism, which is used todiscourage false accusations. The assumption is that vehiclesin the direct neighborhood of an attacker are able to detectbogus messages, for instance, by comparing them to localsensor information about the same event. If a vehicle detectsan attack, it broadcasts a message accusing the potentialattacker vehicle. Surrounding vehicles receiving the messagewill henceforth ignore messages from the accused vehicle,but they will also ignore further messages from the accusingvehicle. To prevent multiple honest vehicles from committingsuicide in response to the same misbehavior, a random back-off timer is employed before disseminating accusations. Toachieve global revocation, each vehicle periodically reports itslocal blacklist of possible attackers to the back-end, which thenuses the trust level of each accuser to decide on revocation.Unlike Raya et al., the authors specifically address the useof pseudonyms, and SLEP relies on it to allow vehicles to“re-join” the network after a successful accusation.

Raya et al. [87] and Bilogrevic et al. [58], [62] have pre-sented closely related game-theoretic approaches to combinetheir eviction scheme from [52] with a suicide mechanism sim-ilar to that of Zhuo et al., combining the previous approaches.Here, a suicide action results in immediate local revocation ofboth accuser and accused, but vehicles have the alternativeto vote by transmitting an accusation, or abstain from theprotocol completely. Each course of action is associated witha certain cost, where suicide has the highest cost. In addition,cost values take into account the fact that abstaining from any

action for longer periods of time will leave the attacker moretime to do harm to the network. Using game theory, eachvehicle decides when and whether to take which action inorder to minimize the cost for all participants using a varietyof strategies.

Criticizing a number of existing revocation schemes includ-ing the aforementioned papers, Liu et al.’s [59] goal is toidentify the limits of such schemes in vehicular networks. Oneof the main points argued in the paper is that a local honestmajority, an assumption made by the revocation schemesdiscussed so far, is not as likely as the previous authors argued.If an attacker manages to create a local majority, she cancreate false accusations and falsely remove honest vehiclesfrom the local communication network. If pseudonyms areused to protect user privacy, the authors considered it feasiblefor an attacker to use multiple pseudonyms in parallel to createsuch a local majority. A general conclusion for all voting-based schemes is thus that parallel use of multiple pseudonymsshould be prevented by the underlying pseudonym mechanismused. Moreover, Liu criticized Raya et al.’s game-theoretic ap-proach discussed above, arguing that the assumption that eachvehicle acts in it’s own interest might be flawed. The reasoningis that the software running on the vehicles is not programmedby the vehicle owner herself, but by the manufacturer. Theauthors note that manufacturers may optimize their own cost,which could invalidate the game-theoretic results that wereobtained by assuming that all vehicles optimize their individualcosts.

Sowattana et al. [80] discuss a voting-based Sybil detec-tion scheme. This scheme has similarities with earlier wit-ness/verifier schemes proposed by [69] among others. Similarto those schemes, each receiver validates the validity ofreceived beacons by transmission range of those neighbors.However, in contrast to earlier work, this scheme generatestrust on specific vehicles through a voting scheme based onthese results. The voting process is the focus of this work,and the authors evaluate the performance of this scheme usingstate-of-the-art methods. However, the voting process is itselfvulnerable to attacks, and those attacks are not analyzed inthis work. It remains to be seen whether the limited spaceof positions for Sybils is sufficient to negate attacks on thisvoting scheme. Privacy is not covered in this work at all, butwe assume pseudonyms are used to generate Sybils.

c) Decision logic: To establish the trustworthiness ofvehicles, which is used as input by the reputation mecha-

15

nisms discussed above, authors often use a decision logic.This is similar to traditional trust network approaches, whichare typically adopted for this purpose. Raya et al. [81]present one such adaptation, which uses both data-centricand node-centric information to establish trust in specificnodes. However, the final decision is made by deciding onthe overall trustworthiness of a node, rather than decidingthe individual trustworthiness of messages. The authors useda combination of three different factors to evaluate trust innodes. This includes default trustworthiness, which is basedon the type of certificate (e.g., police cars); event- or task-specific trustworthiness, which matches the type of vehicleto the event; and dynamic trustworthiness, which capturesmessage-specific information like proximity to the event. Onceeach factor is computed, it is combined with the data-centricinformation and only then does the decision logic decidewhether or not to trust the given node. The authors evaluateda number of different decision logic implementations, butstated that no single mechanism performs best in all simulatedconfigurations. However, the Dempster-Shafer inference [88],[89] was identified as the most promising technique.

Similarly, Rawat et al. [63] present an approach usingBayesian logic to predict the trustworthiness of vehicles. Basi-cally, they compute the maliciousness probability for a vehiclei for a time t given some observation Ot . Their approach relieson Bayesian reasoning, i.e., computing P(Timalicious|Ot ) byapplying Bayes’ theorem. Unfortunately the authors do notspecify how they obtain the necessary conditional probabilities(such as the probability of a message given previous observa-tions). The scheme requires pre-configured knowledge on thereception probability of a particular message. Another issue isthat the authors’ model does not forget: they always computeprobabilities over the entire observation history. They do pointout their detection threshold will change over time, but do notspecify how. In their evaluation, they contrast signal-to-noiseratio with their computed trust values, based on a model ofsignal-to-noise ratio over relative distance and receive power.This makes computation of the associated probabilities easier:if the claimed relative distance is falsified, their scheme canreliably detect this based on their model. Their results aredifficult to generalize, and even for this specific use case relyon a fixed transmission range for all nodes (including theattackers).

d) Event validation and consensus: A common challengein trust-based mechanisms is the application of trust overmultiple hops. Event validation addresses this question byallowing each vehicle to use their identity as a vote in supportof or against a specific event. Similarly, consensus mechanismsdo the same, but often relate more closely to data-centricmechanisms (e.g., agreeing on specific data, rather than events,or including data-centric detection results).

The work by Cao et al. [82] determine the correctness ofevent reports through voting. The core contribution of thepaper is an efficient way to collect signatures from a sufficientnumber of witnesses without causing too much bandwidthoverhead on the wireless channel. In the proposed scheme,growth codes are used to achieve an efficient dissemination ofthe witnesses’ signatures on the claimed events. Growth codes

are a type of erasure code, and are used to efficiently XORtogether signatures over an unreliable channel for efficientcollection. They are optimized to decode as many signatures asquickly (in terms of transmission rounds) as possible; each ofthese signatures certifies a claimed event, and only events withmany valid signatures are accepted as valid. Growth codes givea relatively strong confidence, but introduce a significant delaybefore convincing a receiver of the validity of the message,because a threshold amount of signatures must be decodedfirst. A strong criticism of this approach is that false negativesmay cause significant problems; if insufficient signatures arereceived, events may be missed completely. In addition, theattackers are assumed to have exactly one key pair each, whichmeans the scheme is not compatible with pseudonyms.

Hsiao et al. [83] present a similar approach to determinewhether a claimed event has actually occurred. In order toprevent attacks, the senders collect a number of witnessesfor each possible event. For space efficiency purposes, z-smallest probabilistic counting is used, reducing the requiredamount of signatures that need to be attached to the message.The idea of z-smallest is that, given n elements uniformlydistributed between 0 and 1, the z-smallest element givesan approximation of n by calculating z

c , where c is thevalue of the z-smallest element. To protect against inflation,where attackers increase the number of witnesses of an event,each vehicle signs a hash of its vehicle id, the event type,location segment, and time of the event. Only the z-smallestsignatures are kept with the aggregate, meaning it is hard forthe attacker to produce these z signatures (because the hash iscryptographically secure). There is no deflation protection inthis scheme; the attacker can reduce the amount of signaturesattached to the message. The authors argue that an attackerwill only try to produce fake events; there are easier ways tohide events that this mechanism cannot protect against anyway.Similar to the previous paper, it is a hard requirement thatvehicles are restricted to exactly one pseudonym per timeperiod as the attacker model does not include Sybil attacks.

Leinmüller et al. designed, amongst other mechanisms, a co-operative trust mechanism [84] to improve the results of theirmechanisms by exploiting trust developed between vehicles.The goal of the mechanism is to defend against attacks per-formed by static roadside attackers. This is done by combiningthe data-centric minimum distance moved mechanisms withtransitive trust. Each vehicle evaluates locally whether sensorinformation implies that the sender of a message has moved acertain minimum distance. Then, each vehicle broadcasts thecollected information, indicating which neighbors passed thelocal the minimum distance moved check. The assumptionis that if a vehicle A receives positive feedback about avehicle C from vehicle B and A has earlier identified B astrustworthy, then A will also trust C without directly verifyingit. The scheme also incorporates neighbor information, whichis shared among vehicles using periodic messages (proactive),although the authors also note that reactive mechanisms maybe possible. An honest majority assumption allows this mecha-nism to work, but only when the attacker is (mostly) stationary,which is a fairly weak attacker model.

The authors in [86] have proposed a scheme to build con-

16

sensus about certain events in vehicular networks using a dy-namic threshold for their consensus mechanism. The proposedscheme collects a number of reports about the same event fromsurrounding vehicles until a certain threshold of supportingreports is passed, after which the message is considered tobe trustworthy. To cater for safety-relevant applications, theauthors took into account a maximum waiting time, beforewhich a decision must be reached. For instance, in case ofan accident warning message, the decision whether to trustthe warning must be made early enough, so that the vehiclecan still brake in time to avoid further collisions. A maincontribution of the authors is to implement the acceptancethreshold in a dynamic way. The threshold is adapted basedon factors like distance to the claimed event and number ofvehicles currently in the neighborhood. However, like mostconsensus mechanisms, this approach suffers from potentialSybil attacks. The dynamic threshold allows the mechanismto deal with density variations on the road, but as the authorsalso remark, selecting an appropriate initial value is still anopen challenge.

Kim et al. [85] combine several data-centric and node-centric parameters of messages into a single curve, called thecertainty-of-event (CoE) curve. The validity of messages isdetermined by checking messages against the vehicles’ ownsensors, messages from other vehicles, and, where available,validation by infrastructure, making it a consensus mechanism.This is combined with a relevance metric (i.e., whether thevehicle will ever interact with the event): only relevant, validevents are presented to the driver. Validity is defined usinga threshold curve, defining the required supporting evidence(similar in functionality to Petit et al.’s dynamic threshold).This allows for fast responses in emergencies with less cer-tainty, while it reduces the false positives for events wheremore evidence can be gathered over time. We note that theCoE could be vulnerable to Sybil attacks, depending on theimplementation of the various sources of information thatare specified. In addition, this scheme is very difficult togeneralize to other types of applications, because specificlocations are required for events. The example applicationthe authors use, the emergency electronic break light (EEBL)application, provides such locations, but it is unclear whetherthe scheme can deal with multiple lanes and urban settings,where there may be some uncertainty about the driver’s path.However, the CoE is a powerful concept that can be employedto allow for maximum certainty before warning the driver,reducing false positive and negative rates.

B. Data-centric Mechanisms

In this section, we consider the different forms of data-centric misbehavior detection that were identified in Sec-tion IV-C. Recall that the core distinction between consistencyand plausibility is that consistency analyzes messages fromdifferent senders, while plausibility verifies messages fromthe same sender. Plausibility mechanisms include analyzingphysical layer signals to detect that they indeed come fromthe same source. As before, we provide a brief overview ofthis section in Table II.

1) Plausibility: Plausibility checks can be used to quicklyand efficiently filter packets that are malicious. Typicallysimple instances of these mechanisms are assumed to exist bynode-centric schemes to provide a way to determine trustwor-thiness of nodes. However, plausibility checks can also be usedas a more advanced tool to determine a numeric plausibilityvalue, rather than just filtering out bad packets. For example,one can analyze the speed or location of a vehicle over time, areceiver can identify its path and attempt to identify suspiciouspaths. Plausibility checks are often used to detect attacks thatinvolve Sybil nodes. This relies on the fact that an attackergenerating these Sybil nodes transmits the associated messagesfrom approximately the same location.

a) Signal-based plausibility: One of the first applicationsfor data-centric misbehavior detection was the identificationof falsified positions by exploiting channel properties. Bydetecting the source direction of the signal and using time-of-flight, vehicles can attempt to verify the position containedwithin a CAM. An overall challenge of these approaches is thatthe error of measurements outside a controlled environment arevery high.

The authors of [68] provide a detailed analysis of Sybilattack detection through analysis of physical layer properties.They assume that antennas, gains and transmission powers arefixed and known to all users of the cITS (except for the attack-ers’). By applying signal models, they use the received signalstrength to determine the approximate distance to the senderand apply this to verify the GPS position transmitted in eachbeacon message. They show the theoretically possible areaswhere an attacker can transmit to cause the receiver to observethe desired received signal strength, in order to correspond tothe received signal strength. The authors also analyze the effectof using different antenna models (bi-directional and omni-directional) for the receiver. As the authors point out, they donot consider special propagation models or GPS errors.

Similarly, [90] exploits the relation between location, timeand transmission duration for both beacons and event mes-sages. Time of flight is used to verify the positions transmittedby each sender, computing the time spent in the air by themessage. They assume light speed, i.e., t2 = t1 ∗

dist(li, t2,lj, t1 )c ,

with t1 as the claimed time of transmission, tj,t1 as the claimedlocation of sender j and li,t2 as the location of receiver at thetime of reception t2. Although this approach is immune toSybil attacks, it does not compensate for GPS errors, MACdelays or limited time synchronization between vehicles. Theauthors also propose a post-event validation approach thatlooks at messages from other vehicles to verify specific eventmessages, which relies on correct positions using this time offlight approach. Finally, we note that the authors consider apseudonym change after a claimed event is malicious, which isdetected through a lack of subsequent beacon messages fromthe same source. This scheme is easily exploited to revokelegitimate vehicles by an attacker with even limited jammingcapabilities.

Sun et al. [91] propose a vehicle tracking scheme based onextended Kalman filters (EKF), a generalization of Kalmanfilters for non-linear systems. The authors assume that EKFsare used to combine angle of arrival (AoA) and Doppler

17

Type Category Examples

Signal-based plausibility Plausibility Guette & Ducourthial [68], Ruj et al. [90], Xiao et al. [69],Sun et al. [91], Yao et al. [57]

Multi-rule plausibility Plausibility Leinmüller et al. [92], PVN [55], VEBAS [93], Yan et al. [94]Position prediction Plausibility Jaeger et al. [95], [71], Bißmeyer et al. [96], Barnwal et al. [97]Vehicle dynamics Plausibility Yavvari et al. [98]Post-event validation Plausibility Ghosh et al. [99]

Raw data comparison Consistency Bißmeyer et al. [100], Zaidi et al. [101], Grover et al. [102], Leinmüller et al. [92]World modeling Consistency Golle et al. [103], Dietzel et al. [104], Bißmeyer et al. [65]Rule mining Consistency VARM [105]Machine learning on message contents Consistency Grover et al. [106], Ghaleb et al. [107]Sensor sharing detection Consistency Yan et al. [108]

TABLE IIDATA-CENTRIC DETECTION APPROACHES (SOME PAPERS PROPOSE MORE THAN ONE TYPE).

Speed measurements of the received signal to estimate thebehavior of the sender. By combining this information withthe position information in the message, the estimation errorof the EKF will not diverge, unless the vehicle misbehavesby transmitting false positions. This is detected by applyinga chi-square test to determine whether the n most recentmeasurements reflect Gaussian behavior. When the chi-squaretest detects a deviation, AoA and Doppler shift measurementsfrom neighbors are used to estimate the position, which is thenused to track the misbehaving vehicle despite the misbehavior.The proposed scheme is discussed in highway scenarios only,but can deal with any attacks, regardless of collaboration.Privacy is not addressed in this work; however, we suspectthat the author’s system can be deployed to track pseudonyms,while applying the work by Stübing et al. [70] to track vehiclesacross pseudonyms.

Schäfer et al. [109] discuss how the Doppler effect can beused to validate movement in an approach similar to thosediscussed above. Although their work primarily focuses onflying vehicles (e.g., airplanes), where distances are muchgreater and thus signal propagation takes much more time.Thus, they also briefly address the application of their resultsto vehicular networks. Specifically, they describe that becausethe required precision cannot be achieved in these networksat reasonable cost, they conducted experiments that measureDoppler Shift in sound. Despite encouraging results with anequal error rate of zero, the authors state that approachesbased on their scheme have two fundamental limitations.These are attacks from moving vehicles and attacks wheremultiple antennas are used by the attacker. Moving vehiclesare unlikely due to the extreme velocities required, but multi-antenna attackers remain an open issue, which is the case formost schemes in this section.

Yao et al. [57] provide an extensive analysis of RSSI-basedschemes to detect Sybil attacks. First, the authors describean experimental setup that is used to make observations onhow RSSI measurements change over time, and how thesecan be applied to detect attacks. Basically, the authors statethat one cannot directly apply RSSI measurements, and usinga propagation model to estimate validity of messages throughthe RSSI is unlikely to provide reasonable results. However,they also identify similarities between the RSSI of an attackerand its Sybil nodes over time, and discuss the use of similaritymeasures for these time series. In their work, they use the

dynamic time wrapping as a measure, which is particularlysuitable because it can deal with message loss. They alsoinclude Z-score normalization of all RSSI time series toprevent the attacker from simply using different power levelsfor each Sybil node. Their work shows that even though RSSIitself is considered unreliable, it can be used to identify attackswhen used as a time series. One weakness of this system isthat it breaks as soon as an attacker uses more than one radio.

b) Multi-rule plausibility: Another early idea was touse several sources of information to verify message validity,rather than just using signals to verify a position, which wassketched in [110]. The authors introduce the concept to useon-board vehicle sensor data and data from different layersof the communication system to build a world model, withwhich newly received information can be compared. Manyof these multi-rule mechanisms also include some form ofother detection mechanism, but often the focus lies on takingadvantage of the many fast and simple checks that can beperformed through plausibility checks.

Lo & Tsai [55] discuss a type of data injection attack calledthe illusion attack, where the attacker injects false informationinto the cITS. To protect against this attack, the authors pro-pose a plausibility validation network (PVN), which consistsmainly of a checking module and a rule database. The ruledatabase contains a set of rules that govern whether certaininformation should be considered valid or not, by analyzingthe individual message fields. The authors provide a list ofsuch rules to detect fake vehicles, which includes dropping ofduplicate messages, the position being in transmission range,valid time stamps and others. The set of rules is different permessage type, and is default-deny (i.e., all rules must acceptthe message). A weakness of this work is that it assumesthat the attacker can only manipulate messages indirectly(i.e., through sensor manipulation, the attacker has no keymaterial). Because the rule database is shared amongst allparticipants, the attacker can generate only valid messages toavoid detection.

In [92], the authors discuss a variety of data-centric mecha-nisms, including what they refer to as autonomous verification,which is similar to the PVN from Lo & Tsai. These checkswere previously studied in [111]; we discuss the consistencymechanisms in the next section. The checks introduced hereare called acceptance range threshold (ART), mobility gradethreshold (MGT) and maximum density threshold (MDT).

18

ART provides a very simple check that discards messages withposition claims that are far outside the communication range ofthe receiver, and thus likely contain a falsified position. MGTchecks the distance moved between two beacons for suspi-ciously high speeds. MDT examines the maximum amountof vehicles in a particular area; when too many beacons aresent from one area, the vehicle ignores further beacons fromthe same area, in order to limit the impact of Sybil attacks. Inaddition to these checks, the authors mention the possibility ofmap-based verification and position claim overhearing. Map-based verification assigns a plausibility value to the receivedbeacons by comparing the location to a road map. Positionclaim overhearing can be applied in (geo)routing scenarios: bycomparing different overheard packets and their destinations,overheard packets can provide indications of a false positionin the past. All of these checks do not perform particularlywell individually, as also discussed in [112], but the potentialfor these checks lies in their efficiency, similar to the PVN.

Vehicle behavior analysis and Evaluation scheme (VEBAS),was presented by Schmidt et al. [93] as an attempt to builda full system up out of behavioral, plausibility and trust-based mechanisms. VEBAS allows the local detection ofunusual vehicle behavior. Each vehicle analyzes all messagesreceived from neighboring vehicles to detect possible misbe-havior. Schmidt et al. analyze the content of messages usingdifferent modules. In this, most mechanisms are plausibilitychecks, with either positive (meaning the mechanism statesthe information is correct) or negative (information is false)results. Some mechanisms analyze the behavior of a vehicle inthe classical sense (i.e., behavioral mechanisms) while othermechanisms also make use of physical models. As an exampleof behavior-based mechanisms, the authors used a maximumbeaconing frequency threshold. If a vehicle sends messageswith an unusually high frequency, the behavior can be regardedas possible attack. The other mechanisms discussed by theauthors are plausibility-based mechanisms, some of which arere-used from earlier work. Finally, the authors show a way tocombine the output of the different detection mechanisms, theauthors proposed to use the exponentially weighted moving av-erage (EWMA) method. Here, older information is integratedwith less weight than fresh information, and different weightcan be given to different modules. This includes the possibilityto send and receive reports from other nodes in the network(which adds a trust-based element to the mechanism): oncea vehicle has accumulated a defined amount of informationabout surrounding node behavior, it will broadcast the resultswithin the 1-hop neighborhood. However, these recommen-dation reports are not trusted blindly by receiving nodes toprevent attackers from broadcasting fake positive behaviorreports.

Multi-rule plausibility has also been used to detect attackswithin cell- or cluster-based vehicular networks. Althoughclustering itself has numerous disadvantages, verification ap-proaches that analyze a leaders’ behavior often require data-centric operation in order to exclude attacks. Yan et al. [94]present one such scheme where attacks are largely preventedby centralizing information at the leader. The leader is re-sponsible for announcing its cell member’s positions, and the

authors design a scheme where leader and cell members verifyeach other. The local verification primarily relies on a compar-ison of GPS and radar measurements. For additional accuracy,the authors introduce Sybil attack detection by using cosinesimilarity and two alternative information sources that areessentially consistency schemes. Finally, the authors includea position prediction approach as one of their plausibilityrules. Nevertheless, the reliance on clustering makes thisscheme particularly poor for privacy, and potentially reducesperformance.

c) Position Prediction: As discussed in Section V-A2, theadvantages of node-based mechanisms are strengthened whenpseudonyms can be resolved, or at least linked, in the localvicinity of a vehicle. Position prediction essentially uses suchtechniques to predict behavior of vehicles and verify whetherthey follow an expected pattern. Although the Kalman filteris the most common approach, alternatives include the use ofparticle filters, as discussed by Bißmeyer et al. [96], and zoneprediction, as discussed by Barnwal et al. [97].

The authors of [70] and [95] verify transmitted CAMs byanalyzing the sequence of messages to find the trajectory ofeach vehicle. By tracking a vehicle using a Kalman filter,they can verify the location contained within each CAM,thereby allowing the detection and correction of falsified datain CAMs. This works, because the Kalman filter allows theaccurate prediction of movement even under the influenceof errors (e.g., they are also used to correct errors in GPSmeasurements). As a result, the Kalman filter allows vehiclesto locally link pseudonyms with high probability, and fea-tures adjustment for errors and new vehicles. By defeatingpseudonyms in this way, vehicles can check that vehiclesare transmitting valid messages. Their scheme explicitly doesnot distinguish between malicious and faulty nodes, insteadaiming to detect any misbehavior. We note that the existence ofKalman filters does not imply that privacy is void – the Kalmanfilter only provides accurate estimates when actually followinga vehicle (similar to physically following it by driving behindit). The scheme was later extended [71] to deal with situationswhere Kalman filter accuracy is poor, such as lane changesand other special maneuvers. After computing the plausibilityof a CAM according to the Kalman filter associated with thesender, they propose a scheme that probabilistically recognizesthe maneuvers of a vehicle using hidden Markov models. Ahidden Markov model is trained for each maneuver, classifiedby the Baum-Welch algorithm, allowing the state of the hiddenMarkov model to represent the different steps in the maneuver.The information used for these models is then used to updatethe Kalman filters where necessary. This entire process isshown in detail in Figure 5.

d) Vehicle dynamics: Going beyond the position predic-tion work, which often assume a static vehicle model that isthe same for every vehicle, Yavvari et al. [98] suggest thatprediction could be much more accurate. Their core idea is totest the plausibility of new messages within the scope of oldmessages using an accurate model of the vehicles’ dynamics.This can then be used to construct bounding polygons thatdescribe the extremes of valid positions that could be obtainedgiven the vehicle dynamics and the previously received in-

19

Basic Checks

no

yes

Path Prediction

yes

no

New Vehicle Checks

no

yes

Maneuver Recognition

no

yes

yes no

neutralapprovederroneous

mobility dataand vehicle ID

checkpassed?

known vehicle ID?

deviationOK?

inside margin?

dynamicmaneuver?

instantiatenew tracker

adapt Kalman gain

calculateKalman prediction

calculateKalman correction

compare predictionwith mobility data

performthreshold check

perform margincheck

query maneuverrecognition

re-calculate Kalmancorrection & prediction

deviationOK?

Start

yes

no

Fig. 5. Figure based on [71] explaining their detection method surroundingusage and updating of Kalman filters.

formation. Because this process requires detailed knowledgeof the capabilities of each vehicle, the authors discuss howto derive this from BSM information. In BSMs (in the USmodel), there is detailed information about the dimensions ofeach vehicle (with a resolution of 1cm). This can be used touniquely identify the vast majority of vehicle types, as shownby the authors. Using this information allows for much tighterbounds than an abstract vehicle dynamics model. Although thisdesign raises some privacy concerns, the resources requiredto store or simulate the vehicle dynamics per vehicle type isrelatively limited, and the bounds on valid behavior are quitetight.

e) Post-event detection: The idea of post-event detectionis that events are not isolated from each other, but typicallyrelate directly to future behavior. A good example of sucha scheme is the work by Ghosh et al. [99], who looked atthe post-crash notification (PCN) application. After sending aPCN message, drivers normally adapt their behavior to avoidthe crash site; this is exploited here to confirm whether the

event was valid or not. Although this specific scheme uniquelyuses driver behavior for validation, other proposals have beenmade that use subsequent beacons to verify whether an eventactually happened (e.g., Ruj et al. [90] above). In their scheme,Ghosh et al. use a technique called root cause analysis todetect which part of the event message was false. Althoughlacking in privacy, this scheme is very useful to serve as abaseline for revocation. Post-event detection suffers if driverbehavior models are unsuitable, and it notably cannot preventfalse information from reaching the driver, which may leadto low user acceptance. However, for future cITS that relyon increased autonomous driving, post-event detection maybe feasible, due to the fact that valid behavior is more well-defined.

2) Consistency: Consistency-based mechanisms look at se-quences of packets from distinct vehicles. These mechanismsfocus on detecting and resolving conflicting information toachieve an accurate representation of the real world scenario.They are often employed by secure aggregation mechanisms tocombine information from several vehicles into aggregates andto deal with inaccuracies, which may occur when aggregationmechanisms are used.

a) Raw data comparison: The simplest type of con-sistency mechanism is direct comparison between messagecontents to check them for conflicts. This is closely relatedto consensus mechanisms from the node-centric mechanismssection: the mechanisms here are distinguished by the factthat a decision is mainly based on the data, rather than trust(potentially derived from data) in vehicles. Unlike consensusmechanisms, direct checking mechanisms often simply out-put that a conflict exists (although some authors add sometrust mechanism to verify the effectiveness of their schemedirectly).

Leinmüller et al. [111], [92] describe a position verificationmechanism that bases on a number of different algorithms(also called sensors), each of which attempts to detect mali-cious or selfish behavior. The position verification mechanismdetermines a trust value for each vehicle, but the focus ofthe paper lies on the sensors. The authors propose sensorsbased on either consistency or plausibility (called cooperativeand autonomous sensors respectively in the paper); we discussthe consistency sensors here, and the plausibility sensors inSection V-B1. The cooperative sensors are based on neighbortables and position beacons to avoid the requirement ofdedicated hardware. First, pro-active exchange of neighbortables can include positions or only include logical linksbetween nodes. In both cases, beacons are checked againstreceived neighbor tables by comparing the claimed positionsfor a particular node in the beacon and the table. When thetables do not include positions directly, nodes can extrapolateinformation using the maximum transmission range (usingthe accepted range threshold, see Section V-B1). Second,reactive position requests can be used as a more bandwidth-efficient sensor than periodic neighbor table exchange. Theserequests are sent when an unknown vehicle M is encountered;a vehicle knows the position of its neighbors, and selectsa subset of them as either rejector or acceptor, based onwhether the neighbor is in transmission range or not. It then

20

Fig. 6. Figure based on [100] showing the different rectangles used to modelthe vehicle in the presence of GPS errors.

sends its request to this subset of neighbors, asking for theposition of M . Neighbors that do not know M will respondwith a corresponding message; others will respond with aposition. The sender can then compare the responses withthe expected responses. Both of these mechanisms rely onan honest majority, but are capable of dealing with noisysensor data for those honest nodes. The mechanisms can alsocope with network loss, allowing the mechanisms to cope withlimited attacks on lower layers.

In [100], the authors use consistency between CAM mes-sages of vehicles to detect attacks. The authors claim that amodel typically used for crash avoidance systems can also beused to determine likely attacks. The model describes that onlyone vehicle can occupy a given space at a given time. Thisallows detection of falsified position information. They assumeit is possible to uniquely identify vehicles despite the use ofpseudonyms (using the Kalman filter approach we discuss inSection V-B1) and use this capability to determine whethervehicles intersect. Intersection itself is measured using thegiven width and length of a vehicle in a CAM. A mechanismto deal with errors is also introduced, by simulating largerrectangles outside the bounds of the vehicle, as shown inFigure 6. The size of each of these is computed using the speedof the vehicle. When detecting overlap of rectangles arounddifferent vehicles, a degree of certainty corresponding to thesize of the rectangle is used. The higher this certainty, thehigher the probability that the position for one of two vehicleswas falsified. To compensate for lost packets, the authors alsodiscuss a prediction mechanism to predict the location fromwhich the next CAM is sent. To further increase detectionaccuracy, the authors note that a history of received CAMs andpredictions can be used to compute a vehicles’ trustworthiness;this trust value can then be used to decide which of two CAMsis the correct one. This scheme is highly efficient in terms ofbandwidth, but the accuracy of the detection may be limiteddue to the effects of noise in the sensors. Although Sybilattacks are an issue for this work, the authors can deal withsome degree of packet loss as well.

Rather than comparing individual messages between vehi-cles, Zaidi et al. [101] instead compare a single vehicles’ datato the overall flow of all surrounding neighbors. The authorspropose to extend the beacon messages with three fields: flow,average speed and density, which all vehicles must compute

and transmit regularly. Flow is a traffic research term that isclosely related to throughput; it is an indicator for congestion,and the flow computation used in this paper is related to speedand density. The idea is that if an attacker falsifies its data,or uses Sybils to do so, there will be a significant differencebetween computed flow from benign and malicious vehicles.Whenever detection occurs, a vehicle is monitored for sometime; if the vehicle is marked as malicious (through hypothesistesting), the vehicles data is rejected. This scheme has thesignificant advantage that the proof of misbehavior is rigorous(due to the hypothesis testing approach), but suffers fromattacks when the attacker slowly increases their value (andthose values of controlled Sybils). This attack is excluded bythe authors attacker model. Also note that this scheme onlyworks on a per-road basis (messages between different roadswill not verify, since they have different flow); this could beresolved by including road identifiers.

Grover et al. [102] perform Sybil attack detection bycomparing neighbor tables of several vehicles over time. Thereasoning behind their work is that the fake identities of theattacker must always be in the vicinity of the attacker inorder to be able to the necessary local majority the attackerwants to achieve. Therefore, they must frequently appear inthe neighbor tables of legitimate vehicles as a group, whilelegitimate vehicles will not form such a group over time.Because network topology is highly dynamic in cITS, theauthors distinguish between uni-directional and bi-directionalcommunication links. We note that while the authors presentan effective way to limit Sybil attacks in duration, the commu-nication overhead is significant, as is the latency for detection.In addition, certain traffic scenarios cause the assumption ofrecurrence to become unrealistic, e.g., in traffic jams, whichincreases false positives or increases detection latency. Mostimportantly, it does not protect against Sybil attacks that havea short duration, which however may be sufficient to attacka variety of information dissemination mechanisms, such astraffic jam detectors.

[69] describes one of the earliest of such mechanisms,verifying claimed positions using signal strength metrics. Thebasic scheme consists of three roles: claimer, where a nodeclaims a position in a beacon, witness, where a node receivesa beacon and measures its proximity using the received signalstrength, which it transmits in subsequent beacons, and verifier,which collects signal strength measurements to estimate andverify the position of a node. To ensure that the scheme isnot subject to Sybil attacks, the authors design an improvedposition verification scheme, which focus on the witnesses. Inthis scheme, RSUs issue a signature of proximity at a specifictime, with a defined driving direction. By authenticating di-rection, the authors can reliably establish which witnesses areapproaching vehicles, and only use these for detection. Thescheme does not account for scenarios with low amount ofwitnesses, or one-way situations, but their statistical approachthat compares RSSI-based estimations with claimed positionsis theoretically sound. After classifying a neighbor as a Sybilnode, the vehicle will go through its neighbor table and verifyother neighbors in order to find other Sybils originating fromthe same malicious entity. A final criticism is that this scheme

21

assumes Sybil attacks are targeted; attacks aiming to confuseapproaching vehicles by issuing false witnesses continuouslyare still possible.

b) World modeling: Rather than comparing raw data,some authors suggest the more abstract approach of worldmodeling. This removes the restriction of comparison betweenspecific messages, and rather allows queries such as “is thisworld state consistent?” or “is this hypothesis true”? Fordetection, these approaches often aim to find the data thatis the cause of a conflict in the consistency of the model.

Golle et al. [103] have presented the earliest example ofdata-centric detection, which checks for consistency betweenassertions (messages, also called observed events in the paper)using some abstract model of the cITS. If this results in an in-valid state, their system identifies possible explanations wherea subset of all assertions is valid – the best explanation canthen be chosen. The model relies on four core assumptions:nodes can bind observations to received communication, theycan uniquely identify neighboring vehicles (that is, detect Sybilattacks using physical properties), they can authenticate toone another, and finally, the network graph should always beconnected. In case inconsistencies are found, Occam’s Razoris applied, meaning that the explanation with the least amountof attackers best explains the conflicts found. As an exampleof how their model works, the authors introduce two modelsthat determine the correct locations of vehicles in the network.Although this is one of the earliest works on data-centricsecurity mechanisms in cITS, the outline of their mechanism isstill used as a guideline for data-centric security and secure ag-gregation schemes. Unfortunately, the detection component ofthis work is not evaluated for feasibility, due to an assumptionthat neighbors can immediately exchange derived information.As the authors note, assuming this instant connectivity is notvery realistic, as the amount of data exchanged in their schemeis quite high and available bandwidth in cITS is limited. Inaddition, it seems to be assumed that the attacker is a protocol-adhering participant, e.g., there are no attacks on routing oron lower communication layers (such as selective jamming oraltered transmission power).

Data-centric security mechanisms have also been applied tosecure aggregation, as proposed by [104]. Aggregation is heremotivated as a means to make cITS more feasible. Due to highpotential bandwidth requirements, especially for traffic effi-ciency applications that require information from large areas,aggregation will be essential to efficiently disseminating infor-mation through the cITS on a large scale. However, security isan unresolved issue in aggregation: in particular, aggregationaims to remove redundancy of information, which increasesthe challenge of applying data-centric security mechanisms.The authors specify a framework using fuzzy reasoning todetect that an attack is in progress with high accuracy. As inputfor this reasoning process, clues attached to each aggregateare used, which are atomic, unaggregated observations signedby their original senders. These clues provide the necessaryintegrity that is typically hard to obtain in secure aggregation.Using fuzzy logic to determine confidence in data, rather thantrust in nodes, is a main advantage of the scheme. The attackermodel in this paper considers an attacker that is specifically

aimed at compromising aggregation mechanisms, rather thana general attacker that also exploits lower layer and Sybilattacks.

In [65], the authors propose a more strongly centralizedapproach. They require each node to detect incidents, andforward them to a central authority that will detect misbehaviorbased on these reports. Because the central authority onlyneeds to perform detection based on reports, rather thancontinuously for all nodes, this provides a scalable approach.In addition, this makes the assumption of an honest majorityreasonable, when combined with revocation. Each node as-signs trust to all nodes it knows; confidence in this trust isdefined as a weight on the trust assigned by another node.For example, if node a has neighbors b, c and assigns a hightrust to b, while b assigns a low trust to c, then confidence isused to describe the amount of evidence each node has for itstrust assignment. These parameters are later used to determinereputation of each node by the central authority. The centralauthority can then resolve pseudonyms and determine whetherany node was cheating repeatedly, or whether there was abenign fault. This is done by using the trust and confidenceof the suspect and reported nodes; attackers are detected bydetermining which nodes have very low reputation.

c) Rule mining: Finally, some authors have proposedmechanisms that use techniques from the field of data miningto extract useful information from a large amount of storeddata, such as CAMs and DENMs. By extracting these rules,the likelihood of the message being valid can be expressed.

VARM [105] is an example of this idea, which directlyapplies data mining techniques to misbehavior detection. Theauthors propose a data mining-based mechanism that dynami-cally derives association rules from received data using a data-structure called the Itemset-Tree. Association rules expresscorrelations in a data set, and are a basic concept in datamining. By extracting these association rules, the node thusinfers information from received messages that represent theexpected behavior of senders. This knowledge can expresshidden information that represents local road conditions, with-out the need to list all such scenarios and develop rulesor models for them by hand. Their core drawback is thatthey may not generalize, because correlation does not implycausation. Another issue is that the paper does not extensivelystudy the bandwidth requirements posed by their scheme,nor is latency or detection rate the main target of the study.We note that data mining is typically applied in scenarioswhere latency and computational resources are not an issue,and these techniques may not provide sufficient performance.Nevertheless, the application of data mining is a novel idea thatcan combine elements from both data-centric and behavioralmisbehavior detection; this work provides a good starting pointfor applying data mining techniques to misbehavior detection.VARM is considered to be a consistency-based misbehaviordetection mechanism because the authors specifically focuson temporal relationships between events received from manydifferent vehicles, rather than verifying individual vehicles.

d) Machine learning: Grover et al. [106] have also pro-posed a machine learning-based method to detect misbehavingvehicles. Grover et al. have implemented several attacks on

22

VANET model

Feature extraction

Attack model

Classification algorithm AlarmsFeatures Misbehavior

Fig. 7. Machine learning architecture proposed in [106].

routing and several attacks on message content, in particu-lar a Sybil attack and position forging. They use machinelearning to learn the features of legitimate and misbehavingmessages, based on models of both. The authors definedseveral features and used a network simulator to generatetraffic; the features of this traffic was used to train severalclassification algorithms. There are two classes of features –one used for detecting position falsification and Sybil attacks(similar to many data-centric mechanisms) and one class thatconsiders various temporal aspects and delivery ratios. Thegenerated network traffic was created using a two-way, multi-lane highway scenario. The authors used the values for eachof these features as input for several classification algorithmsfrom machine learning, contained in the WEKA toolset [113].The best results were obtained using the Random Forest [114]and J48 algorithms. Figure 7 shows the overall architecture ofthe proposed mechanism. In a later paper [115], they improvedon their previous work by replacing the single classificationalgorithm with a number of classification algorithms. Afterclassification by each of the algorithms, a majority decision isused to decide whether a given situation is considered part ofan attack. In both papers, specific implementations of attacksare used to evaluate the system; these implementations areused to generate data for both the training and testing set. Bothof these works rely on specific implementations of attacksand a specific scenario; in particular, no details are providedregarding attack implementation and the base scenario. It isthus difficult to determine whether these classifiers providea general solution, or a solution specific to the scenario,since it is unknown how real-world behavior compares to thesimulated legitimate behavior.

Ghaleb et al. [107] propose a similar approach toGrover et al., using neural networks. The authors describehow vehicles collect information from their environment usingsensors, which is then shared through communication (i.e.,through V2V communication). This information is then used toconstruct a local dynamic map (LDM) of a vehicle, from whichfeatures for misbehavior detection can be derived. Historicalvalues of these features are used to construct a model, whichis then used in an on-line fashion to classify new messagesinto legitimate and malicious. In their work, features includea variety of plausibility and consistency checks that they citefrom previous work, as well as some own features. The authorsuse a simulated set of misbehavior to create a supervisedlearning problem, to which they apply their neural network,which is a standard feed-forward back-propagation networkwith 7 input neurons and 15 neurons in one hidden layer. Theoutput layer is not described, but can be assumed to have a

single neuron (i.e., misbehavior or not). The evaluation of thiswork has significant weaknesses, including a communicationmodel far behind the state of the art and no details on theimplemented attacks. The authors also use the entire datasetfor training, before using four vehicles from this dataset fortesting (which is methodologically unsound). Results werecompared to earlier work, whose results correspond to someof the features proposed in the feature collection (it is notclearly stated which of the work they compare to, as theyreference multiple papers). Collecting the data necessary tobuild a model for wide-spread, static deployment requires alot of resources, and the resulting model could easily be usedby an attacker to search for messages that will be accepted bya receiver. However, the approach described by the authors iseasy to generalize to other areas where appropriate data andfeatures are available.

The authors in [108] focus on discussing the verification oflocation data by using additional vehicle sensors that allowdetection by line-of-sight, so-called eye-devices, in order toverify received messages (which are referred to as comingfrom ear-devices). The authors propose that each vehicleshould have a variety of radars and cameras to detect othervehicles. It is assumed that 85% of all vehicles is honest, andthat global positioning system (GPS) data can be trusted if theinformation corresponds to the own location combined withthe data from eye-devices. However, eye-devices only workfor line-of-sight; thus, the authors allow vehicles to requesteye-device confirmation from vehicles on the oncoming traffic.Similarly, neighbors can be queried, although oncoming trafficis preferred. The authors express the eye data through vectorsrelative to the current vehicle (for speed and location). Theauthors then go on to define local security as verification bychecking against local sensors, including ear-devices (mes-sages from different vehicles). The authors claim that localsecurity can be used to obtain global security, reasoning thatthis is analogous to greedy algorithms. However, we notethat greedy algorithms are heuristics, which by definition donot necessarily provide a global solution. As the paper lacksany further proof of a globally optimal solution, it is likelythat their mechanism can achieve at best a local solution. Inaddition, the authors do not seem to consider errors in theobtained locations and other sensor data, further weakeningtheir claim. Finally, in low density scenarios the attacker maybe able to exploit the mechanism to cause false detectionsusing specially crafted messages, although this is a fairlyobscure scenario.

C. Overview

Now that we have provided an overview of different typesof mechanisms that exist in the literature, we summarize thesemechanisms and their properties in Tables III and IV. Thesetables contain the most important pros and cons for eachmechanism, as well as a qualitative analysis of the scope ofdetection, required resources (which includes computationaland communication resources), generalizability, security andimpact on privacy. The scope of detection tells us whether amechanism performs local (L), cooperative (C) or back-end

23

(B) detection, connecting back to the discussion on detectionscopes in Section IV-B. The required resources field in thetable gives an intuition of how much bandwidth, computationalresources and memory is required; highly efficient mechanismsare marked with , while expensive mechanisms are markedwith . Good generalizability ( ) means that the mechanismmay be transferred and applied to other domains relativelyeasily, a topic we discuss in detail in Section VI-C. With thesecurity column, we illustrate how easily a mechanism can bemanipulated: a mechanism subject to certain attacks is markedwith , while a mechanism with a limited attacker model(compared to the model discussed in Section IV-A2) is markedwith and a good scheme is marked with . Note that thissecurity column does not take into consideration the detectionaccuracy, but only the security of the detection mechanism.The last column, privacy, indicates the necessary type oflinkability, as discussed in Section IV-D; full linkability (F),explicit linkability (E), implicit linkability (I) or no linkability(N). When the issue is not addressed in the paper, we use aquestion mark.

VI. SOLVED AND OPEN CHALLENGES

Starting with an overview of the current cITS ecosystem,as well as ongoing standardization efforts, we have providedan extensive categorization of different misbehavior detectionmechanisms. In this section we discuss the solved and openchallenges for security in cITS. In addition, we provide adiscussion of ways to transfer the security mechanisms to otherfields.

A. Reoccurring patterns

In our discussion of the mechanisms, we often pointed outpotential attacks tied to other challenges, which are solvedby different mechanisms. Indeed, many mechanisms in ourdiscussion are complementary, and here we discuss severalrecurring patterns of approaches taken by these mechanisms.

a) Physical models: A number of mechanisms use phys-ical models to detect misbehavior [92], [100]. These modelsallow a detection mechanism to incorporate specific knowl-edge about the driving process of vehicles. The complexityof models ranges from very simple to very complex models.An example of a simple model is that cars cannot drive fasterthan 500 km/h, or that two cars cannot occupy the exact sameposition. Complex models include an analysis of accelerationand deceleration behavior, movement prediction including turnprobabilities, correlation of vehicle positions to street mapsand predictions based on vehicle dynamics [91]. Sensors areoften used as a base truth by the observing vehicle; it remainsto be investigated whether attacks can be designed that affectsensors and messages simultaneously in a consistent way.Regardless, the correlation with models is a very interestingapproach, because it often works locally and does not dependon correlation of data from several vehicles (which is alsoa common attack vector). Therefore, detection componentsbased on physical models should be included in a misbehaviordetection system.

b) Signal properties: Besides physical models targeted atthe process of driving itself, physical properties of the wirelesschannel (i.e., signal properties) are another important tool fordetection of spurious messages. The typical wireless receptionrange can be estimated, and moreover, WiFi hardware isable to measure the strength of a received signal. Whenvehicles synchronize their clocks with GPS, time of flightmeasurements can also be used. All these observations can beused to detect messages which are, for instance, received witha high signal strength but claim to originate from a positionfar away. In addition, there have been proposals to includeadditional hardware (typically additional antennae, see [117])to effectively perform more advanced signal analysis to deter-mine the direction from which the signal originates. However,the effectiveness of signal-based mechanisms is somewhatdisputed due to the high mobility, cost constraints and po-tential inaccuracy [111], [68]. This will be especially chal-lenging when combined with newly proposed MAC-protocolsthat exploit the additional spatial re-use enabled by transmitpower variations, such as decentralized congestion control inETSI [118]. Although some proposals [57] address this issueby looking at signals over time, this increases the detectionlatency.

c) Machine learning techniques: A problem that manymechanisms face is how to interpret locally collected data inorder to find patterns, or how to merge results from a setof different misbehavior detectors into one coherent output.To solve these problems, a number of schemes adapt ideasfrom machine learning. Often-employed approaches includedecision trees, Bayesian inference or Dempster-Shafer the-ory [81], [63], [105]. These approaches can provide usefultools to analyze data and derive certain interesting featuresthat might point at attacks. Some reputation systems, suchas those proposed in [58], already use some of these ideasto manage node reputation, but these typically only focus onnode-centric aspects, such as how to maintain the reputationsystem and how to protect it against attacks. In additionto providing misbehavior detection for vehicles, these node-centric approaches may be later used to perform an after-the-fact analysis, which in turn can be used to verify detectedmisbehavior. This is essentially the idea behind various data-centric machine learning approaches, where a large volume ofdata is labeled and used to learn a classifier. For this lattercase, collecting labeled data that is sufficiently diverse is ahuge challenge.

d) Centralized detection: Early works often perform thewhole process of misbehavior detection locally and only sendreports about local decisions to the back-end to performpseudonym resolution and revocation. In these works, theback-end does not perform any detection task; rather, it justverifies received reports for correctness and checks for falseaccusations. However, performing detection exclusively in alocal fashion prevents the detection mechanism from detectinglarger clusters of distributed misbehavior. For instance, anattacker could repeatedly mount attacks at different locations,which might be detected locally, but only in correlation showthe full extend of the attacks’ severity. Hence, newer schemesinclude the back-end more and more in the actual detection

24

TABLE IIIMECHANISMS OVERVIEW

Mechanism Pros Cons

Scope

Resources

Generalizability

Security

Privacy ∑Node-centric / behavioral (Section V-A1)

Watchdogs [74] Low implementation complexity Only detects malevolent forwarding,vulnerable to attacks

L ?

Jammingdetection [75], [76]

Detects adaptive jamming No attacker identification L N

Node-centric / trust-based (Section V-A2)

Urban path-based [77] fast, computationally efficient detection infrastructure-dependent, privacy is-sues, vulnerabilities and false positives

C ?

P2DAP [78] Strong detection/attacker model; poten-tially efficient approach

Infrastructure dependent; no privacy tocentral authority

B E

Footprint [79] Reasonable level of privacy withouthigh cost; useful for authenticatingevents

infrastructure-dependent; geared onlytowards Urban networks; full trust inRSUs; potential false positives

C E,I

LEAVE [52] Aggregation improves the quality ofdetection and reduces latency

Mechanism is prone to Sybil attacks C ?

OREN [62], [58] [87] Game-theoretic evidence, integrates is-suance of pseudonyms as incentive sys-tem, pseudonyms are not linkable

Prone to Sybil attacks by financiallycapable attackers

B N

SLEP & PRP [53] Holistic approach, integrating coopera-tive and back-end detection

Potentially prone to Sybil attacks B E

Sowattana et al. [80] Improves ideas from earlier work Voting is prone to Sybil attacks, expen-sive neighbor table exchange

C E

Decision logics [81] Can reuse results of the mechanisms No optimal decision logic L E

Bayesianlogic-based [63]

Suspiciousness instead of trust Misclassification of unusual events L E

PoR [82], [116] Simple and relatively efficient Decoding issues for new nodes, weakattacker model

C,B F

Z-smallestprobabilisticcounting [83]

Protection against inflation attacks,bandwidth efficient broadcast

Enforces a specific message format,weak attacker model

C E,I

Cooperative trustbuilding [84]

Builds on simple schemes, trust transi-tivity for improved performance

Bandwidth requirements not considered C ?

Dynamic thresholdtrustworthiness [86]

Maximizes the confidence in messagesuntil response is required

Potentially vulnerable to targeted at-tacks exploiting the mechanism

C ?

Certainty ofEvent [85]

Intuitive representation, combines secu-rity and safety aspects

Highly application-specific, relies onverified positions

C E

25

TABLE IVMECHANISMS OVERVIEW (CONTINUED)

Mechanism Pros Cons

Scope

Resources

Generalizability

Security

Privacy ∑Data-centric / plausibility (Section V-B1)

Signal Analysis [68] Thorough analysis of RSSI-based estima-tion

Potentially infeasible with GPS errors L N

Transmissiontime-based [90]

Useful for specific events Unrealistic assumptions for position ver-ification, vulnerable to attacks

L,C E

EKF with AoA andDS [91]

Efficient tracking of malicious vehicles Additional hardware required, relies onprivacy breach

L E

RSSI voiceprint [57] Linking Sybil nodes through physicalcharacteristics

Attacker may only use one radio L I

[92], [111] and [112] Efficient Limited detection capabilities L I/N

PVN [55] Fast and efficient, allows relations be-tween plausibility checks

Insufficient as the only means to detectattacks

L I

VEBAS [93] Self-sufficiency of mechanisms Honest majority assumption L,C F

Kalmanfilter-based [70], [71],[95]

Highly efficient tracking of vehicles Computationally expensive, relies on par-tial privacy breach

L I

Prediction based onvehicle dynamics [98]

Excellent performance Ease of tracking and potentillay largedatabase

L E

After-the-factverification [99]

Highly useful for reporting No preemptive detection, each applica-tion requires accurate predictions

L ?

work. Notably [65] and [78] employ such centralized detectionapproaches. A challenge to solve in this context is the level ofevent reporting. In order to allow the back-end to detect moreattacks than possible locally, it may be necessary to reportmore data to the back-end, including even mildly suspiciousbehavior, to provide a large enough data basis for centralizeddetection.

B. Open IssuesEven though many specific aspects of misbehavior have

been addressed, there are still a number of open issues. Wediscuss these issues based on our survey of the state of theart and the mechanisms discussed in Section V. These issuesare challenges regarding the detection itself – dealing withconflicting data, for instance by discarding or hiding messages,error correction, reporting and so forth is an orthogonal issue.

a) Thresholds for detection: An important problem inany intrusion detection system is its configuration; after whichthreshold is a message malicious? This question is also animportant challenge in misbehavior detection, because highfalse positive or false negative rates can cause significantproblems or even cause the system to be rejected entirely. Es-pecially for cITS, where direct reporting to an expert throughwarnings is not always possible, this needs to be addressed. Asa related issue, the distinction between erroneous and explicitly

malicious messages would be useful, although this may notbe feasible. Additionally, because of the data-centric nature ofmany detection mechanisms, the question of when informationshould be merged is significant, and this may affect detectionperformance directly.

b) Identification of misbehaving nodes: We note thatwhile data-centric mechanisms are superior at detecting con-flicting data and identifying which data is malicious, they maynot be able to identify the attacker directly. Although for manyapplications, it is more important to have accurate data thanit is to identify attackers to mitigate possible harm throughattacks, node-centric mechanisms that identify attackers arestill useful. They can be used to perform local or globalrevocation, thereby limiting both the amount of attackers inthe network and the impact they may have on the network. Asan example take the fake traffic jam scenario from Figure 1b.Although a data-centric mechanism may detect that the re-ported traffic jam is fake, without proper identification of thesender, a local revocation is not feasible. Finally, identifyingwhich data belongs to which vehicle may provide additionalinput for node-centric mechanisms, for instance to assign acredibility to information sources.

c) Voting, pseudonyms and Sybil attacks: Many node-centric mechanisms rely on long-term identities to performvoting or other trust-based evaluation of data. The basic idea is

26

TABLE VMECHANISMS OVERVIEW (CONTINUED)

Mechanism Pros Cons

Scope

Resources

Generalizability

Security

Privacy ∑Data-centric / consistency (Section V-B2)

Overlapdetection [100]

Good detection results under reasonableassumptions

Requires fixed transmission power C I

Abnormal flowdetection [101]

Novel idea that applies traffic researchknowledge

Constrained to specific roads, vulnerableto gradual change

L N

Neighbor-sets overtime [102]

Novel ideas, prevents long-term Sybil at-tacks

False positives possible; no preventionfor short-term Sybil attacks

C ?

Enhanced PositionVerification [69]

Works well in ideal situations Depends on infrastructure & networkproperties, vulnerabilities

L(,C) ?

Proactive cooperativesensors in [92]

Simplicity, capable of dealing with noisydata, powerful in dense scenarios

Vulnerable to Sybil attacks, high band-width cost

C ?

Reactive cooperativesensors in [92]

Simplicity, capable of dealing with noisydata

Unreliable detection, requires unicastmessage exchange

C ?

Attackermodeling [103]

Structured and general approach Requires complex reasoning techniqueson every vehicle

C I

Resilient secureaggregation [104]

Efficient approach to secure aggregation only works for aggregation purposes C ?

Back-enddetection [65]

Uses global knowledge toimprove/confirm detection

Potential privacy concerns; potential highcost at the back-end

B E

VARM [105] Novel approach, based on well-researched area

Feasibility and mapping of rules to con-clusions is unclear

L ?

Machine-learning [106] [115]

Machine learning allows easy generaliza-tion

Prone to gradual changing from attacks,decisions not transparent

L ?

NeuralNetworks [107]

Generalizability Fixed model, weak evaluation, privacyunclear

L,B ?

Active positiondetection [108]

Dedicated hardware for secure position-ing is highly effective

Hardware requirements, no privacy, vul-nerable to Sybil attacks

C ?

simple: assuming that an event, such as an icy road, is detectedby all passing vehicles and further assuming that the majorityof vehicles is honest, a simple majority vote about whetherthe road is actually icy should reveal possible misbehavior.

However, it is a common assumption that vehicles willuse short-term pseudonyms for communication to protectprivacy, as discussed in Section III-C. Therefore, an importantopen issue is to build a scheme that performs voting usingpseudonyms, while still providing the necessary resilienceagainst Sybil attacks. A simple solution would be to requirethat a vehicle can only use one pseudonym at a time, but thisassumption is disputable both from a practical and a privacypoint of view. Although some work has already been done(see Section V-A2), it is an open challenge to design a votingscheme where all participants can use arbitrary pseudonymswhile still allowing to reveal multiple votes by the samevehicle. One possible solution for this challenge is to assumelimited processing capabilities for the attacker and employ

a cryptographic primitive called Proof-of-Work (PoW). Asthe name implies, this primitive allows a vehicle to provethat it has performed some amount of computation, and itis traditionally employed to hinder denial of service attacks.This works because the computation becomes exponentiallyharder and cannot be precomputed. One proposal to usePoW mechanisms for cITS is [119], which requires PoW forevidence that an event actually occurred. The problem withthese approaches is that they pose significant computationaloverhead, and thus cannot work in all situations. An alternativewould be assuming a functioning revocation infrastructurewith strong penalties. This significantly reduces the prevalenceof malicious nodes, since they would be removed from thenetwork, which reduces the required false negative rate. How-ever, this does not protect the cITS against stronger, irrationalattacker models, since these will not care about penalties.

d) Linkable messages: While the aforementioned mech-anisms are beneficial for detecting misbehavior, they might

27

have negative impact on the location privacy the users. Asdiscussed above, pseudonym schemes are employed to preventattackers from collecting location traces of specific vehiclesover a longer time. The standardization efforts aim mainlyat preventing privacy impact on a larger scale: the goal is toprevent attackers from efficiently following many participants,given a few stationary attacker-controlled network nodes. Thisis opposed to attackers that track a single vehicle with amoving node – this is, after all, equivalent to physically fol-lowing a vehicle. It has been shown by privacy research [120]that it is possible to track vehicles in this manner, which isindeed necessary for certain safety applications, such as thosethat rely on path prediction. This functionality is provided byemploying movement models for vehicles to predict futurepositions and correlate them with current positions. Suchlinking can provide the necessary information, which can notonly enable cITS applications, but also misbehavior detection.Indeed, several data-centric mechanisms, such as [71], alreadyexploit this approach. However, it is an open challenge toassess the exact privacy impact of these mechanisms andtheir full potential for misbehavior detection. In particular,the reliability of these mechanisms can subsequently have alarge impact on accuracy, which an attacker could exploit. Weremark that mechanisms relying on these approaches may bedefeated by future, more powerful privacy mechanisms.

e) Cooperative misbehavior detection: As long as ve-hicles or other entities only analyze locally received data todetect misbehavior, trust in the derived opinions is not a bigissue. That is, we can assume that vehicles trust the mech-anisms running locally. Even though the decisions reachedmight be associated with uncertainty, that uncertainty is stillknown. Once vehicles exchange reports with other vehicles,the situation is different. A misbehavior report received byanother vehicle is basically just another item of information,like any other information item received from remote vehicles.Therefore, we have to assume that the misbehavior reports canbe fake as well. Some schemes propose to solve this issueby collecting a number of misbehavior reports from differentvehicles, again using a voting mechanism, which relies onlong-term identities. Other approaches propose to solve theissue by so-called suicide schemes where vehicles reportingmisbehavior of other vehicles also exempt themselves fromthe network (see Section V-A2). However, another large shareof related work ignores the issue of trusting cooperativemisbehavior reports. These schemes assume that reports fromother vehicles are trustworthy if they carry correct signatures.An ideal solution for cooperative misbehavior detection hasnot been presented yet.

f) Level of reporting to back-end: As discussed above,we need to rethink the level of reporting to the back-endin order to benefit from misbehavior detection in the back-end. If the back-end only receives reports about definitemisbehavior, then local nodes have already identified themisbehavior. Hence, the additional benefit of involving theback-end is limited to possible revocation of the misbehavingnodes’ certificates. On the other hand, it is not possible toreport all data received by vehicles to the back-end becauseof bandwidth constraints. It is an open challenge to find a good

trade-off between reporting somewhat suspicious behavior tothe back-end in order to allow for better attack detection andnot using too much bandwidth.

g) Comparison and Reproducibility: A final importantopen issue is that many of the presented articles are difficult tocompare, because their detection mechanisms rely on differentattacker models. In this article, we attempted to describe thedifferences in attacker model by illustrating vulnerabilities insome mechanisms, but to truly compare schemes, detectionshould be performed in the same scenario against the sameattacks. The simplest way to do this would be to use acommon dataset, shared between different authors, and thisis the approach suggested in [121]. However, as noted inthat article, it would be erroneous to conclude from a highdetection rate against this dataset that all attacks can bedetected. To achieve good results, a mutual development ofnovel attacks and detection mechanisms is necessary. Thisin turn requires that attack and detection code be publishedalongside the articles, such that authors can compare results.Unfortunately, this practice is not yet commonplace in ourfield, and thus this presents an important open challenge.

C. Applications beyond cITS

Now that we have studied and classified the state of theart misbehavior detection mechanisms for cITS, we addressthe possible application of the ideas of these mechanisms toother cyber-physical system (CPS). Although many possiblechoices exist, we have chosen two domains that seem mostappropriate: WSNs, due to their ephemeral and ad-hoc nature,and industrial control systems (ICS), due to the potential for(especially) plausibility-based misbehavior detection mecha-nisms that we have identified.

1) Wireless Sensor Networks: Similar to cITS, WSNs area type of network that is built up out of many different nodeswith significant geographic distribution and connected througha wireless medium. Contrary to cITS, mobility is limited ina WSN, as sensors are relatively stationary entities. The mainpurpose of WSNs is to collect information in an efficientand cost-effective manner, using cheap throw-away devicesthat have a battery and a wireless transmitter. For example,WSNs are used to monitor the temperature of the great barrierreef [122]. For the lifetime of these networks, it is extremelyimportant to monitor resource usage, particularly when trans-mitting messages, because transmission of messages is by farthe most costly operation in terms of battery power. There areusually also one or more base stations involved in a WSN,to provide access to the sensor functionality and to performmore expensive operations [73].

There is already existing work that extensively surveysattacks and defensive techniques for WSNs, which we brieflydiscuss below. We discuss why these approaches cannot begeneralized to CPS, while the mechanisms we have reviewedshow significant potential to be generalized and applied toWSNs.

Zhou et al. [73] describe the WSN setting primarily asdefined by resource-constrained sensors that perform bothsensing and processing, while having a central authority that

28

establishes the network. The network is mostly static andincludes one or more base stations controlled by the author-ity. The main security challenges identified by the authorsare the public nature of both the wireless medium and theprotocols, the lack of (physical) surveillance of nodes andfinally the extreme resource constraints. They also identifynode compromise as one of the most challenging attackson WSN, which we have similarly identified as applying togeneral CPS. Contrary to the cITS use case, WSNs typicallyalso include confidentiality requirements. The authors thenprovide a thorough analysis of key management protocols,authentication and integrity, secure routing, intrusion detectionand secure applications. Out of these security mechanisms, wefocus on those relating to our discussions regarding reactivesecurity: integrity and intrusion detection, which are the mainissues that we see recurring in CPS.

As we have emphasized, protecting the message in transitis not sufficient when insider attackers need to be considered.The authors of [73] address the issue of node compromise intheir section on intrusion detection. Although node compro-mise implies an outside attacker, the effects on the network areessentially the same; an attacker can transmit validly signedmessage (i.e., this enables misbehavior, which is what weaim to detect). The discussed misbehavior detection mecha-nisms raised in this work include a discussion of location-based keys, signal analysis as discussed in Section V-B1and countermeasures to routing misbehavior as discussed inSection V-A1. Finally, the authors have discussed denial ofservice and jamming a type of attack that is extremely hardto detect, and secure base stations as another issue that isfairly specific to WSNs. The authors note that it is possiblethat base stations become compromised, even though they aregenerally assumed to be secure, followed by a discussion ofpreventive mechanisms for base stations. Similar assumptionsexist in cITS for road side units (RSUs), but the detectionof malicious RSUs is generally easier because they are notessential to a cITS the way they are for WSNs. Mechanismsemployed for cITS could be used to address this challenge inexchange for higher computational overhead.

Finally, as their section on open issues describes [73],detecting intruders remains a difficult task, and many mech-anisms only focus on a particular attack. We claim that oursurvey provides further insight into what mechanisms exist,and we include several mechanisms that describe combinationsof existing schemes. For future work, we believe a primarygoal of the CPS research community should be to developa more systematic approach to this problem. This approachcan then be aided by our survey, which can be used to selectdifferent types of mechanisms to gain an overall insight ofpotential attackers in the network. This includes the transferof mechanisms described here into the area of WSNs, inparticular the recurring patterns we have identified in theprevious section. For example, physical models that describethe behavior of a complex system monitored by a WSN canbe used to verify the messages transmitted by individual nodesat a base station, or at an aggregating node.

2) Unmanned Areal Vehicles: Recent advances in the devel-opment and wide-spread adoption of unmanned areal vehicles

(UAVs) have led to the idea that it may be useful to addcommunication capabilities to these devices. In some sense,networked UAVs are thus quite similar to VANETs: both aretypes of ad-hoc networks with mobile nodes and a decentral-ized infrastructure. In contrast to cITS, where the existence ofperiodic availability of back-end communication and relativelyhigh-power devices, UAVs put much stricter requirementson the decentralized nature of communication. Additionally,the application of these networks is almost exclusively rout-ing [123], and thus the associated attacks fall outside the scopeof this survey. Future applications of UAVs that also includeapplication-specific information (e.g., relative positions andspeeds), which are subject to similar attacks addressed bymost detectors described in this article, as addressed bysome recent work [109]. Similarly, applications discussedfor WSNs discussed above apply equally to UAVs designedfor collaborative sensing applications, as such networks aresimply a highly dynamic variant of WSNs. Some dedicatedsecurity mechanisms have been proposed specifically for thesenetworks [124], [125]; however, adopting these works to thespecifics of cITS is likely non-trivial, because these authorsspecify different assumptions. For example, these assumptionsinclude a much lower density, no privacy requirements anda central control system that collects the data (the groundstation in [125]). For a detailed review of security and privacyrequirements for these devices, we refer interested readers toan existing survey on this topic [126].

3) Industrial Control Systems: Unlike cITS, ICS are a typeof CPS that has historically grown out of the field of controlsystems, and the focus of these systems has primarily beensafety, rather than security [1]. Specifically, ICS must avoidindividual but random failures from escalating and causing acascading failure, that is, causing a shutdown of componentsthat are not directly related to the original failure. To this end,much research has been conducted, but recent developmentsregarding attacks on these systems, such as those by Stuxnet,that these systems are not built to resist targeted attacks. Inthe past, ICS were internal networks, which were completelyseparated from the Internet by a so-called “air-gap”, meaningno direct connectivity is possible. However, the necessity ofpatching these systems and the use of re-writable media likeUSB-devices has led many security researchers to concludethat a complete “air-gap” is not a feasible solution. In addition,secure connectivity has already provided organizations withsignificant cost savings and ease of management for thesesystems. Therefore, we study how misbehavior detection canbe used to improve security in these systems, in particularagainst an insider attack that attempts to cause damage bydisrupting or sabotaging the industrial process controlled bythe ICS. Again, the recurring patterns we have identified forcITS may provide significant insights for new developments inICS, for example through the application of physical modelsto detect anomalies with high accuracy.

VII. CONCLUSION

In this survey, we have provided an overview of differentapproaches to misbehavior detection in cITS. cITS are a

29

promising type of networked system that connect vehicles,road-side units and back-end systems in order to achieve safer,more efficient and more comfortable travel on roads. cITSare an instance of CPS, a type of system where interactionbetween the physical world and the cyber world is a centralaspect. CPS have several unique challenges, including thecritical usage scenarios, strong resource and cost constraints,and high scalability requirements. These challenges lead tonew and strong security requirements, which lead to thedevelopment of misbehavior detection as a second, reactivelayer of security on top of the first, proactive layer. In thecase of cITS, this proactive security layer is the PKI, whichenables the exclusion of attackers that do not possess keymaterial. However, in highly constrained environments likeCPS, some network nodes may be compromised to obtainkey material; in particular, in cITS, an attacker may obtainlegitimate key material by manipulating her own vehicle tosend arbitrary messages. Therefore, reactive security in theform of misbehavior detection is a necessary tool to providesecurity in cITS. Although many of these schemes wereoriginally designed for vehicular ad-hoc networks (VANETs),our discussion is designed to present them in the contextof upcoming cITS, where autonomous vehicles communicate.We have surveyed such misbehavior detection mechanisms indetail, and discussed their generalizability towards other CPS.

To this end, we have first defined the system model for cITS(Section III) and the concept of misbehavior in these systems(Section IV). We then presented a classification of differentmisbehavior detection mechanisms that have been developedin the literature over the last decade, designed specifically forcITS. The classification consists of node-centric mechanisms,which use properties of a sender to detect malicious messages,and data-centric mechanisms, which primarily analyze thesemantics of received messages. Node-centric mechanisms canbe sub-divided in two further classes; behavioral mechanisms,where the receiver analyzes aspects like message frequencyand conformance to standards, and trust-based mechanisms,which allow nodes to express trust in messages or sendersdirectly. Data-centric mechanism can be divided in plausibilitymechanisms, analyzing the semantics of a series of packetsfrom an individual sender, and consistency mechanisms, whichanalyze the consistency of messages received from multipledifferent senders. The classification has been used to discussa large number of different misbehavior detection mechanismsdeveloped in the literature, the results of which are summa-rized in Tables III, IV and V.

Although we have limited the survey of mechanisms tothose designed for cITS, we believe that this survey offersa contribution to the wider field of CPS, as the novel aspectsof mechanisms developed for cITS can be used to improve thesecurity of other CPS. To take a first step towards this goal, wehave analyzed the common aspects in Section VI and discussedtheir application to other systems from the CPS-domain. Weenvision two broad paths for future work; for security in cITS,taking further advantage of the highly orthogonal nature ofthe four different classes of misbehavior detection we havepresented is of vital importance, while the generalization ofmisbehavior detection mechanisms for cITS to general CPS

will allow the field to advance without sacrificing security.This survey has provided a wide scope of different detectionapproaches, which provides a conclusive overview of and in-troduction to the field for industry, developers, standardizationagencies, and aspiring researchers in this field.

ACKNOWLEDGEMENTS

We thank Anke Jentzsch and Hendrik Decke from Volkswa-gen AG, Germany, for their cooperation, feedback and fruitfuldiscussions concerning this survey. This work was supportedin part by the Baden-Württemberg Stiftung gGmbH Stuttgartas part of the project IKT-05 AutoDetect of its IT securityresearch programme.

REFERENCES

[1] F. Kargl, R. W. van der Heijden, H. König, A. Valdes, and M. C.Dacier, “Insights on the Security and Dependability of IndustrialControl Systems,” IEEE Security & Privacy, vol. 12, no. 6, pp. 75–78,Nov. 2014. [Online]. Available: https://doi.org/10.1109/MSP.2014.120

[2] J. Petit and S. Shladover, “Potential cyberattacks on automatedvehicles,” Intelligent Transportation Systems, IEEE Transactions on,vol. 16, no. 2, pp. 546–556, April 2015. [Online]. Available:https://doi.org/10.1109/TITS.2014.2342271

[3] R. Mitchell and I.-R. Chen, “A Survey of Intrusion DetectionTechniques for Cyber-physical Systems,” ACM Comput. Surv.,vol. 46, no. 4, pp. 55:1–55:29, Mar. 2014. [Online]. Available:http://doi.acm.org/10.1145/2542049

[4] S. Amin, G. A. Schwartz, and A. Hussain, “In quest ofbenchmarking security risks to cyber-physical systems,” IEEENetwork, vol. 27, no. 1, pp. 19–24, January 2013. [Online]. Available:https://doi.org/10.1109/MNET.2013.6423187

[5] E. Uhlemann, “The Battle of Technologies or the Battle ofBusiness Models? [Connected Vehicles],” IEEE Vehicular TechnologyMagazine, vol. 13, no. 1, pp. 14–18, Mar. 2018. [Online]. Available:https://doi.org/10.1109/MVT.2017.2781539

[6] M. Saini, A. Alelaiwi, and A. E. Saddik, “How close are we torealizing a pragmatic vanet solution? a meta-survey,” ACM Comput.Surv., vol. 48, no. 2, pp. 29:1–29:40, Nov. 2015. [Online]. Available:http://doi.acm.org/10.1145/2817552

[7] T. Leinmüller, E. Schoch, and C. Maihöfer, “Security requirementsand solution concepts in vehicular ad hoc networks,” in FourthAnnual Conference on Wireless on Demand Network Systems andServices (WONS). IEEE, Jan. 2007, pp. 84–91. [Online]. Available:https://doi.org/10.1109/WONS.2007.340489

[8] M. Amoozadeh, A. Raghuramu, C. n. Chuah, D. Ghosal, H. M.Zhang, J. Rowe, and K. Levitt, “Security vulnerabilities of connectedvehicle streams and their impact on cooperative driving,” IEEECommunications Magazine, vol. 53, no. 6, pp. 126–132, June 2015.[Online]. Available: https://doi.org/10.1109/MCOM.2015.7120028

[9] A. Alipour-Fanid, M. Dabaghchian, H. Zhang, and K. Zeng, “StringStability Analysis of Cooperative Adaptive Cruise Control underJamming Attacks,” in 2017 IEEE 18th International Symposium onHigh Assurance Systems Engineering (HASE), Jan. 2017, pp. 157–162.[Online]. Available: https://doi.org/10.1109/HASE.2017.39

[10] D. Jia, K. Lu, J. Wang, X. Zhang, and X. Shen, “A Survey on Platoon-Based Vehicular Cyber-Physical Systems,” IEEE CommunicationsSurveys & Tutorials, vol. 18, no. 1, pp. 263–284, 2016. [Online].Available: https://doi.org/10.1109/COMST.2015.2410831

[11] R. W. van der Heijden, T. Lukaseder, and F. Kargl, “Analyzingattacks on cooperative adaptive cruise control (cacc),” in 2017 IEEEVehicular Networking Conference (VNC), Nov 2017, pp. 45–52.[Online]. Available: https://doi.org/10.1109/VNC.2017.8275598

[12] F. Sabahi and A. Movaghar, “Intrusion detection: A survey,” in 3rdInternational Conference on Systems and Networks Communications(ICSNC). IEEE, 2008, pp. 23–26. [Online]. Available: https://doi.org/10.1109/ICSNC.2008.44

[13] A. Lazarevic, V. Kumar, and J. Srivastava, “Intrusion detection:A survey,” in Managing Cyber Threats, ser. Massive Computing,V. Kumar, J. Srivastava, and A. Lazarevic, Eds. Springer US,2005, vol. 5, pp. 19–78. [Online]. Available: https://doi.org/10.1007/0-387-24230-9_2

https://doi.org/10.1109/MSP.2014.120

https://doi.org/10.1109/TITS.2014.2342271

http://doi.acm.org/10.1145/2542049

https://doi.org/10.1109/MNET.2013.6423187

https://doi.org/10.1109/MVT.2017.2781539

http://doi.acm.org/10.1145/2817552

https://doi.org/10.1109/WONS.2007.340489

https://doi.org/10.1109/MCOM.2015.7120028

https://doi.org/10.1109/HASE.2017.39

https://doi.org/10.1109/COMST.2015.2410831

https://doi.org/10.1109/VNC.2017.8275598

https://doi.org/10.1109/ICSNC.2008.44

https://doi.org/10.1109/ICSNC.2008.44

https://doi.org/10.1007/0-387-24230-9_2

https://doi.org/10.1007/0-387-24230-9_2

30

[14] J. M. Estévez-Tapiador, P. Garcia-Teodoro, and J. E. Díaz-Verdejo,“Anomaly detection methods in wired networks: a survey andtaxonomy,” Computer Communications, vol. 27, no. 16, pp. 1569– 1584, 2004. [Online]. Available: https://doi.org/10.1016/j.comcom.2004.07.002

[15] H. Debar, M. Dacier, and A. Wespi, “Towards a taxonomy ofintrusion-detection systems,” Computer Networks, vol. 31, no. 8,pp. 805 – 822, 1999. [Online]. Available: http://doi.org/10.1016/S1389-1286(98)00017-6

[16] S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating routingmisbehavior in mobile ad hoc networks,” in Proceedings ofthe 6th annual international conference on Mobile computingand networking (MobiCom), ser. MobiCom ’00. New York,NY, USA: ACM Press, 2000, pp. 255–265. [Online]. Available:http://doi.acm.org/10.1145/345910.345955

[17] Z. Movahedi, Z. Hosseini, F. Bayan, and G. Pujolle, “Trust-Distortion Resistant Trust Management Frameworks on MobileAd Hoc Networks: A Survey,” IEEE Communications Surveys &Tutorials, vol. 18, no. 2, pp. 1287–1309, 2016. [Online]. Available:https://doi.org/10.1109/COMST.2015.2496147

[18] Y. Wu, Y. Zhao, M. Riguidel, G. Wang, and P. Yi, “Security andtrust management in opportunistic networks: a survey,” Security andCommunication Networks, vol. 8, no. 9, pp. 1812–1827, Jun. 2015.[Online]. Available: https://doi.org/10.1002/sec.1116

[19] J. Giraldo, E. Sarkar, A. A. Cardenas, M. Maniatakos, andM. Kantarcioglu, “Security and Privacy in Cyber-Physical Systems:A Survey of Surveys,” IEEE Design Test, vol. 34, no. 4, pp. 7–17,Aug. 2017. [Online]. Available: https://doi.org/10.1109/MDAT.2017.2709310

[20] D. Schmidt, K. Radke, S. Camtepe, E. Foo, and M. Ren, “A Surveyand Analysis of the GNSS Spoofing Threat and Countermeasures,”ACM Comput. Surv., vol. 48, no. 4, pp. 64:1–64:31, May 2016.[Online]. Available: http://doi.acm.org/10.1145/2897166

[21] L. C. Hua, M. H. Anisi, P. L. Yee, and M. Alam, “Social networking-based cooperation mechanisms in vehicular ad-hoc network—asurvey,” Vehicular Communications, vol. 10, no. Supplement C,pp. 57–73, Oct. 2017. [Online]. Available: https://doi.org/10.1016/j.vehcom.2017.11.001

[22] M. Azees, P. Vijayakumar, and L. J. Deborah, “Comprehensive surveyon security services in vehicular ad-hoc networks,” IET IntelligentTransport Systems, vol. 10, no. 6, pp. 379–388, 2016. [Online].Available: https://doi.org/10.1049/iet-its.2015.0072

[23] H. Hasrouny, A. E. Samhat, C. Bassil, and A. Laouiti, “VANet securitychallenges and solutions: A survey,” Vehicular Communications,vol. 7, no. Supplement C, pp. 7–20, Jan. 2017. [Online]. Available:http://www.sciencedirect.com/science/article/pii/S2214209616301231

[24] F. Sakiz and S. Sen, “A survey of attacks and detection mechanismson intelligent transportation systems: VANETs and IoV,” Ad HocNetworks, vol. 61, no. Supplement C, pp. 33–50, Jun. 2017. [Online].Available: https://doi.org/10.1016/j.adhoc.2017.03.006

[25] R. W. van der Heijden, S. Dietzel, T. Leinmüller, and F. Kargl, “Sur-vey on misbehavior detection in cooperative intelligent transportationsystems,” arXiv preprint https://arxiv.org/abs/1610.06810, 2016.

[26] E. Schoch, F. Kargl, and M. Weber, “Communication patterns inVANETs,” Communications Magazine, vol. 46, no. 11, pp. 119–125, 2008. [Online]. Available: https://doi.org/10.1109/MCOM.2008.4689254

[27] ETSI, “Intelligent Transport Systems (ITS); Vehicular communications;GeoNetworking; Basic Set of Applications; Part 2: Specification ofCooperative Awareness Basic Service,” Technical Specification: TS 102637-2, V1.1.1, March 2011.

[28] ——, “Intelligent Transport Systems (ITS); Vehicular communications;GeoNetworking; Basic Set of Applications; Part 3: Specifications ofDecentralized Environmental Notification Basic Service,” TechnicalSpecification: TS 102 637-3, V1.1.1, September 2010.

[29] M. McGurrin, “Vehicle information exchange needs formobility applications exchange,” United States Department ofTransportation, Tech. Rep., February 2012. [Online]. Avail-able: http://ntl.bts.gov/lib/45000/45400/45492/Vehicle_Information_Needs_and_BSM_-_FINAL_508Compliant.pdf

[30] SAE International, “Dedicated short range communications (DSRC)message set dictionary,” Tech. Rep. J2735, November 2009. [Online].Available: http://standards.sae.org/j2735_200911/

[31] ETSI, “Intelligent Transport Systems (ITS); Vehicular communications;GeoNetworking; Part 4: Geographical addressing and forwarding forpoint-to-point and point-to-multipoint communications; Sub-part 1:

Media-Independent Functionality,” Technical Specification: TS 102636-4-1, V1.1.1, June 2011.

[32] N. Banerjee, M. D. Corner, D. Towsley, and B. N. Levine,“Relays, base stations, and meshes: enhancing mobile networkswith infrastructure,” in Proceedings of the 14th ACM internationalconference on Mobile computing and networking, ser. MobiCom’08. New York, NY, USA: ACM Press, 2008, pp. 81–91. [Online].Available: http://doi.acm.org/10.1145/1409944.1409955

[33] R. Molina-Masegosa and J. Gozalvez, “LTE-V for Sidelink 5g V2xVehicular Communications: A New 5g Technology for Short-RangeVehicle-to-Everything Communications,” IEEE Vehicular TechnologyMagazine, vol. 12, no. 4, pp. 30–39, Dec. 2017. [Online]. Available:https://doi.org/10.1109/MVT.2017.2752798

[34] M. Charitos and G. Kalivas, “MIMO HetNet IEEE 802.11p–LTEdeployment in a vehicular urban environment,” VehicularCommunications, vol. 9, pp. 222–232, Jul. 2017. [Online]. Available:https://doi.org/10.1016/j.vehcom.2016.12.004

[35] N. Dreyer, A. Moller, Z. H. Mir, F. Filali, and T. Kurner, “AData Traffic Steering Algorithm for IEEE 802.11p/LTE HybridVehicular Networks,” in 2016 IEEE 84th Vehicular TechnologyConference (VTC-Fall), Sep. 2016, pp. 1–6. [Online]. Available:https://doi.org/10.1109/VTCFall.2016.7880850

[36] T. L. Willke, P. Tientrakool, and N. F. Maxemchuk, “A survey ofinter-vehicle communication protocols and their applications,” IEEECommunications Surveys & Tutorials, vol. 11, no. 2, pp. 3–20, Second2009. [Online]. Available: https://doi.org/10.1109/SURV.2009.090202

[37] M. Raya and J.-P. Hubaux, “Securing vehicular ad hoc networks,”Journal of Computer Security, vol. 15, pp. 39–68, 2007. [Online].Available: https://doi.org/10.3233/JCS-2007-15103

[38] F. Kargl, P. Papadimitratos, L. Buttyan, M. Müter, E. Schoch,B. Wiedersheim, T.-V. Thong, G. Calandriello, A. Held,A. Kung, and J.-P. Hubaux, “Secure vehicular communicationsystems: implementation, performance, and research challenges,”Communications Magazine, vol. 46, no. 11, pp. 110–118, 2008.[Online]. Available: https://doi.org/10.1109/MCOM.2008.4689253

[39] P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger,M. Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux,“Secure vehicular communication systems: design and architecture,”Communications Magazine, vol. 46, no. 11, pp. 100–109, 2008.[Online]. Available: https://doi.org/10.1109/MCOM.2008.4689252

[40] ETSI, “Intelligent Transport Systems (ITS); Security; Security headerand certificate formats,” Technical Specification: TS 103 097, V1.1.1,April 2013.

[41] IEEE, “IEEE 1609.2: IEEE standard for wireless access in vehicularenvironments - security services for applications and managementmessages,” IEEE Vehicular Technology Society, 2013.

[42] M. Feiri, J. Petit, and F. Kargl, “Congestion-based certificate omissionin VANETs,” in Proceedings of the Ninth ACM InternationalWorkshop on Vehicular Inter-networking, Systems, and Applications,ser. VANET ’12. New York, NY, USA: ACM, 2012, p. 135–138.[Online]. Available: http://doi.acm.org/10.1145/2307888.2307915

[43] National Institute of Standards and Technology (NIST), “Digital signa-ture standard,” Federal Information Processing Standards, Tech. Rep.FIPS PUB 186-4, july 2013.

[44] M. Raya, P. Papadimitratos, and J.-P. Hubaux, “Securing vehicularcommunications,” Wireless Communications Magazine, vol. 13, no. 5,pp. 8–15, Oct. 2006. [Online]. Available: https://doi.org/10.1109/WC-M.2006.250352

[45] J. Petit, F. Schaub, M. Feiri, and F. Kargl, “Pseudonym schemesin vehicular networks: A survey,” IEEE Communications Surveys &Tutorials, vol. 17, no. 1, pp. 228–255, Firstquarter 2015. [Online].Available: https://doi.org/10.1109/COMST.2014.2345420

[46] J. R. Douceur, “The sybil attack,” in Peer-to-Peer Systems, ser.Lecture Notes in Computer Science, P. Druschel, F. Kaashoek,and A. Rowstron, Eds., vol. 2429. Springer Berlin Heidelberg,Mar. 2002, pp. 251–260. [Online]. Available: https://doi.org/10.1007/3-540-45748-8_24

[47] B. Brecht, D. Therriault, A. Weimerskirch, W. Whyte, V. Kumar,T. Hehn, and R. Goudy, “A security credential managementsystem for v2x communications,” IEEE Transactions on IntelligentTransportation Systems, vol. PP, no. 99, pp. 1–22, 2018. [Online].Available: https://doi.org/10.1109/TITS.2018.2797529

[48] M. Khodaei, H. Jin, and P. Papadimitratos, “SECMACE: Scalableand Robust Identity and Credential Management Infrastructure inVehicular Communication Systems,” IEEE Transactions on IntelligentTransportation Systems (IEEE ITS), April 2018. [Online]. Available:https://doi.org/10.1109/TITS.2017.2722688

https://doi.org/10.1016/j.comcom.2004.07.002

https://doi.org/10.1016/j.comcom.2004.07.002

http://doi.org/10.1016/S1389-1286(98)00017-6

http://doi.org/10.1016/S1389-1286(98)00017-6

http://doi.acm.org/10.1145/345910.345955


https://doi.org/10.1002/sec.1116

https://doi.org/10.1109/MDAT.2017.2709310

https://doi.org/10.1109/MDAT.2017.2709310

http://doi.acm.org/10.1145/2897166

https://doi.org/10.1016/j.vehcom.2017.11.001


https://doi.org/10.1049/iet-its.2015.0072

http://www.sciencedirect.com/science/article/pii/S2214209616301231

https://doi.org/10.1016/j.adhoc.2017.03.006

https://arxiv.org/abs/1610.06810



http://ntl.bts.gov/lib/45000/45400/45492/Vehicle_Information_Needs_and_BSM_-_FINAL_508Compliant.pdf

http://ntl.bts.gov/lib/45000/45400/45492/Vehicle_Information_Needs_and_BSM_-_FINAL_508Compliant.pdf

http://standards.sae.org/j2735_200911/

http://doi.acm.org/10.1145/1409944.1409955

https://doi.org/10.1109/MVT.2017.2752798


https://doi.org/10.1109/VTCFall.2016.7880850

https://doi.org/10.1109/SURV.2009.090202

https://doi.org/10.3233/JCS-2007-15103



http://doi.acm.org/10.1145/2307888.2307915

https://doi.org/10.1109/WC-M.2006.250352

https://doi.org/10.1109/WC-M.2006.250352


https://doi.org/10.1007/3-540-45748-8_24

https://doi.org/10.1007/3-540-45748-8_24



31

[49] E. Koutrouli and A. Tsalgatidou, “Reputation Systems EvaluationSurvey,” ACM Comput. Surv., vol. 48, no. 3, pp. 35:1–35:28, Dec.2015. [Online]. Available: http://doi.acm.org/10.1145/2835373

[50] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway,D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage,“Experimental Security Analysis of a Modern Automobile,” in 2010IEEE Symposium on Security and Privacy, May 2010, pp. 447–462.[Online]. Available: https://doi.org/10.1109/SP.2010.34

[51] P. Kleberger, T. Olovsson, and E. Jonsson, “Security aspects of thein-vehicle network in the connected car,” in 2011 IEEE IntelligentVehicles Symposium (IV), Jun. 2011, pp. 528–533. [Online]. Available:https://doi.org/10.1109/IVS.2011.5940525

[52] M. Raya, P. Papadimitratos, I. Aad, D. Jungels, and J.-P.Hubaux, “Eviction of misbehaving and faulty nodes in vehicularnetworks,” Journal on Selected Areas in Communications, vol. 25,no. 8, pp. 1557 –1568, oct. 2007. [Online]. Available: http://doi.org/10.1109/JSAC.2007.071006

[53] X. Zhuo, J. Hao, D. Liu, and Y. Dai, “Removal of misbehaving insidersin anonymous VANETs,” in Proceedings of the 12th ACM internationalconference on Modeling, analysis and simulation of wireless andmobile systems - MSWiM ’09. New York, NY, USA: ACM Press, 2009,p. 106. [Online]. Available: http://doi.org/10.1145/1641804.1641824

[54] D. Antolino Rivas, J. M. Barceló-Ordinas, M. Guerrero Zapata, andJ. D. Morillo-Pozo, “Security on VANETs: Privacy, misbehaving nodes,false information and secure data aggregation,” Journal of Networkand Computer Applications, vol. 34, no. 6, pp. 1942–1955, Nov.2011. [Online]. Available: http://doi.org/10.1016/j.jnca.2011.07.006

[55] N.-W. Lo and H.-C. Tsai, “Illusion Attack on VANET Applications- A Message Plausibility Problem,” in 2007 IEEE GlobecomWorkshops. IEEE, Nov. 2007, pp. 1–8. [Online]. Available:http://doi.org/10.1109/GLOCOMW.2007.4437823

[56] X. Lin, R. Lu, C. Zhang, H. Zhu, P.-H. Ho, and X. Shen,“Security in vehicular ad hoc networks,” Communications Magazine,vol. 46, no. 4, pp. 88–95, 2008. [Online]. Available: https://doi.org/10.1109/MCOM.2008.4481346

[57] Y. Yao, B. Xiao, G. Wu, X. Liu, Z. Yu, K. Zhang, and X. Zhou, “Multi-channel based Sybil Attack Detection in Vehicular Ad Hoc Networksusing RSSI,” IEEE Transactions on Mobile Computing, pp. 1–1, 2018.[Online]. Available: https://doi.org/10.1109/TMC.2018.2833849

[58] I. Bilogrevic, M. H. Manshaei, M. Raya, and J.-P. Hubaux, “Optimalrevocations in ephemeral networks: A game-theoretic framework,” inProceedings of the 8th International Symposium on Modeling andOptimization in Mobile, Ad Hoc and Wireless Networks (WiOpt).IEEE, May 2010, pp. 21 –30.

[59] B. Liu, J. T. Chiang, and Y.-c. Hu, “Limits on Revocation inVANETs,” Pre-proceedings of the 8th International Conference onApplied Cryptography and Network Security (ACNS 2010), pp. 38–52,2010. [Online]. Available: http://users.crhc.illinois.edu/yihchun/pubs/acns10.pdf

[60] N. Bißmeyer, B. Schünemann, I. Radusch, and C. Schmidt, “Simulationof attacks and corresponding driver behavior in vehicular ad hocnetworks with VSimRTI,” in Proceedings of the 4th International ICSTConference on Simulation Tools and Techniques, ser. SIMUTools ’11.ICST, Brussels, Belgium, Belgium: ICST, 2011, pp. 162–167. [Online].Available: http://dl.acm.org/citation.cfm?id=2151054.2151086

[61] T. Leinmüller, R. K. Schmidt, E. Schoch, A. Held, and G. Schäfer,“Modeling roadside attacker behavior in VANETs,” in 2008 IEEEGLOBECOM Workshops. IEEE, 2008, pp. 1–10. [Online]. Available:https://doi.org/10.1109/GLOCOMW.2008.ECP.63

[62] I. Bilogrevic, M. H. Manshaei, M. Raya, and J.-P. Hubaux, “Oren:Optimal revocations in ephemeral networks,” Computer Networks,vol. 55, no. 5, pp. 1168 – 1180, 2011. [Online]. Available:http://doi.org/10.1016/j.comnet.2010.11.010

[63] D. B. Rawat, B. B. Bista, G. Yan, and M. C. Weigle, “SecuringVehicular Ad-hoc Networks Against Malicious Drivers: A ProbabilisticApproach,” in Proceedings of the 2011 International Conference onComplex, Intelligent, and Software Intensive Systems. IEEE, Jun. 2011,pp. 146–151. [Online]. Available: http://doi.org/10.1109/CISIS.2011.30

[64] C. Troncoso, G. Danezis, E. Kosta, J. Balasch, and B. Preneel, “Pri-PAYD: Privacy-Friendly Pay-As-You-Drive Insurance,” Transactionson Dependable and Secure Computing, vol. 8, no. 5, pp. 742–755,2011. [Online]. Available: https://doi.org/10.1109/TDSC.2010.71

[65] N. Bißmeyer, J. Njeukam, J. Petit, and K. M. Bayarou, “Centralmisbehavior evaluation for VANETs based on mobility dataplausibility,” in Proceedings of the ninth ACM international workshopon Vehicular inter-networking, systems, and applications (VANET).

New York, NY, USA: ACM Press, 2012, pp. 73–82. [Online].Available: http://doi.org/10.1145/2307888.2307902

[66] F. Schaub, F. Kargl, Z. Ma, and M. Weber, “V-tokens forconditional pseudonymity in VANETs,” in Proceedings of the WirelessCommunications and Networking Conference (WCNC). IEEE, Apr.2010, pp. 1–6. [Online]. Available: https://doi.org/10.1109/WCNC.2010.5506126

[67] W. Whyte, A. Weimerskirch, V. Kumar, and T. Hehn, “A securitycredential management system for v2v communications,” in VehicularNetworking Conference. IEEE, Dec 2013, pp. 1–8. [Online].Available: https://doi.org/10.1109/VNC.2013.6737583

[68] G. Guette and B. Ducourthial, “On the Sybil attack detection inVANET,” in 2007 IEEE Internatonal Conference on Mobile Adhocand Sensor Systems. IEEE, Oct. 2007, pp. 1–6. [Online]. Available:http://doi.org/10.1109/MOBHOC.2007.4428742

[69] B. Xiao, B. Yu, and C. Gao, “Detection and localization of sybil nodesin VANETs,” in Proceedings of the 2006 workshop on Dependabilityissues in wireless ad hoc networks and sensor networks (DIWANS).New York, NY, USA: ACM Press, 2006, pp. 1–8. [Online]. Available:http://doi.org/10.1145/1160972.1160974

[70] H. Stübing, A. Jaeger, N. Bißmeyer, C. Schmidt, andS. A. Huss, “Verifying mobility data under privacyconsiderations in Car-to-X communication,” in Proceedings of17th ITS World Congress. ITS America, 2010, pp. 1–12. [Online]. Available: http://trid.trb.org/view.aspx?id=1107457http://publica.fraunhofer.de/eprints/urn:nbn:de:0011-n-2123800.pdf

[71] H. Stübing, J. Firl, and S. A. Huss, “A two-stage verificationprocess for Car-to-X mobility data based on path predictionand probabilistic maneuver recognition,” in 2011 IEEE VehicularNetworking Conference (VNC). IEEE, Nov. 2011, pp. 17–24.[Online]. Available: http://doi.org/10.1109/VNC.2011.6117119

[72] D. Djenouri, L. Khelladi, and N. Badache, “A survey of securityissues in mobile ad hoc and sensor networks,” IEEE CommunicationsSurveys & Tutorials, vol. 7, no. 4, pp. 2–28, 2005. [Online]. Available:https://doi.org/10.1109/COMST.2005.1593277

[73] Y. Zhou, Y. Fang, and Y. Zhang, “Securing wireless sensornetworks: a survey,” IEEE Communications Surveys & Tutorials,vol. 10, no. 3, pp. 6–28, 2008. [Online]. Available: https://doi.org/10.1109/COMST.2008.4625802

[74] J. Hortelano, J. C. Ruiz, and P. Manzoni, “Evaluating theusefulness of watchdogs for intrusion detection in VANETs,”in IEEE International Conference on Communications Workshops(ICC). IEEE, May 2010, pp. 1–5. [Online]. Available: http://doi.org/10.1109/ICCW.2010.5503946

[75] A. Hamieh, J. Ben-Othman, and L. Mokdad, “Detection of radiointerference attacks in VANET,” in IEEE Global TelecommunicationsConference (GLOBECOM). IEEE, 30 2009-dec. 4 2009, pp. 1 –5.[Online]. Available: http://doi.org/10.1109/GLOCOM.2009.5425381

[76] O. Puñal, A. Aguiar, and J. Gross, “In VANETs we trust?:Characterizing RF jamming in vehicular networks,” in Proceedingsof the Ninth ACM International Workshop on Vehicular Inter-networking, Systems, and Applications, ser. VANET ’12. NewYork, NY, USA: ACM, 2012, pp. 83–92. [Online]. Available:http://doi.acm.org/10.1145/2307888.2307903

[77] C. Chen, X. Wang, W. Han, and B. Zang, “A Robust Detectionof the Sybil Attack in Urban VANETs,” in 29th IEEE InternationalConference on Distributed Computing Systems Workshops. IEEE,Jun. 2009, pp. 270–276. [Online]. Available: http://doi.org/10.1109/ICDCSW.2009.48

[78] T. Zhou, R. R. Choudhury, P. Ning, and K. Chakrabarty, “P2DAP —Sybil Attacks Detection in Vehicular Ad Hoc Networks,” Journal onSelected Areas in Communications, vol. 29, no. 3, pp. 582–594, Mar.2011. [Online]. Available: http://doi.org/10.1109/JSAC.2011.110308

[79] S. Chang, Y. Qi, H. Zhu, J. Zhao, and X. Shen, “Footprint: DetectingSybil Attacks in Urban Vehicular Networks,” Transactions on Paralleland Distributed Systems, vol. 23, no. 6, pp. 1103 – 1114, 2012.[Online]. Available: http://doi.org/10.1109/TPDS.2011.263

[80] C. Sowattana, W. Viriyasitavat, and A. Khurat, “Distributedconsensus-based Sybil nodes detection in VANETs,” in 2017 14thInternational Joint Conference on Computer Science and SoftwareEngineering (JCSSE), Jul. 2017, pp. 1–6. [Online]. Available:https://doi.org/10.1109/JCSSE.2017.8025908

[81] M. Raya, P. Papadimitratos, V. D. Gligor, and J.-P. Hubaux, “OnData-Centric Trust Establishment in Ephemeral Ad Hoc Networks,”in 2008 IEEE INFOCOM - The 27th Conference on ComputerCommunications. IEEE, Apr. 2008, pp. 1238–1246. [Online].Available: http://doi.org/10.1109/INFOCOM.2008.180

http://doi.acm.org/10.1145/2835373

https://doi.org/10.1109/SP.2010.34

https://doi.org/10.1109/IVS.2011.5940525

http://doi.org/10.1109/JSAC.2007.071006

http://doi.org/10.1109/JSAC.2007.071006

http://doi.org/10.1145/1641804.1641824

http://doi.org/10.1016/j.jnca.2011.07.006

http://doi.org/10.1109/GLOCOMW.2007.4437823



https://doi.org/10.1109/TMC.2018.2833849

http://users.crhc.illinois.edu/yihchun/pubs/acns10.pdf

http://users.crhc.illinois.edu/yihchun/pubs/acns10.pdf

http://dl.acm.org/citation.cfm?id=2151054.2151086

https://doi.org/10.1109/GLOCOMW.2008.ECP.63

http://doi.org/10.1016/j.comnet.2010.11.010

http://doi.org/10.1109/CISIS.2011.30

https://doi.org/10.1109/TDSC.2010.71

http://doi.org/10.1145/2307888.2307902

https://doi.org/10.1109/WCNC.2010.5506126

https://doi.org/10.1109/WCNC.2010.5506126

https://doi.org/10.1109/VNC.2013.6737583

http://doi.org/10.1109/MOBHOC.2007.4428742

http://doi.org/10.1145/1160972.1160974

http://trid.trb.org/view.aspx?id=1107457 http://publica.fraunhofer.de/eprints/urn:nbn:de:0011-n-2123800.pdf

http://trid.trb.org/view.aspx?id=1107457 http://publica.fraunhofer.de/eprints/urn:nbn:de:0011-n-2123800.pdf

http://doi.org/10.1109/VNC.2011.6117119




http://doi.org/10.1109/ICCW.2010.5503946

http://doi.org/10.1109/ICCW.2010.5503946

http://doi.org/10.1109/GLOCOM.2009.5425381

http://doi.acm.org/10.1145/2307888.2307903

http://doi.org/10.1109/ICDCSW.2009.48

http://doi.org/10.1109/ICDCSW.2009.48

http://doi.org/10.1109/JSAC.2011.110308

http://doi.org/10.1109/TPDS.2011.263

https://doi.org/10.1109/JCSSE.2017.8025908

http://doi.org/10.1109/INFOCOM.2008.180

32

[82] Z. Cao, J. Kong, U. Lee, M. Gerla, and Z. Chen, “Proof-of-Relevance: Filtering False Data via Authentic Consensus in Vehicle Ad-hocNetworks,” in IEEE INFOCOM Workshops. IEEE, 2008, pp. 1–6.[Online]. Available: http://doi.org/10.1109/INFOCOM.2008.4544650

[83] H.-C. Hsiao, A. Studer, R. Dubey, E. Shi, and A. Perrig, “Efficient andsecure threshold-based event validation for vanets,” in Proceedings ofthe fourth ACM conference on Wireless network security, ser. WiSec’11. New York, NY, USA: ACM Press, 2011, pp. 163–174. [Online].Available: http://doi.acm.org/10.1145/1998412.1998440

[84] T. Leinmüller, R. K. Schmidt, and A. Held, “Cooperative PositionVerification-Defending Against Roadside Attackers 2.0,” in Proceed-ings of 17th ITS World Congress. ITS America, 2010.

[85] T. H.-J. Kim, A. Studer, R. Dubey, X. Zhang, A. Perrig,F. Bai, B. Bellur, and A. Iyer, “VANET alert endorsementusing multi-source filters,” in Proceedings of the seventh ACMinternational workshop on VehiculAr InterNETworking (VANET).New York, NY, USA: ACM Press, 2010, p. 51. [Online]. Available:http://doi.org/10.1145/1860058.1860067

[86] J. Petit, M. Feiri, and F. Kargl, “Spoofed data detection in vanetsusing dynamic thresholds,” in Vehicular Networking Conference(VNC). IEEE, nov. 2011, pp. 25 –32. [Online]. Available:http://doi.org/10.1109/VNC.2011.6117120

[87] M. Raya, R. Shokri, and J.-P. Hubaux, “On the tradeoff between trustand privacy in wireless ad hoc networks,” in Proceedings of the thirdACM conference on Wireless network security, ser. WiSec ’10. NewYork, NY, USA: ACM Press, 2010, pp. 75–80. [Online]. Available:http://doi.acm.org/10.1145/1741866.1741879

[88] G. Shafer, A mathematical theory of evidence. Princeton universitypress, 1976.

[89] A. P. Dempster, “Upper and lower probabilities induced bya multivalued mapping,” The annals of mathematical statistics,vol. 38, no. 2, pp. 325–339, 1967. [Online]. Available: https://doi.org/10.1214/aoms/1177698950

[90] S. Ruj, M. A. Cavenaghi, Z. Huang, A. Nayak, and I. Stojmenovic,“On Data-Centric Misbehavior Detection in VANETs,” in Proceedingsof the IEEE Vehicular Technology Conference (VTC Fall). IEEE, Sep.2011, pp. 1–5. [Online]. Available: http://doi.org/10.1109/VETECF.2011.6093096

[91] M. Sun, M. Li, and R. Gerdes, “A data trust frameworkfor VANETs enabling false data detection and secure vehicletracking,” in 2017 IEEE Conference on Communications andNetwork Security (CNS), Oct. 2017, pp. 1–9. [Online]. Available:https://doi.org/10.1109/CNS.2017.8228654

[92] T. Leinmüller, E. Schoch, F. Kargl, and C. Maihöfer, “Decentralizedposition verification in geographic ad hoc routing,” Security andCommunication Networks, vol. 3, no. 4, pp. 289–302, 2008. [Online].Available: http://doi.org/10.1002/sec.56

[93] R. K. Schmidt, T. Leinmüller, E. Schoch, A. Held, and G. Schäfer,“Vehicle behavior analysis to enhance security in VANETs,” in Pro-ceedings of the 4th Workshop on Vehicle to Vehicle Communications.IEEE, 2008.

[94] G. Yan, S. Olariu, and M. C. Weigle, “Providing VANET SecurityThrough Active Position Detection,” Computer Communications,vol. 31, no. 12, pp. 2883–2897, Jul. 2008. [Online]. Available:http://doi.org/10.1016/j.comcom.2008.01.009

[95] A. Jaeger, N. Bißmeyer, H. Stübing, and S. A. Huss, “A NovelFramework for Efficient Mobility Data Verification in VehicularAd-hoc Networks,” International Journal of Intelligent TransportationSystems Research, vol. 10, no. 1, pp. 11–21, Aug. 2011. [Online].Available: http://doi.org/10.1007/s13177-011-0038-9

[96] N. Bißmeyer, S. Mauthofer, K. M. Bayarou, and F. Kargl,“Assessment of node trustworthiness in vanets using data plausibilitychecks with particle filters,” in Vehicular Networking Conference(VNC), 2012 IEEE. IEEE, 2012, pp. 78–85. [Online]. Available:https://doi.org/10.1109/VNC.2012.6407448

[97] R. P. Barnwal and S. K. Ghosh, “Heartbeat message basedmisbehavior detection scheme for vehicular ad-hoc networks,”in Connected Vehicles and Expo (ICCVE), 2012 InternationalConference on. IEEE, 2012, pp. 29–34. [Online]. Available:https://doi.org/10.1109/VNC.2012.6407448

[98] C. Yavvari, Z. Duric, and D. Wijesekera, “Vehicular dynamics basedplausibility checking,” in 2017 IEEE 20th International Conferenceon Intelligent Transportation Systems (ITSC), Oct. 2017, pp. 1–8.[Online]. Available: https://doi.org/10.1109/ITSC.2017.8317883

[99] M. Ghosh, A. Varghese, A. Gupta, A. A. Kherani, and S. N.Muthaiah, “Detecting misbehaviors in VANET with integrated root-

cause analysis,” Ad Hoc Networks, vol. 8, no. 7, pp. 778–790, Sep.2010. [Online]. Available: http://doi.org/10.1016/j.adhoc.2010.02.008

[100] N. Bißmeyer, C. Stresing, and K. M. Bayarou, “Intrusion Detectionin VANETs Through Verification of Vehicle Movement Data,” inProceedings of the Vehicular Networking Conference (VNC). IEEE,2010, pp. 166–173. [Online]. Available: http://doi.org/10.1109/VNC.2010.5698232

[101] K. Zaidi, M. B. Milojevic, V. Rakocevic, A. Nallanathan, andM. Rajarajan, “Host-based intrusion detection for vanets: A statisticalapproach to rogue node detection,” Transactions on VehicularTechnology, vol. 65, no. 8, pp. 6703–6714, Aug 2016. [Online].Available: https://doi.org/10.1109/TVT.2015.2480244

[102] J. Grover, M. S. Gaur, V. Laxmi, and N. K. Prajapati, “ASybil attack detection approach using neighboring vehicles inVANET,” in Proceedings of the 4th international conferenceon Security of information and networks (SIN). New York,NY, USA: ACM Press, 2011, p. 151. [Online]. Available: http://doi.org/10.1145/2070425.2070450

[103] P. Golle, D. Greene, and J. Staddon, “Detecting and correctingmalicious data in VANETs,” in Proceedings of the first ACMworkshop on Vehicular ad hoc networks (VANET). New York,NY, USA: ACM Press, 2004, p. 29. [Online]. Available: http://doi.org/10.1145/1023875.1023881

[104] S. Dietzel, E. Schoch, B. Könings, M. Weber, and F. Kargl,“Resilient secure aggregation for vehicular networks,” Network,vol. 24, no. 1, pp. 26–31, Jan. 2010. [Online]. Available:http://doi.org/10.1109/MNET.2010.5395780

[105] J. Rezgui and S. Cherkaoui, “Detecting faulty and malicious vehiclesusing rule-based communications data mining,” in Proceedings of the36th Conference on Local Computer Networks (LCN). IEEE, Oct.2011, pp. 827–834. [Online]. Available: http://doi.org/10.1109/LCN.2011.6115558

[106] J. Grover, N. K. Prajapati, V. Laxmi, and M. S. Gaur, “Machinelearning approach for multiple misbehavior detection in VANET,” inAdvances in Computing and Communications, ser. Communicationsin Computer and Information Science, A. Abraham, J. L. Mauri,J. F. Buford, J. Suzuki, and S. M. Thampi, Eds. SpringerBerlin Heidelberg, 2011, vol. 192, pp. 644–653. [Online]. Available:http://doi.org/10.1007/978-3-642-22720-2_68

[107] F. A. Ghaleb, A. Zainal, M. A. Rassam, and F. Mohammed, “Aneffective misbehavior detection model using artificial neural networkfor vehicular ad hoc network applications,” in 2017 IEEE Conferenceon Application, Information and Network Security (AINS), Nov. 2017,pp. 13–18.

[108] G. Yan, B. B. Bista, D. B. Rawat, and E. F. Shaner, “GeneralActive Position Detectors Protect VANET Security,” in Proceedingsof the 2011 International Conference on Broadband and WirelessComputing, Communication and Applications. IEEE, Oct. 2011, pp.11–17. [Online]. Available: http://doi.org/10.1109/BWCCA.2011.12

[109] M. Schäfer, P. Leu, V. Lenders, and J. Schmitt, “Secure MotionVerification Using the Doppler Effect,” in Proceedings of the 9th ACMConference on Security & Privacy in Wireless and Mobile Networks,ser. WiSec ’16. New York, NY, USA: ACM, 2016, pp. 135–145.[Online]. Available: http://doi.acm.org/10.1145/2939918.2939920

[110] T. Leinmüller, A. Held, G. Schäfer, and A. Wolisz, “IntrusionDetection in VANETs,” Proceedings of 12th IEEE InternationalConference on Network Protocols (ICNP 2004) – Student PosterSession, Oct. 2004. [Online]. Available: http://www.leinmueller.de

[111] T. Leinmüller, C. Maihöfer, E. Schoch, and F. Kargl, “Improvedsecurity in geographic ad hoc routing through autonomous positionverification,” in Proceedings of the 3rd international workshop onVehicular ad hoc networks (VANET). New York, NY, USA: ACMPress, 2006, pp. 57–66. [Online]. Available: http://doi.org/10.1145/1161064.1161075

[112] R. W. van der Heijden, A. Al-Momani, F. Kargl, and O. M. F.Abu-Sharkh, “Enhanced position verification for vanets usingsubjective logic,” in Proceedings of the 84th Vehicular TechnologyConference (VTC2016-Fall), vol. abs/1703.10399. IEEE, 2016.[Online]. Available: http://arxiv.org/abs/1703.10399

[113] M. Hall, E. Frank, G. Holmes, B. Pfahringer, P. Reutemann, andI. H. Witten, “The WEKA data mining software: an update,”in Special Issue: Open Source Analytics, ser. KDD Explorations,R. L. Grossman, O. R. Zaine, C. Aggarwal, and B. Goethals,Eds. ACM, July 2009, vol. 11. [Online]. Available: https://dl.acm.org/citation.cfm?id=1656278

[114] L. Breiman, “Random forests,” Machine Learning, vol. 45, no. 1,

http://doi.org/10.1109/INFOCOM.2008.4544650

http://doi.acm.org/10.1145/1998412.1998440

http://doi.org/10.1145/1860058.1860067

http://doi.org/10.1109/VNC.2011.6117120

http://doi.acm.org/10.1145/1741866.1741879

https://doi.org/10.1214/aoms/1177698950

https://doi.org/10.1214/aoms/1177698950

http://doi.org/10.1109/VETECF.2011.6093096

http://doi.org/10.1109/VETECF.2011.6093096

https://doi.org/10.1109/CNS.2017.8228654

http://doi.org/10.1002/sec.56

http://doi.org/10.1016/j.comcom.2008.01.009

http://doi.org/10.1007/s13177-011-0038-9

https://doi.org/10.1109/VNC.2012.6407448

https://doi.org/10.1109/VNC.2012.6407448

https://doi.org/10.1109/ITSC.2017.8317883

http://doi.org/10.1016/j.adhoc.2010.02.008

http://doi.org/10.1109/VNC.2010.5698232

http://doi.org/10.1109/VNC.2010.5698232

https://doi.org/10.1109/TVT.2015.2480244

http://doi.org/10.1145/2070425.2070450

http://doi.org/10.1145/2070425.2070450

http://doi.org/10.1145/1023875.1023881

http://doi.org/10.1145/1023875.1023881

http://doi.org/10.1109/MNET.2010.5395780

http://doi.org/10.1109/LCN.2011.6115558

http://doi.org/10.1109/LCN.2011.6115558

http://doi.org/10.1007/978-3-642-22720-2_68

http://doi.org/10.1109/BWCCA.2011.12

http://doi.acm.org/10.1145/2939918.2939920

http://www.leinmueller.de

http://doi.org/10.1145/1161064.1161075

http://doi.org/10.1145/1161064.1161075

http://arxiv.org/abs/1703.10399

https://dl.acm.org/citation.cfm?id=1656278

https://dl.acm.org/citation.cfm?id=1656278

33

pp. 5–32, 2001. [Online]. Available: http://doi.org/10.1023/A%3A1010933404324

[115] J. Grover, V. Laxmi, and M. Gaur, “Misbehavior detection based onensemble learning in VANET,” in Advanced Computing, Networkingand Security, ser. Lecture Notes in Computer Science, P. Thilagam,A. Pais, K. Chandrasekaran, and N. Balakrishnan, Eds. SpringerBerlin / Heidelberg, 2012, vol. 7135, pp. 602–611. [Online]. Available:http://doi.org/10.1007/978-3-642-29280-4_70

[116] A. Kamra, V. Misra, J. Feldman, and D. Rubenstein, “Growth codes:maximizing sensor network data persistence,” SIGCOMM Comput.Commun. Rev., vol. 36, no. 4, pp. 255–266, Aug. 2006. [Online].Available: http://doi.acm.org/10.1145/1151659.1159943

[117] Z. Ren, W. Li, and Q. Yang, “Location verification for VANETsrouting,” in Proceedings of the International Conference onWireless and Mobile Computing, Networking and Communications(WIMOB). IEEE, 2009, pp. 141–146. [Online]. Available: https://doi.org/10.1109/WiMob.2009.33

[118] ETSI, “Intelligent Transport Systems (ITS); Decentralized CongestionControl Mechanisms for Intelligent Transport Systems operating in the5 GHz range; Access layer part,” Technical Specification: TS 102 867,V1.1.1, July 2011.

[119] E. Palomar, J. M. de Fuentes, A. I. González-Tablas, and A. Alcaide,“Hindering false event dissemination in VANETs with proof-of-work mechanisms,” Transportation Research Part C: EmergingTechnologies, vol. 23, pp. 85–97, Aug. 2012. [Online]. Available:https://doi.org/10.1016/j.trc.2011.08.002

[120] B. Wiedersheim, Z. Ma, F. Kargl, and P. Papadimitratos, “Privacyin inter-vehicular networks: why simple pseudonym change is notenough,” in Proceedings of the 7th international conference onWireless on-demand network systems and services, ser. WONS’10.Piscataway, NJ, USA: IEEE Press, 2010, pp. 176–183. [Online].Available: https://doi.org/10.1109/WONS.2010.5437115

[121] R. W. van der Heijden, T. Lukaseder, and F. Kargl, “VeReMi: Adataset for comparable evaluation of misbehavior detection in vanets,”in Proceedings of the 14th EAI International Conference on Securityand Privacy in Communication Networks (SecureComm). Springer,August 2018.

[122] C. Huddlestone-Holmes, G. Gigan, G. Woods, A. Ruxton, I. Atkinson,and S. Kininmonth, “Infrastructure for a sensor network on daviesreef, great barrier reef,” in 3rd International Conference on IntelligentSensors, Sensor Networks and Information. IEEE, Dec. 2007, pp. 675–679. [Online]. Available: https://doi.org/10.1109/ISSNIP.2007.4496924

[123] L. Gupta, R. Jain, and G. Vaszkun, “Survey of Important Issuesin UAV Communication Networks,” IEEE Communications SurveysTutorials, vol. 18, no. 2, pp. 1123–1152, 2016. [Online]. Available:https://doi.org/10.1109/COMST.2015.2495297

[124] S. Martini, D. Di Baccio, F. Alarcón Romero, A. Viguria Jiménez,L. Pallottino, G. Dini, and A. Ollero, “Distributed motion misbehaviordetection in teams of heterogeneous aerial robots,” Robotics andAutonomous Systems, vol. 74, pp. 30–39, Dec. 2015. [Online].Available: https://doi.org/10.1016/j.robot.2015.06.008

[125] H. Sedjelmaci, S. M. Senouci, and N. Ansari, “A HierarchicalDetection and Response System to Enhance Security Against LethalCyber-Attacks in UAV Networks,” IEEE Transactions on Systems,Man, and Cybernetics: Systems, pp. 1–13, 2017. [Online]. Available:https://doi.org/10.1109/TSMC.2017.2681698

[126] R. Altawy and A. M. Youssef, “Security, privacy, and safetyaspects of civilian drones: A survey,” ACM Trans. Cyber-Phys.Syst., vol. 1, no. 2, pp. 7:1–7:25, Nov. 2016. [Online]. Available:http://doi.acm.org/10.1145/3001836

Rens Wouter van der Heijden Rens Wouter vander Heijden is a PhD student with the Institute ofDistributed Systems at Ulm University. He earned isMasters’ degree at Twente University in 2012, spe-cializing in computer security. His research focuseson misbehavior and intrusion detection in cooper-ative intelligent transport systems, with additionalinterests in information fusion, subjective logic, andnetwork security.

Stefan Dietzel Stefan Dietzel is a postdoctoral re-searcher with the chair of computer engineering atHumboldt University, Berlin, Germany. Stefan holdsa doctoral degree in computer science from the Uni-versity of Twente, The Netherlands, and a Diplomdegree in computer science from Ulm University,Germany. His research interests include efficient andresilient wireless ad-hoc communication systems forindustrial environments, as well as vehicle-to-vehiclecommunication.

Tim Leinmüller Tim Leinmüller is currently thetechnical manager responsible for DENSO’s Euro-pean Connected Automated Driving (CAD) researchand standardization activities. He serves as officialcontact and is responsible for DENSO’s involve-ment in related industry groups and standardizationactivities, such as the 5G Automotive Association(5GAA), the Car2Car Communication Consortium(C2C-CC), and ETSI. Tim’s research interests andactivities include any aspects of connected vehicletechnology, as well as automotive (cyber)security.

Frank Kargl Frank Kargl holds the chair of Dis-tributed Systems at Ulm University. His researchinterests include network security and privacy witha special focus on cooperative intelligent transporta-tion systems and automotive systems. Other researchincludes privacy-enhancing technologies and dis-tributed computing frameworks. In these areas, heco-authored more than 200 peer-reviewed publica-tions. Frank is a member of ACM, IEEE and GermanGI.

http://doi.org/10.1023/A%3A1010933404324

http://doi.org/10.1023/A%3A1010933404324

http://doi.org/10.1007/978-3-642-29280-4_70

http://doi.acm.org/10.1145/1151659.1159943

https://doi.org/10.1109/WiMob.2009.33

https://doi.org/10.1109/WiMob.2009.33

https://doi.org/10.1016/j.trc.2011.08.002

https://doi.org/10.1109/WONS.2010.5437115

https://doi.org/10.1109/ISSNIP.2007.4496924


https://doi.org/10.1016/j.robot.2015.06.008

https://doi.org/10.1109/TSMC.2017.2681698

http://doi.acm.org/10.1145/3001836

Documents

Survey on Misbehavior Detection in Cooperative Intelligent ... · Survey on Misbehavior Detection in Cooperative Intelligent Transportation Systems Rens W. van der Heijden, Stefan