Global Roaming Trust-based Model for V2X Communications

Smart cities need to connect physical devices as a network to improve the efficiency of city operations and services. The Intelligent Transportation System (ITS) is one of the key components in smart cities, due to its capability of supporting communications between vehicles to improve the driving experience. Whilst Vehicle-to-Everything (V2X) communications are essential, cyber-security poses a significant challenge in V2X communications. A V2X communication link is vulnerable to various cyber-attacks, including internal and external attacks. Internal attacks cannot be detected by conventional security schemes because the compromised nodes have valid credentials. Thus, a new trust model is urgently needed to mitigate cybersecurity risks. In this paper, a global roaming trust-based security model is proposed for V2X communications. Each vehicle has global knowledge about malicious nodes in the network. In addition, various experiments are conducted with different percentages of malicious nodes to measure the performance of the proposed model. Simulation results show that the proposed model improves False Negative Rate (FNR) by 33.5% in comparison with the existing method.


I. INTRODUCTION
The Intelligent Transportation System (ITS) is one of the leading smart systems that have been developed to obtain reliable transportation. One vehicle can establish communication with other vehicles and/or infrastructure units using Vehicle-to-Everything (V2X) communications. Vehicles include all moving road entities, such as cars, bicycles, buses, trains and motorcycles. The road entity periodically broadcasts a message which contains status information, such as speed, direction and location. V2X supports several types of communication links as shown in Fig. 1, e.g. Vehicle-to-Vehicle (V2V), Vehicle-to-Pedestrian (V2P), Vehicle-to-Grid (V2G) and Vehicle-to-Infrastructure (V2I).
As a consequence, the communication link between road entities is exposed to either internal or external cyber-attacks. External attacks mean that unauthorized nodes launch the malicious behavior. Fortunately, the network can be protected against these attacks by applying conventional security schemes, such as encryption and authentication. Internal attacks mean that authorized nodes initiate the malicious behavior. Unfortunately, the compromised nodes are hard to detect because they have valid credentials. As a result, a trust-based model was studied in [1] to protect the network against internal attacks by continuously monitoring the surrounding nodes' behavior. When a misbehaving node is detected, a warning alarm is sent to the network [2].
A. Alnasser (alalnasser@ksu.edu.sa) is also with School of Engineering and Computing Sciences, Durham University, Durham, UK.
There is a rich literature on developing security models to provide data confidentiality in V2X communications. For instance, Liu et al. [3] designed a privacy-preserving ad conversion protocol for V2X-assisted proximity marketing that achieves input certification and output verifiability against malicious ad networks. Ulybyshev et al. [4] suggested a data exchange method for V2X communications, to ensure data confidentiality and integrity. This method supports encrypted search over encrypted vehicle records that could be stored in an untrusted cloud. Simplicio et al. [5] improved the structure of SCMS's certificate revocation and linkage approach by addressing some limitations. The proposed modifications support the temporary revocation and linkage of pseudonym certificates. Furthermore, Cheng et al. [6] presented a remote attestation security model based on a privacy-preserving blockchain. The model is comprised of two parts: identity authentication and the calculation of the nodes to make final decisions and write them into data blocks.
Recently, the authentication of V2X communications has been well studied. For instance, Yang et al. [7] implemented an authentication model for V2X communications. This model consists of two schemes: one scheme for V2V communications, and another for V2I communications. Villarreal-Vasquez et al. [8] proposed a dynamic approach which achieves the trade-off between safety, security and performance of V2X systems. However, the analysis is limited to V2V communications compliant with IEEE 802.11p. In addition, Kiening et al. [9] studied the security requirements for V2X systems, in particular trust assurance levels. A certification framework was designed to support trust establishment between road entities in V2X communications. Indeed, the node should be trusted if it has been correctly authenticated. Ahmed and Lee [10] evaluated security services of the new LTE-based V2X architecture. Building on evaluation results, a practical solution was proposed to protect privacy and achieve security requirements of message exchange in V2X networks. Also, Jung et al. [11] suggested a procedure and test scenario to achieve secure communication for autonomous cooperation driving. Furthermore, there is some research on ensuring data integrity. To defend against both false data injection and packet drop attacks, a new model was proposed in [12] that particularly focuses on the security in sensing systems for V2X networks. However, far less effort has been devoted to defending against internal attacks.
To deal with internal attacks, this paper studies a global roaming trust-based model for V2X communications. The performance of the proposed model is then evaluated by comparing it with an existing model [13]. The simulation results show that the proposed model outperforms the existing one. This paper makes two main contributions to the field of vehicular network security:
• This paper proposes a global roaming trust-based model for V2X communications. Different from existing research, the nodes have global knowledge about malicious nodes in the network.
• This paper compares the performance of the proposed model with the existing model in [13]; the proposed model improves the False Negative Rate (FNR) by 33.5% when the percentage of malicious nodes is around 87.5%.
The remainder of this paper is organised as follows. Section II presents the system model. Section III provides a detailed description of the proposed trust model. Section IV includes both simulation setup and experimental results. Section V focuses on performance comparison with the existing model [13]. Section VI draws conclusions.

II. SYSTEM MODEL
The considered network consists of N road entities, which move at various speeds, and M fixed Road Side Units (RSUs). Each road entity sends three types of messages: a beacon message, which is sent periodically to inform the surrounding nodes about its current speed, location and direction; a transaction message, which contains confidential information and is sent to the core network; and a warning message, which is sent to the surrounding RSUs when a malicious node is detected. Each time the road entity sends a message to the core network, it should go through the following phases:
• Connectivity phase: each road entity examines its connectivity with the core network and the surrounding entities.
• Communication phase: if the source entity has a connection with the core network, it forwards its packet to the nearest RSU. Otherwise, the packet is sent to a trusted entity, which relays it to the core network.
Moreover, the considered network has two types of nodes: normal and malicious. The normal node keeps monitoring the surrounding environment and sends its packets to the core network. Also, it relays any received packet to the nearest RSU. On the other hand, the malicious node launches various attacks to disturb the network performance, such as:
• Selective forwarding attack: occurs when the malicious node drops some of the received packets randomly to escape punishment.
• Recommendation attack: occurs when the malicious node sends bogus recommendations regarding other nodes:
  - In a good-mouthing attack, the malicious node f sends good recommendations regarding other malicious nodes $h_1, h_2, \ldots, h_{np}$ as shown in Fig. 2(a). In this attack, the malicious nodes h could be considered as normal nodes. Thus, the malicious node f disturbs the decision phase.
  - In a bad-mouthing attack, the malicious node f sends bad recommendations regarding other normal nodes $q_1, q_2, \ldots, q_{np}$ as shown in Fig. 2(b). In this attack, the normal nodes q may be classified by node i as malicious nodes.
III. GLOBAL ROAMING TRUST-BASED MODEL
The global roaming trust-based model maintains two levels of trust as shown in Fig. 3: road entities level and RSU level. The road entity evaluates the trustworthiness of surrounding entities, and then sends warning messages to the surrounding RSUs when a malicious node is detected. When the RSUs receive a high volume of warning messages from the surrounding entities, they generate an alarm and send it to the central unit.
The details of this model are presented as follows.

A. Road entity level
During time interval t, each road entity measures the trustworthiness of all surrounding entities. Indeed, node i continuously monitors its one-hop neighbors j. Then, node i is able to compute direct trust using the collected information. In addition, node i sends recommendation requests to the surrounding nodes k regarding node j. The proposed model manages two trust components as follows.
current(i,j) : it is computed by node i to evaluate the communication experience with node j during time interval t. It is calculated using It is measured based on the following trust values: past(i,j) : it is a measure for the past behavior of node j. The past trust is considered to prevent the non-continuous malicious behavior.
: it is an evaluation for the communication experience with the neighboring nodes j. It is computed using where Successful_Interactions is the number of successful interactions between node i and node j, and Total_Interactions is the total number of interactions between node i and node j.
indirect(i,j) : it is a measure for the behavior of neighboring nodes j using surrounding nodes' opinions. Node i collects recommendations from the surrounding nodes regarding node j. Before computing indirect trust, node i applies the following steps:
- Confidence value computation, $C^{(t)}_{(i,k)}$: node i measures the confidence value for each recommender node k. $C^{(t)}_{(i,k)}$ is computed by
After that, each node i calculates indirect trust for node j by applying different weights α and β for $P^{(t)}_{(i,j)}$ and $N^{(t)}_{(i,j)}$ respectively. It is calculated using where P l(i,j) : each node i is able to compute local trust for node j and make a decision. Generally, local trust is computed using where $Trust_1$ and $Trust_2$ are adjusted based on three factors: the occurrence of current communications between node i and node j; the existence of recommendations about node j; and the presence of a previous connection between node i and node j. The measurement of $Trust_1$ and $Trust_2$ is described in Table I. In addition, the trust weights $w_1$ and $w_2$ are changed based on the recommendation factor (RC) and the number of neighbors. $w_1$ and $w_2$ are weights for indirect trust and (direct/current or past) trust respectively. $w_1$ represents the recommendation rate as follows: where $w_2 = 1 - w_1$, and $Neighbors^{(t)}$ is the number of node i neighbors at time t.
• Local decision: node i has a local blacklist which has a list of malicious nodes based on the local decision. Thus, node i stops the communication with any node j in the blacklist. The decision is made using where $Th_{min}$ and $Th_{max}$ are minimum and maximum trust thresholds, respectively. After that, the node updates its local blacklist and sends malicious and uncertain warning messages to the surrounding RSUs.
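As an added illustration (not code from the paper), the Python sketch below walks through the road-entity-level flow described above: direct trust from the interaction counts, a $w_1$/$w_2$ combination with indirect trust, and the threshold decision, applied to constructed selective-forwarding, good-mouthing and bad-mouthing cases. The equations and Table I are not reproduced on this page, so the success ratio, the confidence-weighted mean of recommendations, the fallback order, the direction of the threshold comparison, the `unknown` label and all function names are assumptions, and $w_1$ is passed in directly rather than derived from RC and the neighbor count.

```python
# Added illustration; formulas are simplified assumptions, not the paper's equations.
TH_MIN, TH_MAX = 0.4, 0.7   # threshold values the page reports as optimal

def direct_trust(successful, total, past=None):
    """Success ratio for the current interval; fall back to past trust
    when node i had no interaction with node j in this interval."""
    if total > 0:
        return successful / total
    return past  # None if node j was never seen before

def indirect_trust(recommendations):
    """Confidence-weighted mean of (confidence, opinion) pairs from
    recommender nodes k; None when nobody answered the request."""
    weight = sum(c for c, _ in recommendations)
    if weight == 0:
        return None
    return sum(c * r for c, r in recommendations) / weight

def local_trust(direct, indirect, w1):
    """w1 weights indirect trust, w2 = 1 - w1 weights direct/past trust.
    If only one component exists it is used alone (None if neither)."""
    if direct is None or indirect is None:
        return indirect if direct is None else direct
    return w1 * indirect + (1 - w1) * direct

def local_decision(trust):
    """Three-way decision that drives the local blacklist and warnings."""
    if trust is None:
        return "unknown"
    if trust < TH_MIN:
        return "malicious"
    if trust > TH_MAX:
        return "normal"
    return "uncertain"

def evaluate(successful, total, recommendations, w1, past=None):
    d = direct_trust(successful, total, past)
    return local_decision(local_trust(d, indirect_trust(recommendations), w1))

# Constructed scenarios. Each recommendation is (confidence in k, k's opinion of j).
# Selective forwarder that relayed 3 of 10 packets, no recommendations received:
forwarder_alone = evaluate(3, 10, [], w1=0.3)
# Same forwarder, good-mouthed by an accomplice that node i still trusts:
forwarder_good_mouthed = evaluate(3, 10, [(0.9, 1.0)], w1=0.3)
# Honest relay (19 of 20 delivered) bad-mouthed by one attacker, two weightings:
honest_bad_mouthed_low_w1 = evaluate(19, 20, [(0.9, 0.0)], w1=0.1)
honest_bad_mouthed_high_w1 = evaluate(19, 20, [(0.9, 0.0)], w1=0.3)

if __name__ == "__main__":
    print(forwarder_alone, forwarder_good_mouthed,
          honest_bad_mouthed_low_w1, honest_bad_mouthed_high_w1)
```

In these constructed cases a single good-mouthing recommendation moves the forwarder from malicious to uncertain, and raising the indirect-trust weight moves the honest relay from normal to uncertain.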

B. RSU level
During time interval t , where t > t, RSUs start the trust calculation phase. First, each RSU measures the percentage of malicious and uncertain alarms regarding node j using where m and u are the number of malicious and uncertain warnings respectively. Second, each RSU is able to make a decision regarding node j using where $Rate_M$ and $Rate_U$ are the rates of malicious alarms and uncertain alarms respectively. They are calculated using Finally, the RSU classifies node j as a malicious node when $Decision_j > 0$. Therefore, the RSU sends a malicious alarm to the central server.

C. Global Trust decision
At this stage, the central server can make a global decision regarding node j based on the alarms which are received from RSUs.
Otherwise. (13) where $A_m$ is the number of malicious warnings that are received regarding node j. Node j is added to the global blacklist when it is classified as a malicious node. The central server broadcasts the updated global blacklist to the RSUs. Then, the RSUs rebroadcast it to all road entities that are covered by the network. The road entities update the local blacklist based on the received global blacklist.

IV. SIMULATION ANALYSIS
This section describes the simulation setup for evaluating the performance of the proposed model. The effect of changing parameters on the false alarm rate is also analysed.

A. Network specifications
We used MATLAB R2016b to conduct the simulation of a V2X network with 24 road entities and 9 RSUs with parameters as shown in Table II. The road entities move over an area of 900 × 900 m² with various speed ranges. The considered area is composed of two intersections using three two-lane roads. The road entity sends the transaction message to the core network directly or using a multi-hop routing protocol. To measure the performance of the proposed trust model, we study various types of malicious nodes: six selective forwarding attackers, three good-mouthing attackers and three bad-mouthing attackers.

B. Simulation Results
In this section, we study the impact of changing parameters on the global trust measure and relate these to the false alarm rate. False alarm rate includes False Negative Rate (FNR) and False Positive Rate (FPR). FNR measures the rate of undetected attacks, whilst FPR measures the rate of classifying normal nodes as malicious. We run the simulations using the initial parameters $Th_{max}$ = 0.9, RC = 0.3, $C_w$ = 0.9. Then, we updated their values with the optimal ones.
1) Effect of trust thresholds on false alarm rate: The simulation experiments were run with initial parameters. We study how various values of $Th_{min}$ affect the false alarm rate, which also helps us to define the optimal value for $Th_{min}$. The corresponding results are shown in Fig. 4(a). The following remarks can be made:
• FNR increases when the value of $Th_{min}$ increases;
• FPR rises significantly as $Th_{min}$ increases;
• the impact of $Th_{min}$ on FPR is high because, as $Th_{min}$ goes up, the malicious range is expanded. As a result, many normal nodes are classified as malicious nodes;
• when $Th_{min}$ = 0.4, it achieves low FNR and FPR values.
Moreover, we study how various values of $Th_{max}$ affect the false alarm rate. The experiment was run with initial parameters and $Th_{min}$ = 0.4. The corresponding results are shown in Fig. 4(b). We notice that FNR slightly decreases when the value of $Th_{max}$ increases; however, the FPR slightly goes up as $Th_{max}$ increases. We update the initial value of $Th_{max}$ with 0.7, which is the optimal value.
2) Effect of recommendation factor (RC): The simulation experiments were run with updated initial parameters. Here, we study the effect of various values of RC on the false alarm rate. By inspecting Fig. 5(a), the following remarks can be made:
• FPR goes up when the value of RC increases to reach approximately 0.27; however, the FNR is stable while RC increases;
• the RC has an impact on FPR only because RC is a part of the calculation of the indirect trust weight $w_1$. Therefore, giving a high weight to indirect trust results in a high FPR. As a result, the model starts making false decisions regarding the normal nodes;
• we choose RC = 0.3 as the optimal value, which is the same as the initial value.
3) Effect of confidence weight ($C_w$): We examine various values of $C_w$ to choose the value that achieves the minimum false alarm rate, as shown in Fig. 5(b). Key findings are:
• FPR goes down when $C_w$ increases because we give lower weight to the recommendations that are sent by uncertain nodes; however, the FNR decreases slightly when $C_w$ increases;
• the majority of normal nodes are classified as uncertain; giving recommendations a low weight results in a high FPR;
• the initial value of $C_w$ is the optimal one.

V. PERFORMANCE EVALUATION
We use the existing model in [13] as a benchmark to evaluate the performance of the proposed model. The impact of various rates of malicious nodes on the false alarm rate is studied on the proposed model and existing model.

A. Effect of selective forwarding attack on FNR
Generally, when the model has a low FNR, it is able to detect most of the malicious nodes. The result shown in Fig. 6(a) represents the FNR for various percentages of malicious nodes. The following remarks can be made:
• in the existing model, the FNR reaches 0.73 when the percentage of malicious nodes is equal to 87.50%.

B. Effect of selective forwarding attack on PDR
To measure the model performance, we measure the PDR with different percentages of malicious nodes as shown in Fig. 6(b). Generally, the PDR increases as the percentage of malicious nodes increases. In addition, the existing model produces a high PDR, which results from the high FNR. On the other hand, the proposed model has a lower PDR, which improves the network performance.

C. Measuring the improvement rate
We measure the improvement rate on FNR and PDR for the proposed model in comparison with the existing model [13] as shown in Fig.7. We notice that the FNR is highly improved in the proposed model when the percentage of malicious nodes is equal to 12.50%. In addition, the rate at 50%, which is a high percentage, increases again to around 50%.
Moreover, we notice that the proposed model provides high improvement on PDR in comparison with the existing model, thus, it gains better network performance.

VI. CONCLUSION
In this paper, we proposed a global roaming trust-based model for the V2X network. Various malicious behaviors are considered to study the performance of the proposed model, namely selective forwarding attack, bad-mouthing attack and good-mouthing attack. We conducted various experiments with different percentages of malicious nodes. Comparison